Nginx has an ssl_password_file parameter.
Specifies a file with passphrases for secret keys where each passphrase is specified on a separate line. Passphrases are tried in turn when loading the key.
Example:

```nginx
http {
    ssl_password_file /etc/keys/global.pass;
    ...
    server {
        server_name www1.example.com;
        ssl_certificate_key /etc/keys/first.key;
    }
    server {
        server_name www2.example.com;
        # named pipe can also be used instead of a file
        ssl_password_file /etc/keys/fifo;
        ssl_certificate_key /etc/keys/second.key;
    }
}
```
What you could do is keep that ssl_password_file in ansible-vault, copy it over, restart nginx and then, if successful, delete it.
I have no first-hand experience of whether it'll actually work or what other side effects this might have (for example, a manual service nginx restart will probably fail), but it seems like a logical approach to me.
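The copy / restart / delete sequence above, written out as an Ansible playbook (an added example, not from the original answer). The vault file name `vault.yml`, the variable `ssl_key_passphrases` and the path `/etc/keys/global.pass` are assumptions; the passphrase file is removed in the `always` branch so it does not linger on disk even when the restart fails, which is slightly stricter than the answer's "delete if successful".

```yaml
# Added example (hypothetical playbook). Assumes vault.yml is an
# ansible-vault encrypted file defining ssl_key_passphrases, one
# passphrase per line, matching nginx's ssl_password_file format.
- hosts: web
  become: true
  vars_files:
    - vault.yml
  vars:
    nginx_pass_file: /etc/keys/global.pass
  tasks:
    - block:
        - name: Write passphrase file (root-only, short-lived)
          copy:
            content: "{{ ssl_key_passphrases }}"
            dest: "{{ nginx_pass_file }}"
            owner: root
            group: root
            mode: "0600"
          no_log: true            # keep passphrases out of the play log

        - name: Check the config while the passphrase file is present
          command: nginx -t
          changed_when: false

        - name: Restart nginx so the encrypted keys are loaded
          service:
            name: nginx
            state: restarted
      always:
        # Remove the file whether or not the restart worked. After this
        # step a manual "service nginx restart" will fail to load the
        # keys, as the answer notes, until the playbook is run again.
        - name: Remove passphrase file
          file:
            path: "{{ nginx_pass_file }}"
            state: absent
```

Run it with `ansible-playbook --ask-vault-pass nginx-keys.yml` (or a vault password file) so the passphrases are decrypted only for the duration of the play.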