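---
# Provision nginx + Let's Encrypt on a host. Flow: open 80/443, install
# nginx and the letsencrypt client, deploy the per-host http vhosts, derive
# the domain list from their `server_name` directives, request certificates
# (webroot for most domains, a DNS auth hook for hatecomputers.club), deploy
# the https vhosts, and schedule staggered monthly renewals.
#
# Conventions applied: module args in block YAML (not key=value strings),
# lowercase true/false booleans, octal modes quoted so Ansible parses them
# itself, builtin modules referenced by FQCN.

- name: allow http
  ufw:
    rule: allow
    port: '80'
    proto: tcp

- name: allow https
  ufw:
    rule: allow
    port: '443'
    proto: tcp

- name: restart ufw
  ansible.builtin.service:
    name: ufw
    state: restarted
    enabled: true

# state=latest upgrades on every run (not idempotent); kept as the author
# wrote it - switch to `present` if unplanned upgrades are a concern.
- name: install nginx
  ansible.builtin.apt:
    name: nginx
    state: latest

- name: install letsencrypt
  ansible.builtin.apt:
    name: letsencrypt
    state: latest

# Webroot served by the http vhosts for the ACME http-01 challenge.
- name: create letsencrypt directory
  ansible.builtin.file:
    path: /var/www/letsencrypt
    state: directory

- name: remove default nginx
  ansible.builtin.file:
    path: /etc/nginx/sites-enabled/default
    state: absent

# `creates` makes this a one-shot: dhparam generation is slow and the file
# must not be regenerated on every run.
- name: generate dhparams
  ansible.builtin.shell: openssl dhparam -out /etc/nginx/dhparams.pem 2048
  args:
    creates: /etc/nginx/dhparams.pem

- name: add system nginx config
  ansible.builtin.template:
    src: ../files/nginx.conf
    dest: /etc/nginx/nginx.conf

# Both http.* and https.* vhosts are deployed here; the https ones are
# copied again later once certificates exist.
- name: copy http nginx configuration for each domain
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: "/etc/nginx/sites-enabled/"
  with_fileglob:
    - "files/{{ inventory_hostname }}/http.*.conf"
    - "files/{{ inventory_hostname }}/https.*.conf"

- name: restart nginx to get letsencrypt certificate
  ansible.builtin.service:
    name: nginx
    state: restarted
    enabled: true

- name: find deployed domains
  ansible.builtin.find:
    paths: "/etc/nginx/sites-enabled/"
    patterns: "http.*.conf"
  register: nginx_conf_files

# Read-only query, so it must not report "changed". Note: grep exits 1 when a
# file has no server_name line, which fails the task; each result's `stdout`
# is used verbatim as the -d argument below, so one name per file is assumed
# (a multi-name server_name would be split by the shell) - TODO confirm.
- name: extract domains from deployed nginx configurations
  ansible.builtin.shell: |
    grep -oP 'server_name\s+\K[^;]+' "{{ item.path }}"
  loop: "{{ nginx_conf_files.files }}"
  register: extracted_domains
  changed_when: false

# simponic.xyz & others
# Folded scalar (>-) already joins the lines with spaces; a trailing `\`
# inside it is not a continuation and would reach the shell as a stray
# escaped-space word, so none are used.
- name: request simponic letsencrypt certificates
  ansible.builtin.shell: >-
    letsencrypt certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }}
    --agree-tos -d {{ item.stdout }}
  args:
    creates: "/etc/letsencrypt/live/{{ item.stdout }}"
  loop: "{{ extracted_domains.results }}"
  when: '"hatecomputers.club" not in item.stdout and "rainrain" not in item.stdout'

# hatecomputers.club
# The auth hook runs as root during issuance; mode quoted so Ansible does the
# octal conversion itself.
- name: build plugin template
  ansible.builtin.template:
    src: ../templates/plugin.sh.j2
    dest: /etc/letsencrypt/hcdns.sh
    mode: "0744"
    owner: root
    group: root

# No `version:` is given, so each run tracks the remote default branch. Code
# from this checkout is executed as root by the auth hook - pin `version:` to
# a tag or commit hash so an upstream change cannot alter what runs here.
- name: clone hcdns auth repo
  ansible.builtin.git:
    repo: https://git.hatecomputers.club/simponic/hc-cert-dns
    dest: /root/hc-cert-dns

- name: request hatecomputers letsencrypt certificate
  ansible.builtin.shell: >-
    letsencrypt certonly -n
    --manual --manual-auth-hook /etc/letsencrypt/hcdns.sh
    --preferred-challenges dns
    -d {{ item.stdout }}
    --email {{ letsencrypt_email }}
    --agree-tos
    --no-eff-email
  args:
    creates: "/etc/letsencrypt/live/{{ item.stdout }}"
  loop: "{{ extracted_domains.results }}"
  when: '"hatecomputers.club" in item.stdout'

- name: copy https nginx configuration for each domain
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: "/etc/nginx/sites-enabled/"
  with_fileglob:
    - "files/{{ inventory_hostname }}/https.*.conf"
    - "files/{{ inventory_hostname }}/https.*.servconf"

# Despite the task name this is a full restart (state: restarted), kept as
# the author had it.
- name: reload nginx to activate sites
  ansible.builtin.service:
    name: nginx
    state: restarted

# Day/hour/minute are derived from md5(domain) so renewals are spread out
# (day 1-27, any hour/minute) instead of all hitting Let's Encrypt at once.
# NOTE(review): the job forces --webroot for every cert, including the one
# issued above via the DNS manual hook; confirm that renewal still succeeds
# for that certificate.
- name: add monthly letsencrypt cronjob for cert renewal based on hash of domain name to prevent hitting LE rate limits
  ansible.builtin.cron:
    name: "letsencrypt_renewal_{{ item.stdout }}"
    day: "{{ '%02d' | format(1 + (item.stdout | hash('md5') | int(0, 16) % 27)) }}"
    hour: "{{ (item.stdout | hash('md5') | int(0, 16) % 24 ) }}"
    minute: "{{ (item.stdout | hash('md5') | int(0, 16) % 60 ) }}"
    job: "letsencrypt renew --cert-name {{ item.stdout }} -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} --agree-tos && service nginx reload"
  loop: "{{ extracted_domains.results }}"
  when: item.stdout != ""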