Implemented certbot for cloudflare\hetzner, optimized documentation and solved bugs

roles/nginx-https-get-cert/README.md

@@ -1,39 +1,35 @@
-# Let's Encrypt Certificate Role
+# Nginx HTTPS Certificate Retrieval
 
-This Ansible role uses Certbot to obtain Let's Encrypt SSL/TLS certificates. It supports both dedicated and wildcard certificate requests based on domain conditions. It can also clean up (delete) dedicated certificates when cleanup mode is enabled.
+## 🔥 Description
 
-## Features
+This role automates the retrieval of [Let's Encrypt](https://letsencrypt.org/) SSL/TLS certificates using [Certbot](https://certbot.eff.org/) for domains served via Nginx. It supports both single-domain and wildcard certificates, and can use either the DNS or webroot ACME challenge methods.
 
-- **Dedicated Certificate Request:**  
-  Requests a certificate for a given domain using Certbot's `certonly` command with the webroot plugin.
+## 📖 Overview
 
-- **Wildcard Certificate Request:**  
-  When enabled, obtains a wildcard certificate for the primary domain (including both the primary domain and all its direct subdomains).
+Designed for Archlinux systems, this role handles issuing certificates per domain and optionally cleans up redundant certificates if wildcard certificates are used. It intelligently decides whether to issue a standard or wildcard certificate based on the domain structure and your configuration.
 
-- **Certificate Cleanup:**  
-  Provides an option to delete dedicated certificates if cleanup mode is active.
+### Key Features
+- **Single Domain and Wildcard Support:** Handles both individual domains and wildcard domains (`*.example.com`).
+- **DNS and Webroot Challenges:** Dynamically selects the correct ACME challenge method.
+- **Certificate Renewal Logic:** Skips renewal if the certificate is still valid.
+- **Optional Cleanup:** Deletes redundant domain certificates when wildcard certificates are used.
+- **Non-Interactive Operation:** Fully automated using `--non-interactive` and `--agree-tos`.
 
-- **Run Once for Wildcard:**  
-  Ensures that the wildcard certificate task runs only once to prevent duplicate requests.
+## 🎯 Purpose
 
-## Tasks Overview
+The Nginx HTTPS Certificate Retrieval role ensures that your Nginx-served domains have valid, automatically issued SSL/TLS certificates, improving web security without manual intervention.
 
-- **Receive Dedicated Certificate:**  
-  Executes Certbot to request a dedicated certificate for `{{ domain }}` when a wildcard certificate is not applicable.
+## 🚀 Features
 
-- **Receive Wildcard Certificate:**  
-  Executes Certbot to request a wildcard certificate for `*{{ primary_domain }}` under the appropriate conditions.
+- **ACME Challenge Selection:** Supports DNS plugins or webroot method automatically.
+- **Wildcard Certificate Management:** Issues wildcard certificates when configured, saving effort for subdomain-heavy deployments.
+- **Safe Cleanup:** Ensures that no unused certificates are left behind.
+- **Flexible Control:** Supports `mode_test` for staging environment testing and `mode_cleanup` for cert cleanup operations.
 
-- **Cleanup Dedicated Certificate:**  
-  Runs Certbot's delete command to remove the dedicated certificate if cleanup mode is active.
+## 🔗 Learn More
 
-- **Run Once Flag:**  
-  Sets a fact to ensure that the wildcard certificate task is executed only once per playbook run.
-
-## Author
-
-This role is authored by [Kevin Veen-Birkenbach](https://www.veen.world).
-
----
-
-Feel free to contribute or open issues if you have suggestions or encounter any problems with the role. Enjoy secure connections with Let's Encrypt and Ansible!
+- [Certbot Official Website](https://certbot.eff.org/)
+- [Let's Encrypt](https://letsencrypt.org/)
+- [Wildcard Certificates (Wikipedia)](https://en.wikipedia.org/wiki/Wildcard_certificate)
+- [HTTPS (Wikipedia)](https://en.wikipedia.org/wiki/HTTPS)
+- [ACME Protocol (Wikipedia)](https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment)

