Alan Orth a34cb1e666
roles/nginx: Switch to acme.sh for Let's Encrypt
The certbot-auto client that I've been using for a long time is now
only supported if you install it using snap. I don't use snap on my
systems so I decided to switch to the acme.sh client, which is imp-
lemented in POSIX shell with no dependencies. One bonus of this is
that I can start using ECC certificates.

This also configures the .well-known directory so we can use webroot
when installing and renewing certificates. I have yet to understand
how the renewal works with regards to webroot, though. I may have to
update the systemd timers to point to /var/lib/letsencrypt/.well-known.
2021-03-19 23:39:30 +02:00

78 lines
2.1 KiB
YAML

---
- name: Add nginx.org apt signing key
apt_key: id=0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 url=https://nginx.org/keys/nginx_signing.key state=present
register: add_nginx_apt_key
tags: nginx, packages
- name: Add nginx.org repo
template: src=nginx_org_sources.list.j2 dest=/etc/apt/sources.list.d/nginx_org_sources.list owner=root group=root mode=0644
register: add_nginx_apt_repository
tags: nginx, packages
- name: Update apt cache
apt:
update_cache: yes
when:
add_nginx_apt_key is changed or
add_nginx_apt_repository is changed
- name: Install nginx
apt: pkg=nginx cache_valid_time=3600 state=present
tags: nginx, packages
- name: Copy nginx.conf
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=0644 owner=root group=root
notify:
- reload nginx
tags: nginx
- name: Copy extra nginx configs
copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root
loop:
- extra-security.conf
- fastcgi_cache
notify:
- reload nginx
tags: nginx
- name: Remove default nginx vhost
file: path=/etc/nginx/conf.d/default.conf state=absent
tags: nginx
- name: Create fastcgi cache dir
file: path=/var/cache/nginx/cached/fastcgi state=directory owner=nginx group=nginx mode=0755
tags: nginx
- name: Configure nginx virtual hosts
include_tasks: vhosts.yml
when: nginx_vhosts is defined
tags: nginx
- name: Configure WordPress
include_tasks: wordpress.yml
when: nginx_vhosts is defined
tags: wordpress
- name: Configure blank nginx vhost
template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf mode=0644 owner=root group=root
notify:
- reload nginx
tags: nginx
- name: Configure munin vhost
copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root
notify:
- reload nginx
tags: nginx
- name: Start and enable nginx service
systemd: name=nginx state=started enabled=yes
tags: nginx
- name: Configure Let's Encrypt
include_tasks: letsencrypt.yml
#when: use_letsencrypt is defined and use_letsencrypt
tags: letsencrypt
# vim: set ts=2 sw=2: