ssl_cert.yml

---
- name: Ensure certbot-nginx is installed
  apt: pkg=python3-certbot-nginx state=present

- name: Ensure pre and post hook folders exist
  file:
    path: "/etc/letsencrypt/renewal-hooks/{{ item }}"
    state: directory
    mode: 0755
    owner: root
    group: root
  with_items:
    - pre
    - post

- name: create pre and post hooks to stop/start services during creation/renewal
  template:
    src: "templates/{{ item.template }}.j2"
    dest: "/etc/letsencrypt/renewal-hooks/{{ item.hook }}/{{ item.template }}"
    owner: root
    group: root
    mode: 0750
  with_items:
    - template: stop_services
      hook: pre
    - template: start_services
      hook: post

- name: Generate cert via the certbot command
  command: "{{ certbot_command }}"
  vars:
    certbot_command: >-
      certbot certonly --standalone --non-interactive --agree-tos
      --email {{ cert_admin_email }} --cert-name {{ server_hostname }}
      {% for domain in web_domains %}
      -d {{ domain }} -d www.{{ domain }}
      {% endfor %}
      -d {{ server_hostname }}
      --pre-hook /etc/letsencrypt/renewal-hooks/pre/stop_services
      --post-hook /etc/letsencrypt/renewal-hooks/post/start_services
  register: certbot_command_result
  changed_when: '"Running post-hook command" in certbot_command_result.stderr'

- name: Ensure that we have our local dhparam file for ssl
  get_url:
    url: "https://ssl-config.mozilla.org/ffdhe2048.txt"
    dest: /etc/letsencrypt/ssl-dhparams.pem