WIP roles for easy selfhosting based on ansible
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
southerntofu be3a0c1212 Better TLS handling 2 weeks ago
tasks Better TLS handling 2 weeks ago
README.md Move joinjabber recipes to dedicated submodule 6 months ago



This service role will request a TLS certificate from Letsencrypt for a given domain, with aliases support.


This role will request a single TLS certificate. It takes the following arguments:

  • (required) tls_host: the primary hostname for the certificate, which will be used as identifier
  • tls_aliases: an optional list of aliases that should be contained in the certificate


  • if you add an alias after the domain has been generated, a new certificate will not be regenerated; however, the alias will be included in the new certificate upon renewal
  • currently contact information is not setup automatically, so the task run may request your input at runtime


  • TODO contact: override default server contact information
  • TODO rsa_key_size: RSA key length (default: 4096) No settings yet.


In order to interface with other roles/services, this role follows a certain number of conventions:

  • /etc/letsencrypt/live/HOST/ will contain the private/public key for HOST
  • /etc/letsencrypt/renewal-hooks/post/ contains the scripts that should be executed upon renewing a certificate, as populated by other roles


  • Support adding aliases after the fact
  • Support multiple vhosts
  • Support other ACME providers (not just letsencrypt)