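---
# SSL Certificate Setup
#
# Provisions the TLS material Nginx serves, in one of two modes:
#   * self-signed  — when ssl_provider == 'self-signed' or the environment is
#                    'development'
#   * Let's Encrypt — when letsencrypt_enabled is true and the environment is
#                    not 'development' (certbot --webroot through a temporary
#                    Nginx vhost)
# and finally exports ssl_cert_file / ssl_key_file for the Nginx config.
#
# NOTE(review): `environment` is also an Ansible task keyword; using it as a
# plain variable works but is warned against by ansible-lint. Consider renaming
# it in the inventory (e.g. deploy_env) and updating the conditions below.

- name: Create SSL directories
  file:
    path: "{{ item.path }}"
    state: directory
    owner: root
    group: root
    mode: "{{ item.mode }}"
  loop:
    # /etc/ssl/private holds private keys: make it non-traversable for
    # non-root users (defence in depth on top of the 0600 key file below).
    - path: /etc/ssl/private
      mode: '0700'
    - path: /etc/ssl/certs
      mode: '0755'
    # Parent of the Let's Encrypt live directory. NOTE(review): certbot
    # creates its own live/archive directories 0700; pre-creating the parent
    # 0755 only affects the parent, but tighten it if nothing else needs it.
    - path: "{{ ssl_certificate_path | dirname }}"
      mode: '0755'
  tags:
    - nginx
    - ssl
    - directories

- name: Generate DH parameters for SSL
  # 2048-bit DH params for TLS 1.2 DHE suites (TLS 1.3 does not use them).
  # Generation is slow on first run; the module is idempotent afterwards.
  openssl_dhparam:
    path: /etc/ssl/certs/dhparam.pem
    size: 2048
    owner: root
    group: root
    mode: '0644'
  tags:
    - nginx
    - ssl
    - dhparam

- name: Generate self-signed certificate for initial setup
  # NOTE(review): openssl_privatekey/openssl_certificate are the legacy
  # module names; on current collections they resolve to
  # community.crypto.openssl_privatekey / community.crypto.x509_certificate.
  block:
    - name: Generate private key
      openssl_privatekey:
        path: /etc/ssl/private/{{ domain_name }}.key
        size: 2048
        type: RSA
        owner: root
        group: root
        mode: '0600'  # key material: owner-only

    - name: Generate self-signed certificate
      openssl_certificate:
        path: /etc/ssl/certs/{{ domain_name }}.crt
        privatekey_path: /etc/ssl/private/{{ domain_name }}.key
        provider: selfsigned
        common_name: "{{ domain_name }}"
        subject_alt_name:
          - "DNS:{{ domain_name }}"
          - "DNS:www.{{ domain_name }}"
        owner: root
        group: root
        mode: '0644'
  when: ssl_provider == 'self-signed' or environment == 'development'
  tags:
    - nginx
    - ssl
    - self-signed

- name: Setup Let's Encrypt certificates
  block:
    - name: Check if certificates already exist
      stat:
        path: "{{ ssl_certificate_path }}/fullchain.pem"
      register: letsencrypt_cert

    # The temporary vhost serves the HTTP-01 challenge from the webroot; it
    # is removed again once certbot has issued the certificate.
    - name: Create temporary Nginx config for Let's Encrypt
      template:
        src: nginx-letsencrypt-temp.conf.j2
        dest: /etc/nginx/sites-available/letsencrypt-temp
        owner: root
        group: root
        mode: '0644'
      when: not letsencrypt_cert.stat.exists

    - name: Enable temporary Nginx config
      file:
        src: /etc/nginx/sites-available/letsencrypt-temp
        dest: /etc/nginx/sites-enabled/letsencrypt-temp
        state: link
      when: not letsencrypt_cert.stat.exists
      notify: reload nginx

    - name: Start Nginx for Let's Encrypt validation
      service:
        name: "{{ nginx_service }}"
        state: started
        enabled: true
      when: not letsencrypt_cert.stat.exists

    - name: Obtain Let's Encrypt certificate
      # `command` does not go through a shell, so the variables are only
      # subject to argv splitting, not shell interpretation. Each domain in
      # letsencrypt_domains becomes its own -d argument.
      command: >
        certbot certonly --webroot
        --webroot-path {{ letsencrypt_webroot_path }}
        --email {{ letsencrypt_email }}
        --agree-tos --non-interactive --expand
        {% for domain in letsencrypt_domains %} -d {{ domain }} {% endfor %}
      when: not letsencrypt_cert.stat.exists
      tags:
        - ssl
        - letsencrypt
        - certificate

    - name: Remove temporary Nginx config
      file:
        path: /etc/nginx/sites-enabled/letsencrypt-temp
        state: absent
      when: not letsencrypt_cert.stat.exists
      notify: reload nginx

    - name: Setup automatic certificate renewal
      # NOTE(review): both `certbot renew` and `systemctl reload` require
      # root (or equivalent) privileges, so letsencrypt_renewal_user is
      # expected to be root; a `--deploy-hook` would also avoid reloading
      # Nginx on every run where nothing was renewed.
      cron:
        name: "Renew Let's Encrypt certificates"
        minute: "{{ letsencrypt_renewal_minute }}"
        hour: "{{ letsencrypt_renewal_hour }}"
        # Reload the same service unit the rest of this file manages.
        job: "certbot renew --quiet && systemctl reload {{ nginx_service }}"
        user: "{{ letsencrypt_renewal_user }}"
      when: letsencrypt_renewal_cron | bool
  when: letsencrypt_enabled | bool and environment != 'development'
  tags:
    - nginx
    - ssl
    - letsencrypt

- name: Set up SSL certificate paths
  # Must use the same `| bool` coercion as the block above: a string value
  # such as "false" from extra-vars is truthy in plain Jinja and would
  # otherwise select the Let's Encrypt paths that were never issued.
  set_fact:
    ssl_cert_file: >-
      {%- if letsencrypt_enabled | bool and environment != 'development' -%}
      {{ ssl_certificate_path }}/fullchain.pem
      {%- else -%}
      /etc/ssl/certs/{{ domain_name }}.crt
      {%- endif -%}
    ssl_key_file: >-
      {%- if letsencrypt_enabled | bool and environment != 'development' -%}
      {{ ssl_certificate_path }}/privkey.pem
      {%- else -%}
      /etc/ssl/private/{{ domain_name }}.key
      {%- endif -%}
  tags:
    - nginx
    - ssl
    - config

- name: Verify SSL certificate files exist
  stat:
    path: "{{ item }}"
  register: ssl_files_check
  loop:
    - "{{ ssl_cert_file }}"
    - "{{ ssl_key_file }}"
  # failed_when is evaluated per loop item, where the registered variable is
  # that item's result (no `.results` list yet). Fail if *either* file is
  # missing rather than only when none exist.
  failed_when: not ssl_files_check.stat.exists
  tags:
    - nginx
    - ssl
    - verification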