Extended geerlingguy.certbot role

2026-06-05 02:35:12 +02:00 · 2026-06-05 02:35:12 +02:00 · 3109eb66d4
parent f909c30bc5
commit 3109eb66d4
8 changed files with 85 additions and 52 deletions
--- a/ansible/inventories/group_vars/automotive/automotive.yaml
+++ b/ansible/inventories/group_vars/automotive/automotive.yaml
@ -35,5 +35,5 @@ certbot_certs:
    - "{{ nginx_server_name }}"

 #Certbot verbose level
-certbot_create_extra_args: "-v"
+certbot_create_extra_args: "-vvv --force-renewal"
 certbot_testmode: false
--- a/ansible/playbooks/roles/certbot/defaults/main.yaml
+++ b/ansible/playbooks/roles/certbot/defaults/main.yaml
@ -0,0 +1 @@
+certbot_with_dockered_nginx : True
--- a/ansible/playbooks/roles/certbot/tasks/certbot_with_dockered_nginx.yaml
+++ b/ansible/playbooks/roles/certbot/tasks/certbot_with_dockered_nginx.yaml
@ -0,0 +1,62 @@
+---
+# Need to stop using port 80 for certbot webroot validation
+- name: Gathering NGINX container state
+  docker_container_info:
+    name: nginx
+  register: nginx_info
+
+- name: Stop NGINX if present
+  docker_container:
+    name: nginx
+    state: stopped
+  when: 
+    - nginx_info.exists
+
+# Manage certbot
+
+- name: Instal and configure certbot
+  include_role:
+    name: geerlingguy.certbot
+
+- name: Copy fullchain files to nginx volume
+  ansible.builtin.copy:
+    src: "/etc/letsencrypt/live/{{ item.name }}/fullchain.pem"
+    #TODO nginx configuration is not multi domain
+    dest: "{{ docker_base_volume_path }}/nginx/ssl/fullchain.pem"
+    remote_src: true
+    mode: '0644'
+  loop: "{{ certbot_certs }}"
+
+- name: Copy privkey files to nginx volume
+  ansible.builtin.copy:
+    src: "/etc/letsencrypt/live/{{ item.name }}/privkey.pem"
+    #TODO nginx configuration is not multi domain
+    dest: "{{ docker_base_volume_path }}/nginx/ssl/privatekey.pem"
+    remote_src: true
+    mode: '0644'
+  loop: "{{ certbot_certs }}"
+
+
+- name: Setting up Docker NGINX renewal hooks 
+  template:
+    src: "docker_nginx_{{ item }}.j2"
+    dest: "/etc/letsencrypt/renewal-hooks/{{ item }}/docker_nginx_{{ item }}.sh"
+    mode: '0744'
+  loop: 
+    - pre
+    - post
+
+- name: Removing systemctl hooks
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - "/etc/letsencrypt/renewal-hooks/pre/stop_services"
+    - "/etc/letsencrypt/renewal-hooks/post/start_services"
+
+
+# Installs dockered NGINX if needed and start it 
+
+- name: Installing and (Re)starting NGINX
+  include_role:
+    name: chrissayon.wordpress_docker.nginx
--- a/ansible/playbooks/roles/certbot/tasks/main.yaml
+++ b/ansible/playbooks/roles/certbot/tasks/main.yaml
@ -0,0 +1,3 @@
+---
+- include_tasks: certbot_with_dockered_nginx.yaml
+  when: certbot_with_dockered_nginx
--- a/ansible/playbooks/roles/certbot/templates/docker_nginx_post.j2
+++ b/ansible/playbooks/roles/certbot/templates/docker_nginx_post.j2
@ -0,0 +1,10 @@
+#!/bin/sh
+
+{% for item in certbot_certs %}
+cp /etc/letsencrypt/live/{{ item.name }}/fullchain.pem {{ docker_base_volume_path }}/nginx/ssl/fullchain.pem
+cp /etc/letsencrypt/live/{{ item.name }}/privkey.pem {{ docker_base_volume_path }}/nginx/ssl/private.pem
+{% endfor %}
+
+docker start nginx
+
+docker ps 
--- a/ansible/playbooks/roles/certbot/templates/docker_nginx_pre.j2
+++ b/ansible/playbooks/roles/certbot/templates/docker_nginx_pre.j2
@ -0,0 +1,5 @@
+#!/bin/sh
+docker stop nginx
+
+docker ps 
+
--- a/ansible/playbooks/templates/nginx.j2
+++ b/ansible/playbooks/templates/nginx.j2
@ -15,9 +15,10 @@ server {
    root   /var/www/html;
    index  index.php;

+
    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privatekey.pem;
-    {# ssl_trusted_certificate /etc/nginx/ssl/intermediatecertificate.pem; #}
+

    location / {
        proxy_pass http://{{ docker_wordpress_hostname }}:80;
--- a/ansible/playbooks/wordpress.yaml
+++ b/ansible/playbooks/wordpress.yaml
@ -10,53 +10,4 @@
    - chrissayon.wordpress_docker.network
    - chrissayon.wordpress_docker.mysql
    - chrissayon.wordpress_docker.wordpress
-
-
-  tasks:
-    # Need to stop using port 80 for certbot webroot validation
-    - name: Gathering NGINX container state
-      docker_container_info:
-        name: nginx
-      register: nginx_info
-
-    - name: Stop NGINX if present
-      docker_container:
-        name: nginx
-        state: stopped
-      when: 
-        - nginx_info.exists
-
-    # Manage certbot
-
-    - name: Install / configure certbot
-      include_role: 
-        name: geerlingguy.certbot
-
-    # Copy certificates
-    # configured volume for ssl is 
-    # "/usr/data/wp/nginx/ssl:/etc/nginx/ssl/:ro"
-
-    - name: Copy fullchain files to nginx volume
-      ansible.builtin.copy:
-        src: "/etc/letsencrypt/live/{{ item.name }}/fullchain.pem"
-        #TODO nginx configuration is not multi domain
-        dest: "{{ docker_base_volume_path }}/nginx/ssl/fullchain.pem"
-        remote_src: true
-        mode: '0644'
-      loop: "{{ certbot_certs }}"
-
-    - name: Copy privkey files to nginx volume
-      ansible.builtin.copy:
-        src: "/etc/letsencrypt/live/{{ item.name }}/privkey.pem"
-        #TODO nginx configuration is not multi domain
-        dest: "{{ docker_base_volume_path }}/nginx/ssl/privatekey.pem"
-        remote_src: true
-        mode: '0644'
-      loop: "{{ certbot_certs }}"
-
-
-    # Restart NGINX
-
-    - name: (Re)start NGINX
-      include_role:
-        name: chrissayon.wordpress_docker.nginx
+    - certbot