Huge role refactoring/cleanup. Other commits will propably follow. Because some bugs will exist. Still important for longrun and also for auto docs/help/slideshow generation

roles/webserver-tls-renew/README.md

@@ -0,0 +1,33 @@
+# Nginx Certbot Automation
+
+## 🔥 Description
+
+This role automates the setup of an automatic [Let's Encrypt](https://letsencrypt.org/) certificate renewal system for Nginx using [Certbot](https://certbot.eff.org/). It ensures that SSL/TLS certificates are renewed seamlessly in the background and that Nginx reloads automatically after successful renewals.
+
+## 📖 Overview
+
+Optimized for Archlinux systems, this role installs the `certbot-nginx` package, configures a dedicated `systemd` service for certificate renewal, and integrates with a `generic-timer` to schedule periodic renewals. After a renewal, Nginx is reloaded to apply the updated certificates immediately.
+
+### Key Features
+- **Automatic Renewal:** Schedules unattended certificate renewals using generic-timers.
+- **Seamless Nginx Reload:** Reloads the Nginx service automatically after successful renewals.
+- **Systemd Integration:** Manages renewal operations reliably with `systemd` and `alert-core`.
+- **Quiet and Safe Operation:** Uses `--quiet` and `--agree-tos` flags to ensure non-interactive renewals.
+
+## 🎯 Purpose
+
+The Nginx Certbot Automation role ensures that Let's Encrypt SSL/TLS certificates stay valid without manual intervention. It enhances the security and reliability of web services by automating certificate lifecycle management.
+
+## 🚀 Features
+
+- **Certbot-Nginx Package Installation:** Installs required certbot plugins for Nginx.
+- **Custom Systemd Service:** Configures a lightweight, dedicated renewal service.
+- **Timer Setup:** Uses generic-timer to run certbot renewals periodically.
+- **Failure Notification:** Integrated with `alert-core` for alerting on failures.
+
+## 🔗 Learn More
+
+- [Certbot Official Website](https://certbot.eff.org/)
+- [Let's Encrypt](https://letsencrypt.org/)
+- [Systemd (Wikipedia)](https://en.wikipedia.org/wiki/Systemd)
+- [HTTPS (Wikipedia)](https://en.wikipedia.org/wiki/HTTPS)

roles/webserver-tls-renew/handlers/main.yml

@@ -0,0 +1,6 @@
+- name: "reload certbot service"
+  systemd:
+    name: webserver-tls-renew.cymais.service
+    state: reloaded
+    enabled: yes
+    daemon_reload: yes

roles/webserver-tls-renew/meta/main.yml

@@ -0,0 +1,33 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: |
+    Automates Let's Encrypt SSL/TLS certificate renewals for Nginx using Certbot and systemd services with automatic reloads after successful renewals.
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+  galaxy_tags:
+    - nginx
+    - certbot
+    - ssl
+    - tls
+    - letsencrypt
+    - https
+    - systemd
+    - automation
+  repository: "https://s.veen.world/cymais"
+  issue_tracker_url: "https://s.veen.world/cymaisissues"
+  documentation: "https://s.veen.world/cymais"
+dependencies:
+  - generic-certbot
+  - nginx
+  - alert-core
+  - cleanup-certs

roles/webserver-tls-renew/tasks/main.yml

@@ -0,0 +1,31 @@
+- name: install certbot
+  pacman:
+    name:
+      - certbot-nginx
+    state: present
+  when: run_once_nginx_certbot is not defined
+
+- name: configure webserver-tls-renew.cymais.service
+  template: 
+    src:  webserver-tls-renew.service.j2
+    dest: /etc/systemd/system/webserver-tls-renew.cymais.service
+  notify: reload certbot service
+  when: run_once_nginx_certbot is not defined
+
+- name: set service_name to the name of the current role
+  set_fact:
+    service_name: "{{ role_name }}"
+  when: run_once_nginx_certbot is not defined
+
+- name: "include role for generic-timer for {{service_name}}"
+  include_role:
+    name: generic-timer
+  vars:
+    on_calendar:  "{{on_calendar_renew_lets_encrypt_certificates}}"
+    persistent:   "true"
+  when: run_once_nginx_certbot is not defined
+
+- name: run the nginx_certbot tasks once
+  set_fact:
+    run_once_nginx_certbot: true
+  when: run_once_nginx_certbot is not defined

roles/webserver-tls-renew/templates/webserver-tls-renew.service.j2

@@ -0,0 +1,8 @@
+[Unit]
+Description=Let's Encrypt renewal
+OnFailure=alert-core.cymais@%n.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/certbot renew --quiet --agree-tos
+ExecStartPost=/bin/systemctl reload nginx.service