From 39668a428ca40553143ae3f241dab4f9a7f5d460 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Fri, 25 Apr 2025 21:57:06 +0200
Subject: [PATCH] Added nginx-domains-cleanup draft

---
 roles/nginx-domains-cleanup/README.md | 25 ++++++++++++++
 roles/nginx-domains-cleanup/meta/main.yml | 24 +++++++++++++
 roles/nginx-domains-cleanup/tasks/main.yml | 39 ++++++++++++++++++++++
 3 files changed, 88 insertions(+)
 create mode 100644 roles/nginx-domains-cleanup/README.md
 create mode 100644 roles/nginx-domains-cleanup/meta/main.yml
 create mode 100644 roles/nginx-domains-cleanup/tasks/main.yml

diff --git a/roles/nginx-domains-cleanup/README.md b/roles/nginx-domains-cleanup/README.md
new file mode 100644
index 00000000..c27d2124
--- /dev/null
+++ b/roles/nginx-domains-cleanup/README.md
@@ -0,0 +1,25 @@
+# nginx-domains-cleanup
+
+## Description
+
+This Ansible role removes Nginx configuration files and revokes and deletes Certbot certificates for domains marked as deprecated.
+
+## Overview
+
+Optimized for idempotent cleanup operations, this role:
+
+- Deletes Nginx server configuration files in `/etc/nginx/conf.d/http/servers/` for each domain listed in `deprecated_domains`.
+- Revokes and deletes corresponding Certbot certificates.
+- Ensures cleanup tasks execute only once per playbook run.
+- Notifies Nginx to restart after removing configurations.
+
+## Purpose
+
+Streamline the decommissioning of outdated or deprecated domains by automating the removal of Nginx server blocks and their SSL certificates.
+
+## Features
+
+- **Nginx Cleanup:** Safely removes server configuration files.
+- **Certbot Integration:** Revokes and deletes certificates without manual intervention.
+- **Idempotent Execution:** Utilizes a `run_once` flag to prevent repeated runs.
+- **Service Notification:** Triggers an Nginx restart handler upon cleanup.
\ No newline at end of file
diff --git a/roles/nginx-domains-cleanup/meta/main.yml b/roles/nginx-domains-cleanup/meta/main.yml
new file mode 100644
index 00000000..eb64811a
--- /dev/null
+++ b/roles/nginx-domains-cleanup/meta/main.yml
@@ -0,0 +1,24 @@
+galaxy_info:
+ author: "Kevin Veen-Birkenbach"
+ description: "Remove Nginx configuration files and revoke/delete Certbot certificates for deprecated domains"
+ license: "CyMaIS NonCommercial License (CNCL)"
+ license_url: "https://s.veen.world/cncl"
+ company: |
+ Kevin Veen-Birkenbach
+ Consulting & Coaching Solutions
+ https://www.veen.world
+ min_ansible_version: "2.9"
+ platforms:
+ - name: Archlinux
+ versions:
+ - rolling
+ galaxy_tags:
+ - nginx
+ - cleanup
+ - certbot
+ - domains
+ repository: "https://s.veen.world/cymais"
+ issue_tracker_url: "https://s.veen.world/cymaisissues"
+ documentation: "https://s.veen.world/cymais"
+dependencies:
+ - nginx
\ No newline at end of file
diff --git a/roles/nginx-domains-cleanup/tasks/main.yml b/roles/nginx-domains-cleanup/tasks/main.yml
new file mode 100644
index 00000000..4890d959
--- /dev/null
+++ b/roles/nginx-domains-cleanup/tasks/main.yml
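Review bot: `min_ansible_version: "2.9"` does not match the tasks this role ships, which use `ansible.builtin.file` and `ansible.builtin.command`; as far as I know the `ansible.builtin` collection namespace only resolves on ansible-base 2.10 and later, so on a 2.9 controller the role would fail to load. Either raise it to `min_ansible_version: "2.10"` or use the short module names in tasks/main.yml. The `dependencies: - nginx` entry is presumably what provides the `restart nginx` handler the tasks notify, since nothing in this role defines it; a one-line comment above it saying `# provides the "restart nginx" handler used by tasks/main.yml` would spare the next reader the search.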
@@ -0,0 +1,39 @@
+---
+- name: "Remove Nginx configuration for deprecated domains"
+ ansible.builtin.file:
+ path: "/etc/nginx/conf.d/http/servers/{{ item }}"
+ state: absent
+ loop: "{{ deprecated_domains }}"
+ loop_control:
+ label: "{{ item }}"
+ notify: restart nginx
+ when:
+ - mode_cleanup | bool
+ - run_once_nginx_domains_cleanup is not defined
+
+- name: "Revoke Certbot certificate for {{ item }}"
+ ansible.builtin.command:
+ cmd: "certbot revoke -n --cert-name {{ item }}"
+ become: true
+ loop: "{{ deprecated_domains }}"
+ loop_control:
+ label: "{{ item }}"
+ when:
+ - mode_cleanup | bool
+ - run_once_nginx_domains_cleanup is not defined
+
+- name: "Delete Certbot certificate for {{ item }}"
+ ansible.builtin.command:
+ cmd: "certbot delete -n --cert-name {{ item }}"
+ become: true
+ loop: "{{ deprecated_domains }}"
+ loop_control:
+ label: "{{ item }}"
+ when:
+ - mode_cleanup | bool
+ - run_once_nginx_domains_cleanup is not defined
+
+- name: run the nginx_domains_cleanup role once
+ set_fact:
+ run_once_nginx_domains_cleanup: true
+ when: run_once_nginx_domains_cleanup is not defined
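Review bot: The two certbot tasks are not re-runnable: a domain whose certificate is already gone (cleaned up on an earlier run, or never issued) makes `certbot revoke` / `certbot delete` exit non-zero, which `ansible.builtin.command` reports as a failure and aborts the play, and the `run_once_nginx_domains_cleanup` fact only suppresses repeats within a single run, so this contradicts the idempotency the README claims. As far as I recall, a non-interactive `certbot revoke` also deletes the lineage by default, in which case the separate delete task would fail even on the first run. I would gate on the lineage directory (`/etc/letsencrypt/live/<domain>` under certbot's default config dir), fold revoke and delete into one `certbot revoke … --delete-after-revoke` call, and pass the arguments as `argv` so a domain value is never word-split into extra certbot options. The final `set_fact` also latches the once-flag when `mode_cleanup` is false, so a later play that enables cleanup would be skipped; adding `- mode_cleanup | bool` to its `when` keeps the flag tied to an actual cleanup run.
```yaml
# … unchanged: "Remove Nginx configuration for deprecated domains" task …

- name: "Check which deprecated domains still have a Certbot lineage"
  ansible.builtin.stat:
    path: "/etc/letsencrypt/live/{{ item }}"
  become: true
  loop: "{{ deprecated_domains }}"
  loop_control:
    label: "{{ item }}"
  register: deprecated_cert_lineages
  when:
    - mode_cleanup | bool
    - run_once_nginx_domains_cleanup is not defined

- name: "Revoke and delete Certbot certificate for deprecated domains"
  ansible.builtin.command:
    argv:
      - certbot
      - revoke
      - -n
      - --delete-after-revoke
      - --cert-name
      - "{{ item.item }}"
  become: true
  loop: "{{ deprecated_cert_lineages.results | default([]) }}"
  loop_control:
    label: "{{ item.item }}"
  when:
    - mode_cleanup | bool
    - run_once_nginx_domains_cleanup is not defined
    - item.stat.exists | default(false)

# … unchanged: set_fact latching run_once_nginx_domains_cleanup …
```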