initial cleanup server-manager

roles/native-letsencrypt/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+- native-certbot-nginx

roles/native-letsencrypt/tasks/main.yml

@@ -0,0 +1,6 @@
+- name: create nginx letsencrypt config file
+  template: src=letsencrypt.conf.j2 dest=/etc/nginx/conf.d/letsencrypt.conf
+  notify: restart nginx
+
+- name: flush nginx service
+  meta: flush_handlers

roles/native-letsencrypt/templates/letsencrypt.conf.j2

@@ -0,0 +1,16 @@
+server
+{
+  listen 80;
+  listen [::]:80;
+  location /
+  {
+    return 301 https://$host$request_uri;
+  }
+  #letsencrypt
+  location ^~ /.well-known/acme-challenge/ {
+    allow all;
+    root /var/lib/letsencrypt/;
+    default_type "text/plain";
+    try_files $uri =404;
+  }
+}

roles/native-letsencrypt/templates/ssl_header.j2

@@ -0,0 +1,12 @@
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+ssl_prefer_server_ciphers on;
+add_header Strict-Transport-Security max-age=15768000;
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
+ssl_trusted_certificate /etc/letsencrypt/live/{{domain}}/chain.pem;