-rw-r--r-- | roles/certificate/tasks/main.yml | 11 | ||||
-rw-r--r-- | roles/nginx/files/hooks/deploy/nginx.sh (renamed from roles/nginx/files/nginx.sh) | 0 | ||||
-rw-r--r-- | roles/nginx/files/hooks/post/nginx.sh | 3 | ||||
-rw-r--r-- | roles/nginx/files/hooks/pre/nginx.sh | 3 | ||||
-rw-r--r-- | roles/nginx/tasks/main.yml | 9 |
5 files changed, 24 insertions, 2 deletions
diff --git a/roles/certificate/tasks/main.yml b/roles/certificate/tasks/main.yml
index 5d25a63..a736e6b 100644
--- a/roles/certificate/tasks/main.yml
+++ b/roles/certificate/tasks/main.yml
@@ -13,3 +13,14 @@
 -d {{ domains | join(' -d ') }}
 args:
 creates: '/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem'
+
+# TODO: rewrite this role or make it more generic.
+#
+# Currently we reuse certificate role for web and mail servers, but they
+# are actually quite different.
+# * We can't start nginx without valid certificate, but can start postfix (and
+# dovecot?).
+# * We can serve acme challenge with nginx itself on renewal, but we need
+# `--standalone` mode for mail server (or need to bring nginx).
+# * It is undesirable to bring down nginx any time we are updating
+# SSL certificates.
diff --git a/roles/nginx/files/nginx.sh b/roles/nginx/files/hooks/deploy/nginx.sh
index ca022f8..ca022f8 100644
--- a/roles/nginx/files/nginx.sh
+++ b/roles/nginx/files/hooks/deploy/nginx.sh
diff --git a/roles/nginx/files/hooks/post/nginx.sh b/roles/nginx/files/hooks/post/nginx.sh
new file mode 100644
index 0000000..84e871d
--- /dev/null
+++ b/roles/nginx/files/hooks/post/nginx.sh
@@ -0,0 +1,3 @@
+#! /bin/sh
+
+systemctl start nginx
diff --git a/roles/nginx/files/hooks/pre/nginx.sh b/roles/nginx/files/hooks/pre/nginx.sh
new file mode 100644
index 0000000..91b7633
--- /dev/null
+++ b/roles/nginx/files/hooks/pre/nginx.sh
@@ -0,0 +1,3 @@
+#! /bin/sh
+
+systemctl stop nginx
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 73cb4ad..8edb7db 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
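Review bot: The third bullet of the new TODO, `# \`--standalone\` mode for mail server (or need to bring nginx).`, does not say in which direction nginx is brought; read together with the next bullet and the new pre hook it presumably means taking nginx down, so `(or need to bring nginx down)` would be unambiguous. Since this comment is the only place that explains why nginx is currently stopped around renewal, it is also worth pointing at the scripts that do it, e.g. `# (see roles/nginx/files/hooks/pre and hooks/post)`, so the coupling between the two roles is discoverable from here. The task whose `args:`/`creates:` lines precede the comment starts outside the hunk.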
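Review bot: Nothing in this change removes the hook that earlier runs of the nginx role installed at `/etc/letsencrypt/renewal-hooks/deploy/nginx.sh` (the `dest` removed in the nginx tasks hunk), so hosts provisioned before this commit keep that stale deploy hook running alongside this new post hook. If it is the reload script that was renamed to `roles/nginx/files/hooks/deploy/nginx.sh`, it would presumably run while nginx is stopped by the pre hook and report a failure on every renewal. A cleanup task in `roles/nginx/tasks/main.yml` using `ansible.builtin.file` with `path: /etc/letsencrypt/renewal-hooks/deploy/nginx.sh` and `state: absent` would close that gap, and the now-unused `hooks/deploy/nginx.sh` file can be dropped from the repository or its purpose documented.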
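Review bot: The pre hook stops nginx without saying why a reload would not do, which a reader will otherwise only learn from the TODO in the certificate role; if the reason is that certbot needs port 80 for its standalone challenge, a header such as `# Stop nginx so certbot can bind port 80 for the challenge; hooks/post/nginx.sh starts it again.` keeps the pair self-describing, and the matching `hooks/post/nginx.sh` deserves the mirror comment. Because the stop and the start live in separate hooks, a certbot run interrupted between them (killed, or a reboot) leaves nginx down until the next renewal attempt or a manual start, so the nginx unit's state is worth alerting on. The post hook also starts nginx regardless of whether it was running before the pre hook, which is fine today but should be stated if the hooks are ever reused for a host where nginx is intentionally stopped.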
@@ -45,11 +45,16 @@
 - name: Copy nginx certificate renewal hook
 ansible.builtin.copy:
- src: files/nginx.sh
- dest: /etc/letsencrypt/renewal-hooks/deploy/nginx.sh
+ src: 'files/hooks/{{ item }}/nginx.sh'
+ dest: '/etc/letsencrypt/renewal-hooks/{{ item }}/nginx.sh'
 owner: root
 group: root
 mode: u+rwx,g+r,o+r
+ loop:
+ - pre
+ - post
+ # There is no deploy hook and it is intentional. As we currently stop nginx
+ # before renewal and start it after, so there is no need for reload.
 - name: Enable nginx systemd service
 ansible.builtin.service: |