blob: 1456fe2ef8bed123373238617e45f233d475bc7b (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
- name: Request SSL certificate from Let's Encrypt
shell: |
# Make task independent: if nginx is already running, stop it and then
# start back on exit.
[ -f /var/run/nginx.pid ] && systemctl stop nginx
trap "systemctl start nginx" EXIT
certbot certonly \
--standalone \
--agree-tos \
--renew-by-default \
--email webmaster@ilvokhin.com \
--rsa-key-size 4096 \
-d {{ domains | join(' -d ') }}
args:
creates: /etc/letsencrypt/live/{{ domains | first }}/fullchain.pem
# TODO: rewrite this role or make it more generic.
#
# Currently we reuse certificate role for web and mail servers, but they
# are actually quite different.
# * We can't start nginx without valid certificate, but can start postfix (and
# dovecot?).
# * We can serve acme challenge with nginx itself on renewal, but we need
# `--standalone` mode for mail server (or need to bring nginx).
# * It is undesirable to bring down nginx any time we are updating
# SSL certificates.
|