♻️ refactor: nginx acme

README.md

@@ -24,14 +24,14 @@ nginx_proxy: |
   }
 ```
 
-### TLS Certificates
+### TLS Certificates with ACME
 
-The default configuration provides simple, self-signed certificates if none exist.
-Please make sure to replace them with your own certificates.
-Simply overwrite the following files:
+This role uses the [nginx-acme-module](https://github.com/nginx/nginx-acme) to automatically manage TLS-certificates.
 
-- `/etc/nginx/tls/certificate.key;`
-- `/etc/nginx/tls/certificate.crt;`
+You can modify the url to the acme issuer in `nginx_acme_issuer_uri`.
+If you need to provide multiple server names, you can list them in `nginx_server_names`.
+
+⚠️ You should check it the specified `nginx_resolver` is suitable for you.
 
 ### Advanced Configuration
 

defaults/main.yml

@@ -8,6 +8,11 @@ configure_for_firewalld: false
 configure_for_ufw: false
 configure_for_selinux: false
 
+nginx_server_names: ["{{ inventory_hostname }}"]
+nginx_acme_issuer_uri: "https://acme-v02.api.letsencrypt.org/directory"
+# Specify a suitable DNS resolver
+nginx_resolver: 1.1.1.1
+
 nginx_proxy: |
   location / {
     proxy_set_header        Host $host;

tasks/install_debian.yml

@@ -0,0 +1,51 @@
+---
+- name: Ensure prerequisites
+  ansible.builtin.apt:
+    name:
+      - curl
+      - gnupg2
+      - ca-certificates
+      - lsb-release
+      - debian-archive-keyring
+
+- name: Create directory for keyrings used by apt
+  ansible.builtin.file:
+    path: /etc/apt/keyrings
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: Install the nginx package repository key
+  ansible.builtin.get_url:
+    url: https://nginx.org/keys/nginx_signing.key
+    dest: /etc/apt/keyrings/nginx.asc
+    force: false
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Add nginx repository
+  ansible.builtin.apt_repository:
+    # yamllint disable-line rule:line-length
+    repo: "deb [signed-by=/etc/apt/keyrings/nginx.asc] http://nginx.org/packages/mainline/debian {{ ansible_distribution_release }} nginx"
+    filename: nginx
+
+- name: Add nginx repository pinning
+  ansible.builtin.copy:
+    dest: /etc/apt/preferences.d/99nginx
+    content: |
+      Package: *
+      Pin: origin nginx.org
+      Pin: release o=nginx
+      Pin-Priority: 900
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Install nginx
+  ansible.builtin.apt:
+    name:
+      - nginx
+      - nginx-module-acme
+    update_cache: true

tasks/install_redhat.yml

@@ -0,0 +1,43 @@
+---
+
+- name: Ensure yum-utils are present
+  ansible.builtin.dnf:
+    name: yum-utils
+
+- name: Create nginx repository file
+  ansible.builtin.copy:
+    dest: /etc/yum.repos.d/nginx.repo
+    owner: root
+    group: root
+    mode: '0644'
+    content: |
+      [nginx-stable]
+      name=nginx stable repo
+      baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
+      gpgcheck=1
+      enabled=1
+      gpgkey=https://nginx.org/keys/nginx_signing.key
+      module_hotfixes=true
+
+      [nginx-mainline]
+      name=nginx mainline repo
+      baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
+      gpgcheck=1
+      enabled=1
+      gpgkey=https://nginx.org/keys/nginx_signing.key
+      module_hotfixes=true
+
+- name: Verify and import nginx GPG key
+  ansible.builtin.rpm_key:
+    key: https://nginx.org/keys/nginx_signing.key
+    fingerprint: 573B FD6B 3D8F BC64 1079 A6AB ABF5 BD82 7BD9 BF62
+
+- name: Enable nginx-mainline repo
+  community.general.dnf_config_manager:
+    name: nginx-mainline
+
+- name: Install nginx and its acme module
+  ansible.builtin.dnf:
+    name:
+      - nginx
+      - nginx-module-acme

tasks/main.yml

@@ -1,9 +1,7 @@
 ---
 
-- name: Install nginx
-  ansible.builtin.package:
-    name: nginx
-    state: present
+- name: Include OS-specific install tasks
+  ansible.builtin.include_tasks: "install_{{ ansible_os_family | lower }}.yml"
 
 - name: Create configuration directories
   ansible.builtin.file:
@@ -35,19 +33,6 @@
   loop: '{{ nginx_config }}'
   notify: Reload nginx
 
-- name: Install dummy TLS certificate
-  ansible.builtin.copy:
-    src: dummy-tls-{{ item }}.pem
-    dest: /etc/nginx/tls/certificate.{{ item }}
-    owner: root
-    group: root
-    mode: '0400'
-    force: false
-  notify: Reload nginx
-  loop:
-    - key
-    - crt
-
 - name: SELinux settings
   when: configure_for_selinux
   block:

templates/nginx.conf

@@ -7,6 +7,9 @@ user    www-data;
 user    nginx;
 {% endif %}
 
+# Load the ACME module for automatic certificate management
+load_module modules/ngx_http_acme_module.so;
+
 # Defines the number of worker processes.    Setting it to the number of
 # available CPU cores should be a good start. The value `auto` will try to
 # autodetect that.
@@ -33,6 +36,15 @@ events {
 }
 
 http {
+  # ACME configuration
+  acme_issuer letsencrypt {
+    uri         {{ nginx_acme_issuer_uri }};
+    state_path  /var/cache/nginx/acme-letsencrypt;
+    accept_terms_of_service;
+  }
+
+  resolver {{ nginx_resolver }} valid=300s;
+
   # Include mime types for different file extensions.
   include /etc/nginx/mime.types;
 
@@ -87,18 +99,20 @@ http {
 
     # Enforce encrypted connections for everything else
     location / {
-      return 301 https://{{ inventory_hostname }}$request_uri;
+      return 301 https://{{ nginx_server_names | first }}$request_uri;
     }
   }
 
   server {
     listen 443 ssl http2;
     listen [::]:443 ssl http2;
-    server_name _;
+    server_name {{ nginx_server_names | join(" ") }};
 
-    ssl_certificate_key /etc/nginx/tls/certificate.key;
-    ssl_certificate     /etc/nginx/tls/certificate.crt;
+    acme_certificate letsencrypt; 
 
+    ssl_certificate       $acme_certificate; 
+    ssl_certificate_key   $acme_certificate_key; 
+    ssl_certificate_cache max=2; 
     # Additional TLS related Nginx options
     include /etc/nginx/tls/tls.conf;