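---
# Nginx front-end for Pleroma: installs nginx, renders the vhost config and
# provisions TLS either as a self-signed certificate (when Let's Encrypt is
# disabled) or through an ACME http-01 challenge (when it is enabled).
#
# All key/certificate material is root-owned with restrictive modes. The
# vhost template is expected to carry the two "[[PLACEHOLDER ...]]" comment
# markers that the lineinfile/blockinfile tasks below anchor on
# (TODO confirm against etc_ngnix_confd_pleroma.conf.j2).

- name: Nginx -- Ensuring Nginx dependencies are installed.
  apk:
    name: "{{ pleroma_deps_nginx }}"
    state: present

- name: Nginx -- Ensuring the Nginx configuration is present.
  template:
    src: etc_ngnix_confd_pleroma.conf.j2
    dest: "{{ pleroma_nginx_conf_file }}"
    owner: root
    group: root
    mode: '0600'

- name: Nginx -- Ensuring that the SSL folder exists
  file:
    name: "{{ pleroma_ssl_folder }}"
    state: directory
    mode: '0700'
    owner: root
    group: root

# The TLS private key is generated once and reused for every certificate
# below (self-signed and Let's Encrypt), so it is never readable by nginx's
# worker user; the root-owned master process reads it at startup.
- name: Nginx -- Ensuring that the ssl private key is generated.
  openssl_privatekey:
    mode: '0400'
    group: root
    owner: root
    path: "{{ pleroma_ssl_privateKeyPath }}"
    size: 4096
    state: present
    type: RSA

- name: Nginx -- Ensuring that the certificate signing request is generated.
  openssl_csr:
    common_name: "{{ pleroma.config.host }}"
    country_name: "{{ pleroma.ssl.csr.countryName }}"
    email_address: "{{ pleroma.ssl.csr.emailAddress }}"
    locality_name: "{{ pleroma.ssl.csr.localityName }}"
    organization_name: "{{ pleroma.ssl.csr.organizationName }}"
    organizational_unit_name: "{{ pleroma.ssl.csr.organizationUnitName }}"
    state_or_province_name: "{{ pleroma.ssl.csr.stateOrProvinceName }}"
    mode: '0400'
    group: root
    owner: root
    path: "{{ pleroma_ssl_csrPath }}"
    privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"

# Always generated: it is the served certificate when Let's Encrypt is
# disabled, and the temporary bootstrap certificate that lets nginx start
# before the first ACME certificate exists when it is enabled.
- name: Nginx -- Ensuring the self-signed certificate is generated.
  openssl_certificate:
    path: "{{ pleroma_ssl_selfSignedCertPath }}"
    mode: '0400'
    group: root
    owner: root
    privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"
    csr_path: "{{ pleroma_ssl_csrPath }}"
    provider: selfsigned

- name: Nginx -- Ensuring Nginx configuration references the self signed certificate
  lineinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    owner: root
    group: root
    mode: '0600'
    insertafter: '^\s+#\s\[\[PLACEHOLDER\sFOR\sSSL\sCERTIFICATE\]\].*$'
    line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
    state: present
  when: not pleroma.ssl.letsEncrypt.enable

# --- Let's Encrypt (ACME http-01) path; every task below is conditional ---

# The challenge directory is owned by the nginx user because the worker
# processes (not root) serve the challenge files from it.
- name: Nginx -- Ensuring that the Let's encrypt challenge directory is present.
  file:
    name: "{{ pleroma_letsEncrypt_baseDir }}/.well-known/acme-challenge"
    state: directory
    mode: '0700'
    owner: nginx
    group: nginx
    recurse: true
  when: pleroma.ssl.letsEncrypt.enable

# The ACME account key is distinct from the TLS private key: it only
# authenticates this host to the CA and is never referenced by nginx.
- name: Nginx -- Ensuring that the private ACME account key is present.
  openssl_privatekey:
    mode: '0400'
    group: root
    owner: root
    path: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
    size: 4096
    state: present
    type: RSA
  when: pleroma.ssl.letsEncrypt.enable

- name: Nginx -- Ensuring the location block for the ACME challenge is configured.
  blockinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    state: present
    mode: '0600'
    owner: root
    group: root
    insertafter: '^\s+#\s\[\[PLACEHOLDER\sFOR\sLETS\sENCRYPT\sFOLDER\]\].*$'
    # "|2" fixes the content indent at two spaces below this key, so the
    # extra leading spaces of the nginx directives are kept in the value and
    # the block lands indented inside the server {} stanza. The original
    # indent was lost in this copy (TODO confirm against the template).
    block: |2
          location ~/\.well-known/acme-challenge {
              root {{ pleroma_letsEncrypt_baseDir }}/;
              try_files $uri @forward_https;
          }
          location @forward_https {
              return 301 https://$server_name$request_uri;
          }
  when: pleroma.ssl.letsEncrypt.enable

- name: Nginx -- Checking if certificate file exists.
  stat:
    path: "{{ pleroma_ssl_fullChainCert }}"
  register: certificate_file
  when: pleroma.ssl.letsEncrypt.enable

# nginx refuses to start an HTTPS server block without a certificate, so the
# self-signed one is wired in until the first ACME issuance succeeds. Without
# a regexp this task is a no-op once the exact line exists.
- name: Nginx -- Temporarily adding the reference to the self signed certificate for ACME challenge.
  lineinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    owner: root
    group: root
    mode: '0600'
    insertafter: '^\s+#\s\[\[PLACEHOLDER\sFOR\sSSL\sCERTIFICATE\]\].*$'
    line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
    state: present
  # "and" short-circuits, so certificate_file is only dereferenced when the
  # stat task above actually ran.
  when: pleroma.ssl.letsEncrypt.enable and not certificate_file.stat.exists

- name: Nginx -- Ensuring that Nginx is running for the ACME challenge.
  service:
    name: nginx
    state: started
  when: pleroma.ssl.letsEncrypt.enable

# First acme_certificate call: registers the account if needed and obtains
# the challenge data (no certificate is issued yet).
- name: Nginx -- Acme challenge part 1 - Creating Acme challenge.
  acme_certificate:
    account_key_src: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
    account_email: "{{ pleroma.ssl.letsEncrypt.acmeAccountEmail }}"
    acme_directory: "{{ pleroma.ssl.letsEncrypt.acmeDirectory }}"
    acme_version: 2
    challenge: http-01
    csr: "{{ pleroma_ssl_csrPath }}"
    fullchain_dest: "{{ pleroma_ssl_fullChainCert }}"
    remaining_days: "{{ pleroma.ssl.letsEncrypt.remainingDays }}"
    select_crypto_backend: cryptography
    terms_agreed: "{{ pleroma.ssl.letsEncrypt.termsAgreed }}"
  register: acme_challenge
  when: pleroma.ssl.letsEncrypt.enable

# Publishes the http-01 token under the challenge directory served by the
# location block above. Skipped when part 1 reported nothing to do (the
# current certificate still has more than remaining_days left).
- name: Nginx -- Creating the Acme challenge file
  copy:
    dest: "{{ pleroma_letsEncrypt_baseDir }}/{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource'] }}"
    content: "{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource_value'] }}"
  when: pleroma.ssl.letsEncrypt.enable and acme_challenge is changed

# Second call with the registered challenge data: the CA validates the token
# and the full chain is written to fullchain_dest.
- name: Nginx -- Acme challenge part 2 - Validating the Acme challenge to create the SSL certificate.
  acme_certificate:
    account_key_src: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
    account_email: "{{ pleroma.ssl.letsEncrypt.acmeAccountEmail }}"
    acme_directory: "{{ pleroma.ssl.letsEncrypt.acmeDirectory }}"
    acme_version: 2
    challenge: http-01
    csr: "{{ pleroma_ssl_csrPath }}"
    fullchain_dest: "{{ pleroma_ssl_fullChainCert }}"
    remaining_days: "{{ pleroma.ssl.letsEncrypt.remainingDays }}"
    select_crypto_backend: cryptography
    terms_agreed: "{{ pleroma.ssl.letsEncrypt.termsAgreed }}"
    data: "{{ acme_challenge }}"
  when: pleroma.ssl.letsEncrypt.enable

- name: Nginx -- Updating file permissions of the SSL certificate.
  file:
    path: "{{ pleroma_ssl_fullChainCert }}"
    owner: root
    group: root
    # quoted: an unquoted 0400 is read as decimal 256 by YAML 1.1 parsers
    mode: '0400'
    state: file
  when: pleroma.ssl.letsEncrypt.enable

# Swaps the (temporary) self-signed reference for the issued chain. lineinfile
# replaces the LAST line matching regexp, so the pattern requires whitespace
# after "ssl_certificate" to avoid also matching an "ssl_certificate_key"
# directive and overwriting it with a certificate line.
- name: Nginx -- Ensuring the ssl_ceritificate option is up to date in the Nginx configuration.
  lineinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    owner: root
    group: root
    mode: '0600'
    regexp: '^\s+ssl_certificate\s.*$'
    line: ' ssl_certificate {{ pleroma_ssl_fullChainCert }};'
    state: present
  when: pleroma.ssl.letsEncrypt.enable

# Unconditional restart: the tasks above may have changed the vhost config or
# the certificate on disk, so nginx is always reloaded with the final state.
- name: Nginx -- Ensuring that Nginx is enabled and restarted.
  service:
    name: nginx
    enabled: true
    state: restarted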