feat(setup-reverse-proxy.yml): certificate install tasks for local and prod

playbooks/setup-reverse-proxy.yml

@@ -1,6 +1,11 @@
 - name: Setting up reverse proxy and load balancer
   hosts: hosts
   become: true
+  vars:
+    is_local: true
+    passphrase: changeme
+    cert_domain: "example.com"
+    cert_email: "admin@example.com"
 
   tasks:
   - name: Install Certbot and Nginx
@@ -22,4 +27,33 @@
         ansible.builtin.pip:
           name:
             - certbot
-            - certbox-nginx
+            - certbox-nginx
+        when: not ansible_check_mode
+
+  # - name: Manage SSL certificate with community module
+  - name: Obtain or renew SSL certificate for {{ cert_domain }}
+    ansible.builtin.shell: |
+      certbot --nginx -d {{ cert_domain }} --non-interactive --agree-tos --email {{ cert_email }}
+    args:
+      executable: /bin/bash
+      creates: /etc/letsencrypt/live/{{ cert_domain }}/fullchain.pem
+    register: certbot_result
+    changed_when: "'Obtained a new certificate' in certbot_result.stdout or 'renewed' in certbot_result.stdout"
+    failed_when: false  # Set to true if you want the playbook to fail immediately on error
+    ignore_errors: true # Optional: Allows the playbook to continue if certbot isn't installed yet
+    when: cert_domain is defined
+
+  - name: Installing self-signed certificate
+    when: is_local
+    block:
+      - name: Create private key (X25519) with password protection
+        community.crypto.openssl_privatekey:
+          path: /etc/ssl/private/nginx-selfsigned.key
+          type: X25519
+          passphrase: { passphrase }
+
+      - name: Create self-signed certificate
+        community.crypto.x509_certificate:
+          path: /etc/ssl/certs/nginx-selfsigned.crt
+          privatekey_path: /etc/ssl/private/nginx-selfsigned.key
+          provider: selfsigned