From bbc6f107c27c7f4cb081fb7627d4b8984f7f9956 Mon Sep 17 00:00:00 2001
From: Jean-Marie Mineau
Date: Tue, 13 Oct 2020 09:39:01 +0200
Subject: [PATCH] fix an nginx bug and finish the config for certbot
---
 roles/reverse_proxy/tasks/main.yml | 30 ++++++++++++-------
 .../nginx/sites-available/reverse_proxy | 2 ++
 .../nginx/snippets/connection_upgrade.conf | 7 +++++
 3 files changed, 29 insertions(+), 10 deletions(-)
 create mode 100644 roles/reverse_proxy/templates/nginx/snippets/connection_upgrade.conf
diff --git a/roles/reverse_proxy/tasks/main.yml b/roles/reverse_proxy/tasks/main.yml
index ddf1423..f54676e 100644
--- a/roles/reverse_proxy/tasks/main.yml
+++ b/roles/reverse_proxy/tasks/main.yml
@@ -30,6 +30,7 @@
 dest: "/etc/nginx/snippets/{{ item }}"
 loop:
 - options-proxypass.conf
+ - connection_upgrade.conf # fix some nginx bug
 - name: Copy reverse proxy sites
 template:
@@ -45,16 +46,25 @@
 force: yes
 loop: "{{ reverse_proxy_sites }}"
-- name: Stop nginx to let the certbot do its job
- systemd:
- name: nginx
- state: stoped
-
 - name: Generate Certificate for Domains
- shell: certbot certonly --standalone -d {{ item.from }} -m {{ vault_email }} --noninteractive --redirect
+ shell: certbot certonly --standalone -d {{ item.from }} -m {{ vault_email }} --noninteractive --redirect --pre-hook "sudo systemctl stop nginx" --post-hook "sudo systemctl start nginx"
+ args:
+ creates: "/etc/letsencrypt/live/{{ item.from }}/cert.pem"
 loop: "{{ reverse_proxy_sites }}"
-- name: Start nginx
- systemd:
- name: nginx
- state: started
+- name: Copy certificates
+ file:
+ src: "/etc/letsencrypt/live/{{ item.from }}/cert.pem"
+ dest: "/etc/nginx/certs/{{ item.from }}.crt"
+ state: link
+ force: yes
+ loop: "{{ reverse_proxy_sites }}"
+
+- name: Copy certificate keys
+ file:
+ src: "/etc/letsencrypt/live/{{ item.from }}/privkey.pem"
+ dest: "/etc/nginx/certs/{{ item.from }}.key"
+ state: link
+ force: yes
+ loop: "{{ reverse_proxy_sites }}"
+ notify: Reload nginx
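Review bot: The inline comment on the new loop item, `# fix some nginx bug`, does not say what the snippet fixes, and the file it names (added in this same commit) shows what it is: a `map` that derives `$connection_upgrade` from the request's Upgrade header. Suggest `- connection_upgrade.conf  # defines $connection_upgrade (Upgrade -> Connection header mapping)`; the consumer of that variable is presumably options-proxypass.conf, which is not visible in this diff, so confirm before naming it. The enclosing task starts before this hunk.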
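Review bot: The rewritten `shell:` line interpolates `{{ item.from }}` and `{{ vault_email }}` unquoted into a root-level shell command, so a shell metacharacter in a `reverse_proxy_sites` entry or in the vault variable is executed rather than handed to certbot; nothing on the line needs a shell, so switch to the `command` module (the `creates:` arg works there too) and quote the values: `command: certbot certonly --standalone -d {{ item.from | quote }} -m {{ vault_email | quote }} --noninteractive --redirect --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"`. The `sudo` inside the hooks looks redundant, since certbot already has to run as root to bind port 80 and write /etc/letsencrypt, and because certbot records `--pre-hook`/`--post-hook` in the renewal config the stop/start will also happen on every scheduled renewal — confirm that downtime is acceptable, or use the webroot plugin instead of `--standalone`. In the new `Copy certificates` task, `src` points at `cert.pem`, which is the leaf certificate only; if `/etc/nginx/certs/{{ item.from }}.crt` is what `ssl_certificate` reads (the site template is not in this diff), nginx will serve no intermediate and clients that do not fetch it themselves will fail chain validation, so `src: "/etc/letsencrypt/live/{{ item.from }}/fullchain.pem"` is the usual value. That task also lacks the `notify: Reload nginx` that the key task carries, and both use `force: yes` where `true` is the canonical boolean.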
diff --git a/roles/reverse_proxy/templates/nginx/sites-available/reverse_proxy b/roles/reverse_proxy/templates/nginx/sites-available/reverse_proxy
index 61f68cd..a1e5faa 100644
--- a/roles/reverse_proxy/templates/nginx/sites-available/reverse_proxy
+++ b/roles/reverse_proxy/templates/nginx/sites-available/reverse_proxy
@@ -1,5 +1,7 @@
 {{ ansible_managed | comment }}
+include "/etc/nginx/snippets/connection_upgrade.conf";
+
 server {
 listen 80;
 listen [::]:80;
diff --git a/roles/reverse_proxy/templates/nginx/snippets/connection_upgrade.conf b/roles/reverse_proxy/templates/nginx/snippets/connection_upgrade.conf
new file mode 100644
index 0000000..27ac1b8
--- /dev/null
+++ b/roles/reverse_proxy/templates/nginx/snippets/connection_upgrade.conf
@@ -0,0 +1,7 @@
+{{ ansible_managed | comment }}
+
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
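Review bot: The new `include` pulls a `map` block into a per-site template; that is only valid because sites-enabled is itself read from the `http` context, and it will break as soon as a second site file carries the same line, since nginx rejects a variable defined by two `map` blocks (a duplicate-variable startup error, from memory — confirm against the nginx version in use). Including the snippet once from `nginx.conf` or a `/etc/nginx/conf.d/` file instead keeps the variable global and the site templates free of ordering constraints; failing that, a comment above the line such as `# http-context map: include exactly once across all site files` warns the next person. The server block that follows continues outside the hunk.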
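Review bot: The closing brace of the `map` block is indented to the level of its entries (`+ }`), which makes it read as a third entry rather than the end of the block; put it at column 0 to match the opening line and drop the trailing blank line so the file ends with `}` and a single newline. A short comment above the block would spare the reader a trip to the nginx docs: `# Value (presumably used as the Connection header for proxied requests): "upgrade" when the client sent an Upgrade header, "close" when it did not`.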