-rw-r--r--roles/sky/tasks/certbot.yml71
-rw-r--r--roles/sky/tasks/main.yml3
-rwxr-xr-xroles/sky/templates/certbot-nginx.sh.j29
-rw-r--r--roles/sky/templates/letsencrypt.nginx.j214
-rw-r--r--roles/sky/vars/main.yml4
5 files changed, 101 insertions, 0 deletions
diff --git a/roles/sky/tasks/certbot.yml b/roles/sky/tasks/certbot.yml
new file mode 100644
index 0000000..1ff4f03
--- /dev/null
+++ b/roles/sky/tasks/certbot.yml
@@ -0,0 +1,71 @@
+---
+- name: Create letsencrypt www directory
+ file:
+ name: '/var/www/letsencrypt'
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Install nginx site for letsencrypt requests
+ template:
+ dest: '/etc/nginx/sites-enabled/letsencrypt'
+ src: letsencrypt.nginx.j2
+ owner: root
+ group: root
+ mode: 0644
+ register: letsencrypt_site
+ tags:
+ - nginx
+
+# We need to have the letsencrypt site loaded in the
+# running nginx before creating the certificate below
+# so we can't wait for the regular handler to run
+- name: Reload nginx
+ systemd:
+ name: nginx.service
+ state: reloaded
+ when: letsencrypt_site is changed
+
+- name: 'Create {{ domain_name }} certificate'
+ command:
+ argv:
+ - '/usr/bin/certbot'
+ - 'certonly'
+ - '--non-interactive'
+ - '--agree-tos'
+ - '--max-log-backups'
+ - '99'
+ - '--webroot'
+ - '--webroot-path'
+ - '/var/www/letsencrypt'
+ - '--preferred-challenges'
+ - 'http'
+ - '--key-type'
+ - 'rsa'
+ - '-m'
+ - '{{ letsencrypt_email }}'
+ - '-d'
+ - '{{ domain_name }}'
+ - '-d'
+ - 'www.labitat.dk'
+ creates: '/etc/letsencrypt/renewal/{{ domain_name }}.conf'
+ notify:
+ - reload nginx
+
+- name: Enable certbot renewal timer
+ systemd:
+ name: certbot.timer
+ enabled: yes
+ masked: no
+ state: started
+
+- name: Add deploy hook to reload nginx
+ template:
+ dest: '/etc/letsencrypt/renewal-hooks/deploy/nginx.sh'
+ src: certbot-nginx.sh.j2
+ owner: root
+ group: root
+ mode: 0755
+
+# vim: set ts=2 sw=2 et:
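Review bot: The second SAN `-d 'www.labitat.dk'` is hard-coded while the first comes from `domain_name`, and the `creates: '/etc/letsencrypt/renewal/{{ domain_name }}.conf'` guard means that once the lineage exists, any later change to this domain list is never applied — the task is skipped forever and certbot would need a manual re-run (with `--expand` for a superset of names). A `letsencrypt_domains` list variable with the `-d` pairs generated from it, plus a comment such as `# NOTE: changing the domain list does not re-run certbot; remove the renewal conf or run certbot --expand by hand`, would make that limitation visible. Separately, the template task is tagged `nginx` but has no `notify`, so a `--tags nginx` run re-templates the site without ever reaching the `Reload nginx` task (which only carries the imported `certbot` tag); adding `notify: - reload nginx` to the template task covers that case with the regular handler.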
diff --git a/roles/sky/tasks/main.yml b/roles/sky/tasks/main.yml
index 0e0e54e..6144e82 100644
--- a/roles/sky/tasks/main.yml
+++ b/roles/sky/tasks/main.yml
@@ -9,4 +9,7 @@
tags:
- networkd
+- import_tasks: certbot.yml
+ tags: certbot
+
# vim: set ts=2 sw=2 et:
diff --git a/roles/sky/templates/certbot-nginx.sh.j2 b/roles/sky/templates/certbot-nginx.sh.j2
new file mode 100755
index 0000000..96ffe6d
--- /dev/null
+++ b/roles/sky/templates/certbot-nginx.sh.j2
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+case "$RENEWED_LINEAGE" in
+*'/{{ domain_name }}')
+ exec systemctl reload nginx.service
+ ;;
+esac
+
+# vim: set ts=2 sw=2 et:
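Review bot: The `case` only matches a lineage directory whose basename is exactly `{{ domain_name }}`; if the lineage is ever re-created under a suffixed name (certbot names duplicates like `new.labitat.dk-0001`), the renewed certificate lands on disk but nginx is never reloaded and keeps serving the old key material until it expires. Given that nginx is the only consumer here, an unconditional `exec systemctl reload nginx.service` is the safer default; if the filter is wanted, widen it to `*'/{{ domain_name }}'|*'/{{ domain_name }}-'[0-9]*)`. A one-line header comment, `# certbot deploy hook: runs as root after a successful renewal, RENEWED_LINEAGE is /etc/letsencrypt/live/<name>`, would also help the next reader.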
diff --git a/roles/sky/templates/letsencrypt.nginx.j2 b/roles/sky/templates/letsencrypt.nginx.j2
new file mode 100644
index 0000000..a04f58c
--- /dev/null
+++ b/roles/sky/templates/letsencrypt.nginx.j2
@@ -0,0 +1,14 @@
+server {
+ listen *:80;
+ listen [::]:80;
+ server_name {{ domain_name }} www.labitat.dk;
+
+ location /.well-known/acme-challenge {
+ root /var/www/letsencrypt;
+ try_files $uri $uri/ =404;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
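Review bot: `return 301 https://$host$request_uri;` reflects the client-supplied Host header into the Location header; if this is the only server block on port 80 (not visible here) it is also nginx's default server, so requests with an arbitrary Host value reach it and the redirect becomes an open redirect to an attacker-chosen host. Redirect to the configured name instead, `return 301 https://$server_name$request_uri;` (which resolves to `{{ domain_name }}`, the first entry in `server_name`), or add a separate `listen 80 default_server;` block that returns 444 so unmatched Hosts are dropped rather than redirected. The ACME location is fine as written since `/` is the only other location, but a `^~` prefix would keep it winning if regex locations are added later.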
diff --git a/roles/sky/vars/main.yml b/roles/sky/vars/main.yml
index cd85db3..ecdaefa 100644
--- a/roles/sky/vars/main.yml
+++ b/roles/sky/vars/main.yml
@@ -34,6 +34,7 @@ apt_sources_role:
apt_packages_role:
'nginx': present
+ 'certbot': present
journald_conf_role:
'Journal.Storage': 'persistent'
@@ -50,4 +51,7 @@ users:
'ast': sudo
'joshbuddy': sudo
+domain_name: 'new.labitat.dk'
+letsencrypt_email: 'josh@fireflop.com'
+
# vim: set ts=2 sw=2 et:
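Review bot: `domain_name` and `letsencrypt_email` are added to `vars/main.yml`, which in Ansible's precedence sits above inventory, host_vars and group_vars, so neither can be overridden per host without `-e`; for a hostname and an ACME contact address, `defaults/main.yml` is the conventional place. The email also becomes the ACME account contact that receives expiry warnings, so a shared or role mailbox may be preferable to a personal one — that is a judgement for the operators. Since `www.labitat.dk` is hard-coded in the certbot task while the apex comes from this variable, a single `letsencrypt_domains: ['new.labitat.dk', 'www.labitat.dk']` here would keep the SAN list in one place.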