---
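- name: Install nginx package
  ansible.builtin.apt:
    name: nginx
    state: present
    update_cache: true
    # Only re-fetch the package index when the local cache is older than an
    # hour. state=present never upgrades, so index freshness only matters on
    # first install, and an already-converged host no longer fails just
    # because a mirror is briefly unreachable.
    cache_valid_time: 3600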
# Directory the ACME client writes HTTP-01 challenge files into; the site
# template (not in this file) presumably serves /.well-known/acme-challenge/
# from here.
# NOTE(review): www-data ownership makes this directory writable by the
# nginx workers, which is more than serving challenges requires. If the
# ACME client runs as root (the usual certbot --webroot case) root:root with
# 0755 is enough — confirm which account writes the challenges before
# tightening.
- name: Ensure ACME webroot exists for nginx
  ansible.builtin.file:
    path: /var/www/letsencrypt
    state: directory
    mode: "0755"
    owner: www-data
    group: www-data
# One document root per static_sites entry. Each entry is expected to carry
# path, owner and group; the loop label shows only the path so the owner
# and group values are not echoed per item.
- name: Ensure static site directories exist
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: directory
    mode: "0755"
    owner: "{{ item.owner }}"
    group: "{{ item.group }}"
  loop: "{{ static_sites | default([]) }}"
  loop_control:
    label: "{{ item.path }}"
# Write each static_sites[].files[] entry as a literal file below that
# site's document root. Entries with no `files` key are skipped
# (skip_missing=True).
# NOTE(review): dest is plain string concatenation, so a file path holding
# ".." segments resolves outside the site root. The values come from
# inventory, so this only matters if inventory can be edited by people who
# should not be able to write arbitrary files on the host.
- name: Publish static placeholder files
  ansible.builtin.copy:
    dest: "{{ item.0.path }}/{{ item.1.path }}"
    content: "{{ item.1.content }}"
    mode: "0644"
    owner: "{{ item.0.owner }}"
    group: "{{ item.0.group }}"
  loop: "{{ (static_sites | default([])) | subelements('files', skip_missing=True) }}"
  loop_control:
    label: "{{ item.0.name }}/{{ item.1.path }}"
# Drop the distribution's default vhost so the only enabled sites are the
# ones rendered from nginx_sites further down.
- name: Remove default nginx site
  ansible.builtin.file:
    state: absent
    path: /etc/nginx/sites-enabled/default
  notify: Reload nginx
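# Probe for an issued certificate for every site flagged acme_managed. The
# result feeds the availability map below, which site.conf.j2 (not in this
# file) can consult before referencing TLS material that does not exist yet.
# The certificate directory is item.certificate_name, falling back to the
# first server name.
- name: Check which ACME certificates already exist
  ansible.builtin.stat:
    path: "/etc/letsencrypt/live/{{ item.certificate_name | default(item.server_names[0]) }}/fullchain.pem"
    # With certbot's layout live/*.pem are symlinks into archive/. Follow
    # them so a dangling link (archive pruned, certificate deleted) reports
    # exists=false instead of handing nginx a fullchain it cannot open.
    follow: true
    # Only existence matters here; skip hashing the file.
    get_checksum: false
  loop: "{{ nginx_sites | selectattr('acme_managed', 'defined') | selectattr('acme_managed') | list }}"
  loop_control:
    label: "{{ item.name }}"
  register: nginx_site_cert_stats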
# Collapse the stat results into {site name: bool} so a consumer can look up
# per-site certificate presence without walking the results list again.
# Sites that are not acme_managed never appear in this map.
- name: Build ACME certificate availability map
  ansible.builtin.set_fact:
    nginx_acme_certificates_available: >-
      {{ dict(nginx_site_cert_stats.results | map(attribute='item.name')
      | zip(nginx_site_cert_stats.results | map(attribute='stat.exists'))) }}
# One server block per nginx_sites entry, rendered into sites-available;
# the symlink task below is what actually enables it. Root-owned and
# world-readable, which is fine as long as the template never embeds
# secrets (credentials belong in separate, tighter-mode files).
- name: Render nginx site configurations
  ansible.builtin.template:
    src: site.conf.j2
    dest: "/etc/nginx/sites-available/{{ item.name }}.conf"
    mode: "0644"
    owner: root
    group: root
  loop: "{{ nginx_sites }}"
  loop_control:
    label: "{{ item.name }}"
  notify: Reload nginx
# Activate each rendered site. force=true replaces whatever already sits at
# dest (a stray file or a link to an old path) with the link.
# NOTE(review): sites removed from nginx_sites are not cleaned up anywhere
# in this file — their symlink and sites-available file remain and nginx
# keeps loading them until someone deletes them by hand.
- name: Enable nginx sites
  ansible.builtin.file:
    state: link
    force: true
    src: "/etc/nginx/sites-available/{{ item.name }}.conf"
    dest: "/etc/nginx/sites-enabled/{{ item.name }}.conf"
  loop: "{{ nginx_sites }}"
  loop_control:
    label: "{{ item.name }}"
  notify: Reload nginx
# Fail the play on a broken configuration before the "Reload nginx" handler
# runs (handlers are flushed after this task unless something earlier forces
# a flush), so a bad render leaves the currently loaded config untouched.
# changed_when=false: a syntax check never modifies the host.
- name: Validate nginx configuration
  ansible.builtin.command:
    cmd: nginx -t
  changed_when: false
# nginx must be running now and must come back after a reboot.
- name: Ensure nginx service is enabled
  ansible.builtin.service:
    name: nginx
    enabled: true
    state: started