Simplify usage of acmetool with nginx

acmetool/defaults/main.yml

@@ -6,4 +6,4 @@ acmetool_key_type: rsa
 acmetool_rsa_key_size: 4096
 
 acmetool_mail: "{{ adminaddr }}"
-acmetool_enable_proxy: true
+acmetool_services: ["nginx-proxy"]

acmetool/tasks/main.yml

@@ -29,7 +29,7 @@
 - name: initially configure acmetool
   # yamllint disable-line rule:line-length
   command: acmetool quickstart --expert --batch --response-file /var/lib/acme/quickstart-reponses.yml
-  when: not acmetool_status.stdout|search(acmetool_endpoint)
+  when: not acmetool_status.stdout is search(acmetool_endpoint)
   tags:
     - acmetool
     - config
@@ -54,7 +54,6 @@
     mode: '0755'
   notify:
     - reload systemd service files
-  when: acmetool_enable_proxy
   tags:
     - acmetool
     - services
@@ -68,7 +67,6 @@
     mode: '0644'
   notify:
     - reload systemd service files
-  when: acmetool_enable_proxy
   tags:
     - acmetool
     - services

acmetool/templates/reload-config.j2

-{% if acmetool_enable_proxy %}
-SERVICES="nginx-proxy"
-{% else %}
-SERVICES="nginx"
-{% endif %}
+SERVICES="{{acmetool_services|join(" ")}}"

webserver/templates/sites/hostnamerewrite.conf

@@ -3,11 +3,9 @@ server {
     listen 443 ssl;
     server_name {{server.forward_hostnames.hostnames|default(server.forward_hostnames)|join(" ")}};
 
-    ssl_certificate {{server.certificate}};
-    ssl_trusted_certificate {{server.certificate}};
-    ssl_certificate_key {{server.private_key}};
+    {% include "ssl-certificate" %}
 
-{% if server.include_acme is defined and server.include_acme %}
+{% if server.include_acme|default(true) %}
     include /etc/nginx/snippets/acmetool.conf;
 
     location / {

webserver/templates/sites/iprewrite.conf

@@ -3,9 +3,7 @@ server {
     listen 443 ssl;
     server_name {{ansible_all_ipv4_addresses|join(" ")}};
 
-    ssl_certificate {{server.certificate}};
-    ssl_trusted_certificate {{server.certificate}};
-    ssl_certificate_key {{server.private_key}};
+    {% include "ssl-certificate" %}
 
     return 301 https://{{server.server_name}}$request_uri;
 }

webserver/templates/sites/mediawiki.conf

@@ -13,7 +13,7 @@ server {
     index {{server.indices|join(" ")}};
     {% endif %}
 
-    {% if server.include_acme is defined and server.include_acme %}
+    {% if server.include_acme|default(true) %}
     include /etc/nginx/snippets/acmetool.conf;
 
     {% endif -%}

webserver/templates/sites/tlsproxy.conf

@@ -2,7 +2,7 @@ server {
     listen {% if server.no_ssl is undefined or not server.no_ssl %}443 ssl{% else %}80{% endif %};
     server_name {{server.server_names|default([server.server_name])|join(" ")}};
 
-    {% if server.include_acme is defined and server.include_acme %}
+    {% if server.include_acme|default(true) %}
     include /etc/nginx/snippets/acmetool.conf;
 
     {% endif -%}
@@ -11,9 +11,7 @@ server {
     {% endif %}
     {% if server.no_ssl is undefined or not server.no_ssl %}
 
-    ssl_certificate {{server.certificate}};
-    ssl_trusted_certificate {{server.certificate}};
-    ssl_certificate_key {{server.private_key}};
+    {% include "ssl-certificate" %}
     {% endif %}
     {% if server.cipher_strength is defined -%}
     ssl_ciphers '{{ciphers[server.cipher_strength]}}';

webserver/templates/sites/webapp.conf

@@ -17,7 +17,7 @@ server {
     {% endfor %}
     {% endif %}
 
-    {% if server.include_acme is defined and server.include_acme %}
+    {% if server.include_acme|default(true) %}
     include /etc/nginx/snippets/acmetool.conf;
 
     {% endif -%}

webserver/templates/ssl-certificate

+    ssl_certificate {{server.certificate|default("/var/lib/acme/live/" + server.server_name + "/fullchain")}};
+    ssl_trusted_certificate {{server.certificate|default("/var/lib/acme/live/" + server.server_name + "/fullchain")}};
+    ssl_certificate_key {{server.private_key|default("/var/lib/acme/live/" + server.server_name + "/privkey")}};