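---
# Certbot deployment tasks: install the compose plugin, lay out /srv/certbot,
# write the nginx TLS snippet, seed the first certificate with a one-off
# standalone certbot run, then bring the compose stack up.
#
# Variables used:
#   domain_name   - domain the certificate is issued for (required)
#   certbot_email - contact address passed to certbot; falls back to the
#                   address that used to be hard-coded in the seed task

- name: install base apps
  apt:
    force_apt_get: true
    name:
      - docker-compose-v2

- name: base path
  file:
    path: "/srv/certbot/{{ item }}"
    state: directory
    recurse: true
  loop:
    - www
    - etc

- name: copy docker-compose
  template:
    src: templates/docker-compose.yaml
    dest: /srv/certbot/docker-compose.yaml
  register: dockercompose

#- name: nginx config
#  template:
#    src: templates/nginx.conf
#    dest: /srv/nginx/conf.d/certbot.conf
#  register: nginxconf

# Snippet is included by the nginx server block; it is the Mozilla "modern"
# profile (TLS 1.3 only, HSTS, OCSP stapling). Stapling also needs a
# `resolver` directive in the including server/http block, which is not
# set here — confirm against the nginx config that includes this file.
- name: nginx options
  copy:
    dest: /srv/certbot/etc/options-ssl-nginx.conf
    content: |
      # https://ssl-config.mozilla.org/#server=nginx&version=1.25.3&config=modern&openssl=3.0.11&guideline=5.7
      ssl_session_timeout 1d;
      ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
      ssl_session_tickets off;

      # modern configuration
      ssl_protocols TLSv1.3;
      ssl_prefer_server_ciphers off;

      # HSTS (ngx_http_headers_module is required) (63072000 seconds)
      add_header Strict-Transport-Security "max-age=63072000" always;

      # OCSP stapling
      ssl_stapling on;
      ssl_stapling_verify on;
  register: nginxconf

- name: create the dir for the cert if needed
  file:
    path: "/srv/certbot/etc/live/{{ domain_name }}"
    state: directory
    recurse: true

# The command is given as an argv list so that domain_name and the e-mail
# address are passed as single arguments: with a plain command string they
# would be word-split, and a value containing whitespace could turn into
# extra docker/certbot options. `creates` keeps the run idempotent — certbot
# is only invoked while no fullchain.pem exists for the domain.
- name: seed a cert if needed
  command:
    argv:
      - docker
      - run
      - --volume
      - /srv/certbot/etc:/etc/letsencrypt
      - --volume
      - /srv/certbot/www:/var/www/certbot
      - -p
      - "80:80"
      - --rm
      - -t
      - certbot/certbot
      - certonly
      - --agree-tos
      - --email
      - "{{ certbot_email | default('erik@erikstambaugh.com') }}"
      - --standalone
      - --noninteractive
      - --cert-name
      - "{{ domain_name }}"
      - --domains
      - "{{ domain_name }}"
    chdir: /srv/certbot
    creates: "/srv/certbot/etc/live/{{ domain_name }}/fullchain.pem"
  register: mkcert

- name: launch certbot
  command: docker compose up -d
  args:
    chdir: /srv/certbot

# Restart only when something the running container depends on changed:
# the compose file, the nginx snippet, or a freshly seeded certificate.
- name: restart certbot
  command: docker compose restart
  args:
    chdir: /srv/certbot
  when: dockercompose.changed or nginxconf.changed or mkcert.changed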