Implemented SAN via Letsencrypt and Certbot

roles/letsencrypt/README.md

@@ -0,0 +1,24 @@
+# Let’s Encrypt SSL for Nginx 🔐
+
+## Description
+Automates obtaining, configuring, and renewing Let’s Encrypt SSL certificates for Nginx with Certbot. Keeps your sites secure with minimal fuss! 🌐
+
+## Overview
+This Ansible role sets up the necessary Nginx configuration and Certbot integration to:
+- Redirect HTTP traffic to HTTPS  
+- Serve the ACME challenge for certificate issuance  
+- Apply strong SSL/TLS defaults  
+- Schedule automatic renewals  
+
+It’s idempotent: configuration and certificate tasks only run when needed. ✅
+
+## Purpose
+Ensure all your Nginx-hosted sites use free, trusted SSL certificates from Let’s Encrypt—all managed automatically via Ansible. 🎯
+
+## Features
+- **Automatic Certificate Issuance**: Uses Certbot’s webroot plugin to request and install certificates. 📜  
+- **Nginx Redirect**: Creates a temporary HTTP → HTTPS redirect block. ↪️  
+- **ACME‐Challenge Handling**: Configures `/.well-known/acme-challenge/` for Certbot validation. 🔍  
+- **Secure SSL Defaults**: Includes modern cipher suites, HSTS, OCSP stapling, and session settings. 🔒  
+- **Auto‐Renewal**: Leverages system scheduling (cron or systemd timer) to renew certs before expiration. 🔄  
+- **One‐Time Setup**: Tasks guarded by a “run once” fact to avoid re-applying unchanged templates. 🏃‍♂️  

roles/letsencrypt/meta/main.yml

@@ -1,2 +1,26 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "An Ansible role to automate Let’s Encrypt SSL certificate issuance and renewal for Nginx"
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+  galaxy_tags:
+    - letsencrypt
+    - nginx
+    - ssl
+    - certificate
+    - security
+  repository: "https://s.veen.world/cymais"
+  issue_tracker_url: "https://s.veen.world/cymaisissues"
+  documentation: "https://s.veen.world/cymais"
 dependencies:
-- nginx-certbot
+  - nginx-certbot

roles/letsencrypt/templates/letsencrypt.conf.j2

@@ -9,7 +9,7 @@ server
   #letsencrypt
   location ^~ /.well-known/acme-challenge/ {
     allow all;
-    root /var/lib/letsencrypt/;
+    root {{ certbot_webroot_path }};
     default_type "text/plain";
     try_files $uri =404;
   }

roles/letsencrypt/templates/ssl_credentials.j2

@@ -1,4 +1,3 @@
-{% set ssl_cert_folder = primary_domain if enable_wildcard_certificate | bool and primary_domain in domain else domain %}
-ssl_certificate /etc/letsencrypt/live/{{ ssl_cert_folder }}/fullchain.pem;
-ssl_certificate_key /etc/letsencrypt/live/{{ ssl_cert_folder }}/privkey.pem;
-ssl_trusted_certificate /etc/letsencrypt/live/{{ ssl_cert_folder }}/chain.pem;
+ssl_certificate         {{ certbot_cert_path }}/{{ ssl_cert_folder }}/fullchain.pem;
+ssl_certificate_key     {{ certbot_cert_path }}/{{ ssl_cert_folder }}/privkey.pem;
+ssl_trusted_certificate {{ certbot_cert_path }}/{{ ssl_cert_folder }}/chain.pem;