Update to fetch cert twice to allow easier renewal.
Match current production docs.
parent
81e3c0962e
commit
2b340fef6d
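--- a/<PATH-NOT-SHOWN-1>
+++ b/<PATH-NOT-SHOWN-1>
@@ -1,4 +1,3 @@
 #!/usr/bin/env bash
-service nginx stop
 letsencrypt renew
-service nginx start
+service nginx reload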
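Review bot: The new script runs `service nginx reload` even when `letsencrypt renew` fails, because nothing in it stops on error; add `set -euo pipefail` after the shebang so a failed renewal is reported to whatever schedules the script instead of being followed by a reload. The reload is also only needed when a certificate was actually replaced, which the client can express itself, if the installed version supports it, with `letsencrypt renew --post-hook "service nginx reload"`, leaving nginx untouched on the common no-op run. Since nginx is no longer stopped around the renewal, this script silently depends on the renewal configuration written by the webroot `certonly` step in the playbook; a one-line comment such as `# nginx stays up: renewal uses the webroot authenticator recorded by the playbook` would make that coupling visible.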
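--- a/<PATH-NOT-SHOWN-2>
+++ b/<PATH-NOT-SHOWN-2>
@@ -2,15 +2,11 @@
 # This role install nginx, configures it and sets up a Let's Encrypt certificate for the
 # Mastodon instance
 
-- name: Install nginx and letsencrypt
+- name: Install nginx and certbot
 apt: name={{ item }} state=latest update_cache=yes
 with_items:
 - nginx
 - letsencrypt
-- name: Stop nginx for now
-service: name=nginx state=stopped
-- name: Generate Let's Encrypt TLS certificate for Mastodon instance
-shell: letsencrypt certonly -n --agree-tos --standalone -d {{ ansible_nodename }} --email "webmaster@{{ ansible_nodename }}"
 - name: Remove default nginx config in sites-enabled
 file:
 path: /etc/nginx/sites-enabled/default
@@ -24,8 +20,14 @@
 src: /etc/nginx/sites-available/{{ LOCAL_DOMAIN }}.conf
 dest: /etc/nginx/sites-enabled/{{ LOCAL_DOMAIN }}.conf
 state: link
-- name: Start nginx
+- name: Stop nginx for now
+service: name=nginx state=stopped
+- name: Generate standalone Let's Encrypt TLS certificate for Mastodon instance
+shell: letsencrypt certonly -n --agree-tos --standalone -d {{ LOCAL_DOMAIN }} --email "webmaster@{{ LOCAL_DOMAIN }}"
+- name: Restart nginx
 service: name=nginx state=started
+- name: Generate webroot Let's Encrypt TLS certificate for Mastodon instance
+shell: letsencrypt certonly -n --webroot -d {{ LOCAL_DOMAIN }} -w /home/mastodon/live/public/ --email "webmaster@{{ LOCAL_DOMAIN }}"
 - name: Copy and enable Let's Encrypt renew script
 copy:
 src: letsencrypt-renew.sh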
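Review bot: The webroot `certonly` task added after `Restart nginx` may not achieve what the commit intends: it is issued for the same domain immediately after the standalone step, and in `-n` mode the client can treat a freshly issued certificate as not yet due and take no action, in which case the lineage's file under `/etc/letsencrypt/renewal/` would keep `authenticator = standalone` and the renew script, which no longer stops nginx, would then fail on port 80. Verify on a fresh host that that file ends up with `authenticator = webroot` after the play, and record the two-step intent on the task, e.g. `# Re-issue via webroot so unattended renewals can run while nginx is up`. Both `certonly` tasks also re-run on every play, so a `creates:` guard (for the standalone step, the `fullchain.pem` under `/etc/letsencrypt/live/{{ LOCAL_DOMAIN }}/`) is worth adding. Neither invocation uses shell features, so `command:` instead of `shell:` avoids `LOCAL_DOMAIN` ever being interpreted as shell syntax; and the task is now named "certbot" while the package list in the first hunk still installs `letsencrypt`, which is fine if that is the distro's transitional package name but deserves a comment.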
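--- a/<PATH-NOT-SHOWN-3>
+++ b/<PATH-NOT-SHOWN-3>
@@ -8,6 +8,7 @@ server {
 listen [::]:80;
 server_name {{ LOCAL_DOMAIN }};
 # Useful for Let's Encrypt
+root /home/mastodon/live/public;
 location /.well-known/acme-challenge/ { allow all; }
 location / { return 301 https://$host$request_uri; }
 }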
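Review bot: The added `root` is set at server-block scope, so the plain-HTTP vhost now maps the whole application `public/` directory although only the ACME path needs it; today the `location /` redirect below shields the rest, but if that redirect is ever loosened, files under that directory become reachable over HTTP. Scoping it as `location /.well-known/acme-challenge/ { root /home/mastodon/live/public; allow all; }` keeps the challenge working and narrows the exposure. The path also has to stay in sync with the `-w` webroot passed to `letsencrypt certonly` in the playbook, and the directory must be writable by the client and readable by the nginx worker; a comment such as `# Must match the -w webroot used by the letsencrypt certonly/renew tasks` would tie the two together. The enclosing `server {` block starts outside the hunk.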