Рабочие роли вынесены на уровень вверх

ansible/roles/ssl-certificate/defaults/main.yml

@@ -0,0 +1,23 @@
+---
+# Required, allowed: self-signed, letsencrypt
+cert_type: 'self-signed'
+
+# Required, name for ssl-certificate configuration
+cert_name: ''
+
+# Required: domain owner email
+cert_email: ''
+
+# Required: domains for lets encrypt certificate creation
+cert_domains: []
+
+# Paths to store generated keys
+cert_directory: '/opt/ssl-certificates/{{ cert_name }}'
+cert_key: '{{ cert_directory }}/ssl.key'
+cert_request: '{{ cert_directory }}/ssl.csr'
+cert_certificate: '{{ cert_directory }}/ssl.crt'
+cert_dhparam: '{{ cert_directory }}/dhparam.pem'
+cert_dhparam_n: 2048
+
+# lets encrypt well-known challenge folder
+cert_le_webroot_path: /var/www/letsencrypt

ansible/roles/ssl-certificate/tasks/letsencrypt.yml

@@ -0,0 +1,32 @@
+---
+- name: Check required parameters.
+  fail:
+    msg: You must set up domain and email.
+  when: not cert_domains or not cert_email
+
+- name: Create letsencrypt web root directory.
+  file:
+    name: '{{ cert_le_webroot_path }}'
+    state: directory
+
+- name: Copy notes acme server config.
+  template:
+    src: vhost.conf.j2
+    dest: "/etc/nginx/sites-enabled/{{ cert_name }}_letsencrypt.conf"
+
+- name: Restart nginx.
+  service:
+    name: nginx
+    state: restarted
+
+- name: Configure Lest Encrypt certificate.
+  include_role:
+    name: thefinn93.ansible-letsencrypt
+    private: yes
+  vars:
+    letsencrypt_webroot_path: '{{ cert_le_webroot_path }}'
+    letsencrypt_email: '{{ cert_email }}'
+    letsencrypt_cert_domains: '{{ cert_domains }}'
+    letsencrypt_renewal_command_args: '--renew-hook "systemctl restart nginx"'
+    ssl_certificate: '{{ cert_certificate }}'
+    ssl_certificate_key: '{{ cert_key }}'

ansible/roles/ssl-certificate/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+- name: Ensure certificate storage exists.
+  file:
+    path: '{{ cert_directory }}'
+    state: directory
+
+- include: self-signed.yml
+  when: cert_type == 'self-signed'
+
+- include: letsencrypt.yml
+  when: cert_type == 'letsencrypt'
+
+- name: Generate dhparams.
+  shell: 'openssl dhparam -out {{ cert_dhparam }} {{ cert_dhparam_n }}'
+  args:
+    creates: '{{ cert_dhparam }}'
+
+- name: Set facts about generated files.
+  set_fact:
+    '{{ cert_name }}_ssl_key': '{{ cert_key }}'
+    '{{ cert_name }}_ssl_certificate': '{{ cert_certificate }}'
+    '{{ cert_name }}_ssl_dhparam': '{{ cert_dhparam }}'

ansible/roles/ssl-certificate/tasks/self-signed.yml

@@ -0,0 +1,33 @@
+---
+- name: Check certificate params.
+  fail:
+    msg: You must setup certificate file params.
+  when: not cert_certificate or not cert_key
+
+- name: Generate self signed ssl key.
+  shell: |
+    openssl genrsa \
+      -aes256 \
+      -passout pass:client11 \
+      -out {{ cert_directory }}/ssl.pass.key \
+      1024
+
+    openssl rsa \
+      -passin pass:client11 \
+      -in {{ cert_directory }}/ssl.pass.key \
+      -out {{ cert_key }}
+
+    openssl req \
+      -new \
+      -key {{ cert_key }} \
+      -out {{ cert_request }} \
+      -subj "/CN=localhost"
+
+    openssl x509 \
+      -req \
+      -days 365 \
+      -in {{ cert_request }} \
+      -signkey {{ cert_key }} \
+      -out {{ cert_certificate }}
+  args:
+    creates: '{{ cert_certificate }}'

ansible/roles/ssl-certificate/templates/vhost.conf.j2

@@ -0,0 +1,13 @@
+server {
+    listen 80;
+    server_name {{ cert_domains|join(' ') }};
+
+    location /.well-known {
+        root {{ cert_le_webroot_path }};
+        try_files $uri $uri/ =404;
+    }
+
+    location / {
+        rewrite ^ https://$host$request_uri? permanent;
+    }
+}