
In theory the gogs role should now be able to automatically issue a certificate if none is available

Till Klocke 8 years ago
parent
commit
546a10f902

+ 33 - 2
roles/service-gogs/tasks/nginx.yml

@@ -1,7 +1,38 @@
 - name: Ensure nginx configuration is up to date
   template:
-    src: gogs_nginx.conf.j2
-    dest: /etc/nginx/sites-available/gogs.conf 
+    src: {{ item.src }}
+    dest: /etc/nginx/sites-available/{{ item.dest }}
+  with_items:
+    - src: gogs_nginx.conf.j2
+      dest: gogs.conf
+    - src: gogs_unsecure.conf.j2
+      dest: gogs_unsecure.conf
+
+- name: Ensure unsecure nginx configuration is up to date
+  template:
+    src: gogs_unsecure.conf.j2
+    dest: /etc/nginx/sites-available/gogs_unsecure.conf
+
+- name: Ensure unsecure gogs configuration for nginx is enabled
+  file: 
+    state: link
+    dest: /etc/nginx/sites-enabled/gogs_unsecure.conf
+    src: /etc/nginx/sites-available/gogs_unsecure.conf 
+  notify: Reload nginx
+
+- name: Ensure nginx is running
+  service:
+    name: nginx
+    state: started
+
+- stat:
+    path: "/var/lib/acme/live/{{ gogs_domain }}/privkey;"
+  register: gogs_key_file_stat
+
+- name: Let acmetool generate a key and a certificate
+  when: not gogs_key_file_stat.stat.exists
+  shell: /usr/bin/acmetool want --batch {{ gogs_domain }}
+
 
 - name: Ensure gogs configuration for nginx is enabled
   file: 
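Review bot: The stat path `"/var/lib/acme/live/{{ gogs_domain }}/privkey;"` ends in a stray `;`, so the existence check always looks at a file that is never created and the `acmetool want` task runs on every play instead of only when no key is present; the task should read `path: "/var/lib/acme/live/{{ gogs_domain }}/privkey"`. The templated values `src: {{ item.src }}` and `dest: /etc/nginx/sites-available/{{ item.dest }}` are unquoted, and a value that starts with `{{` is read by the YAML loader as a flow mapping before Jinja runs, so the task fails to load; quote both as `src: "{{ item.src }}"` and `dest: "/etc/nginx/sites-available/{{ item.dest }}"`. The separate 'Ensure unsecure nginx configuration is up to date' task duplicates the second `with_items` entry and can be dropped. The acmetool step passes `{{ gogs_domain }}` through a shell, so using `command:` with `creates:` avoids shell interpretation of the domain and makes the step idempotent without the stat, as sketched below. Since 'Reload nginx' is a handler, it presumably fires only at the end of the play, so nginx may not yet serve the acme-challenge location of the freshly linked unsecure site when acmetool runs — verify the ordering (a `meta: flush_handlers` before the acmetool task would force it).
```yaml
# … unchanged: template/link/service tasks …

- name: Let acmetool generate a key and a certificate
  command: /usr/bin/acmetool want --batch {{ gogs_domain }}
  args:
    creates: "/var/lib/acme/live/{{ gogs_domain }}/privkey"
```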

+ 5 - 7
roles/service-gogs/templates/gogs_nginx.conf.j2

@@ -1,15 +1,14 @@
 server {
-  listen          443 ssl;
+  listen          443 ssl http2 default_server;
+  listen          [::]:443 ssl http2 default_server;
   server_name     {{ gogs_domain }};
 
   include /etc/nginx/ssl.conf
 
-  # TODO set correct keys
-  ssl_certificate                 /etc/nginx/ssl/server.pem;
-  ssl_certificate_key             /etc/nginx/ssl/server.key;
+  ssl_certificate /var/lib/acme/live/{{ gogs_domain }}/fullchain;
+  ssl_certificate_key /var/lib/acme/live/{{ gogs_domain }}/privkey;
 
-  access_log  /var/log/nginx/{{ gogs_domain }}.access.log;
-  error_log   /var/log/nginx/{{ gogs_domain }}.error.log;
+  access_log off;
 
   location / {
     proxy_http_version      1.1;
@@ -21,5 +20,4 @@ server {
     proxy_pass              http://localhost:{{ gogs_port }};
     proxy_redirect          off;
   }
-  {% endif %}
 }
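Review bot: `access_log off;` on the HTTPS server block replaces the per-host `access_log /var/log/nginx/{{ gogs_domain }}.access.log;` that the old template wrote, so requests to gogs — including failed logins and unusual access patterns — are no longer recorded at the proxy, which is the only place TLS-terminated traffic is visible; if the goal is to cut noise, keep a dedicated log file (optionally with `buffer=` or a `if=` condition) rather than disabling it. The same `access_log off;` is in the new gogs_unsecure.conf.j2. The context line `include /etc/nginx/ssl.conf` has no terminating `;`, which presumably makes `nginx -t` reject the rendered file — pre-existing, but it matters now that the role reloads nginx after deploying these templates; `include /etc/nginx/ssl.conf;` fixes it. A one-line comment above the certificate lines, `# issued and renewed by acmetool; see the acmetool task in tasks/nginx.yml`, would tell the next reader where the files come from.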

+ 16 - 0
roles/service-gogs/templates/gogs_unsecure.conf.j2

@@ -0,0 +1,16 @@
+server {
+  listen          [::]:80 default_server;
+  listen          80 default_server;
+  server_name     {{ gogs_domain }};
+
+  access_log off;
+
+  location / {
+    return 301 https://$host$request_uri;
+  }
+
+  location /.well-known/acme-challenge/ {
+    include           proxy_params;
+    proxy_pass        http://127.0.0.1:402;
+  }
+}
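Review bot: The redirect `return 301 https://$host$request_uri;` reflects the client-supplied Host header, and because this block is the `default_server` on port 80 it answers any Host value, so the redirect target is whatever the request claims rather than the gogs host; since the block serves a single name, `return 301 https://{{ gogs_domain }}$request_uri;` pins it. `include proxy_params;` assumes the Debian-style proxy_params file ships with the nginx package on the target — presumably true here, but nginx refuses to start if it is missing, so confirm against the role's supported platforms. The acme-challenge location is what the acmetool task in tasks/nginx.yml depends on, so a comment above it, `# acmetool proxy mode: challenges are answered by acmetool listening on 127.0.0.1:402`, would record why that port is proxied.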