ansible-collection-wip/roles/podman_nginx/tasks/main.yml

---
- name: create service configuration directories
  ansible.builtin.file:
    path: "/home/{{ podman_nginx_podman_rootless_user }}/{{ item }}"
    state: directory
    owner: "{{ podman_nginx_podman_rootless_user }}"
    group: "{{ podman_nginx_podman_rootless_user }}"
    mode: "0755"
  become: true
  with_items:
    - .config/systemd/user
    - certbot/conf
    - certbot/www
    - nginx

- name: install podman quadlet for rootless podman user
  ansible.builtin.template:
    src: "{{ item }}"
    dest: "/home/{{ podman_nginx_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
    owner: "{{ podman_nginx_podman_rootless_user }}"
    mode: "0400"
  with_items:
    - certbot-renew.container
    - nginx.container
  notify:
    - "restart {{ item | split('.') | first }}"
  become: true

- name: install certbot renewal timer for rootless podman user
  ansible.builtin.template:
    src: "certbot-renew.timer"
    dest: "/home/{{ podman_nginx_podman_rootless_user }}/.config/systemd/user/certbot-renew.timer"
    owner: "{{ podman_nginx_podman_rootless_user }}"
    mode: "0400"
  become: true

- name: verify quadlets are correctly defined
  ansible.builtin.command: /usr/libexec/podman/quadlet -dryrun -user
  register: podman_nginx_quadlet_result
  ignore_errors: true
  changed_when: false
  become: true
  become_user: "{{ podman_nginx_podman_rootless_user }}"

- name: check if certificate exists
  stat:
    path: "/home/{{ podman_nginx_podman_rootless_user }}/certbot/conf/live/{{ podman_nginx_primary_hostname }}/fullchain.pem"
  register: podman_nginx_cert_stat
  become: yes
  become_user: "{{ podman_nginx_podman_rootless_user }}"

- name: create temporary nginx configuration (no https)
  ansible.builtin.template:
    src: nginx.conf
    dest: "/home/{{ podman_nginx_podman_rootless_user }}/nginx/nginx.conf"
    owner: "{{ podman_nginx_podman_rootless_user }}"
    group: "{{ podman_nginx_podman_rootless_user }}"
    mode: "0644"
  become: true
  when: podman_nginx_cert_stat.stat.exists == false

- name: start nginx
  ansible.builtin.systemd_service:
    name: nginx
    state: started
    scope: user
    daemon_reload: true
  become: true
  become_user: "{{ podman_nginx_podman_rootless_user }}"

- name: run certbot container to create certificate
  ansible.builtin.command:
    cmd: >
      podman run --name certbot-generate
      --rm
      --volume /home/{{ podman_nginx_podman_rootless_user }}/certbot/www:/var/www/certbot:rw
      --volume /home/{{ podman_nginx_podman_rootless_user }}/certbot/conf:/etc/letsencrypt:rw
      docker.io/certbot/certbot:latest
      certonly
      --register-unsafely-without-email
      --agree-tos
      --webroot
      --webroot-path /var/www/certbot/
      -d "{{ podman_nginx_primary_hostname }}"
      {% for hostname in podman_nginx_additional_hostnames %} -d "{{ hostname }}"{% endfor %}
      {% if podman_nginx_certbot_testing %} --test-cert{% endif %}
  when: podman_nginx_cert_stat.stat.exists == false
  become: yes
  become_user: "{{ podman_nginx_podman_rootless_user }}"

- name: check if certificate exists
  stat:
    path: "/home/{{ podman_nginx_podman_rootless_user }}/certbot/conf/live/{{ podman_nginx_primary_hostname }}/fullchain.pem"
  register: podman_nginx_cert_stat
  become: yes
  become_user: "{{ podman_nginx_podman_rootless_user }}"

- name: ensure certificate exists now
  ansible.builtin.assert:
    that:
      - podman_nginx_cert_stat.stat.exists
    fail_msg: "Failed to get a Lets Encrypt certificate."

