Diffstat (limited to 'playbooks/https.yaml')
-rw-r--r--playbooks/https.yaml73
1 files changed, 73 insertions, 0 deletions
diff --git a/playbooks/https.yaml b/playbooks/https.yaml
new file mode 100644
index 0000000..84146db
--- /dev/null
+++ b/playbooks/https.yaml
@@ -0,0 +1,73 @@
+- name: SSL certificates
+ hosts: hollyhock
+ become: true
+ tasks:
+ - name: Install certbot
+ community.general.snap:
+ name: certbot
+ classic: true
+ state: present
+
+ - name: Create symlink for certbot
+ ansible.builtin.file:
+ src: /snap/bin/certbot
+ dest: /usr/bin/certbot
+ state: link
+
+ - name: Allow https traffic through firewall
+ community.general.ufw:
+ rule: allow
+ port: 443
+ proto: tcp
+
+ - name: Generate certificates
+ ansible.builtin.command: |
+ certbot certonly --nginx --non-interactive --agree-tos --email {{ admin_email }}
+ {% for domain in item.domains %}-d {{ domain }} {% endfor %}
+ loop: "{{ sites }}"
+ register: ssl_certs
+ failed_when:
+ - ssl_certs.rc != 0
+ - "'Certificate not yet due for renewal' not in ssl_certs.stdout"
+ - "'Keeping the existing certificate' not in ssl_certs.stdout"
+ changed_when:
+ - "'Successfully received certificate' in ssl_certs.stdout"
+ - "'Deploying Certificate' in ssl_certs.stdout"
+
+ - name: Copy initial https sites
+ ansible.builtin.template:
+ src: nginx/https.conf.j2
+ dest: "/etc/nginx/sites-available/{{ item.name }}-https"
+ mode: "0644"
+ loop: "{{ sites }}"
+
+ - name: Disable http nginx sites
+ ansible.builtin.file:
+ path: "/etc/nginx/sites-enabled/{{ item.name }}-http"
+ state: absent
+ loop: "{{ sites }}"
+
+ - name: Check if final sites have been enabled
+ ansible.builtin.stat:
+ path: "/etc/nginx/sites-enabled/{{ item.name }}"
+ register: final_sites
+ loop: "{{ sites }}"
+
+ - name: Enable https sites
+ ansible.builtin.file:
+ src: "/etc/nginx/sites-available/{{ item.item.name }}-https"
+ dest: "/etc/nginx/sites-enabled/{{ item.item.name }}-https"
+ state: link
+ loop: "{{ final_sites.results }}"
+ when: not item.stat.exists
+ notify: Test and restart nginx
+
+ - name: Enable certbot timer
+ ansible.builtin.systemd:
+ name: snap.certbot.renew.timer
+ enabled: true
+ state: started
+
+ handlers:
+ - name: Test and restart nginx
+ ansible.builtin.include_tasks: tasks/test_and_restart_nginx.yaml
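Review bot: The `certbot certonly` command at line 40 obtains certificates via the nginx authenticator but records no deploy hook, so when `snap.certbot.renew.timer` (enabled at line 80) renews them nothing reloads nginx and the server keeps serving the old certificate from memory until it is restarted for an unrelated reason — eventually an expired one; changing the command to `certbot certonly --nginx --non-interactive --agree-tos --email {{ admin_email }} --deploy-hook 'systemctl reload nginx'` stores the hook in the renewal config so every renewal is picked up. Separately, the `changed_when` list at lines 48-50 is AND-ed, and since `certonly` does not deploy, 'Deploying Certificate' is unlikely ever to appear in stdout, so the task will probably never report changed; dropping that entry would fix reporting. The template task at line 52 and the http-disable task at line 59 also lack `notify: Test and restart nginx`, so a modified https.conf.j2 (e.g. tightened TLS settings) or a removed http vhost is not applied until the 'Enable https sites' task happens to fire on the same run.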