Implemented working version of drone w/nginx https

ansible/roles/http/defaults/main.yml

@@ -4,6 +4,5 @@ ci_server_name: ci.bdebyl.net
 
 deps: [
   certbot,
-  certbot-nginx,
   nginx
 ]

ansible/roles/http/files/nginx/nginx.conf

@@ -32,5 +32,5 @@ http {
 
   limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
 
-  include etc/nginx/sites-enabled/*.conf;
+  include /etc/nginx/sites-enabled/*.conf;
 }

ansible/roles/http/tasks/cron.yml

@@ -1,10 +1,9 @@
 ---
-- cron: renew certbot ssl certificate weekly
+- name: renew certbot ssl certificates weekly
+  become: true
   cron:
-    name: ci_bdebyl_net_renewal
+    name: certbot_renew
     special_time: weekly
     job: |
-      certbot --renew certonly --webroot --webroot-path=/srv/http \
-      -m {{ ci_server_email }} --agree-tos \
-      -d {{ ci_server_name }}
-  tags: never
+      certbot renew --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
+  tags: cron

ansible/roles/http/tasks/main.yml

@@ -2,3 +2,4 @@
 - import_tasks: deps.yml
 - import_tasks: http.yml
 - import_tasks: ssl.yml
+- import_tasks: cron.yml

ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2

@@ -1,35 +1,39 @@
+upstream drone {
+  server 127.0.0.1:8080;
+}
+
 server {
-	listen 443 ssl http2;
-	listen [::]:443 ssl http2;
-	server_name {{ ci_server_name }};
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  server_name {{ ci_server_name }};
 
   add_header              Strict-Transport-Security max-age=6307200;
 
-	ssl_certificate         /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
-	ssl_certificate_key     /etc/letsencrypt/live/{{ ci_server_name }}/privkey.pem;
-	ssl_trusted_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
+  ssl_certificate         /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
+  ssl_certificate_key     /etc/letsencrypt/live/{{ ci_server_name }}/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
   ssl_dhparam             /etc/ssl/certs/dhparam.pem;
 
-	ssl_session_cache shared:SSL:10m;
-	ssl_session_timeout 1d;
+  ssl_session_cache shared:SSL:10m;
+  ssl_session_timeout 1d;
   ssl_session_tickets off;
-	ssl_stapling on;
-	ssl_stapling_verify on;
+  ssl_stapling on;
+  ssl_stapling_verify on;
 
-	ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_protocols TLSv1.2 TLSv1.3;
   ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-	ssl_prefer_server_ciphers off;
+  ssl_prefer_server_ciphers off;
 
-	location / {
-		proxy_set_header X-Forwarded-For $remote_addr;
+  location / {
+    proxy_set_header X-Forwarded-For $remote_addr;
     proxy_set_header X-Forwarded-Proto $scheme;
-    proxy_set_header Host $http_post;
+    proxy_set_header Host $http_host;
 
-    proxy_pass http://127.0.0.1:4242;
+    proxy_pass http://drone;
     proxy_redirect off;
     proxy_http_version 1.1;
     proxy_buffering off;
 
     chunked_transfer_encoding off;
-	}
+  }
 }