Solved bugs and refactored

2025-08-29 15:06:26 +02:00 · 2025-02-15 17:43:36 +01:00
parent c7da4ddd8f
commit 62f9bab052
14 changed files with 74 additions and 26 deletions
--- a/roles/docker-attendize/tasks/main.yml
+++ b/roles/docker-attendize/tasks/main.yml
@@ -4,7 +4,8 @@
    name: docker-central-database

 - name: "include tasks to receive attendize certbot certificate"
-  include_tasks: recieve-certbot-certificate.yml
+  include_role: 
+    name: nginx-https-recieve-certificate
  vars:
    domain: "{{ item }}"
  loop:
--- a/roles/docker-mastodon/tasks/create-domains.yml
+++ b/roles/docker-mastodon/tasks/create-domains.yml
@@ -1,6 +1,7 @@
- name: "include task certbot-and-globals.yml"
-  include_tasks: certbot-and-globals.yml
-
+- name: "include role receive certbot certificate"
+  include_role: 
+    name: nginx-https-recieve-certificate
+    
 - name: configure {{domain}}.conf
  template: 
    src:  "mastodon.conf.j2" 
--- a/roles/docker-matrix-compose/tasks/main.yml
+++ b/roles/docker-matrix-compose/tasks/main.yml
@@ -3,8 +3,9 @@
  include_role: 
    name: docker-central-database

- name: "include task certbot-and-globals.yml"
-  include_tasks: certbot-and-globals.yml
+- name: "include role receive certbot certificate"
+  include_role: 
+    name: nginx-https-recieve-certificate
  vars:
    domain:     "{{domains.matrix_synapse}}"
    http_port:  "{{ports.localhost.http.matrix_synapse}}"
--- a/roles/docker-nextcloud/tasks/main.yml
+++ b/roles/docker-nextcloud/tasks/main.yml
@@ -3,8 +3,9 @@
  include_role: 
    name: docker-central-database

- name: "include task certbot-and-globals.yml"
-  include_tasks: certbot-and-globals.yml
+- name: "include role receive certbot certificate"
+  include_role: 
+    name: nginx-https-recieve-certificate

 - name: create nextcloud nginx proxy configuration file
  template: 
--- a/roles/docker-peertube/tasks/create-domains.yml
+++ b/roles/docker-peertube/tasks/create-domains.yml
@@ -1,5 +1,6 @@
- name: "include task certbot-and-globals.yml"
-  include_tasks: certbot-and-globals.yml
+- name: "include role receive certbot certificate"
+  include_role: 
+    name: nginx-https-recieve-certificate

