From 06d5fb15da114bd9e0037ddd7b5bf40dcca3399c Mon Sep 17 00:00:00 2001
From: Lenoctambule <106790775+lenoctambule@users.noreply.github.com>
Date: Tue, 10 Mar 2026 21:54:35 +0100
Subject: [PATCH] feat(setup-reverse-proxy.yml): certificate install tasks for local and prod
---
 playbooks/setup-reverse-proxy.yml | 36 ++++++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/playbooks/setup-reverse-proxy.yml b/playbooks/setup-reverse-proxy.yml
index 21fe53b..a442f53 100644
--- a/playbooks/setup-reverse-proxy.yml
+++ b/playbooks/setup-reverse-proxy.yml
@@ -1,6 +1,11 @@
 - name: Setting up reverse proxy and load balancer
 hosts: hosts
 become: true
+ vars:
+ is_local: true
+ passphrase: changeme
+ cert_domain: "example.com"
+ cert_email: "admin@example.com"
 tasks:
 - name: Install Certbot and Nginx
 
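Review bot: `passphrase: changeme` in the new `vars:` block is a plaintext private-key passphrase committed with the playbook, and because it is a play-level var it is also what a prod run uses unless every host overrides it. Keep the secret out of the file, e.g. `passphrase: "{{ lookup('env', 'NGINX_KEY_PASSPHRASE') }}"` or an ansible-vault encrypted variable, and default `is_local: false` so that the self-signed branch only runs when an inventory or extra-var opts in. The play's task list continues outside this hunk.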
@@ -22,4 +27,33 @@
 ansible.builtin.pip:
 name:
 - certbot
- - certbox-nginx
\ No newline at end of file
+ - certbox-nginx
+ when: not ansible_check_mode
+
+ # - name: Manage SSL certificate with community module
+ - name: Obtain or renew SSL certificate for {{ cert_domain }}
+ ansible.builtin.shell: |
+ certbot --nginx -d {{ cert_domain }} --non-interactive --agree-tos --email {{ cert_email }}
+ args:
+ executable: /bin/bash
+ creates: /etc/letsencrypt/live/{{ cert_domain }}/fullchain.pem
+ register: certbot_result
+ changed_when: "'Obtained a new certificate' in certbot_result.stdout or 'renewed' in certbot_result.stdout"
+ failed_when: false # Set to true if you want the playbook to fail immediately on error
+ ignore_errors: true # Optional: Allows the playbook to continue if certbot isn't installed yet
+ when: cert_domain is defined
+
+ - name: Installing self-signed certificate
+ when: is_local
+ block:
+ - name: Create private key (X25519) with password protection
+ community.crypto.openssl_privatekey:
+ path: /etc/ssl/private/nginx-selfsigned.key
+ type: X25519
+ passphrase: { passphrase }
+
+ - name: Create self-signed certificate
+ community.crypto.x509_certificate:
+ path: /etc/ssl/certs/nginx-selfsigned.crt
+ privatekey_path: /etc/ssl/private/nginx-selfsigned.key
+ provider: selfsigned
\ No newline at end of file
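Review bot: `passphrase: { passphrase }` in the openssl_privatekey task is a YAML flow mapping (`{passphrase: null}`), not the play variable, so the key is never protected with the configured passphrase; write `passphrase: "{{ passphrase }}"` and put `no_log: true` on the task so the value does not end up in the run log. `type: X25519` is a key-agreement key type that cannot sign, so the following selfsigned x509_certificate step will presumably fail on it — a signing type such as `type: ECC` with `curve: secp256r1` is what nginx and browsers accept, and with the default cryptography backend a passphrase also needs `cipher: auto`. The new side still installs `certbox-nginx`; the plugin is `certbot-nginx`, and a mistyped pip name either fails the install or pulls whatever package owns that name, which `failed_when: false` plus `ignore_errors: true` on the certbot task then hide instead of reporting. The `creates:` guard also means the task never renews an existing certificate despite its name, so either leave renewal to certbot's own timer and rename the task, or drop the guard and rely on `changed_when`.
```yaml
# … unchanged: certbot task …
    - name: Create private key with password protection
      community.crypto.openssl_privatekey:
        path: /etc/ssl/private/nginx-selfsigned.key
        type: ECC  # X25519 is key-agreement only and cannot sign a certificate
        curve: secp256r1
        cipher: auto
        passphrase: "{{ passphrase }}"
      no_log: true
# … unchanged: self-signed certificate task …
```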