From 75795f02380a413adce6776310b99e54385f8d42 Mon Sep 17 00:00:00 2001
From: polyfloyd
Date: Sat, 12 Apr 2025 19:18:38 +0200
Subject: [PATCH] nginx: Re-introduce bootstrap_certs

---
 group_vars/all.yaml | 1 -
 group_vars/homeassistant.yaml | 1 -
 group_vars/wiki.yaml | 1 -
 roles/nginx/tasks/main.yaml | 7 +++++++
 roles/nginx/templates/site.conf.j2 | 4 ++++
 5 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/group_vars/all.yaml b/group_vars/all.yaml
index f439200..3deb227 100644
--- a/group_vars/all.yaml
+++ b/group_vars/all.yaml
@@ -3,7 +3,6 @@ ansible_user: root
 ansible_python_interpreter: auto_silent
 notify_email: bestuur@bitlair.nl
-acme_bootstrap_certs: no
 trusted_ranges:
   - { v: ipv4, cidr: "127.0.0.1/8", comment: "localhost" }
   - { v: ipv4, cidr: "10.0.0.0/8", comment: "rfc1918" }
diff --git a/group_vars/homeassistant.yaml b/group_vars/homeassistant.yaml
index 4c826c5..53b604a 100644
--- a/group_vars/homeassistant.yaml
+++ b/group_vars/homeassistant.yaml
@@ -1,4 +1,3 @@
-acme_bootstrap_certs: yes
 acme_san_domains:
   - [ homeassistant.bitlair.nl ]
diff --git a/group_vars/wiki.yaml b/group_vars/wiki.yaml
index 7bc009b..19dda0b 100644
--- a/group_vars/wiki.yaml
+++ b/group_vars/wiki.yaml
@@ -1,4 +1,3 @@
-acme_bootstrap_certs: yes
 acme_san_domains:
   - [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ]
   - [ bitair.nl ]
diff --git a/roles/nginx/tasks/main.yaml b/roles/nginx/tasks/main.yaml
index 78f6f9b..6afb741 100644
--- a/roles/nginx/tasks/main.yaml
+++ b/roles/nginx/tasks/main.yaml
@@ -7,6 +7,13 @@
   when:
     - nginx_sites is defined
+- name: Install bootstrap cert
+  ansible.builtin.apt:
+    name: "ssl-cert"
+    state: present
+  when:
+    - nginx_bootstrap_certs is defined and nginx_bootstrap_certs
+
 - name: Create sites-available / sites-enabled directories
   ansible.builtin.file:
     state: directory
diff --git a/roles/nginx/templates/site.conf.j2 b/roles/nginx/templates/site.conf.j2
index 181e604..1fb5a1d 100644
--- a/roles/nginx/templates/site.conf.j2
+++ b/roles/nginx/templates/site.conf.j2
@@ -11,8 +11,12 @@ server {
     server_name {{ site.server_name | default(inventory_hostname) }}{% if site.server_alias is defined %} {{ site.server_alias }}{% endif %};
     include /etc/nginx/tls_params;
+    {% if nginx_bootstrap_certs | default(false) %}
+    include "snippets/snakeoil.conf";
+    {% else %}
     ssl_certificate /var/lib/dehydrated/certs/{{ site.server_name }}/fullchain.pem;
     ssl_certificate_key /var/lib/dehydrated/certs/{{ site.server_name }}/privkey.pem;
+    {% endif %}
     index {{ nginx_index | default('index.php index.html index.htm') }};
     client_max_body_size {{ nginx_client_max_body_size }};
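Review bot: The `when` on the new `Install bootstrap cert` task tests the flag differently from the template, which uses `nginx_bootstrap_certs | default(false)`; a value that arrives as a string (for example a quoted `"no"` in group_vars) satisfies `is defined and nginx_bootstrap_certs` and installs the package, and the two expressions can drift apart over time. Aligning both on `- nginx_bootstrap_certs | default(false) | bool` keeps the package install and the template branch keyed on the same truth value. The task name only says "bootstrap"; a comment above it such as `# ssl-cert provides the self-signed snakeoil key pair that the snippet included by site.conf.j2 points at while no ACME certificate exists yet` would tell a reader why the nginx role pulls in an apt package. The surrounding task list continues outside the hunk.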
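Review bot: Nothing in this commit sets `nginx_bootstrap_certs`, while it removes `acme_bootstrap_certs: yes` from the homeassistant and wiki group_vars, so unless the new variable is assigned somewhere outside this diff those hosts now take the `else` branch and reference `/var/lib/dehydrated/certs/...` paths that may not exist on a freshly provisioned host — the case the bootstrap branch exists for, and nginx will not start on a missing certificate file. Setting `nginx_bootstrap_certs: true` in those group_vars, or deriving it from the old variable name, would preserve the previous behaviour. While the flag is on, the site serves the untrusted self-signed snakeoil certificate, so a comment above the `{% if %}` such as `{# bootstrap: serve the ssl-cert snakeoil pair until dehydrated has issued the real certificate, then re-run with the flag off so the dehydrated paths are used #}` would make clear that this is a transient state that needs a second run to leave. The enclosing `server` block starts and ends outside the hunk.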