sr2/ansible-collection-core
2
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions
ansible-collection-core/roles/podman_nginx/tasks/main.yml

112 lines
3.9 KiB
YAML
Raw Normal View History

Initial import; migrate some roles from irl.wip
2025-10-31 22:36:32 +00:00
---
- name: Podman Nginx | PATCH | Create service configuration directories
ansible.builtin.file:
path: "/home/{{ podman_nginx_podman_rootless_user }}/{{ item }}"
state: directory
owner: "{{ podman_nginx_podman_rootless_user }}"
group: "{{ podman_nginx_podman_rootless_user }}"
mode: "0755"
become: true
with_items:
- .config/systemd/user
- certbot/conf
- certbot/www
- nginx
- name: Podman Nginx | PATCH | Install podman quadlet for rootless podman user
ansible.builtin.template:
src: "{{ item }}"
dest: "/home/{{ podman_nginx_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
owner: "{{ podman_nginx_podman_rootless_user }}"
mode: "0400"
with_items:
- certbot-renew.container
- nginx.container
notify:
- "Restart {{ item | split('.') | first }}"
become: true
- name: Podman Nginx | PATCH | Install certbot renewal timer for rootless podman user
ansible.builtin.template:
src: "certbot-renew.timer"
dest: "/home/{{ podman_nginx_podman_rootless_user }}/.config/systemd/user/certbot-renew.timer"
owner: "{{ podman_nginx_podman_rootless_user }}"
mode: "0400"
become: true
- name: Podman Nginx | AUDIT | Verify quadlets are correctly defined
ansible.builtin.command: /usr/libexec/podman/quadlet -dryrun -user
register: podman_nginx_quadlet_result
ignore_errors: true
changed_when: false
become: true
become_user: "{{ podman_nginx_podman_rootless_user }}"
- name: Podman Nginx | AUDIT | Check if certificate exists
ansible.builtin.stat:
path: "/home/{{ podman_nginx_podman_rootless_user }}/certbot/conf/live/{{ podman_nginx_primary_hostname }}/fullchain.pem"
register: podman_nginx_cert_stat
become: true
become_user: "{{ podman_nginx_podman_rootless_user }}"
- name: Podman Nginx | PATCH | Create temporary nginx configuration (no https)
ansible.builtin.template:
src: nginx.conf
dest: "/home/{{ podman_nginx_podman_rootless_user }}/nginx/nginx.conf"
owner: "{{ podman_nginx_podman_rootless_user }}"
group: "{{ podman_nginx_podman_rootless_user }}"
mode: "0644"
become: true
when: not podman_nginx_cert_stat.stat.exists
- name: Podman Nginx | PATCH | Start nginx
ansible.builtin.systemd_service:
name: nginx
state: started
scope: user
daemon_reload: true
become: true
become_user: "{{ podman_nginx_podman_rootless_user }}"
- name: Podman Nginx | PATCH | Run certbot container to create certificate
ansible.builtin.command:
cmd: >
podman run --name certbot-generate
--rm
--volume /home/{{ podman_nginx_podman_rootless_user }}/certbot/www:/var/www/certbot:rw,z
--volume /home/{{ podman_nginx_podman_rootless_user }}/certbot/conf:/etc/letsencrypt:rw,z
docker.io/certbot/certbot:latest
certonly
--register-unsafely-without-email
--agree-tos
--webroot
--webroot-path /var/www/certbot/
-d "{{ podman_nginx_primary_hostname }}"
{% for hostname in podman_nginx_additional_hostnames %} -d "{{ hostname }}"{% endfor %}
{% if podman_nginx_certbot_testing %} --test-cert{% endif %}
when: not podman_nginx_cert_stat.stat.exists
become: true
become_user: "{{ podman_nginx_podman_rootless_user }}"
- name: Podman Nginx | AUDIT | Check if certificate exists
ansible.builtin.stat:
path: "/home/{{ podman_nginx_podman_rootless_user }}/certbot/conf/live/{{ podman_nginx_primary_hostname }}/fullchain.pem"
register: podman_nginx_cert_stat
become: true
become_user: "{{ podman_nginx_podman_rootless_user }}"
- name: Podman Nginx | AUDIT | Assert that certificate exists now
ansible.builtin.assert:
that:
- podman_nginx_cert_stat.stat.exists
fail_msg: "Failed to get a Lets Encrypt certificate."
- name: Podman Nginx | PATCH | Start certbot renewal timer
ansible.builtin.systemd_service:
name: "certbot-renew.timer"
state: started
enabled: true
scope: user
become: true
become_user: "{{ podman_nginx_podman_rootless_user }}"
Reference in a new issue Copy permalink