authorDmitry Ilvokhin <d@ilvokhin.com>2024-01-06 18:02:13 +0000
committerDmitry Ilvokhin <d@ilvokhin.com>2024-01-06 18:02:13 +0000
commitf69780fa8d1992451150c5d67af088f5c329861a (patch)
treecf58989af972b5cf9432a76df6e7bf827d2ac132 /roles/web/tasks/certificate.yml
parentf2e2d0ee6010b48b72c50b8747ae197bd91e491e (diff)
Add half-baked and untested certificate management
Diffstat (limited to 'roles/web/tasks/certificate.yml')
-rw-r--r--roles/web/tasks/certificate.yml15
1 files changed, 15 insertions, 0 deletions
diff --git a/roles/web/tasks/certificate.yml b/roles/web/tasks/certificate.yml
new file mode 100644
index 0000000..5d25a63
--- /dev/null
+++ b/roles/web/tasks/certificate.yml
@@ -0,0 +1,15 @@
+- name: Request SSL certificate from Let's Encrypt
+ shell: |
+ # Make task independent: if nginx is already running, stop it and then
+ # start back on exit.
+ [ -f /var/run/nginx.pid ] && systemctl stop nginx
+ trap "systemctl start nginx" EXIT
+ certbot certonly \
+ --standalone \
+ --agree-tos \
+ --renew-by-default \
+ --email webmaster@ilvokhin.com \
+ --rsa-key-size 4096 \
+ -d {{ domains | join(' -d ') }}
+ args:
+ creates: '/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem'
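Review bot: The `trap "systemctl start nginx" EXIT` line is installed unconditionally, so nginx is started on exit even on a host where it was not running beforehand; that contradicts the comment above it and can bring up a web server that was deliberately stopped or is not yet configured. Tie the trap to the stop, e.g. `[ -f /var/run/nginx.pid ] && { systemctl stop nginx; trap "systemctl start nginx" EXIT; }`. The domain list is also interpolated into the shell unquoted; `-d {{ domains | map('quote') | join(' -d ') }}` keeps a malformed inventory value from being parsed as shell syntax. Separately, `creates:` checks only the first domain's live directory, so a name added to `domains` later will not trigger re-issuance and would presumably be served with a certificate that does not cover it.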