---
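- name: Create letsencrypt www directory
  # Webroot for ACME http-01 challenges: certbot (root) writes the challenge
  # files here and nginx serves them. 0755 is enough for the nginx worker
  # to read them; nothing else needs write access.
  file:
    path: '/var/www/letsencrypt'
    state: directory
    owner: root
    group: root
    # Quoted so neither YAML nor Ansible reinterprets the octal literal.
    mode: '0755'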
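- name: Install nginx site for letsencrypt requests
  # NOTE(review): the rendered site (letsencrypt.nginx.j2, not shown here)
  # should expose only /.well-known/acme-challenge/ from the webroot; anything
  # broader is served on plain HTTP before a certificate exists - confirm.
  template:
    dest: '/etc/nginx/sites-enabled/letsencrypt'
    src: letsencrypt.nginx.j2
    owner: root
    group: root
    # Quoted so neither YAML nor Ansible reinterprets the octal literal.
    mode: '0644'
  # Registered so the reload task below runs only when the site changed.
  register: letsencrypt_site
  tags:
    - nginx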
# The certificate task further down needs the letsencrypt site to be live in
# the running nginx before certbot is invoked, so reload right here instead
# of relying on the `reload nginx` handler (which only fires later).
- name: Reload nginx
  when: letsencrypt_site is changed
  systemd:
    name: nginx.service
    state: reloaded
- name: 'Create {{ domain_name }} certificate'
  # Issues the certificate once; `creates` skips the task on later runs as
  # long as the renewal config for domain_name exists.
  # NOTE(review): because of that guard, changing the -d list or the key type
  # after the first run is silently ignored - the cert is not reissued.
  # NOTE(review): the second SAN is hard-coded to www.labitat.dk while the
  # first one is templated from domain_name; issuance fails if that name does
  # not resolve to this host. Presumably meant to track domain_name - confirm.
  command:
    argv:
      - '/usr/bin/certbot'
      - 'certonly'
      - '--non-interactive'
      - '--agree-tos'
      - '--max-log-backups'
      - '99'
      # http-01 via the webroot served by the nginx site installed above.
      - '--webroot'
      - '--webroot-path'
      - '/var/www/letsencrypt'
      - '--preferred-challenges'
      - 'http'
      # RSA is pinned explicitly (presumably for old-client compatibility;
      # newer certbot releases default to ECDSA). The choice is recorded in
      # the renewal config and so carries over to renewals - verify.
      - '--key-type'
      - 'rsa'
      - '-m'
      - '{{ letsencrypt_email }}'
      - '-d'
      - '{{ domain_name }}'
      - '-d'
      - 'www.labitat.dk'
    creates: '/etc/letsencrypt/renewal/{{ domain_name }}.conf'
  # The new certificate only takes effect once nginx re-reads it.
  notify:
    - reload nginx
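# Install the deploy hook before the renewal timer is armed, so no renewal
# can complete without nginx being told to pick up the new certificate.
- name: Add deploy hook to reload nginx
  # certbot runs deploy hooks (as root) after each successful renewal; the
  # script body lives in certbot-nginx.sh.j2 (not shown here). Root-owned and
  # not group/world-writable, since it executes with root privileges.
  template:
    dest: '/etc/letsencrypt/renewal-hooks/deploy/nginx.sh'
    src: certbot-nginx.sh.j2
    owner: root
    group: root
    # Quoted so neither YAML nor Ansible reinterprets the octal literal.
    mode: '0755'
- name: Enable certbot renewal timer
  systemd:
    name: certbot.timer
    # Canonical booleans; `yes`/`no` depend on YAML 1.1 truthy parsing.
    enabled: true
    masked: false
    state: started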
# vim: set ts=2 sw=2 et: