masto-aio/ansible/roles/certbot/tasks/main.yaml

---

- name: install base apps
  apt:
    force_apt_get: yes
    name:
      - docker-compose-v2

- name: base path
  file:
    path: "/srv/certbot/{{item}}"
    state: directory
    recurse: true
  with_items:
    - www
    - etc

- name: copy docker-compose
  template:
    src: templates/docker-compose.yaml
    dest: /srv/certbot/docker-compose.yaml
  register: dockercompose

#- name: nginx config
#  template:
#    src: templates/nginx.conf
#    dest: /srv/nginx/conf.d/certbot.conf
#  register: nginxconf

- name: nginx options
  copy:
    dest: /srv/certbot/etc/options-ssl-nginx.conf
    content: |
      # https://ssl-config.mozilla.org/#server=nginx&version=1.25.3&config=modern&openssl=3.0.11&guideline=5.7
      ssl_session_timeout 1d;
      ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
      ssl_session_tickets off;
      
      # modern configuration
      ssl_protocols TLSv1.3;
      ssl_prefer_server_ciphers off;
      
      # HSTS (ngx_http_headers_module is required) (63072000 seconds)
      add_header Strict-Transport-Security "max-age=63072000" always;
      
      # OCSP stapling
      ssl_stapling on;
      ssl_stapling_verify on;

- name: create the dir for the cert if needed
  file:
    path: "/srv/certbot/etc/live/{{domain_name}}"
    state: directory
    recurse: true

- name: launch certbot
  command: docker compose up -d
  args:
    chdir: /srv/certbot

- name: seed a fake cert if needed
  command: "docker exec -t certbot openssl req -nodes -new -x509 -subj '/CN=localhost' -out /etc/letsencrypt/live/{{domain_name}}/fullchain.pem -keyout /etc/letsencrypt/live/{{domain_name}}/privkey.pem"
  args:
    chdir: /srv/certbot
    creates: "/srv/certbot/etc/live/{{domain_name}}/fullchain.pem"
  register: mkcert

- name: restart certbot
  command: docker compose restart
  args:
    chdir: /srv/certbot
  when: mkcert.changed

- name: restart certbot
  command: docker compose restart
  args:
    chdir: /srv/certbot
  when: dockercompose.changed or nginxconf.changed
Add certbot container 2024-01-19 18:58:51 -08:00			`---`

			`- name: install base apps`
			`apt:`
			`force_apt_get: yes`
			`name:`
			`- docker-compose-v2`

			`- name: base path`
			`file:`
			`path: "/srv/certbot/{{item}}"`
			`state: directory`
			`recurse: true`
			`with_items:`
			`- www`
			`- etc`

			`- name: copy docker-compose`
			`template:`
			`src: templates/docker-compose.yaml`
			`dest: /srv/certbot/docker-compose.yaml`
			`register: dockercompose`

			`#- name: nginx config`
			`# template:`
			`# src: templates/nginx.conf`
			`# dest: /srv/nginx/conf.d/certbot.conf`
			`# register: nginxconf`

Add ssl config and create masto schema 2024-01-20 08:34:40 -08:00			`- name: nginx options`
			`copy:`
			`dest: /srv/certbot/etc/options-ssl-nginx.conf`
			`content: \|`
			`# https://ssl-config.mozilla.org/#server=nginx&version=1.25.3&config=modern&openssl=3.0.11&guideline=5.7`
			`ssl_session_timeout 1d;`
			`ssl_session_cache shared:MozSSL:10m; # about 40000 sessions`
			`ssl_session_tickets off;`

			`# modern configuration`
			`ssl_protocols TLSv1.3;`
			`ssl_prefer_server_ciphers off;`

			`# HSTS (ngx_http_headers_module is required) (63072000 seconds)`
			`add_header Strict-Transport-Security "max-age=63072000" always;`

			`# OCSP stapling`
			`ssl_stapling on;`
			`ssl_stapling_verify on;`

Create a stub certificate so that nginx can launch 2024-01-20 08:51:52 -08:00			`- name: create the dir for the cert if needed`
Fix certbot playbook not running on fresh install 2024-01-22 19:25:52 -08:00			`file:`
			`path: "/srv/certbot/etc/live/{{domain_name}}"`
			`state: directory`
			`recurse: true`

			`- name: launch certbot`
			`command: docker compose up -d`
Create a stub certificate so that nginx can launch 2024-01-20 08:51:52 -08:00			`args:`
Fix certbot playbook not running on fresh install 2024-01-22 19:25:52 -08:00			`chdir: /srv/certbot`
Add ssl config and create masto schema 2024-01-20 08:34:40 -08:00
Create a stub certificate so that nginx can launch 2024-01-20 08:51:52 -08:00			`- name: seed a fake cert if needed`
			`command: "docker exec -t certbot openssl req -nodes -new -x509 -subj '/CN=localhost' -out /etc/letsencrypt/live/{{domain_name}}/fullchain.pem -keyout /etc/letsencrypt/live/{{domain_name}}/privkey.pem"`
			`args:`
Fix certbot playbook not running on fresh install 2024-01-22 19:25:52 -08:00			`chdir: /srv/certbot`
Create a stub certificate so that nginx can launch 2024-01-20 08:51:52 -08:00			`creates: "/srv/certbot/etc/live/{{domain_name}}/fullchain.pem"`
Fix certbot playbook not running on fresh install 2024-01-22 19:25:52 -08:00			`register: mkcert`
Add ssl config and create masto schema 2024-01-20 08:34:40 -08:00
Fix certbot playbook not running on fresh install 2024-01-22 19:25:52 -08:00			`- name: restart certbot`
			`command: docker compose restart`
Add certbot container 2024-01-19 18:58:51 -08:00			`args:`
			`chdir: /srv/certbot`
Fix certbot playbook not running on fresh install 2024-01-22 19:25:52 -08:00			`when: mkcert.changed`
Add certbot container 2024-01-19 18:58:51 -08:00
			`- name: restart certbot`
			`command: docker compose restart`
			`args:`
			`chdir: /srv/certbot`
			`when: dockercompose.changed or nginxconf.changed`