THE HUGE REFACTORING CALENDER WEEK 33; Optimized Matrix and during this updated variables, and implemented better reset and cleanup mode handling, also solved some initial setup bugs

roles/sys-svc-certbot/README.md

@@ -0,0 +1,32 @@
+# Certbot
+
+## 🔥 Description
+
+This Ansible role automates the installation and configuration of [Certbot](https://certbot.eff.org/), a free and open-source tool for automating the deployment of [Let's Encrypt](https://letsencrypt.org/) certificates. It also handles the setup of DNS plugins for ACME challenges.
+
+## 📖 Overview
+
+Optimized for Archlinux, this role ensures secure SSL/TLS certificate generation with minimal manual intervention. It supports both `webroot` and `DNS-01` validation methods, providing flexibility based on your infrastructure needs.
+
+### Key Features
+- **Automatic Installation:** Installs `certbot` and the necessary DNS plugin via pacman.
+- **Dynamic DNS Plugin Support:** Automatically installs the correct `certbot-dns-<provider>` package based on your selected challenge method.
+- **Credential Management:** Creates secure credential files for DNS API tokens when using DNS-01 validation.
+- **Idempotent Execution:** Tasks are intelligently executed only once per playbook run.
+
+## 🎯 Purpose
+
+The Certbot role provides a ready-to-use, automated solution for SSL/TLS management in your infrastructure. Whether you're managing traditional servers or containerized environments, this role ensures your certificates are always in place and valid.
+
+## 🚀 Features
+
+- **Certbot Installation:** Ensures the latest version of Certbot is installed.
+- **DNS Plugin Installation:** Installs a matching plugin based on your configured ACME challenge method.
+- **Credential Directory Management:** Creates a secured `/etc/certbot` directory with proper permissions.
+- **API Token File Setup:** Manages API token files securely for DNS challenge authentication.
+
+## 🔗 Learn More
+
+- [Certbot Official Website](https://certbot.eff.org/)
+- [Let's Encrypt](https://letsencrypt.org/)
+- [ACME Challenge Types (Wikipedia)](https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment)

roles/sys-svc-certbot/meta/main.yml

@@ -0,0 +1,28 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Automates the installation and configuration of Certbot for SSL/TLS certificate management"
+  license: "Infinito.Nexus NonCommercial License"
+  license_url: "https://s.infinito.nexus/license"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+  galaxy_tags:
+    - certbot
+    - ssl
+    - tls
+    - https
+    - encryption
+    - letsencrypt
+    - acme
+    - automation
+  repository: "https://s.infinito.nexus/code"
+  issue_tracker_url: "https://s.infinito.nexus/issues"
+  documentation: "https://docs.infinito.nexus"
+dependencies: []

roles/sys-svc-certbot/tasks/01_core.yml

@@ -0,0 +1,8 @@
+- name: install certbot
+  community.general.pacman:
+    name: certbot
+    state: present
+
+- name: "Include tasks for 'No-Webroot-ACME-CHALLENGE-METHOD'"
+  include_tasks: 02_no_webroot.yml
+  when: CERTBOT_ACME_CHALLENGE_METHOD != 'webroot'

roles/sys-svc-certbot/tasks/02_no_webroot.yml

@@ -0,0 +1,21 @@
+- name: install certbot DNS plugin
+  community.general.pacman:
+    name: "certbot-dns-{{ CERTBOT_ACME_CHALLENGE_METHOD }}"
+    state: present
+
+- name: Ensure /etc/certbot directory exists
+  file:
+    path:   "{{ CERTBOT_CREDENTIALS_DIR }}"
+    state:  directory
+    owner:  root
+    group:  root
+    mode:   '0755'
+
+- name: Install plugin credentials file
+  copy:
+    dest: "{{ CERTBOT_CREDENTIALS_FILE }}"
+    content: |
+      dns_{{ CERTBOT_ACME_CHALLENGE_METHOD }}_api_token = {{ CERTBOT_DNS_API_TOKEN }}
+    owner: root
+    group: root
+    mode: '0600'

roles/sys-svc-certbot/tasks/main.yml

@@ -0,0 +1,4 @@
+- block:
+    - include_tasks: 01_core.yml
+    - include_tasks: utils/run_once.yml
+  when: run_once_sys_svc_certbot is not defined