roles/nginx: Switch to acme.sh for Let's Encrypt

The certbot-auto client that I've been using for a long time is now only supported if you install it using snap. I don't use snap on my systems so I decided to switch to the acme.sh client, which is imp- lemented in POSIX shell with no dependencies. One bonus of this is that I can start using ECC certificates. This also configures the .well-known directory so we can use webroot when installing and renewing certificates. I have yet to understand how the renewal works with regards to webroot, though. I may have to update the systemd timers to point to /var/lib/letsencrypt/.well-known.
2021-03-19 23:39:30 +02:00
parent 65fc52c5e5
commit a34cb1e666
7 changed files with 63 additions and 132 deletions
--- a/roles/nginx/templates/vhost.conf.j2
+++ b/roles/nginx/templates/vhost.conf.j2
@ -14,6 +14,8 @@ server {
    listen [::]:80;
    server_name {{ domain_name }} {{ domain_aliases }};

+    {% include 'well-known.j2' %}
+
    # redirect http -> https
    location / {
        # ? in rewrite makes sure nginx doesn't append query string again