Create SSL certificates automatically for nginx configs

Signed-off-by: Florian Pritz <bluewind@xinu.at>

Create SSL certificates automatically for nginx configs
86147086 · Florian Pritz · 315d1cfc · 86147086 · 86147086 · 86147086
Commit 86147086 authored 7 years ago by Florian Pritz
--- a/roles/dbscripts/tasks/main.yml
+++ b/roles/dbscripts/tasks/main.yml
@@ -18,10 +18,8 @@
 - name: set up sudoers.d for special users
  copy: src=sudoers.d dest=/etc/sudoers.d/dbscripts owner=root group=root mode=0600

- stat: path="/etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem"
-  register: certfile
-  tags:
-    - nginx
+- name: create ssl cert
+  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{letsencrypt_validation_dir}} -d '{{ repos_domain }}' create='/etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem'

 - name: set up nginx
  template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/dbscripts.conf owner=root group=root mode=0644

--- a/roles/dbscripts/templates/nginx.d.conf.j2
+++ b/roles/dbscripts/templates/nginx.d.conf.j2
@@ -51,11 +51,9 @@ server {
    server_name  {{ repos_domain }} {{repos_rsync_domain}};
    root         /srv/ftp;

-{% if certfile.stat.exists %}
    ssl_certificate      /etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/{{ repos_domain }}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ repos_domain }}/chain.pem;
-{% endif %}

    satisfy  any;


--- a/roles/matrix/tasks/main.yml
+++ b/roles/matrix/tasks/main.yml
 ---

- stat: path="/etc/letsencrypt/live/{{ matrix_domain }}/fullchain.pem"
-  register: certfile
+- name: create ssl cert
+  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{letsencrypt_validation_dir}} -d '{{ matrix_domain }}' create='/etc/letsencrypt/live/{{ matrix_domain }}/fullchain.pem'
  when: 'matrix_domain != ""'

 - name: install packages

--- a/roles/matrix/templates/nginx.d.conf.j2
+++ b/roles/matrix/templates/nginx.d.conf.j2
@@ -25,11 +25,9 @@ server {
    access_log   /var/log/nginx/{{ matrix_domain }}/access.log;
    error_log    /var/log/nginx/{{ matrix_domain }}/error.log;

-{% if certfile.stat.exists %}
    ssl_certificate      /etc/letsencrypt/live/{{ matrix_domain }}/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/{{ matrix_domain }}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ matrix_domain }}/chain.pem;
-{% endif %}

    location /_matrix {
        proxy_pass http://matrix;

--- a/roles/public_html/tasks/main.yml
+++ b/roles/public_html/tasks/main.yml
 ---

- stat: path="/etc/letsencrypt/live/{{ public_domain }}/fullchain.pem"
-  register: certfile
+- name: create ssl cert
+  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{letsencrypt_validation_dir}} -d '{{ public_domain }}' create='/etc/letsencrypt/live/{{ public_domain }}/fullchain.pem'

 - name: copy webroot files
  copy: src=public_html dest=/srv owner=root group=root mode=0644 directory_mode=0755

--- a/roles/public_html/templates/nginx.d.conf.j2
+++ b/roles/public_html/templates/nginx.d.conf.j2
@@ -25,11 +25,9 @@ server {
    access_log   /var/log/nginx/{{ public_domain }}/access.log;
    error_log    /var/log/nginx/{{ public_domain }}/error.log;

-{% if certfile.stat.exists %}
    ssl_certificate      /etc/letsencrypt/live/{{ public_domain }}/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/{{ public_domain }}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ public_domain }}/chain.pem;
-{% endif %}

    location ~ ^/~([A-Za-z0-9]+)(/.*)? {
        alias /home/$1/public_html$2;

--- a/roles/syncrepo/tasks/main.yml
+++ b/roles/syncrepo/tasks/main.yml
 ---

- stat: path="/etc/letsencrypt/live/{{ mirror_domain }}/fullchain.pem"
-  register: certfile
+- name: create ssl cert
+  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{letsencrypt_validation_dir}} -d '{{ mirror_domain }}' create='/etc/letsencrypt/live/{{ mirror_domain }}/fullchain.pem'
  when: 'mirror_domain != ""'

 - name: install rsync

--- a/roles/syncrepo/templates/nginx.d.conf.j2
+++ b/roles/syncrepo/templates/nginx.d.conf.j2
@@ -21,11 +21,9 @@ server {
    access_log   /var/log/nginx/{{ mirror_domain }}/access.log;
    error_log    /var/log/nginx/{{ mirror_domain }}/error.log;

-{% if certfile.stat.exists %}
    ssl_certificate      /etc/letsencrypt/live/{{ mirror_domain }}/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/{{ mirror_domain }}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ mirror_domain }}/chain.pem;
-{% endif %}

    autoindex on;
 }