fix an nginx bug and finish the config for certbot

roles/reverse_proxy/tasks/main.yml

@@ -30,6 +30,7 @@
     dest: "/etc/nginx/snippets/{{ item }}"
   loop:
     - options-proxypass.conf
+    - connection_upgrade.conf # fix some nginx bug
 
 - name: Copy reverse proxy sites
   template:
@@ -45,16 +46,25 @@
     force: yes
   loop: "{{ reverse_proxy_sites }}"
 
-- name: Stop nginx to let the certbot do its job
-  systemd:
-    name: nginx
-    state: stoped
-
 - name: Generate Certificate for Domains
-  shell: certbot certonly --standalone -d {{ item.from }} -m {{ vault_email }}  --noninteractive --redirect
+  shell: certbot certonly --standalone -d {{ item.from }} -m {{ vault_email }}  --noninteractive --redirect --pre-hook "sudo systemctl stop nginx" --post-hook "sudo systemctl start nginx"
+  args:
+    creates: "/etc/letsencrypt/live/{{ item.from }}/cert.pem"
   loop: "{{ reverse_proxy_sites }}"
 
-- name: Start nginx
+- name: Copy certificates
-  systemd:
+  file:
-    name: nginx
+    src: "/etc/letsencrypt/live/{{ item.from }}/cert.pem"
-    state: started
+    dest: "/etc/nginx/certs/{{ item.from }}.crt"
+    state: link
+    force: yes
+  loop: "{{ reverse_proxy_sites }}"
+
+- name: Copy certificate keys
+  file:
+    src: "/etc/letsencrypt/live/{{ item.from }}/privkey.pem"
+    dest: "/etc/nginx/certs/{{ item.from }}.key"
+    state: link
+    force: yes
+  loop: "{{ reverse_proxy_sites }}"
+  notify: Reload nginx

roles/reverse_proxy/templates/nginx/sites-available/reverse_proxy

@@ -1,5 +1,7 @@
 {{ ansible_managed | comment }}
 
+include "/etc/nginx/snippets/connection_upgrade.conf";
+
 server {
 	listen 80;
 	listen [::]:80;

roles/reverse_proxy/templates/nginx/snippets/connection_upgrade.conf

@@ -0,0 +1,7 @@
+{{ ansible_managed | comment }}
+
+map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+    }
+