jokester/ansible-playbooks
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4ae7721070ef3264436cc02d075c95ef2eb6f7d3
ansible-playbooks/roles/nginx/tasks/certbot.yml
T
Clément Désiles aea450dc9d feat: nginx certbot
2026-05-29 21:26:17 +02:00

78 lines
2.7 KiB
YAML
Raw Blame History

---
# Provision a Let's Encrypt certificate for a hostname using the webroot method.
#
# Required variables:
# - certbot_hostname: the domain to provision (e.g. "apk.jokester.fr")
# - acme_email: Let's Encrypt account email (typically from host_vars)
#
# Usage from a service role:
# - name: Provision TLS certificate
# ansible.builtin.include_tasks: "{{ role_path }}/../nginx/tasks/certbot.yml"
# vars:
# certbot_hostname: "{{ myservice_nginx_hostname }}"
# when: myservice_nginx_enabled
- name: Validate certbot requirements
ansible.builtin.assert:
that:
- certbot_hostname is defined
- certbot_hostname | length > 0
- acme_email is defined
- acme_email | length > 0
fail_msg: |
certbot_hostname and acme_email are required for certificate provisioning.
Set acme_email in host_vars and pass certbot_hostname when including this task file.
success_msg: "Certbot requirements validated for {{ certbot_hostname }}"
- name: Check if certificate already exists for {{ certbot_hostname }}
ansible.builtin.stat:
path: "/etc/letsencrypt/live/{{ certbot_hostname }}/fullchain.pem"
register: certbot_cert_file
- name: Provision certificate for {{ certbot_hostname }}
when: not certbot_cert_file.stat.exists
block:
- name: Deploy temporary HTTP-only vhost for ACME challenge
ansible.builtin.template:
src: "{{ role_path }}/../nginx/templates/vhost-http-acme.conf.j2"
dest: "{{ nginx_conf_dir | default('/etc/nginx/conf.d') }}/{{ certbot_hostname | replace('.', '_') }}_acme_temp.conf"
owner: root
group: root
mode: "0644"
- name: Reload nginx to activate temporary ACME vhost
ansible.builtin.systemd:
name: nginx
state: reloaded
- name: Request certificate from Let's Encrypt for {{ certbot_hostname }}
ansible.builtin.command:
cmd: >-
certbot certonly
--webroot
-w /var/www/certbot
-d {{ certbot_hostname }}
--email {{ acme_email }}
--agree-tos
--non-interactive
creates: "/etc/letsencrypt/live/{{ certbot_hostname }}/fullchain.pem"
- name: Fix letsencrypt directory permissions for nginx
ansible.builtin.file:
path: "{{ item }}"
mode: "0755"
loop:
- /etc/letsencrypt/live
- /etc/letsencrypt/archive
always:
- name: Remove temporary ACME vhost
ansible.builtin.file:
path: "{{ nginx_conf_dir | default('/etc/nginx/conf.d') }}/{{ certbot_hostname | replace('.', '_') }}_acme_temp.conf"
state: absent
- name: Reload nginx after certificate provisioning
ansible.builtin.systemd:
name: nginx
state: reloaded
Reference in New Issue View Git Blame Copy Permalink