From f69780fa8d1992451150c5d67af088f5c329861a Mon Sep 17 00:00:00 2001
From: Dmitry Ilvokhin
Date: Sat, 6 Jan 2024 18:02:13 +0000
Subject: Add half-baked and untested certificate management
---
roles/web/tasks/certificate.yml | 15 +++++++++++++++
1 file changed, 15 insertions(+)
create mode 100644 roles/web/tasks/certificate.yml
(limited to 'roles/web/tasks/certificate.yml')
diff --git a/roles/web/tasks/certificate.yml b/roles/web/tasks/certificate.yml
new file mode 100644
index 0000000..5d25a63
--- /dev/null
+++ b/roles/web/tasks/certificate.yml
@@ -0,0 +1,15 @@
+- name: Request SSL certificate from Let's Encrypt
+ shell: |
+ # Make task independent: if nginx is already running, stop it and then
+ # start back on exit.
+ [ -f /var/run/nginx.pid ] && systemctl stop nginx
+ trap "systemctl start nginx" EXIT
+ certbot certonly \
+ --standalone \
+ --agree-tos \
+ --renew-by-default \
+ --email webmaster@ilvokhin.com \
+ --rsa-key-size 4096 \
+ -d {{ domains | join(' -d ') }}
+ args:
+ creates: '/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem'
-- cgit v1.2.3-70-g09d2
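Review bot: The `-d {{ domains | join(' -d ') }}` line pastes each domain into the shell script unquoted, so an entry containing whitespace or shell metacharacters is interpreted by the shell instead of reaching certbot as one argument; `-d {{ domains | map('quote') | join(' -d ') }}` keeps each entry intact. The `trap "systemctl start nginx" EXIT` is set even when the pid-file test found nginx stopped, so the task can start a service it never stopped; setting the trap only in the stopping branch, `if [ -f /var/run/nginx.pid ]; then systemctl stop nginx; trap "systemctl start nginx" EXIT; fi`, avoids that. `creates:` checks only the first domain's `fullchain.pem`, so names added to `domains` later are never requested and `--renew-by-default` never gets a second run. Renewal is not covered by this file, and a standalone authenticator presumably cannot bind port 80 while nginx is up, so it needs a stop/start hook or a separate task before the first certificate expires. Adding `--non-interactive` would make certbot fail instead of waiting on a prompt when Ansible runs it without a terminal.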