--- - name: install package pkgng: name: - nginx - acme.sh state: present - name: (local) ssl/tls - check dhparam existence become: false stat: path: "{{ playbook_dir }}/private/ssl/dhparam4096.pem" delegate_to: localhost register: stat_result tags: nginx - name: (local) ssl/tls - generate dhparam (4096 bit) become: false command: > openssl dhparam -out "{{ playbook_dir }}/private/ssl/dhparam4096.pem" 4096 delegate_to: localhost when: not stat_result.stat.exists tags: nginx - name: ssl/tls - copy dhparam copy: src: "{{ playbook_dir }}/private/ssl/dhparam4096.pem" dest: /usr/local/etc/ssl/dhparam4096.pem mode: 0444 tags: nginx - name: nginx - copy conf.d/ config directory copy: src: nginx/conf.d/ # trailing '/' -> directory contents dest: /usr/local/etc/nginx/conf.d/ tags: nginx - name: nginx - create sites/ directory file: path: /usr/local/etc/nginx/sites state: directory tags: nginx - name: nginx - generate basic site for ACME template: src: sites/00-acme-httpredirect.conf.j2 dest: /usr/local/etc/nginx/sites/00-acme-httpredirect.conf tags: nginx - name: nginx - copy nginx.conf copy: src: nginx/nginx.conf dest: /usr/local/etc/nginx/nginx.conf # XXX: Validation runs aganist a temporary file, thus nginx fails to # include other config files! #validate: "nginx -t -c %s" notify: reload-nginx tags: nginx - name: nginx - check configuration command: nginx -t tags: nginx - name: nginx - enable and start command: rcenable nginx tags: nginx - name: nginx - set newsyslog to rotate log file blockinfile: path: /etc/newsyslog.conf marker: '# {mark} ANSIBLE MANAGED - nginx' block: | /var/log/nginx/access.log 644 7 * @T00 Z /var/run/nginx.pid /var/log/nginx/error.log 644 7 * @T00 Z /var/run/nginx.pid tags: nginx - name: acme - create webroot directory file: path: "{{ web.acme_webroot }}/.well-known/acme-challenge" state: directory owner: acme group: www mode: 0755 recurse: true tags: acme - name: acme.sh - touch log file file: path: /var/log/acme.sh.log owner: acme group: acme mode: 0640 state: touch tags: acme - name: acme.sh - set newsyslog to rotate log file lineinfile: path: /etc/newsyslog.conf regexp: '^#?/var/log/acme.sh.log' line: "/var/log/acme.sh.log acme:acme 640 7 100 * Z" tags: acme - name: acme.sh - generate issue script template: src: acme/issue.sh.j2 dest: "{{ web.acme_home }}/issue.sh" mode: 0755 tags: - acme - acme-renew - name: acme.sh - issue certificates become: true become_user: acme command: sh "{{ web.acme_home }}/issue.sh" tags: - acme - acme-renew - name: acme.sh - generate deploy script template: src: acme/deploy.sh.j2 dest: "{{ web.acme_home }}/deploy.sh" mode: 0755 tags: - acme - acme-renew - name: acme.sh - deploy certificates command: sh "{{ web.acme_home }}/deploy.sh" tags: - acme - acme-renew - name: acme.sh - touch local deploy script file: path: "{{ web.acme_home }}/deploy.local.sh" mode: 0755 state: touch tags: acme - name: acme.sh - add nginx reload to deploy lineinfile: path: "{{ web.acme_home }}/deploy.local.sh" line: "service nginx reload" tags: acme - name: acme.sh - generate renew script template: src: acme/renew.sh.j2 dest: "{{ web.acme_home }}/renew.sh" mode: 0755 tags: acme - name: acme.sh - set monthly task for cert renewal (1) copy: src: 600.acme-sh dest: /etc/periodic/monthly/600.acme-sh mode: 0755 tags: acme - name: acme.sh - set monthly task for cert renewal (2) blockinfile: path: /etc/periodic.conf marker: '# {mark} ANSIBLE MANAGED - acme' block: | monthly_acme_sh_enable="YES" monthly_acme_sh_renewscript="{{ web.acme_home }}/renew.sh" monthly_acme_sh_deployscript="{{ web.acme_home }}/deploy.sh" tags: acme - block: - name: nginx - re-generate sites include_tasks: nginx-gensites.yml tags: - acme - sites