michaelschiemer/deployment/infrastructure/roles/nginx-proxy/tasks/ssl-setup.yml

---
# SSL Certificate Setup

- name: Create SSL directories
  file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: root
    mode: '0755'
  loop:
    - /etc/ssl/private
    - /etc/ssl/certs
    - "{{ ssl_certificate_path | dirname }}"
  tags:
    - nginx
    - ssl
    - directories

- name: Generate DH parameters for SSL
  openssl_dhparam:
    path: /etc/ssl/certs/dhparam.pem
    size: 2048
    owner: root
    group: root
    mode: '0644'
  tags:
    - nginx
    - ssl
    - dhparam

- name: Generate self-signed certificate for initial setup
  block:
    - name: Generate private key
      openssl_privatekey:
        path: /etc/ssl/private/{{ domain_name }}.key
        size: 2048
        type: RSA
        owner: root
        group: root
        mode: '0600'

    - name: Generate self-signed certificate
      openssl_certificate:
        path: /etc/ssl/certs/{{ domain_name }}.crt
        privatekey_path: /etc/ssl/private/{{ domain_name }}.key
        provider: selfsigned
        common_name: "{{ domain_name }}"
        subject_alt_name:
          - "DNS:{{ domain_name }}"
          - "DNS:www.{{ domain_name }}"
        owner: root
        group: root
        mode: '0644'
  when: ssl_provider == 'self-signed' or environment == 'development'
  tags:
    - nginx
    - ssl
    - self-signed

- name: Setup Let's Encrypt certificates
  block:
    - name: Check if certificates already exist
      stat:
        path: "{{ ssl_certificate_path }}/fullchain.pem"
      register: letsencrypt_cert

    - name: Create temporary Nginx config for Let's Encrypt
      template:
        src: nginx-letsencrypt-temp.conf.j2
        dest: /etc/nginx/sites-available/letsencrypt-temp
        owner: root
        group: root
        mode: '0644'
      when: not letsencrypt_cert.stat.exists

    - name: Enable temporary Nginx config
      file:
        src: /etc/nginx/sites-available/letsencrypt-temp
        dest: /etc/nginx/sites-enabled/letsencrypt-temp
        state: link
      when: not letsencrypt_cert.stat.exists
      notify: reload nginx

    - name: Start Nginx for Let's Encrypt validation
      service:
        name: "{{ nginx_service }}"
        state: started
        enabled: true
      when: not letsencrypt_cert.stat.exists

    - name: Obtain Let's Encrypt certificate
      command: >
        certbot certonly
        --webroot
        --webroot-path {{ letsencrypt_webroot_path }}
        --email {{ letsencrypt_email }}
        --agree-tos
        --non-interactive
        --expand
        {% for domain in letsencrypt_domains %}
        -d {{ domain }}
        {% endfor %}
      when: not letsencrypt_cert.stat.exists
      tags:
        - ssl
        - letsencrypt
        - certificate

    - name: Remove temporary Nginx config
      file:
        path: /etc/nginx/sites-enabled/letsencrypt-temp
        state: absent
      when: not letsencrypt_cert.stat.exists
      notify: reload nginx

    - name: Setup automatic certificate renewal
      cron:
        name: "Renew Let's Encrypt certificates"
        minute: "{{ letsencrypt_renewal_minute }}"
        hour: "{{ letsencrypt_renewal_hour }}"
        job: "certbot renew --quiet && systemctl reload nginx"
        user: "{{ letsencrypt_renewal_user }}"
      when: letsencrypt_renewal_cron | bool

  when: letsencrypt_enabled | bool and environment != 'development'
  tags:
    - nginx
    - ssl
    - letsencrypt

- name: Set up SSL certificate paths
  set_fact:
    ssl_cert_file: >-
      {%- if letsencrypt_enabled and environment != 'development' -%}
      {{ ssl_certificate_path }}/fullchain.pem
      {%- else -%}
      /etc/ssl/certs/{{ domain_name }}.crt
      {%- endif -%}
    ssl_key_file: >-
      {%- if letsencrypt_enabled and environment != 'development' -%}
      {{ ssl_certificate_path }}/privkey.pem
      {%- else -%}
      /etc/ssl/private/{{ domain_name }}.key
      {%- endif -%}
  tags:
    - nginx
    - ssl
    - config

- name: Verify SSL certificate files exist
  stat:
    path: "{{ item }}"
  register: ssl_files_check
  loop:
    - "{{ ssl_cert_file }}"
    - "{{ ssl_key_file }}"
  failed_when: not ssl_files_check.results | selectattr('stat.exists') | list
  tags:
    - nginx
    - ssl
    - verification