masto-aio/ansible/roles/certbot/tasks/main.yaml

---

- name: install base apps
  apt:
    force_apt_get: yes
    name:
      - docker-compose-v2

- name: base path
  file:
    path: "/srv/certbot/{{item}}"
    state: directory
    recurse: true
  with_items:
    - www
    - etc

- name: copy docker-compose
  template:
    src: templates/docker-compose.yaml
    dest: /srv/certbot/docker-compose.yaml
  notify:
    - certbot up
    - certbot restart

- name: nginx options
  copy:
    dest: /srv/certbot/etc/options-ssl-nginx.conf
    content: |
      # https://ssl-config.mozilla.org/#server=nginx&version=1.25.3&config=modern&openssl=3.0.11&guideline=5.7
      ssl_session_timeout 1d;
      ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
      ssl_session_tickets off;
      
      # modern configuration
      ssl_protocols TLSv1.3;
      ssl_prefer_server_ciphers off;
      
      # HSTS (ngx_http_headers_module is required) (63072000 seconds)
      add_header Strict-Transport-Security "max-age=63072000" always;
      
      # OCSP stapling
      ssl_stapling on;
      ssl_stapling_verify on;
  notify:
    - certbot up
    - certbot restart


- name: create the dir for the cert if needed
  file:
    path: "/srv/certbot/etc/live/{{domain_name}}"
    state: directory
    recurse: true

- name: seed a cert if needed
  command: "docker run --volume /srv/certbot/etc:/etc/letsencrypt --volume /srv/certbot/www:/var/www/certbot -p 80:80 --rm -t certbot/certbot certonly --agree-tos --email {{admin_email}} --standalone --noninteractive --cert-name {{domain_name}} --domains {{domain_name}}"
  args:
    chdir: /srv/certbot
    creates: "/srv/certbot/etc/live/{{domain_name}}/fullchain.pem"
  notify:
    - certbot up
    - certbot restart

#- name: launch certbot
#  command: docker compose up -d
#  args:
#    chdir: /srv/certbot
#
#- name: restart certbot
#  command: docker compose restart
#  args:
#    chdir: /srv/certbot
#  when: dockercompose.changed or nginxconf.changed or  mkcert.changed
Add certbot container 2024-01-19 18:58:51 -08:00			`---`

			`- name: install base apps`
			`apt:`
			`force_apt_get: yes`
			`name:`
			`- docker-compose-v2`

			`- name: base path`
			`file:`
			`path: "/srv/certbot/{{item}}"`
			`state: directory`
			`recurse: true`
			`with_items:`
			`- www`
			`- etc`

			`- name: copy docker-compose`
			`template:`
			`src: templates/docker-compose.yaml`
			`dest: /srv/certbot/docker-compose.yaml`
Fix race condition with certbot role needing nginx and vice versa 2024-01-31 12:53:59 -08:00			`notify:`
			`- certbot up`
			`- certbot restart`
Add certbot container 2024-01-19 18:58:51 -08:00
Add ssl config and create masto schema 2024-01-20 08:34:40 -08:00			`- name: nginx options`
			`copy:`
			`dest: /srv/certbot/etc/options-ssl-nginx.conf`
			`content: \|`
			`# https://ssl-config.mozilla.org/#server=nginx&version=1.25.3&config=modern&openssl=3.0.11&guideline=5.7`
			`ssl_session_timeout 1d;`
			`ssl_session_cache shared:MozSSL:10m; # about 40000 sessions`
			`ssl_session_tickets off;`

			`# modern configuration`
			`ssl_protocols TLSv1.3;`
			`ssl_prefer_server_ciphers off;`

			`# HSTS (ngx_http_headers_module is required) (63072000 seconds)`
			`add_header Strict-Transport-Security "max-age=63072000" always;`

			`# OCSP stapling`
			`ssl_stapling on;`
			`ssl_stapling_verify on;`
Fix race condition with certbot role needing nginx and vice versa 2024-01-31 12:53:59 -08:00			`notify:`
			`- certbot up`
			`- certbot restart`
Fix certbot to register the domain properly the first time 2024-01-22 20:02:30 -08:00
Add ssl config and create masto schema 2024-01-20 08:34:40 -08:00
Create a stub certificate so that nginx can launch 2024-01-20 08:51:52 -08:00			`- name: create the dir for the cert if needed`
Fix certbot playbook not running on fresh install 2024-01-22 19:25:52 -08:00			`file:`
			`path: "/srv/certbot/etc/live/{{domain_name}}"`
			`state: directory`
			`recurse: true`

Fix certbot to register the domain properly the first time 2024-01-22 20:02:30 -08:00			`- name: seed a cert if needed`
Parameterize admin email address 2024-01-22 20:05:57 -08:00			`command: "docker run --volume /srv/certbot/etc:/etc/letsencrypt --volume /srv/certbot/www:/var/www/certbot -p 80:80 --rm -t certbot/certbot certonly --agree-tos --email {{admin_email}} --standalone --noninteractive --cert-name {{domain_name}} --domains {{domain_name}}"`
Create a stub certificate so that nginx can launch 2024-01-20 08:51:52 -08:00			`args:`
Fix certbot playbook not running on fresh install 2024-01-22 19:25:52 -08:00			`chdir: /srv/certbot`
Create a stub certificate so that nginx can launch 2024-01-20 08:51:52 -08:00			`creates: "/srv/certbot/etc/live/{{domain_name}}/fullchain.pem"`
Fix race condition with certbot role needing nginx and vice versa 2024-01-31 12:53:59 -08:00			`notify:`
			`- certbot up`
			`- certbot restart`
Add ssl config and create masto schema 2024-01-20 08:34:40 -08:00
Fix race condition with certbot role needing nginx and vice versa 2024-01-31 12:53:59 -08:00			`#- name: launch certbot`
			`# command: docker compose up -d`
			`# args:`
			`# chdir: /srv/certbot`
			`#`
			`#- name: restart certbot`
			`# command: docker compose restart`
			`# args:`
			`# chdir: /srv/certbot`
			`# when: dockercompose.changed or nginxconf.changed or mkcert.changed`
Add certbot container 2024-01-19 18:58:51 -08:00