Let's Encrypt support with certbot.

tasks/lets-encrypt.yml

@@ -0,0 +1,29 @@
+---
+- name: Install certbot
+  ansible.builtin.apt:
+    name:
+      - certbot
+    state: present
+
+- name: Ensure webroot directory exists
+  ansible.builtin.file:
+    path: /var/www/html/.well-known/acme-challenge
+    state: directory
+    owner: www-data
+    group: www-data
+    mode: '0755'
+
+- name: Obtain or renew TLS certificate (non-destructive)
+  ansible.builtin.command:
+    cmd: >
+      certbot certonly
+      --webroot
+      -w /var/www/html
+      -d {{ gitea_domain }}
+      --agree-tos
+      --email {{ gitea_certbot_email }}
+      --non-interactive
+      --keep-until-expiring
+  register: certbot_result
+  changed_when: "'Congratulations' in certbot_result.stdout"
+  notify: Reload_nginx

tasks/main.yml

@@ -99,6 +99,11 @@
     file: self-signed-cert.yml
   when: gitea_self_signed | default(false)
 
+- name: Configure the Let's Encrypt certificates
+  ansible.builtin.include_tasks:
+    file: lets-encrypt.yml
+  when: gitea_lets_encrypt | default(false)
+  
 - name: Pause to generate and save the secrets in SOPS
   ansible.builtin.pause:
     prompt: |