almalinux.org/ansible/roles/website/tasks/nginx.yml

---
- name: Deploy temporary SSL cert build script
  copy: src='tempcrt.sh' dest='/opt/tempcrt.sh' mode='0750' owner=root group=root
  become: yes

- name: Create temporary SSL cert if none exists
  stat:
    path: /etc/ssl/selfsigned.key
  register: selfsigned_key
  changed_when: not selfsigned_key.stat.exists
  become: yes
  notify: [ 'Generate temporary SSL' ]

- meta: flush_handlers

- name: Install certbot
  pip: name='certbot' executable='/usr/local/bin/pip3'
  become: yes

- name: Configure NGINX upstream repository
  copy: src='nginx.repo' dest='/etc/yum.repos.d/nginx.repo' mode='0644' owner=root group=root
  become: yes

- name: Install NGINX
  package: name='nginx' state=latest
  notify: [ 'Restart NGINX' ]
  become: yes

- name: Install OpenSSL
  package: name='openssl' state=latest
  become: yes

- name: Configure NGINX
  copy: src='nginx.conf' dest='/etc/nginx/nginx.conf' mode='0644' owner='root' group='root'
  notify: [ 'Reload NGINX' ]
  become: yes

- name: Deploy dhparam.pem
  copy: src='dhparam.pem' dest='/etc/nginx/dhparam.pem' mode='0644' owner=root group=root
  notify: [ 'Reload NGINX' ]
  become: yes

- name: Create common site directory
  file: path='/var/www/_default' state=directory mode='0755' owner=root group=root
  become: yes

- name: Deploy security.txt
  copy: src='security.txt' dest='/var/www/_default/security.txt' mode='0644' owner=root group=root
  become: yes

- name: Create letsencrypt known root
  file: path='/var/www/_letsencrypt' state=directory mode='0755' owner='nginx' group='nginx'
  become: yes

- name: Create letsencrypt update hook directory
  file: path='/etc/letsencrypt/renewal-hooks/post/' state=directory mode='0755' owner='root' group='root'
  become: yes

- name: Deploy LetsEncrypt NGINX post-update hook
  copy: src='le-nginx-reload.sh' dest='/etc/letsencrypt/renewal-hooks/post/nginx-reload.sh' mode='0755' owner=root group=root
  become: yes

- name: Enable and start NGINX service
  service: name='nginx' state=started enabled=yes
  become: yes

- name: Create certbot update CRON job
  cron:
    name: 'certbot auto update'
    minute: '0'
    hour: '8'
    user: 'root'
    job: '/usr/local/bin/certbot renew --webroot --email info@almalinux.org -w /var/www/_letsencrypt -n --agree-tos 2>&1 | /usr/bin/logger -t certbot'
    cron_file: 'certbot-auto_update'
  become: yes

- name: Set httpd_can_network_connect flag on and keep it persistent across reboots
  seboolean:
    name: httpd_can_network_connect
    state: yes
    persistent: yes
  become: yes
Deployment 4 years ago			`---`
			`- name: Deploy temporary SSL cert build script`
			`copy: src='tempcrt.sh' dest='/opt/tempcrt.sh' mode='0750' owner=root group=root`
			`become: yes`

			`- name: Create temporary SSL cert if none exists`
			`stat:`
			`path: /etc/ssl/selfsigned.key`
			`register: selfsigned_key`
			`changed_when: not selfsigned_key.stat.exists`
			`become: yes`
			`notify: [ 'Generate temporary SSL' ]`

			`- meta: flush_handlers`

			`- name: Install certbot`
Fix pip3, update READMEs 4 years ago			`pip: name='certbot' executable='/usr/local/bin/pip3'`
Deployment 4 years ago			`become: yes`

			`- name: Configure NGINX upstream repository`
			`copy: src='nginx.repo' dest='/etc/yum.repos.d/nginx.repo' mode='0644' owner=root group=root`
			`become: yes`

			`- name: Install NGINX`
			`package: name='nginx' state=latest`
			`notify: [ 'Restart NGINX' ]`
			`become: yes`

			`- name: Install OpenSSL`
			`package: name='openssl' state=latest`
			`become: yes`

			`- name: Configure NGINX`
			`copy: src='nginx.conf' dest='/etc/nginx/nginx.conf' mode='0644' owner='root' group='root'`
			`notify: [ 'Reload NGINX' ]`
			`become: yes`

			`- name: Deploy dhparam.pem`
			`copy: src='dhparam.pem' dest='/etc/nginx/dhparam.pem' mode='0644' owner=root group=root`
			`notify: [ 'Reload NGINX' ]`
			`become: yes`

			`- name: Create common site directory`
			`file: path='/var/www/_default' state=directory mode='0755' owner=root group=root`
			`become: yes`

			`- name: Deploy security.txt`
			`copy: src='security.txt' dest='/var/www/_default/security.txt' mode='0644' owner=root group=root`
			`become: yes`

			`- name: Create letsencrypt known root`
			`file: path='/var/www/_letsencrypt' state=directory mode='0755' owner='nginx' group='nginx'`
			`become: yes`

			`- name: Create letsencrypt update hook directory`
			`file: path='/etc/letsencrypt/renewal-hooks/post/' state=directory mode='0755' owner='root' group='root'`
			`become: yes`

			`- name: Deploy LetsEncrypt NGINX post-update hook`
			`copy: src='le-nginx-reload.sh' dest='/etc/letsencrypt/renewal-hooks/post/nginx-reload.sh' mode='0755' owner=root group=root`
			`become: yes`

			`- name: Enable and start NGINX service`
			`service: name='nginx' state=started enabled=yes`
			`become: yes`

			`- name: Create certbot update CRON job`
			`cron:`
			`name: 'certbot auto update'`
			`minute: '0'`
			`hour: '8'`
			`user: 'root'`
			`job: '/usr/local/bin/certbot renew --webroot --email info@almalinux.org -w /var/www/_letsencrypt -n --agree-tos 2>&1 \| /usr/bin/logger -t certbot'`
			`cron_file: 'certbot-auto_update'`
			`become: yes`

			`- name: Set httpd_can_network_connect flag on and keep it persistent across reboots`
			`seboolean:`
			`name: httpd_can_network_connect`
			`state: yes`
			`persistent: yes`
			`become: yes`