My ansible playbook includes several roles, for example `dovecot`, `postfix`, `postgres` and `rspamd`. All of them require SSL certificates, which are generated by the `certbot` (lets encrypt) role. For this reason and for easier handling all roles follow the same data structure to define SSL certificates with different requirements:

```yaml
certbot_domains: []

dovecot_domains:
  - name: imap1.example.com
    subject_alternative_names: []
  - name: imap1.department-a.example.com
    subject_alternative_names: []
  - name: pop3.example.com
    subject_alternative_names: []
  - name: pop3.department-a.example.com
    subject_alternative_names: []

postfix_domains:
  - name: smtp1.example.com
    subject_alternative_names:
      - smtp1.department-a.example.com

postgres_domains:
  - name: postgres.example.com
    subject_alternative_names: []

rspamd_domains:
  - name: rspamd.example.com
    subject_alternative_names:
      - rspamd.department-a.example.com
```

However, I want to avoid including the role `certbot`, which automatically creates the certificate, in the roles `dovecot`, `postfix`, `postgres` and `rspamd`, because each time `nginx`, a `vhosts.conf` file for each domain and some snippets providing the path `/.well-known/acme-challenge` as an alias would be installed.

To avoid installing `nginx`, configuring the snippets and so on each time, these tasks should only run once. The variable `certbot_domains` shall be extended by `dovecot_domains`, `postfix_domains`, `postgres_domains` and `rspamd_domains`, and the installation of nginx and their vhosts should be the last task. Perhaps the following graphic can describe the problem more precisely.

If there is already something from ansible, I would be very grateful for a small snippet that makes the solution more understandable.
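One way to get the behaviour described in the question, as an added example that is not part of the original post: the play merges every `*_domains` list into `certbot_domains` in `pre_tasks`, the service roles run without including `certbot`, and the `certbot` role runs exactly once at the end with the merged list. The host group `mailservers`, the role names, the webroot path `/var/www/letsencrypt`, the contact address and the `defaults/main.yml` file of the certbot role are assumptions; the per-role `*_domains` structure is the one from the question.

```yaml
# site.yml  (added example, not the poster's playbook)
- hosts: mailservers
  become: true

  pre_tasks:
    # Accumulate the per-role lists into certbot_domains. `vars` is Ansible's
    # dictionary of all variables, so `vars['dovecot_domains']` is the same
    # value the dovecot role sees. `default([])` keeps the merge working on
    # hosts where a role (and therefore its *_domains variable) is missing.
    - name: Merge every *_domains list into certbot_domains
      set_fact:
        certbot_domains: >-
          {{ certbot_domains | default([])
             + (vars[item ~ '_domains'] | default([])) }}
      loop:
        - dovecot
        - postfix
        - postgres
        - rspamd

    - name: Show what certbot will request (debugging aid)
      debug:
        var: certbot_domains

  roles:
    # Service roles only reference the certificate paths; none of them
    # includes the certbot role any more.
    - dovecot
    - postfix
    - postgres
    - rspamd
    # Runs once, last, and installs nginx, the vhosts and the
    # /.well-known/acme-challenge snippet a single time.
    - certbot

# roles/certbot/defaults/main.yml  (assumed defaults)
# certbot_domains: []
# certbot_webroot: /var/www/letsencrypt
# certbot_email: admin@example.com   # placeholder

# roles/certbot/tasks/main.yml  (sketch of the per-domain request)
# Each entry becomes one certificate whose CN is `name` and whose SANs are
# the `subject_alternative_names`, expressed as repeated -d arguments.
# - name: Request one certificate per entry in certbot_domains
#   command: >
#     certbot certonly --webroot -w {{ certbot_webroot }}
#     --non-interactive --agree-tos -m {{ certbot_email }}
#     -d {{ ([item.name] + item.subject_alternative_names) | join(' -d ') }}
#   args:
#     creates: "/etc/letsencrypt/live/{{ item.name }}/fullchain.pem"
#   loop: "{{ certbot_domains }}"
#   loop_control:
#     label: "{{ item.name }}"
```

The `set_fact` loop works because facts set in one iteration are visible in the next, so the list grows by one role per item. The `creates` guard on the `command` task keeps the play idempotent: a domain whose `fullchain.pem` already exists is skipped rather than re-requested, which also protects against hitting Let's Encrypt rate limits on repeated runs. If a service role needs the certificate files to exist while it is being configured (for example when validating a config that references them), the same merged variable can instead be built in `pre_tasks` and the `certbot` role placed first in `roles`; the point of the pattern is that the merge and the certbot tasks happen once, wherever in the order they sit.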