nginx: Re-introduce bootstrap_certs

2025-04-12 19:18:38 +02:00 · 2025-04-12 19:18:38 +02:00 · 75795f0238
commit 75795f0238
parent b680bf6902
5 changed files with 11 additions and 3 deletions
--- a/group_vars/all.yaml
+++ b/group_vars/all.yaml
@ -3,7 +3,6 @@
 ansible_user: root
 ansible_python_interpreter: auto_silent
 notify_email: bestuur@bitlair.nl
-acme_bootstrap_certs: no
 trusted_ranges:
  - { v: ipv4, cidr: "127.0.0.1/8", comment: "localhost" }
  - { v: ipv4, cidr: "10.0.0.0/8", comment: "rfc1918" }
--- a/group_vars/homeassistant.yaml
+++ b/group_vars/homeassistant.yaml
@ -1,4 +1,3 @@
-acme_bootstrap_certs: yes
 acme_san_domains:
  - [ homeassistant.bitlair.nl ]

--- a/group_vars/wiki.yaml
+++ b/group_vars/wiki.yaml
@ -1,4 +1,3 @@
-acme_bootstrap_certs: yes
 acme_san_domains:
  - [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ]
  - [ bitair.nl ]
--- a/roles/nginx/tasks/main.yaml
+++ b/roles/nginx/tasks/main.yaml
@ -7,6 +7,13 @@
  when:
    - nginx_sites is defined

+- name: Install bootstrap cert
+  ansible.builtin.apt:
+    name: "ssl-cert"
+    state: present
+  when:
+    - nginx_bootstrap_certs is defined and nginx_bootstrap_certs
+
 - name: Create sites-available / sites-enabled directories
  ansible.builtin.file:
    state: directory
--- a/roles/nginx/templates/site.conf.j2
+++ b/roles/nginx/templates/site.conf.j2
@ -11,8 +11,12 @@ server {
    server_name {{ site.server_name | default(inventory_hostname) }}{% if site.server_alias is defined %} {{ site.server_alias }}{% endif %};

    include /etc/nginx/tls_params;
+    {% if nginx_bootstrap_certs | default(false) %}
+    include "snippets/snakeoil.conf";
+    {% else %}
    ssl_certificate        /var/lib/dehydrated/certs/{{ site.server_name }}/fullchain.pem;
    ssl_certificate_key    /var/lib/dehydrated/certs/{{ site.server_name }}/privkey.pem;
+    {% endif %}

    index {{ nginx_index | default('index.php index.html index.htm') }};
    client_max_body_size {{ nginx_client_max_body_size }};