---
- name: install package
  # Both come from the FreeBSD package repository: the web server and the ACME
  # client that issues the certificates further down in this file.
  pkgng:
    state: present
    name: [nginx, acme.sh]

- name: (local) ssl/tls - check dhparam existence
  # Looks for a previously generated DH parameter file on the controller
  # (delegate_to localhost); no privilege escalation is needed for that.
  delegate_to: localhost
  become: false
  stat:
    path: "{{ playbook_dir }}/private/ssl/dhparam4096.pem"
  register: stat_result
  tags: [nginx]

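- name: (local) ssl/tls - generate dhparam (4096 bit)
  # Runs on the controller without privilege escalation; the next task copies
  # the result to the host. Generating 4096-bit DH parameters is slow
  # (typically many minutes), so the file is persisted under the playbook's
  # private/ directory and created only once.
  become: false
  delegate_to: localhost
  # `>-` folds the lines into a single command and, unlike plain `>`, drops
  # the trailing newline from the argument string.
  command: >-
    openssl dhparam
    -out "{{ playbook_dir }}/private/ssl/dhparam4096.pem" 4096
  args:
    # `creates` makes the task self-guarding: once the file exists the
    # command is skipped, without depending on a separately registered stat.
    creates: "{{ playbook_dir }}/private/ssl/dhparam4096.pem"
  tags: nginx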

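- name: ssl/tls - copy dhparam
  # DH parameters are public values, so world-readable (0444) is fine. The
  # mode is quoted so the YAML parser does not turn the octal into an int.
  copy:
    src: "{{ playbook_dir }}/private/ssl/dhparam4096.pem"
    dest: /usr/local/etc/ssl/dhparam4096.pem
    mode: "0444"
  # Presumably referenced via ssl_dhparam in the nginx config, which nginx
  # reads at (re)load; a changed parameter set therefore needs a reload.
  notify: reload-nginx
  tags: nginx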

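- name: nginx - copy conf.d/ config directory
  # The trailing '/' on src copies the directory *contents* into dest.
  copy:
    src: nginx/conf.d/
    dest: /usr/local/etc/nginx/conf.d/
  # Files under conf.d/ are presumably included by nginx.conf, so changes to
  # them need the same reload as nginx.conf itself.
  notify: reload-nginx
  tags: nginx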

- name: nginx - create sites/ directory
  # Per-site configs live here: the ACME redirect site generated below and,
  # presumably, the sites produced by nginx-gensites.yml.
  file:
    state: directory
    path: /usr/local/etc/nginx/sites
  tags: [nginx]

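- name: nginx - generate basic site for ACME
  # Plain-HTTP site that (judging by the template name) serves the ACME
  # challenge path and redirects everything else; it must be in place before
  # acme.sh issues the first certificate.
  template:
    src: sites/00-acme-httpredirect.conf.j2
    dest: /usr/local/etc/nginx/sites/00-acme-httpredirect.conf
  # A changed site config is only picked up by nginx after a reload.
  notify: reload-nginx
  tags: nginx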

- name: nginx - copy nginx.conf
  # `validate: "nginx -t -c %s"` is deliberately left out: the check would run
  # against a temporary copy, so nginx cannot resolve the files the config
  # includes. The separate `nginx -t` task below checks the installed file.
  copy:
    dest: /usr/local/etc/nginx/nginx.conf
    src: nginx/nginx.conf
  notify: reload-nginx
  tags: [nginx]

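- name: nginx - check configuration
  # Fails the play when the installed configuration does not parse, which
  # also keeps the reload-nginx handler from firing on a broken config.
  # The check modifies nothing, so it must not report 'changed'.
  command: nginx -t
  changed_when: false
  tags: nginx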

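- name: nginx - enable and start
  # The service module enables nginx in rc.conf and starts it only when it is
  # not already running, so the task is idempotent and reports 'changed'
  # accurately. The previous bare command (`rcenable nginx`, presumably a
  # local wrapper) reported changed on every run.
  service:
    name: nginx
    enabled: true
    state: started
  tags: nginx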

- name: nginx - set newsyslog to rotate log file
  # newsyslog.conf columns: logfile [owner:group] mode count size when flags
  # [pidfile]. Here: no owner column (files stay root-owned), mode 644, keep 7
  # rotations, no size limit (*), rotate daily at 00:00 (@T00), gzip the
  # archives (Z), and signal the pid in /var/run/nginx.pid (SIGHUP by
  # default) so nginx reopens its log files.
  blockinfile:
    path: /etc/newsyslog.conf
    marker: '# {mark} ANSIBLE MANAGED - nginx'
    block: |
      /var/log/nginx/access.log		644  7	   *	@T00  Z    /var/run/nginx.pid
      /var/log/nginx/error.log		644  7	   *	@T00  Z    /var/run/nginx.pid
  tags: nginx

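- name: acme - create webroot directory
  # Challenge directory, presumably written by acme.sh (running as 'acme')
  # and served by nginx (group 'www'). With recurse, owner/group/mode are
  # re-applied to everything already under the directory on every run, so
  # any leftover challenge files end up 0755 as well.
  file:
    path: "{{ web.acme_webroot }}/.well-known/acme-challenge"
    state: directory
    owner: acme
    group: www
    mode: "0755"
    recurse: true
  tags: acme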

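- name: acme.sh - touch log file
  # Log owned by the unprivileged acme user, group-readable only (0640).
  # Preserving the timestamps makes `touch` idempotent: the task reports
  # changed only when it actually creates the file.
  file:
    path: /var/log/acme.sh.log
    owner: acme
    group: acme
    mode: "0640"
    state: touch
    modification_time: preserve
    access_time: preserve
  tags: acme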

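- name: acme.sh - set newsyslog to rotate log file
  # Replaces an existing (possibly commented-out) entry for the log, or
  # appends one. The dots in the path are escaped so the regexp matches the
  # literal filename only. Owner and mode match the file created above
  # (acme:acme, 0640); 90 rotations, daily at 00:00, gzip-compressed.
  lineinfile:
    path: /etc/newsyslog.conf
    regexp: '^#?/var/log/acme\.sh\.log'
    line: "/var/log/acme.sh.log  acme:acme       640  90    *    @T00   Z"
  tags: acme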

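- name: acme.sh - generate issue script
  # No owner is set, so the file belongs to the user the play runs as rather
  # than to acme; with 0755 the acme user (which executes it in the next
  # task) can run it but not modify it.
  template:
    src: acme/issue.sh.j2
    dest: "{{ web.acme_home }}/issue.sh"
    mode: "0755"
  tags:
    - acme
    - acme-renew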

- name: acme.sh - issue certificates
  # The ACME client runs as the unprivileged acme user, not root. The
  # script's outcome is not inspectable from here, so the task always
  # reports changed.
  become: true
  become_user: acme
  command: sh "{{ web.acme_home }}/issue.sh"
  tags: [acme, acme-renew]

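- name: acme.sh - generate deploy script
  # Like issue.sh: no owner set, 0755, so the acme user can execute but not
  # edit it. The mode is quoted so the YAML parser keeps it a string.
  template:
    src: acme/deploy.sh.j2
    dest: "{{ web.acme_home }}/deploy.sh"
    mode: "0755"
  tags:
    - acme
    - acme-renew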

- name: acme.sh - deploy certificates
  # Unlike the issue step this runs without become_user, i.e. with the
  # play's default privileges -- presumably because installing certificates
  # and reloading nginx need root.
  command: sh "{{ web.acme_home }}/deploy.sh"
  tags: [acme, acme-renew]

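- name: acme.sh - touch local deploy script
  # Site-specific hook, appended to by the next task and presumably run by
  # deploy.sh. Timestamps are preserved so the touch is idempotent and only
  # reports changed when the file is created.
  file:
    path: "{{ web.acme_home }}/deploy.local.sh"
    mode: "0755"
    state: touch
    modification_time: preserve
    access_time: preserve
  tags: acme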

- name: acme.sh - add nginx reload to deploy
  # Appends the reload command once; lineinfile is a no-op when the exact
  # line is already present. The file must already exist (created above).
  lineinfile:
    line: "service nginx reload"
    path: "{{ web.acme_home }}/deploy.local.sh"
  tags: [acme]

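- name: acme.sh - generate renew script
  # Renewal entry point invoked from the acme user's crontab (cron tasks
  # below): run acme.sh's renewal pass, then the deploy script. No owner is
  # set, so acme can execute but not modify it.
  # NOTE(review): from cron this executes deploy.sh as 'acme', whereas the
  # play runs deploy.sh without become_user (presumably root), and
  # deploy.local.sh holds `service nginx reload`, which needs root. Confirm
  # deploy.sh.j2 escalates for that step, or the cron-driven reload may fail.
  # NOTE(review): cron's PATH is minimal; confirm acme.sh resolves from it.
  copy:
    dest: "{{ web.acme_home }}/renew.sh"
    mode: "0755"
    content: |
      acme.sh --cron
      sh {{ web.acme_home }}/deploy.sh
  tags: acme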

- name: acme.sh - install cron job to renew (1)
  # With env: true the cron module writes an environment line rather than a
  # job: MAILTO=root in the acme user's crontab, so renewal output is mailed
  # to root instead of to acme.
  cron:
    env: true
    user: acme
    name: MAILTO
    job: root
  tags: [acme]

- name: acme.sh - install cron job to renew (2)
  # Runs renew.sh once a month as the acme user.
  # NOTE(review): acme.sh only renews certificates past its renewal window
  # (60 days by default) and upstream installs a daily cron. A monthly
  # schedule leaves at most one attempt before a 90-day certificate expires,
  # with no retry if that attempt fails -- consider special_time: daily.
  cron:
    user: acme
    special_time: monthly
    name: 'acme.sh-renew'
    job: "sh {{ web.acme_home }}/renew.sh"
  tags: [acme]

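- name: nginx - re-generate sites
  # Tags on an include_tasks select only the include itself; the tasks inside
  # nginx-gensites.yml inherit nothing, so a run with `--tags sites` would
  # skip them unless they carry their own tags. `apply` pushes the same tags
  # down to the included tasks.
  include_tasks:
    file: nginx-gensites.yml
    apply:
      tags:
        - acme
        - sites
  tags:
    - acme
    - sites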