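---
# Host prerequisites for the certbot/nginx stack managed by the tasks below.
- name: install base apps
  apt:
    # Canonical boolean. `yes` is only a boolean under YAML 1.1 loaders;
    # `true` reads the same everywhere (yamllint `truthy`).
    force_apt_get: true
    name:
      - docker-compose-v2
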
# Layout under /srv/certbot: `etc` is the host side of the certbot
# state (options-ssl-nginx.conf and live/ are written there later);
# `www` is presumably the ACME webroot -- confirm against the compose template.
- name: base path
  file:
    path: "/srv/certbot/{{ item }}"
    state: directory
    recurse: true
  loop:
    - www
    - etc

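# Render the compose file; `dockercompose` is consulted by the final restart task.
- name: copy docker-compose
  template:
    src: templates/docker-compose.yaml
    dest: /srv/certbot/docker-compose.yaml
    # Pin the mode instead of inheriting the remote umask
    # (ansible-lint `risky-file-permissions`).
    mode: "0644"
  register: dockercompose

# Disabled. While this task is commented out nothing registers `nginxconf`,
# so a bare `nginxconf.changed` in a later `when:` fails as an undefined variable.
#- name: nginx config
#  template:
#    src: templates/nginx.conf
#    dest: /srv/nginx/conf.d/certbot.conf
#  register: nginxconf
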
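# TLS snippet for nginx. The content is the Mozilla "modern" profile minus the
# certificate/resolver lines: `ssl_stapling_verify on` only does anything if the
# server block also sets `ssl_trusted_certificate` and a `resolver` -- confirm.
# While the self-signed placeholder seeded below is being served, stapling has
# nothing to staple and browsers ignore the HSTS header (it is only honored on a
# connection with a valid chain), so neither directive is harmful during bootstrap.
- name: nginx options
  copy:
    dest: /srv/certbot/etc/options-ssl-nginx.conf
    # World-readable is intended: nginx (in a container) only needs to read it.
    # Pin it rather than depend on the remote umask.
    mode: "0644"
    content: |
      # https://ssl-config.mozilla.org/#server=nginx&version=1.25.3&config=modern&openssl=3.0.11&guideline=5.7
      ssl_session_timeout 1d;
      ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
      ssl_session_tickets off;

      # modern configuration
      ssl_protocols TLSv1.3;
      ssl_prefer_server_ciphers off;

      # HSTS (ngx_http_headers_module is required) (63072000 seconds)
      add_header Strict-Transport-Security "max-age=63072000" always;

      # OCSP stapling
      ssl_stapling on;
      ssl_stapling_verify on;
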
# Host-side live/ directory for this domain. The seeding task below writes
# fullchain.pem and privkey.pem here (via the container mount), so this
# directory ends up holding a private key.
# NOTE(review): no `mode` is set, so permissions come from the remote umask --
# check what certbot and the nginx container actually need before tightening.
- name: create the dir for the cert if needed
  file:
    state: directory
    recurse: true
    path: "/srv/certbot/etc/live/{{ domain_name }}"

# Bring the stack up. `up -d` both creates and re-creates containers, so this
# is also what applies changes to docker-compose.yaml. Reports changed on
# every run (plain `command`, no `changed_when`).
- name: launch certbot
  command:
    cmd: docker compose up -d
    chdir: /srv/certbot

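# Placeholder self-signed pair so nginx can start before certbot has issued the
# real certificate. `argv` hands the arguments to docker verbatim instead of
# re-splitting a templated string with shlex, so the value of `domain_name`
# cannot change the argument list (and the inner quoting around -subj goes away).
- name: seed a fake cert if needed
  command:
    argv:
      - docker
      - exec
      - "-t"
      - certbot
      - openssl
      - req
      - "-nodes"
      - "-new"
      - "-x509"
      - "-subj"
      - /CN=localhost
      - "-out"
      - "/etc/letsencrypt/live/{{ domain_name }}/fullchain.pem"
      - "-keyout"
      - "/etc/letsencrypt/live/{{ domain_name }}/privkey.pem"
    chdir: /srv/certbot
    # Idempotence guard on the host path. Assumes /srv/certbot/etc is mounted at
    # /etc/letsencrypt inside the certbot container -- confirm in
    # templates/docker-compose.yaml.
    creates: "/srv/certbot/etc/live/{{ domain_name }}/fullchain.pem"
  register: mkcert
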
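# Restart so nginx picks up the freshly seeded placeholder certificate.
# Named distinctly: the play has a second "restart certbot" task, and
# --start-at-task / --list-tasks cannot tell identically named tasks apart.
- name: restart certbot after seeding fake cert
  command:
    cmd: docker compose restart
    chdir: /srv/certbot
  when: mkcert is changed
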
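# Restart when rendered config changed. `nginxconf` is only registered by the
# "nginx config" task, which is commented out, so it must be guarded with
# `is defined` or this `when:` aborts the play with an undefined variable.
# Note that compose-file changes are already applied by the earlier `up -d`;
# `docker compose restart` alone does not re-read docker-compose.yaml.
- name: restart certbot after config change
  command:
    cmd: docker compose restart
    chdir: /srv/certbot
  when: dockercompose is changed or (nginxconf is defined and nginxconf is changed)
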