init

ansible/roles/lego/tasks/copy_certs.yaml

@@ -0,0 +1,35 @@
+- name: Find certificates to copy
+  find:
+    paths: /root/.lego/certificates
+    recurse: true
+    patterns:
+      - "*.crt"
+  register: certs_to_copy
+
+- name: Copy certificates to nginx ssl directory
+  copy:
+    remote_src: true
+    src: "{{ item.path }}"
+    dest: /etc/nginx/ssl
+    owner: nginx
+    mode: 0600
+  with_items: "{{ certs_to_copy.files }}"
+
+- name: Find keys to copy
+  find:
+    paths: /root/.lego/certificates
+    recurse: true
+    patterns:
+      - "*.key"
+  register: keys_to_copy
+
+
+- name: Copy keys to nginx ssl directory
+  copy:
+    remote_src: true
+    src: "{{ item.path }}"
+    dest: /etc/nginx/ssl
+    owner: nginx
+    mode: 0600
+  with_items: "{{ keys_to_copy.files }}"
+

ansible/roles/lego/tasks/initial_cert.yaml

@@ -0,0 +1,15 @@
+- name: Stop nginx to generate initial lego cert
+  service:
+    name: nginx
+    state: stopped
+
+- name: Generate initial cert
+  command:
+    cmd: /usr/local/bin/lego -a --email="{{ letsencrypt_email }}" --domains="{{ inventory_hostname | default(cert_domain) }}" --key-type {{ cert_key_type | default('rsa4096') }} --http run
+    chdir: /root
+    creates: "/root/.lego/certificates/{{ inventory_hostname | default(cert_domain) }}.crt"
+
+- name: Start nginx after generating initial lego cert
+  service:
+    name: nginx
+    state: started

ansible/roles/lego/tasks/main.yaml

@@ -0,0 +1,19 @@
+- name: Download and untar lego
+  unarchive:
+    src: https://github.com/go-acme/lego/releases/download/v{{ lego_version }}/lego_v{{ lego_version }}_linux_amd64.tar.gz
+    dest: /usr/local/bin
+    remote_src: yes
+
+- name: Check if certs exist
+  stat:
+    path: /root/.lego/certificates/{{ inventory_hostname | default(cert_domain) }}.crt
+  register: cert_check
+
+- name: Generate an initial cert if not present
+  include_tasks:
+    file: initial_cert.yaml
+  when: not cert_check.stat.exists
+
+- name: Copy certificates
+  include_tasks:
+    file: copy_certs.yaml