initial commit

2025-10-16 22:54:40 +02:00
parent d80ca5979e
commit 5e6faaffcf
23 changed files with 1608 additions and 1 deletions
--- a/playbooks/03-setup-certbot.yml
+++ b/playbooks/03-setup-certbot.yml
@@ -0,0 +1,79 @@
+---
+# Certbot SSL certificate setup tasks
+    - name: Install Certbot and Nginx plugin
+      apt:
+        name:
+          - certbot
+          - python3-certbot-nginx
+        state: present
+        update_cache: yes
+
+    - name: Create web root directory
+      file:
+        path: /var/www/html
+        state: directory
+        mode: '0755'
+
+    - name: Create initial web page for ACME challenge
+      copy:
+        content: |
+          <!DOCTYPE html>
+          <html>
+          <head>
+              <title>ACME Challenge</title>
+          </head>
+          <body>
+              <h1>ACME Challenge Page</h1>
+              <p>This page is used for SSL certificate validation.</p>
+          </body>
+          </html>
+        dest: /var/www/html/index.html
+        mode: '0644'
+
+    - name: Stop Nginx temporarily for initial certificate request
+      systemd:
+        name: nginx
+        state: stopped
+
+    - name: Obtain SSL certificate using standalone mode
+      command: >
+        certbot certonly
+        --standalone
+        --non-interactive
+        --agree-tos
+        --email {{ ssl_email }}
+        --domains {{ trillium_domain }}
+      register: certbot_result
+      changed_when: certbot_result.rc == 0
+      failed_when: certbot_result.rc != 0 and "already exists" not in certbot_result.stderr
+
+    - name: Start Nginx service
+      systemd:
+        name: nginx
+        state: started
+
+    - name: Setup automatic certificate renewal
+      cron:
+        name: "Certbot renewal"
+        job: "/usr/bin/certbot renew --quiet --post-hook 'systemctl reload nginx'"
+        minute: "0"
+        hour: "2"
+        user: root
+
+    - name: Test certificate renewal
+      command: certbot renew --dry-run
+      register: certbot_test
+      changed_when: false
+
+    - name: Display certificate renewal test result
+      debug:
+        msg: "{{ certbot_test.stdout }}"
+
+    - name: Verify SSL certificate exists
+      stat:
+        path: "/etc/letsencrypt/live/{{ trillium_domain }}/fullchain.pem"
+      register: ssl_cert
+
+    - name: Display SSL certificate status
+      debug:
+        msg: "SSL certificate for {{ trillium_domain }}: {{ 'exists' if ssl_cert.stat.exists else 'not found' }}"