Add certbot container

ansible/roles/certbot/tasks/main.yaml

@@ -0,0 +1,40 @@
+---
+
+- name: install base apps
+  apt:
+    force_apt_get: yes
+    name:
+      - docker-compose-v2
+
+- name: base path
+  file:
+    path: "/srv/certbot/{{item}}"
+    state: directory
+    recurse: true
+  with_items:
+    - www
+    - etc
+
+- name: copy docker-compose
+  template:
+    src: templates/docker-compose.yaml
+    dest: /srv/certbot/docker-compose.yaml
+  register: dockercompose
+
+#- name: nginx config
+#  template:
+#    src: templates/nginx.conf
+#    dest: /srv/nginx/conf.d/certbot.conf
+#  register: nginxconf
+
+- name: launch certbot
+  command: docker compose up -d
+  args:
+    chdir: /srv/certbot
+
+- name: restart certbot
+  command: docker compose restart
+  args:
+    chdir: /srv/certbot
+  when: dockercompose.changed or nginxconf.changed
+

ansible/roles/certbot/templates/docker-compose.yaml

@@ -0,0 +1,21 @@
+version: '3.5'
+services:
+  certbot:
+    container_name: certbot
+    image: certbot/certbot
+    restart: unless-stopped
+    volumes:
+      - /srv/certbot/etc:/etc/letsencrypt
+      - /srv/certbot/www:/var/www/certbot
+    entrypoint: >
+      /bin/sh -c 'trap exit TERM;
+      certbot certonly --noninteractive --register-unsafely-without-email --agree-tos --reinstall --cert-name {{domain_name}} -d {{domain_name}} --webroot --webroot-path=/var/www/certbot
+      ; while :; do certbot renew --noninteractive --webroot --webroot-path=/var/www/certbot --cert-name {{domain_name}}
+      ; sleep 12h & wait $${!}; done;'
+    networks:
+      - nginx
+
+networks:
+  nginx:
+    external: true
+

ansible/site.yaml

@@ -9,5 +9,6 @@
   hosts: social
   roles:
     - { role: nginx, become: yes }
+    - { role: certbot, become: yes }
     - { role: mastodon, become: yes }