
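---
# Certificate-related variables: domain names, ACME certificate file
# locations, the DANE TLSA generation command and the web-server reload
# command. Values written as "{{ ... }}" are Jinja2 templates.

# at least one of domain or domains is required
domain: "{{ domains[0] }}"
domains:
  - "{{ effective_domain }}"
# effective_domain from all/vars.yml

# NOTE(review): presumably requests the OCSP Must-Staple (TLS feature)
# extension on the certificate - confirm in the tasks that consume it. If so,
# the web server has to staple OCSP responses, because clients that enforce
# the extension reject a handshake that lacks one.
acme_must_staple: true

# DANE/TLSA settings. dane_domain is the TLSA owner name,
# _<port>._<protocol>.<domain>.
# NOTE(review): TLSA records only help validating clients when the zone is
# DNSSEC-signed - confirm for every entry in domains.
dane_configure: true
dane_protocol: tcp
dane_port: 443  # default for https
dane_domain: "_{{ dane_port }}._{{ dane_protocol }}.{{ domain }}"

# TODO Requires gnutls-bin to be installed
# Folded scalar: the lines below are joined into one command line. The quote
# filter shell-escapes each templated value so it stays a single argument.
# --hash=sha512 selects a SHA-512 digest for the generated record.
# NOTE(review): cert.pem is a relative path - presumably the command runs
# inside acme_certificate_directory; verify against the caller. If the key
# pair changes on renewal, the published TLSA record has to be updated in step
# with the certificate, otherwise DANE-validating clients will reject it.
dane_command: >-
  danetool --tlsa-rr
  --load-pubkey=cert.pem
  --hash=sha512
  --host={{ domain | quote }}
  --proto={{ dane_protocol | quote }}
  --port={{ dane_port | quote }}
  --no-domain

certificate_name: "{{ effective_domain }}"
# acme_validation_root_directory from nginx/application

# File locations inside the per-certificate directory.
# NOTE(review): privkey.pem and keyfullchain.pem presumably contain the
# private key - confirm they are created readable only by the account that
# needs them.
acme_certificate_directory: "{{ global_certbot_certificates_directory }}/{{ certificate_name }}"
acme_certificate_location: "{{ acme_certificate_directory }}/cert.pem"
acme_chain_location: "{{ acme_certificate_directory }}/chain.pem"
acme_fullchain_location: "{{ acme_certificate_directory }}/fullchain.pem"
acme_key_location: "{{ acme_certificate_directory }}/privkey.pem"
acme_keyfullchain_location: "{{ acme_certificate_directory }}/keyfullchain.pem"

# at most one of reload_command or reload_commands is used
# The quote filter shell-escapes the service name.
reload_command: "systemctl reload-or-restart {{ global_nginx_service_name | quote }}"
reload_commands:
  - "{{ reload_command }}"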