From 899eca5f024f22b67aa032dd82aa4393b60b85e4 Mon Sep 17 00:00:00 2001
From: Dmitry Ilvokhin <d@ilvokhin.com>
Date: Sun, 14 Apr 2024 19:27:14 +0100
Subject: Make certificate updates work for nginx

Currently, we obtain certificates from Let's Encrypt with standalone
mode, so when we do renew, certbot tries to run it is own webserver on
port 80, but this port is already in use by nginx.

Stop nginx, before renewal. This is quite hacky, but should work. Proper
solution is to split certificate role by standalone and non-standalone
versions.
---
 roles/nginx/tasks/main.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'roles/nginx/tasks/main.yml')

diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 73cb4ad..8edb7db 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -45,11 +45,16 @@
 
 - name: Copy nginx certificate renewal hook
   ansible.builtin.copy:
-    src: files/nginx.sh
-    dest: /etc/letsencrypt/renewal-hooks/deploy/nginx.sh
+    src: 'files/hooks/{{ item }}/nginx.sh'
+    dest: '/etc/letsencrypt/renewal-hooks/{{ item }}/nginx.sh'
     owner: root
     group: root
     mode: u+rwx,g+r,o+r
+  loop:
+    - pre
+    - post
+    # There is no deploy hook and it is intentional. As we currently stop nginx
+    # before renewal and start it after, so there is no need for reload.
 
 - name: Enable nginx systemd service
   ansible.builtin.service:
-- 
cgit v1.2.3-70-g09d2