---
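# Install the Docker Compose v2 plugin from the distro repositories.
# force_apt_get pins Ansible to apt-get even when aptitude is present, so
# behaviour does not depend on what else happens to be installed.
- name: install base apps
  ansible.builtin.apt:
    force_apt_get: true  # was `yes`: a YAML 1.1 truthy string; use a real boolean
    name:
      - docker-compose-v2
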
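# Create the host-side directories the stack mounts:
#   /srv/certbot/www  - mounted at /var/www/certbot by the seed task
#   /srv/certbot/etc  - mounted at /etc/letsencrypt; holds certbot state,
#                       including the private keys under archive/
- name: base path
  ansible.builtin.file:
    path: "/srv/certbot/{{ item }}"
    state: directory
    # recurse makes the module walk the directory contents on every run;
    # with no owner/group/mode given it appears to change nothing, and is
    # kept only to preserve the original behaviour.
    recurse: true
  loop:
    - www
    - etc
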
# Render the compose file for the certbot stack. The result is registered
# so the restart task at the end of this file can react to a changed file.
- name: copy docker-compose
  ansible.builtin.template:
    src: 'templates/docker-compose.yaml'
    dest: '/srv/certbot/docker-compose.yaml'
  register: dockercompose

# Left disabled by the author. If it is ever re-enabled, note that it
# registers `nginxconf`, the same name the "nginx options" task registers,
# and the later of the two would win.
# - name: nginx config
#   template:
#     src: templates/nginx.conf
#     dest: /srv/nginx/conf.d/certbot.conf
#   register: nginxconf

# Shared TLS parameter snippet for the nginx side of the stack. It is
# written into the letsencrypt state directory, which the seed task mounts
# at /etc/letsencrypt in the certbot container; presumably the nginx
# container mounts it the same way and `include`s this file — verify
# against templates/docker-compose.yaml.
# The body is the Mozilla "modern" profile from the linked generator:
# TLS 1.3 only (older clients are rejected by design), no session tickets,
# two-year HSTS without includeSubDomains/preload, OCSP stapling.
# NOTE(review): the generator's output also carries a
# `ssl_trusted_certificate` line (the issuer chain; in the letsencrypt
# layout that is live/<domain>/chain.pem) and an async `resolver`. Without
# them `ssl_stapling_verify on` has no chain to validate OCSP responses
# against and nginx is expected to warn and skip stapling — confirm, and
# add both where the container-side paths are known.
# NOTE(review): the file name is the one certbot's nginx plugin manages
# under /etc/letsencrypt. This playbook does not use that plugin, but keep
# the names distinct if it ever does, or certbot may overwrite this file.
- name: nginx options
  copy:
    dest: /srv/certbot/etc/options-ssl-nginx.conf
    # Literal block: every line below, the `#` lines included, is part of
    # the nginx config; the trailing newline is kept.
    content: |
      # https://ssl-config.mozilla.org/#server=nginx&version=1.25.3&config=modern&openssl=3.0.11&guideline=5.7
      ssl_session_timeout 1d;
      ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
      ssl_session_tickets off;

      # modern configuration
      ssl_protocols TLSv1.3;
      ssl_prefer_server_ciphers off;

      # HSTS (ngx_http_headers_module is required) (63072000 seconds)
      add_header Strict-Transport-Security "max-age=63072000" always;

      # OCSP stapling
      ssl_stapling on;
      ssl_stapling_verify on;
  # Consumed by the restart task's `when` at the end of this file.
  register: nginxconf

# Make sure the lineage directory exists before anything tries to mount it.
# NOTE(review): certbot creates live/<cert-name> itself when it issues the
# certificate, and some versions refuse to create a lineage whose live
# directory already exists ("live directory exists"). On a fresh host this
# task runs before the seed task, so confirm the combination against the
# certbot image in use.
- name: create the dir for the cert if needed
  ansible.builtin.file:
    state: directory
    recurse: true
    path: '/srv/certbot/etc/live/{{ domain_name }}'

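# Obtain the initial certificate with a one-off certbot container using the
# standalone HTTP-01 responder. The task is skipped once fullchain.pem
# exists, so it only ever runs on a fresh host; renewals are presumably
# handled by the long-running compose service started below.
# The ACME account e-mail can be set per host with `certbot_email`; the
# default is the address the playbook originally hard-coded.
- name: seed a cert if needed
  ansible.builtin.command:
    # argv passes each element as one argument, so the templated values are
    # never re-split on whitespace the way a single command string would be.
    argv:
      - docker
      - run
      - --volume
      - /srv/certbot/etc:/etc/letsencrypt
      # Webroot mount kept from the original command; it is not used in
      # --standalone mode.
      - --volume
      - /srv/certbot/www:/var/www/certbot
      # Standalone mode answers the challenge on host port 80, which must be
      # free at this point (the compose stack is only started afterwards).
      - -p
      - "80:80"
      - --rm
      - -t
      - certbot/certbot
      - certonly
      - --agree-tos
      - --email
      - "{{ certbot_email | default('erik@erikstambaugh.com') }}"
      - --standalone
      - --noninteractive
      - --cert-name
      - "{{ domain_name }}"
      - --domains
      - "{{ domain_name }}"
    chdir: /srv/certbot
    # Idempotency guard: skip once the lineage has been issued.
    creates: "/srv/certbot/etc/live/{{ domain_name }}/fullchain.pem"
  # Consumed by the restart task's `when` at the end of this file.
  register: mkcert
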
# Bring the compose stack up in the background. Without a creates/removes
# guard the command module reports this task as changed on every run.
- name: launch certbot
  ansible.builtin.command:
    cmd: docker compose up -d
    chdir: /srv/certbot

# Restart the stack when any of its inputs changed during this run: the
# rendered compose file, the nginx TLS snippet, or a freshly seeded
# certificate. All three results are registered by earlier tasks in this
# file, so they must have run (not been skipped by tags) for the
# condition to evaluate.
- name: restart certbot
  ansible.builtin.command:
    cmd: docker compose restart
    chdir: /srv/certbot
  when: >-
    dockercompose.changed
    or nginxconf.changed
    or mkcert.changed