- name: start certbot renewal timer
  ansible.builtin.systemd_service:
    name: "certbot-renew.timer"
    state: started
    scope: user
  become: true
  become_user: "{{ podman_nginx_podman_rootless_user }}"
feat: initial commit 2025-06-02 14:55:56 +01:00			`---`
			`- name: create service configuration directories`
			`ansible.builtin.file:`
			`path: "/home/{{ podman_nginx_podman_rootless_user }}/{{ item }}"`
			`state: directory`
			`owner: "{{ podman_nginx_podman_rootless_user }}"`
			`group: "{{ podman_nginx_podman_rootless_user }}"`
			`mode: "0755"`
			`become: true`
			`with_items:`
			`- .config/systemd/user`
			`- certbot/conf`
			`- certbot/www`
			`- nginx`

			`- name: install podman quadlet for rootless podman user`
			`ansible.builtin.template:`
			`src: "{{ item }}"`
			`dest: "/home/{{ podman_nginx_podman_rootless_user }}/.config/containers/systemd/{{ item }}"`
			`owner: "{{ podman_nginx_podman_rootless_user }}"`
			`mode: "0400"`
			`with_items:`
			`- certbot-renew.container`
			`- nginx.container`
			`notify:`
			`- "restart {{ item \| split('.') \| first }}"`
			`become: true`

			`- name: install certbot renewal timer for rootless podman user`
			`ansible.builtin.template:`
			`src: "certbot-renew.timer"`
			`dest: "/home/{{ podman_nginx_podman_rootless_user }}/.config/systemd/user/certbot-renew.timer"`
			`owner: "{{ podman_nginx_podman_rootless_user }}"`
			`mode: "0400"`
			`become: true`

			`- name: verify quadlets are correctly defined`
			`ansible.builtin.command: /usr/libexec/podman/quadlet -dryrun -user`
			`register: podman_nginx_quadlet_result`
			`ignore_errors: true`
			`changed_when: false`
			`become: true`
			`become_user: "{{ podman_nginx_podman_rootless_user }}"`

			`- name: check if certificate exists`
			`stat:`
			`path: "/home/{{ podman_nginx_podman_rootless_user }}/certbot/conf/live/{{ podman_nginx_primary_hostname }}/fullchain.pem"`
			`register: podman_nginx_cert_stat`
			`become: yes`
			`become_user: "{{ podman_nginx_podman_rootless_user }}"`

			`- name: create temporary nginx configuration (no https)`
			`ansible.builtin.template:`
			`src: nginx.conf`
			`dest: "/home/{{ podman_nginx_podman_rootless_user }}/nginx/nginx.conf"`
			`owner: "{{ podman_nginx_podman_rootless_user }}"`
			`group: "{{ podman_nginx_podman_rootless_user }}"`
			`mode: "0644"`
			`become: true`
			`when: podman_nginx_cert_stat.stat.exists == false`

			`- name: start nginx`
			`ansible.builtin.systemd_service:`
			`name: nginx`
			`state: started`
			`scope: user`
			`daemon_reload: true`
			`become: true`
			`become_user: "{{ podman_nginx_podman_rootless_user }}"`

			`- name: run certbot container to create certificate`
			`ansible.builtin.command:`
			`cmd: >`
			`podman run --name certbot-generate`
			`--rm`
			`--volume /home/{{ podman_nginx_podman_rootless_user }}/certbot/www:/var/www/certbot:rw`
			`--volume /home/{{ podman_nginx_podman_rootless_user }}/certbot/conf:/etc/letsencrypt:rw`
			`docker.io/certbot/certbot:latest`
			`certonly`
			`--register-unsafely-without-email`
			`--agree-tos`
			`--webroot`
			`--webroot-path /var/www/certbot/`
			`-d "{{ podman_nginx_primary_hostname }}"`
			`{% for hostname in podman_nginx_additional_hostnames %} -d "{{ hostname }}"{% endfor %}`
			`{% if podman_nginx_certbot_testing %} --test-cert{% endif %}`
			`when: podman_nginx_cert_stat.stat.exists == false`
			`become: yes`
			`become_user: "{{ podman_nginx_podman_rootless_user }}"`

			`- name: check if certificate exists`
			`stat:`
			`path: "/home/{{ podman_nginx_podman_rootless_user }}/certbot/conf/live/{{ podman_nginx_primary_hostname }}/fullchain.pem"`
			`register: podman_nginx_cert_stat`
			`become: yes`
			`become_user: "{{ podman_nginx_podman_rootless_user }}"`

			`- name: ensure certificate exists now`
			`ansible.builtin.assert:`
			`that:`
			`- podman_nginx_cert_stat.stat.exists`
			`fail_msg: "Failed to get a Lets Encrypt certificate."`

			`- name: start certbot renewal timer`
			`ansible.builtin.systemd_service:`
			`name: "certbot-renew.timer"`
			`state: started`
			`scope: user`
			`become: true`
			`become_user: "{{ podman_nginx_podman_rootless_user }}"`