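---
# Obtain TLS certificates with certbot (installed as a classic snap) for every
# entry in `sites`, switch each site from its http-only nginx config to the
# interim https config, and keep the snap renewal timer running.
#
# Expects `admin_email` and a `sites` list whose items carry `name` and
# `domains`; `nginx/https.conf.j2` and the handler tasks file live alongside
# this playbook.
- name: SSL certificates
  hosts: hollyhock
  become: true
  tasks:
    - name: Install certbot
      community.general.snap:
        name: certbot
        classic: true
        state: present

    # The snap binary lives under /snap/bin; the symlink keeps a plain
    # `certbot` invocation working for the tasks below and for operators.
    - name: Create symlink for certbot
      ansible.builtin.file:
        src: /snap/bin/certbot
        dest: /usr/bin/certbot
        state: link

    - name: Allow https traffic through firewall
      community.general.ufw:
        rule: allow
        port: 443
        proto: tcp

    # `certonly --nginx` only writes the certificate; the nginx config switch
    # is done by the tasks below. Both the email and each domain go through
    # the `quote` filter so a value containing whitespace or shell
    # metacharacters cannot split into extra arguments when the free-form
    # command string is tokenised.
    - name: Generate certificates
      ansible.builtin.command: >-
        certbot certonly --nginx --non-interactive --agree-tos
        --email {{ admin_email | quote }}
        {% for domain in item.domains %}-d {{ domain | quote }} {% endfor %}
      loop: "{{ sites }}"
      register: ssl_certs
      # A list of conditions is ANDed: fail only when certbot exited non-zero
      # and printed neither of its "nothing to do" messages.
      failed_when:
        - ssl_certs.rc != 0
        - "'Certificate not yet due for renewal' not in ssl_certs.stdout"
        - "'Keeping the existing certificate' not in ssl_certs.stdout"
      # Either message indicates a certificate was written. An ANDed list
      # would require both, and `certonly` is not expected to print the
      # deploy message, so the two are ORed explicitly.
      changed_when: >-
        'Successfully received certificate' in ssl_certs.stdout
        or 'Deploying Certificate' in ssl_certs.stdout

    # Config changes must reach the running nginx, hence the notify here and
    # on the http-site removal below; the handler runs once at the end of the
    # play.
    - name: Copy initial https sites
      ansible.builtin.template:
        src: nginx/https.conf.j2
        dest: "/etc/nginx/sites-available/{{ item.name }}-https"
        mode: "0644"
      loop: "{{ sites }}"
      notify: Test and restart nginx

    - name: Disable http nginx sites
      ansible.builtin.file:
        path: "/etc/nginx/sites-enabled/{{ item.name }}-http"
        state: absent
      loop: "{{ sites }}"
      notify: Test and restart nginx

    # A site's final config (no suffix) supersedes the interim -https one once
    # it is enabled; only link the -https config for sites that have not
    # reached that stage yet.
    - name: Check if final sites have been enabled
      ansible.builtin.stat:
        path: "/etc/nginx/sites-enabled/{{ item.name }}"
      register: final_sites
      loop: "{{ sites }}"

    - name: Enable https sites
      ansible.builtin.file:
        src: "/etc/nginx/sites-available/{{ item.item.name }}-https"
        dest: "/etc/nginx/sites-enabled/{{ item.item.name }}-https"
        state: link
      loop: "{{ final_sites.results }}"
      # Log the site name instead of the full stat result for each iteration.
      loop_control:
        label: "{{ item.item.name }}"
      when: not item.stat.exists
      notify: Test and restart nginx

    # The snap provides a systemd timer that handles certificate renewal.
    - name: Enable certbot timer
      ansible.builtin.systemd:
        name: snap.certbot.renew.timer
        enabled: true
        state: started

  handlers:
    - name: Test and restart nginx
      ansible.builtin.include_tasks: tasks/test_and_restart_nginx.yaml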