104 lines
3.4 KiB
YAML
104 lines
3.4 KiB
YAML
---
|
|
|
|
- name: SET_FACT | Assign default...
|
|
ansible.builtin.set_fact:
|
|
acme_create: []
|
|
|
|
- name: STAT | Check if certificates are already installed
|
|
ansible.builtin.stat:
|
|
path: "{{ item | nginx_cert_path(nginx_ssl_dir) }}"
|
|
loop: "{{ nginx_ssl_pairs }}"
|
|
when: item.acme is defined and item.acme
|
|
register: acme_installed_certs
|
|
|
|
- name: SET_FACT | Assign var with certificates to create
|
|
ansible.builtin.set_fact:
|
|
acme_create: "{{ acme_create | default([]) + [(item.item)] }}"
|
|
loop: "{{ acme_installed_certs.results }}"
|
|
when: item.skipped is not defined and (not item.stat.exists or item.stat.size == 0)
|
|
|
|
- name: BLOCK | Start acme
|
|
block:
|
|
|
|
- name: TEMPLATE | Create fake site
|
|
ansible.builtin.template:
|
|
src: "etc/nginx/conf.d/FAKESITE.conf.j2"
|
|
dest: "{{ nginx_etc_dir }}/conf.d/FAKESITE_{{ item | nginx_site_name }}.conf"
|
|
mode: 0644
|
|
owner: root
|
|
group: root
|
|
loop: "{{ acme_create }}"
|
|
register: fake_site
|
|
notify: Restart nginx
|
|
|
|
- name: TEMPLATE | Create fake site
|
|
ansible.builtin.template:
|
|
src: "etc/nginx/conf.d/FAKESITE.conf.j2"
|
|
dest: "/tmp/FAKESITE_{{ item | nginx_site_name }}.conf"
|
|
mode: 0644
|
|
owner: root
|
|
group: root
|
|
loop: "{{ acme_create }}"
|
|
|
|
- name: FILE | Delete current site if needed # noqa: no-handler
|
|
ansible.builtin.file:
|
|
path: "{{ nginx_etc_dir }}/sites-enabled/{{ item | nginx_site_name }}"
|
|
state: absent
|
|
loop: "{{ acme_create }}"
|
|
when: fake_site.changed
|
|
notify: Restart nginx
|
|
|
|
- name: META | Ensure nginx is restarted if needed
|
|
ansible.builtin.meta: flush_handlers
|
|
|
|
- name: COMMAND | Get certificates
|
|
ansible.builtin.command: |
|
|
{{ nginx_acmesh_bin }}
|
|
--home {{ nginx_acmesh_dir }}
|
|
--issue{% for s in nginx_sites | nginx_search_by_ssl_name(item.name) | nginx_all_site_names %} -d {{ s }}{% endfor %}
|
|
--nginx
|
|
{% if nginx_acmesh_test %}--test --log{% endif %}
|
|
args:
|
|
creates: "{{ nginx_acmesh_dir }}/{{ item | nginx_site_name }}/fullchain.cer"
|
|
loop: "{{ acme_create }}"
|
|
register: acme_get
|
|
failed_when: acme_get.rc != 0 and acme_get.rc != 2
|
|
no_log: "{{ not nginx_debug_role }}"
|
|
|
|
- name: FILE | Create SSL dir per site
|
|
ansible.builtin.file:
|
|
path: "{{ nginx_ssl_dir }}/{{ item | nginx_site_name }}"
|
|
loop: "{{ acme_create }}"
|
|
|
|
- name: COMMAND | Install certificates
|
|
ansible.builtin.command: |
|
|
{{ nginx_acmesh_bin }}
|
|
--home {{ nginx_acmesh_dir }}
|
|
--install-cert -d {{ nginx_sites | nginx_search_by_ssl_name(item | nginx_site_name) | nginx_site_name }}
|
|
--fullchain-file {{ item | nginx_cert_path(nginx_ssl_dir) }}
|
|
--key-file {{ item | nginx_key_path(nginx_ssl_dir) }}
|
|
--reloadcmd "service nginx reload"
|
|
args:
|
|
creates: "{{ item | nginx_cert_path(nginx_ssl_dir) }}"
|
|
loop: "{{ nginx_ssl_pairs }}"
|
|
when: item.acme is defined and item.acme
|
|
notify: Restart nginx
|
|
|
|
rescue:
|
|
|
|
- name: FAIL | Explicit
|
|
ansible.builtin.fail:
|
|
msg: "Something is bad... Auto crash!"
|
|
|
|
always:
|
|
|
|
- name: FILE | Delete fake sites
|
|
ansible.builtin.file:
|
|
path: "{{ nginx_etc_dir }}/conf.d/FAKESITE_{{ item | nginx_site_name }}.conf"
|
|
state: absent
|
|
loop: "{{ acme_create }}"
|
|
notify: Restart nginx
|
|
|
|
- name: META | Flush handlers
|
|
ansible.builtin.meta: flush_handlers
|