roles/nginx-https-get-cert/meta/main.yml

@@ -1,2 +1,31 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: |
+    Automates the retrieval of Let's Encrypt SSL/TLS certificates for Nginx domains using Certbot, supporting both single-domain and wildcard certificates with DNS and webroot ACME challenges.
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+  galaxy_tags:
+    - nginx
+    - certbot
+    - letsencrypt
+    - ssl
+    - tls
+    - acme
+    - https
+    - wildcard
+    - automation
+  repository: "https://s.veen.world/cymais"
+  issue_tracker_url: "https://s.veen.world/cymaisissues"
+  documentation: "https://s.veen.world/cymais"
 dependencies:
-- nginx-https
+  - nginx-https

roles/nginx-https-get-cert/tasks/main.yml

@@ -1,8 +1,21 @@
-- name: "recieve dedicated certificate for {{ domain }}"
+- name: "receive dedicated certificate for {{ domain }}"
   command: >-
-    certbot certonly --agree-tos --email {{ users.administrator.email }}
-    --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ domain }}
+    certbot certonly 
+    --agree-tos 
+    --email {{ users.administrator.email }}
+    --non-interactive 
+    {% if certbot_acme_challenge_method != "webroot" %}
+    --dns-{{ certbot_acme_challenge_method }}
+    --dns-{{ certbot_acme_challenge_method }}-credentials {{ certbot_credentials_file }}
+    --dns-{{ certbot_acme_challenge_method }}-propagation-seconds 60
+    {% else %}
+    --webroot 
+    -w /var/lib/letsencrypt/ 
+    {% endif %}
+    -d {{ domain }}
     {{ '--test-cert' if mode_test | bool else '' }}
+  register: certbot_result
+  changed_when: "'Certificate not yet due for renewal' not in certbot_result.stdout"
   when: 
     - not enable_wildcard_certificate | bool or not (domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain))
       # Wildcard certificate should not be used
@@ -10,17 +23,31 @@
 
 # The following should not work, checkout the Setup.md instructions. 
 # @see https://chatgpt.com/share/67efa9f0-1cdc-800f-8bce-62b00fc3e6a2
-- name: "recieve wildcard certificate *{{ primary_domain }} for {{domain}}"
+- name: "receive wildcard certificate *{{ primary_domain }} for {{domain}}"
   command: >-
-    certbot certonly --agree-tos --email {{ users.administrator.email }}                                          
-    --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ primary_domain }} -d *.{{ primary_domain }}
+    certbot certonly 
+    --agree-tos 
+    --email {{ users.administrator.email }}                                          
+    --non-interactive 
+    {% if certbot_acme_challenge_method != "webroot" %}
+    --dns-{{ certbot_acme_challenge_method }}
+    --dns-{{ certbot_acme_challenge_method }}-credentials {{ certbot_credentials_file }}
+    --dns-{{ certbot_acme_challenge_method }}-propagation-seconds 60
+    {% else %}
+    --webroot 
+    -w /var/lib/letsencrypt/ 
+    {% endif %}
+    -d {{ primary_domain }} 
+    -d *.{{ primary_domain }}
     {{ '--test-cert' if mode_test | bool else '' }}
+  register: certbot_result
+  changed_when: "'Certificate not yet due for renewal' not in certbot_result.stdout"
   when:
     - enable_wildcard_certificate | bool  
       # Wildcard certificate is enabled
     - domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain)
       # AND: The domain is a direct first-level subdomain of the primary domain
-    - run_once_recieve_certificate is not defined  
+    - run_once_receive_certificate is not defined  
       # Ensure this task runs only once for the wildcard certificate
   ignore_errors: true
 
@@ -40,7 +67,7 @@
   failed_when: certbot_result.rc != 0 and ("No certificate found with name" not in certbot_result.stderr)
   changed_when: certbot_result.rc == 0 and ("No certificate found with name" not in certbot_result.stderr)
 
-- name: run the recieve_certificate tasks once
+- name: run the receive_certificate tasks once
   set_fact:
-    run_once_recieve_certificate: true
-  when: run_once_recieve_certificate is not defined
+    run_once_receive_certificate: true
+  when: run_once_receive_certificate is not defined