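---
# Tasks: certbot in a private venv (Gandi DNS or nginx authenticator) plus
# nginx provisioning for one domain.
# Required variables: nginx_domain, nginx_certificates, admin_email,
# certbot_authenticator ('gandi' or 'nginx'), nginx_conf.
# Conditional/optional: gandi_api_key (when certbot_authenticator == 'gandi'),
# gandi_sharing_id, nginx_owner, nginx_public_deploy_key, nginx_path.
# File modes are quoted strings so YAML 1.1 loaders do not re-type them.

- name: Create SSL dhparam
  ansible.builtin.get_url:
    # ffdhe2048 is the RFC 7919 standard group; consider pinning the download
    # with `checksum:` so a changed file cannot be installed unnoticed.
    url: https://ssl-config.mozilla.org/ffdhe2048.txt
    dest: /etc/ssl/certs/dhparam.pem
    mode: "0644"

# nginx must be present before certbot is run with --nginx below.
- name: Install nginx
  ansible.builtin.package:
    state: present
    name:
      - nginx
      - ca-certificates

- name: Setup or upgrade venv
  ansible.builtin.command: python3 -m venv --upgrade-deps /root/certbot-venv/
  # --upgrade-deps needs Python >= 3.9; the command is idempotent, so it never
  # reports a change.
  changed_when: false

- name: Prepare certbot+gandi venv
  ansible.builtin.pip:
    chdir: /root/
    virtualenv_command: /usr/bin/python3 -m venv
    virtualenv: /root/certbot-venv/
    name:
      - "pip>=21.0.1"
      - "setuptools>=53.0.0"
      - "wheel>=0.36.2"

- name: Install certbot+gandi in venv
  ansible.builtin.pip:
    chdir: /root/
    virtualenv_command: /usr/bin/python3 -m venv
    virtualenv: /root/certbot-venv/
    name:
      - "certbot<2"  # See https://github.com/certbot/certbot/issues/9485
      - "acme<2"  # See https://github.com/certbot/certbot/issues/9485
      - "certbot-plugin-gandi"

- name: Setup Gandi credentials
  ansible.builtin.copy:
    content: |
      dns_gandi_api_key = {{ gandi_api_key }}
      dns_gandi_sharing_id = {{ gandi_sharing_id | default('146a3b9a-1b93-11ec-804f-00163ea99cff') }}
    mode: "0600"
    dest: /root/gandi.ini
  # The rendered content carries the API key: keep it out of task output and diffs.
  no_log: true
  when: certbot_authenticator == 'gandi'

- name: Generate TLS certificates via Gandi
  ansible.builtin.command: >-
    /root/certbot-venv/bin/certbot certonly
    --cert-name {{ nginx_domain | quote }}
    -n --agree-tos
    -d {{ nginx_certificates | join(",") | quote }}
    -m {{ admin_email | quote }}
    --authenticator dns-gandi
    --dns-gandi-credentials /root/gandi.ini
  register: certbot
  # certbot prints "... no action taken." when the certificate is not yet due.
  changed_when: '"no action taken." not in certbot.stdout'
  when: certbot_authenticator == 'gandi'

- name: Generate TLS certificates via nginx
  ansible.builtin.command: >-
    /root/certbot-venv/bin/certbot certonly --nginx
    --cert-name {{ nginx_domain | quote }}
    -n --agree-tos
    -d {{ nginx_certificates | join(",") | quote }}
    -m {{ admin_email | quote }}
  register: certbot
  changed_when: '"no action taken." not in certbot.stdout'
  when: certbot_authenticator == 'nginx'

- name: Setup renewal cron
  ansible.builtin.cron:
    name: certbot
    minute: "55"
    hour: "8"
    job: '/root/certbot-venv/bin/certbot -q renew'

# cron's default PATH lacks /usr/sbin, which the renewal hook needs.
- name: Setup PATH in renewal cron
  ansible.builtin.cron:
    name: PATH
    env: true
    job: "/usr/sbin:/usr/bin"

- name: Setup renewal hook directory
  ansible.builtin.file:
    # deploy hooks run only after a successful issuance/renewal; this is the
    # directory the nginx.sh hook below is installed into.
    path: /etc/letsencrypt/renewal-hooks/deploy
    state: directory
    mode: "0755"

- name: Setup renewal hook script
  ansible.builtin.copy:
    dest: /etc/letsencrypt/renewal-hooks/deploy/nginx.sh
    mode: "0755"
    content: |
      #!/bin/sh
      /usr/bin/systemctl reload nginx

# Debian's certbot packages would shadow the venv-managed install.
- name: Ensure certbot is not installed from Debian packages
  ansible.builtin.package:
    state: absent
    name:
      - certbot
      - python-certbot-nginx
      - python3-certbot-nginx

- name: Create letsencrypt snippets
  ansible.builtin.template:
    src: letsencrypt.conf.j2
    dest: '/etc/nginx/snippets/letsencrypt-{{ nginx_domain }}.conf'
  notify: reload nginx

- name: User
  ansible.builtin.user:
    system: true
    name: "{{ nginx_owner }}"
  when: nginx_owner is defined

- name: .ssh directory
  ansible.builtin.file:
    path: "~{{ nginx_owner }}/.ssh"
    state: directory
    owner: "{{ nginx_owner }}"
    # sshd StrictModes only forbids group/world-writable; 0700 is the
    # least-privilege convention for ~/.ssh.
    mode: "0700"
  when: nginx_owner is defined

- name: Deploy key
  ansible.builtin.blockinfile:
    create: true
    owner: "{{ nginx_owner }}"
    mode: "0600"
    path: "~{{ nginx_owner }}/.ssh/authorized_keys"
    # blockinfile needs a marker containing {mark} to find its own block on
    # later runs; without one the key is appended again on every run.
    # Lines starting with '#' are comments in authorized_keys.
    marker: "# {mark} ANSIBLE MANAGED BLOCK: nginx deploy key"
    block: "{{ nginx_public_deploy_key }}"
  when: nginx_owner is defined and nginx_public_deploy_key is defined

- name: Configure nginx
  ansible.builtin.copy:
    content: "{{ nginx_conf }}"
    dest: "/etc/nginx/conf.d/{{ nginx_domain }}.conf"
  notify: reload nginx

- name: WWW directory
  ansible.builtin.file:
    path: "{{ nginx_path }}"
    state: directory
    owner: "{{ nginx_owner }}"
    group: "{{ nginx_owner }}"
    mode: "0755"
  when: nginx_owner is defined and nginx_path is defined

- name: Setup custom log format
  ansible.builtin.copy:
    dest: /etc/nginx/conf.d/logging.conf
    owner: root
    group: root
    mode: "0644"
    content: |
      log_format custom '$host $remote_addr - $remote_user [$time_local] '
                        '"$request" $status $body_bytes_sent '
                        '"$http_referer" "$http_user_agent"';
      access_log /var/log/nginx/access.log custom;
  notify: reload nginx

- name: Hide logging setup from nginx.conf
  ansible.builtin.lineinfile:
    # Drop the stock access_log directive so logging.conf's is the only one.
    regexp: access_log
    state: absent
    path: /etc/nginx/nginx.conf
    backup: true
  notify: reload nginx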