 - name: configure {{domain}}.conf
  template: 
--- a/roles/nginx-domain-redirect/tasks/main.yml
+++ b/roles/nginx-domain-redirect/tasks/main.yml
@@ -1,6 +1,7 @@
 ---
 - name: "include task receive certbot certificate"
-  include_tasks: recieve-certbot-certificate.yml
+  include_role: 
+    name: nginx-https-recieve-certificate
  vars:
    domain: "{{item.source}}"
  loop: "{{domain_mappings}}"
--- a/roles/nginx-https-recieve-certificate/README.md
+++ b/roles/nginx-https-recieve-certificate/README.md
@@ -0,0 +1,39 @@
+# Let's Encrypt Certificate Role
+
+This Ansible role uses Certbot to obtain Let's Encrypt SSL/TLS certificates. It supports both dedicated and wildcard certificate requests based on domain conditions. It can also clean up (delete) dedicated certificates when cleanup mode is enabled.
+
+## Features
+
+- **Dedicated Certificate Request:**  
+  Requests a certificate for a given domain using Certbot's `certonly` command with the webroot plugin.
+
+- **Wildcard Certificate Request:**  
+  When enabled, obtains a wildcard certificate for the primary domain (including both the primary domain and all its direct subdomains).
+
+- **Certificate Cleanup:**  
+  Provides an option to delete dedicated certificates if cleanup mode is active.
+
+- **Run Once for Wildcard:**  
+  Ensures that the wildcard certificate task runs only once to prevent duplicate requests.
+
+## Tasks Overview
+
+- **Receive Dedicated Certificate:**  
+  Executes Certbot to request a dedicated certificate for `{{ domain }}` when a wildcard certificate is not applicable.
+
+- **Receive Wildcard Certificate:**  
+  Executes Certbot to request a wildcard certificate for `*{{ primary_domain }}` under the appropriate conditions.
+
+- **Cleanup Dedicated Certificate:**  
+  Runs Certbot's delete command to remove the dedicated certificate if cleanup mode is active.
+
+- **Run Once Flag:**  
+  Sets a fact to ensure that the wildcard certificate task is executed only once per playbook run.
+
+## Author
+
+This role is authored by [Kevin Veen-Birkenbach](https://www.veen.world).
+
+---
+
+Feel free to contribute or open issues if you have suggestions or encounter any problems with the role. Enjoy secure connections with Let's Encrypt and Ansible!
--- a/roles/nginx-https-recieve-certificate/meta/main.yml
+++ b/roles/nginx-https-recieve-certificate/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+- nginx-https
--- a/roles/nginx-https-recieve-certificate/tasks/main.yml
+++ b/roles/nginx-https-recieve-certificate/tasks/main.yml
@@ -0,0 +1,43 @@
+- name: "recieve dedicated certificate for {{ domain }}"
+  command: >-
+    certbot certonly --agree-tos --email {{ administrator_email }}
+    --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ domain }}
+    {{ '--test-cert' if mode_test | bool else '' }}
+  when: 
+    - not enable_wildcard_certificate | bool or not (domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain))
+      # Wildcard certificate should not be used
+      # OR: The domain is not a first-level subdomain of the primary domain
+
+- name: "recieve wildcard certificate for *{{ primary_domain }}"
+  command: >-
+    certbot certonly --agree-tos --email {{ administrator_email }}                                          
+    --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ primary_domain }} -d *.{{ primary_domain }}
+    {{ '--test-cert' if mode_test | bool else '' }}
+  when: 
+    - enable_wildcard_certificate | bool  
+      # Wildcard certificate is enabled
+    - domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain)
+      # AND: The domain is a direct first-level subdomain of the primary domain
+    - run_once_recieve_certificate is not defined  
+      # Ensure this task runs only once for the wildcard certificate
+    - domain == primary_domain  
+      # The domain is the primary domain
+
+- name: "Cleanup dedicated cert for {{ domain }}"
+  command: >-
+    certbot delete --cert-name {{ domain }} --non-interactive
+  when: 
+    - mode_cleanup | bool  
+      # Cleanup mode is enabled
+    - enable_wildcard_certificate | bool  
+      # Wildcard certificate is enabled
+    - domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain)
+      # AND: The domain is a direct first-level subdomain of the primary domain
+    - domain != primary_domain  
+      # The domain is not the primary domain
+  ignore_errors: true
+
+- name: run the recieve_certificate tasks once
+  set_fact:
+    run_once_recieve_certificate: true
+  when: run_once_recieve_certificate is not defined
--- a/roles/nginx/meta/main.yml
+++ b/roles/nginx/meta/main.yml
@@ -1,2 +1,3 @@
 dependencies:
  - health-nginx
+  - nginx-global
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -33,11 +33,15 @@
  notify: restart nginx
  when: run_once_nginx is not defined

- name: "include task certbot-and-globals.yml"
-  include_tasks: certbot-and-globals.yml
-  vars:
-    domain: "{{primary_domain}}"
-  when: run_once_nginx is not defined
+# Activated due to the reason that certificate management should be part of role nginx-https
+# I don't know why this is activated here. 
+# Propably solved on 2025-02-15 . Please remove latest on 2025-12-31 if no errors appear or earlier
+#
+#- name: "include task certbot-and-globals.yml"
+#  include_tasks: certbot-and-globals.yml
+#  vars:
+#    domain: "{{primary_domain}}"
+#  when: run_once_nginx is not defined

 - name: flush nginx service
  meta: flush_handlers