♻️ refactor: Refactored the Ansible role to use the new nginx acme-module for automatic certificate management, and updated the Nginx configuration template to support Let's Encrypt.

Author: tibroc

README.md

@@ -24,14 +24,14 @@ nginx_proxy: |
   }
 ```
 
-### TLS Certificates
+### TLS Certificates with ACME
 
-The default configuration provides simple, self-signed certificates if none exist.
-Please make sure to replace them with your own certificates.
-Simply overwrite the following files:
+This role uses the [nginx-acme-module](https://github.com/nginx/nginx-acme) to automatically manage TLS-certificates.
 
-- `/etc/nginx/tls/certificate.key;`
-- `/etc/nginx/tls/certificate.crt;`
+You can modify the url to the acme issuer in `nginx_acme_issuer_uri`.
+If you need to provide multiple server names, you can list them in `nginx_server_names`.
+
+⚠️ You should check it the specified `nginx_resolver` is suitable for you.
 
 ### Advanced Configuration
 

defaults/main.yml

@@ -8,6 +8,11 @@ configure_for_firewalld: false
 configure_for_ufw: false
 configure_for_selinux: false
 
+nginx_server_names: ["{{ inventory_hostname }}"]
+nginx_acme_issuer_uri: "https://acme-v02.api.letsencrypt.org/directory"
+# Specify a suitable DNS resolver
+nginx_resolver: 1.1.1.1
+
 nginx_proxy: |
   location / {
     proxy_set_header        Host $host;

files/dummy-tls-crt.pem

@@ -1,9 +1,7 @@
 ---
 
-- name: Install nginx
-  ansible.builtin.package:
-    name: nginx
-    state: present
+- name: Include OS-specific install tasks
+  ansible.builtin.include_tasks: "install_{{ ansible_os_family | lower }}.yml"
 
 - name: Create configuration directories
   ansible.builtin.file:
@@ -35,19 +33,6 @@
   loop: '{{ nginx_config }}'
   notify: Reload nginx
 
-- name: Install dummy TLS certificate
-  ansible.builtin.copy:
-    src: dummy-tls-{{ item }}.pem
-    dest: /etc/nginx/tls/certificate.{{ item }}
-    owner: root
-    group: root
-    mode: '0400'
-    force: false
-  notify: Reload nginx
-  loop:
-    - key
-    - crt
-
 - name: SELinux settings
   when: configure_for_selinux
   block:

files/dummy-tls-key.pem

@@ -7,6 +7,9 @@ user    www-data;
 user    nginx;
 {% endif %}
 
+# Load the ACME module for automatic certificate management
+load_module modules/ngx_http_acme_module.so;
+
 # Defines the number of worker processes.    Setting it to the number of
 # available CPU cores should be a good start. The value `auto` will try to
 # autodetect that.
@@ -33,6 +36,15 @@ events {
 }
 
 http {
+  # ACME configuration
+  acme_issuer letsencrypt {
+    uri         {{ nginx_acme_issuer_uri }};
+    state_path  /var/cache/nginx/acme-letsencrypt;
+    accept_terms_of_service;
+  }
+
+  resolver {{ nginx_resolver }} valid=300s;
+
   # Include mime types for different file extensions.
   include /etc/nginx/mime.types;
 
@@ -87,18 +99,20 @@ http {
 
     # Enforce encrypted connections for everything else
     location / {
-      return 301 https://{{ inventory_hostname }}$request_uri;
+      return 301 https://{{ nginx_server_names | first }}$request_uri;
     }
   }
 
   server {
     listen 443 ssl http2;
     listen [::]:443 ssl http2;
-    server_name _;
+    server_name {{ nginx_server_names | join(" ") }};
 
-    ssl_certificate_key /etc/nginx/tls/certificate.key;
-    ssl_certificate     /etc/nginx/tls/certificate.crt;
+    acme_certificate letsencrypt; 
 
+    ssl_certificate       $acme_certificate; 
+    ssl_certificate_key   $acme_certificate_key; 
+    ssl_certificate_cache max=2; 
     # Additional TLS related Nginx options
     include /etc/nginx/tls/tls.conf;