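---
# Certbot SSL certificate setup tasks
#
# Expected from the caller:
#   ssl_email       - contact address for the ACME account
#   trillium_domain - the single domain the certificate is issued for
# Registered facts left for later tasks: certbot_result, certbot_test, ssl_cert

- name: Install Certbot and Nginx plugin
  apt:
    name:
      - certbot
      - python3-certbot-nginx
    state: present
    # canonical boolean; 'yes' is only a YAML 1.1 truthy spelling
    update_cache: true

- name: Create web root directory
  file:
    path: /var/www/html
    state: directory
    mode: '0755'

- name: Create initial web page for ACME challenge
  copy:
    content: |
      <!DOCTYPE html>
      <html>
      <head>
      <title>ACME Challenge</title>
      </head>
      <body>
      <h1>ACME Challenge Page</h1>
      <p>This page is used for SSL certificate validation.</p>
      </body>
      </html>
    dest: /var/www/html/index.html
    mode: '0644'

# Standalone mode needs port 80, so Nginx has to be stopped for the
# first issuance. Check for an existing certificate first so that a
# re-run of the playbook does not take the site down every time;
# renewals are handled by the cron job further below without a stop.
- name: Check whether a certificate was already issued
  stat:
    path: "/etc/letsencrypt/live/{{ trillium_domain }}/fullchain.pem"
  register: ssl_cert_existing

- name: Stop Nginx temporarily for initial certificate request
  systemd:
    name: nginx
    state: stopped
  when: not ssl_cert_existing.stat.exists

- name: Obtain SSL certificate using standalone mode
  command:
    # argv passes each templated value as one argument, so a value
    # containing whitespace cannot be split into extra certbot flags
    # (a value starting with '--' would still be seen as a flag; the
    # caller is trusted to supply a plain address and domain).
    argv:
      - certbot
      - certonly
      - --standalone
      - --non-interactive
      - --agree-tos
      - --email
      - "{{ ssl_email }}"
      - --domains
      - "{{ trillium_domain }}"
    # idempotency guard: certbot is not re-run once the chain exists,
    # which replaces the previous stderr-based "already exists" parsing
    creates: "/etc/letsencrypt/live/{{ trillium_domain }}/fullchain.pem"
  register: certbot_result

- name: Start Nginx service
  systemd:
    name: nginx
    state: started

# NOTE(review): distro certbot packages may already ship a renewal
# timer; this cron entry is kept as the explicit renewal path.
- name: Setup automatic certificate renewal
  cron:
    name: "Certbot renewal"
    job: "/usr/bin/certbot renew --quiet --post-hook 'systemctl reload nginx'"
    minute: "0"
    hour: "2"
    user: root

# dry-run only talks to the ACME staging endpoint and changes nothing
- name: Test certificate renewal
  command: certbot renew --dry-run
  register: certbot_test
  changed_when: false

- name: Display certificate renewal test result
  debug:
    msg: "{{ certbot_test.stdout }}"

- name: Verify SSL certificate exists
  stat:
    path: "/etc/letsencrypt/live/{{ trillium_domain }}/fullchain.pem"
  register: ssl_cert

- name: Display SSL certificate status
  debug:
    msg: "SSL certificate for {{ trillium_domain }}: {{ 'exists' if ssl_cert.stat.exists else 'not found' }}"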