ssl retrieval with nginx running on host

roles/matrix-nginx-proxy/defaults/main.yml

@@ -269,7 +269,28 @@ matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
 matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
 matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
 
+# Define local adress for proxying well-known challenge, if `matrix_nginx_proxy_well_known_serving_for_all_domains_enabled` is true
+matrix_ssl_lets_encrypt_certbot_challenge_addr: "127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}"
+
 
 # nginx status page configurations.
 matrix_nginx_proxy_proxy_matrix_nginx_status_enabled: false
 matrix_nginx_proxy_proxy_matrix_nginx_status_allowed_addresses: ['{{ ansible_default_ipv4.address }}']
+
+
+# Controls whether matrix-nginx-proxy should serve well-known challenges for all `{{ matrix_ssl_domains_to_obtain_certificates_for }}`
+# 
+# This is useful when you don't use matrix-nginx-proxy, but instead your own server,
+# but you still want playbooks to retrieve ssl certs for you,
+# but you are annoyed by the need to stop your server while retrieving certs.
+#
+# If enabled, allows matrix-nginx-proxy to generate nginx conf in `/matrix/nginx-proxy/conf.d` (only `well-known`block)
+# for all domains defined in `{{ matrix_ssl_domains_to_obtain_certificates_for }}`,
+# even is matrix_nginx_proxy_enabled is not true.
+#
+# You will need to define which server you use on host with `{{ matrix_host_server }}`.
+# Actually only 'nginx' is implemented.
+matrix_nginx_proxy_well_known_serving_for_all_domains_enabled: false
+matrix_host_server: ""
+
+

roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml

@@ -12,6 +12,10 @@
 - set_fact:
     domain_name_needs_cert: "{{ not domain_name_certificate_path_stat.stat.exists }}"
 
+- name: Delegate well-known challenge to nginx on host
+  import_tasks: setup_ssl_well-known_challenge_for_nginx.yaml
+  when: "not matrix_nginx_proxy_enabled|bool and matrix_nginx_proxy_well_known_serving_for_all_domains_enabled|bool and matrix_host_server == 'nginx'"
+
 # This will fail if there is something running on port 80 (like matrix-nginx-proxy).
 # We suppress the error, as we'll try another method below.
 - name: Attempt initial SSL certificate retrieval with standalone authenticator (directly)

roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_well-known_challenge_for_nginx.yaml

@@ -0,0 +1,19 @@
+- name: Create nginx conf file dedicated to well-known challenge
+  copy:
+    content: ""
+    dest: "{{ matrix_nginx_proxy_confd_path }}/well-known.conf"
+    force: no
+    mode: 0644
+
+- name: Append well-known challenge for domain
+  blockinfile:
+    path: "{{ matrix_nginx_proxy_confd_path }}/well-known.conf"
+    block: "{{ lookup('template', 'nginx/conf.d/nginx-well-known.conf.j2') }}"
+    marker: "# {mark} WELL-KNOWN CHALLENGE CONFIG FOR {{ domain_name }}"
+
+- name: Reload nginx for well-known challenge
+  systemd:
+    name: nginx
+    state: reloaded
+
+

roles/matrix-nginx-proxy/templates/nginx/conf.d/nginx-well-known.conf.j2

@@ -0,0 +1,7 @@
+
+server {
+    server_name {{ domain_name }};
+    location ~ /.well-known/challenge {
+        proxy_pass http://{{ matrix_ssl_lets_encrypt_certbot_challenge_addr }};
+    }
+}