summaryrefslogtreecommitdiff
path: root/roles/webservers/tasks/main.yml
blob: fccd34e8993de24fdc10c61c9e59ec0672cbcefa (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93

---
- name: allow http
  ufw:
    rule: allow
    port: '80'
    proto: tcp

- name: allow https
  ufw:
    rule: allow
    port: '443'
    proto: tcp

- name: restart ufw
  service: name=ufw state=restarted enabled=yes

- name: install nginx
  apt: name=nginx state=latest

- name: install libnginx-mod-http-set-misc
  apt: name=libnginx-mod-http-set-misc state=latest

- name: install letsencrypt
  apt: name=letsencrypt state=latest

- name: create letsencrypt directory
  file: name=/var/www/letsencrypt state=directory

- name: remove default nginx
  file: name=/etc/nginx/sites-enabled/default state=absent

- name: generate dhparams
  shell: openssl dhparam -out /etc/nginx/dhparams.pem 2048
  args:
    creates: /etc/nginx/dhparams.pem

- name: add system nginx config
  template:
    src: ../files/nginx.conf
    dest: /etc/nginx/nginx.conf

- name: copy http nginx configuration for each domain
  copy:
    src: "{{ item }}"
    dest: "/etc/nginx/sites-enabled/"
  with_fileglob:
    - "files/{{ inventory_hostname }}/http.*.conf"

- name: restart nginx to get letsencrypt certificate
  service: name=nginx state=restarted enabled=yes

- name: find deployed domains
  ansible.builtin.find:
    paths: "/etc/nginx/sites-enabled/"
    patterns: "http.*.conf"
  register: nginx_conf_files
  delegate_to: "{{ inventory_hostname }}"

- name: extract domains from deployed nginx configurations
  shell: |
    grep -oP 'server_name\s+\K[^;]+' "{{ item.path }}"
  loop: "{{ nginx_conf_files.files }}"
  register: extracted_domains

- name: request letsencrypt certificate
  shell: >
    letsencrypt certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} \
      --agree-tos -d {{ item.stdout }}
  args:
    creates: "/etc/letsencrypt/live/{{ item.stdout }}"
  loop: "{{ extracted_domains.results }}"
  when: item.stdout != ""

- name: copy https nginx configuration for each domain
  copy:
    src: "{{ item }}"
    dest: "/etc/nginx/sites-enabled/"
  with_fileglob:
    - "files/{{ inventory_hostname }}/https.*.conf"

- name: reload nginx to activate sites
  service: name=nginx state=restarted

- name: add monthly letsencrypt cronjob for cert renewal based on hash of domain name to prevent hitting LE rate limits
  cron:
    name: "letsencrypt_renewal_{{ item.stdout }}"
    day: "{{ '%02d' | format(1 + (item.stdout | hash('md5') | int(0, 16) % 27)) }}"
    hour: "{{ (item.stdout | hash('md5') | int(0, 16) % 24 ) }}"
    minute: "{{ (item.stdout | hash('md5') | int(0, 16) % 60 ) }}"
    job: "letsencrypt renew --cert-name {{ item.stdout }} -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} --agree-tos && service nginx reload"
  loop: "{{ extracted_domains.results }}"
  when: item.stdout != ""
generated by cgit v1.2.3-70-g09d2 (git 2.46.0) at 2025-09-22 21:28:37 +0000