blob: a736e6b3c5d65d976c1083177eac805448519f0d (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
|
- name: Request SSL certificate from Let's Encrypt
shell: |
# Make task independent: if nginx is already running, stop it and then
# start back on exit.
[ -f /var/run/nginx.pid ] && systemctl stop nginx
trap "systemctl start nginx" EXIT
certbot certonly \
--standalone \
--agree-tos \
--renew-by-default \
--email webmaster@ilvokhin.com \
--rsa-key-size 4096 \
-d {{ domains | join(' -d ') }}
args:
creates: '/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem'
# TODO: rewrite this role or make it more generic.
#
# Currently we reuse certificate role for web and mail servers, but they
# are actually quite different.
# * We can't start nginx without valid certificate, but can start postfix (and
# dovecot?).
# * We can serve acme challenge with nginx itself on renewal, but we need
# `--standalone` mode for mail server (or need to bring nginx).
# * It is undesirable to bring down nginx any time we are updating
# SSL certificates.
|