Shortened webserver to srv-web-

roles/srv-web-tls-core/README.md

@@ -0,0 +1,35 @@
+# Nginx HTTPS Certificate Retrieval
+
+## 🔥 Description
+
+This role automates the retrieval of [Let's Encrypt](https://letsencrypt.org/) SSL/TLS certificates using [Certbot](https://certbot.eff.org/) for domains served via Nginx. It supports both single-domain and wildcard certificates, and can use either the DNS or webroot ACME challenge methods.
+
+## 📖 Overview
+
+Designed for Archlinux systems, this role handles issuing certificates per domain and optionally cleans up redundant certificates if wildcard certificates are used. It intelligently decides whether to issue a standard or wildcard certificate based on the domain structure and your configuration.
+
+### Key Features
+- **Single Domain and Wildcard Support:** Handles both individual domains and wildcard domains (`*.example.com`).
+- **DNS and Webroot Challenges:** Dynamically selects the correct ACME challenge method.
+- **Certificate Renewal Logic:** Skips renewal if the certificate is still valid.
+- **Optional Cleanup:** Deletes redundant domain certificates when wildcard certificates are used.
+- **Non-Interactive Operation:** Fully automated using `--non-interactive` and `--agree-tos`.
+
+## 🎯 Purpose
+
+The Nginx HTTPS Certificate Retrieval role ensures that your Nginx-served domains have valid, automatically issued SSL/TLS certificates, improving web security without manual intervention.
+
+## 🚀 Features
+
+- **ACME Challenge Selection:** Supports DNS plugins or webroot method automatically.
+- **Wildcard Certificate Management:** Issues wildcard certificates when configured, saving effort for subdomain-heavy deployments.
+- **Safe Cleanup:** Ensures that no unused certificates are left behind.
+- **Flexible Control:** Supports `mode_test` for staging environment testing and `mode_cleanup` for cert cleanup operations.
+
+## 🔗 Learn More
+
+- [Certbot Official Website](https://certbot.eff.org/)
+- [Let's Encrypt](https://letsencrypt.org/)
+- [Wildcard Certificates (Wikipedia)](https://en.wikipedia.org/wiki/Wildcard_certificate)
+- [HTTPS (Wikipedia)](https://en.wikipedia.org/wiki/HTTPS)
+- [ACME Protocol (Wikipedia)](https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment)

roles/srv-web-tls-core/meta/main.yml

@@ -0,0 +1,31 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: |
+    Automates the retrieval of Let's Encrypt SSL/TLS certificates for Nginx domains using Certbot, supporting both single-domain and wildcard certificates with DNS and webroot ACME challenges.
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+  galaxy_tags:
+    - nginx
+    - certbot
+    - letsencrypt
+    - ssl
+    - tls
+    - acme
+    - https
+    - wildcard
+    - automation
+  repository: "https://s.veen.world/cymais"
+  issue_tracker_url: "https://s.veen.world/cymaisissues"
+  documentation: "https://s.veen.world/cymais"
+dependencies:
+  - srv-web-https

roles/srv-web-tls-core/tasks/flavors/dedicated.yml

@@ -0,0 +1,30 @@
+- name: "Check if certificate already exists for {{ domain }}"
+  cert_check_exists:
+    domain: "{{ domain }}"
+    cert_base_path: "{{ certbot_cert_path }}"
+  register: cert_check
+
+- name: "receive certificate for {{ domain }}"
+  command: >-
+    certbot certonly 
+    --agree-tos 
+    --email {{ users.administrator.email }}
+    --non-interactive 
+    {% if certbot_acme_challenge_method != "webroot" %}
+    --dns-{{ certbot_acme_challenge_method }}
+    --dns-{{ certbot_acme_challenge_method }}-credentials {{ certbot_credentials_file }}
+    --dns-{{ certbot_acme_challenge_method }}-propagation-seconds {{ certbot_dns_propagation_wait_seconds }}
+    {% else %}
+    --webroot 
+    -w {{ certbot_webroot_path }}
+    {% endif %}
+    {% if wildcard_domain is defined and ( wildcard_domain | bool ) %}
+    -d {{ primary_domain }} 
+    -d *.{{ primary_domain }}
+    {% else %}
+    -d {{ domain }}
+    {% endif %}
+    {{ '--test-cert' if mode_test | bool else '' }}
+  register: certbot_result
+  changed_when: "'Certificate not yet due for renewal' not in certbot_result.stdout"
+  when: not cert_check.exists

roles/srv-web-tls-core/tasks/flavors/san.yml

@@ -0,0 +1,32 @@
+- name: Install certbundle
+  include_role:
+    name: pkgmgr-install
+  vars:
+    package_name: certbundle
+  when: run_once_san_certs is not defined
+
+- name: Generate SAN certificate with certbundle
+  command: >-
+    certbundle
+    --domains "{{ current_play_domains_all | join(',') }}"
+    --certbot-email "{{ users.administrator.email }}"
+    --certbot-acme-challenge-method "{{ certbot_acme_challenge_method }}"
+    --chunk-size 100
+    {% if certbot_acme_challenge_method != 'webroot' %}
+    --certbot-credentials-file "{{ certbot_credentials_file }}"
+    --certbot-dns-propagation-seconds "{{ certbot_dns_propagation_wait_seconds }}"
+    {% else %}
+    --certbot-webroot-path "{{ certbot_webroot_path }}"
+    {% endif %}
+    {{ '--mode-test' if mode_test | bool else '' }}
+  register: certbundle_result
+  changed_when: "'Certificate not yet due for renewal' not in certbundle_result.stdout"
+  failed_when: >
+    certbundle_result.rc != 0
+    and 'too many certificates' not in certbundle_result.stderr
+  when: run_once_san_certs is not defined
+
+- name: run the san tasks once
+  set_fact:
+    run_once_san_certs: true
+  when: run_once_san_certs is not defined

roles/srv-web-tls-core/tasks/flavors/wildcard.yml

@@ -0,0 +1,19 @@
+- name: "Load wildcard certificate for domain"
+  include_tasks: "dedicated.yml"
+  vars:
+    wildcard_domain: true
+  when: 
+    - domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain)
+    - run_once_receive_certificate is not defined  
+
+- name: "Load dedicated certificate for domain"
+  include_tasks: "dedicated.yml"
+  vars:
+    wildcard_domain: false
+  when: 
+    - not (domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain))
+
+- name: run the receive_certificate tasks once
+  set_fact:
+    run_once_receive_certificate: true
+  when: run_once_receive_certificate is not defined

roles/srv-web-tls-core/tasks/main.yml

@@ -0,0 +1,37 @@
+- name: "Include flavor"
+  include_tasks: "{{ role_path }}/tasks/flavors/{{ certbot_flavor }}.yml"
+
+#- name: "Cleanup dedicated cert for {{ domain }}"
+#  command: >-
+#    certbot delete --cert-name {{ domain }} --non-interactive
+#  when: 
+#    - mode_cleanup | bool
+#      # Cleanup mode is enabled
+#    - certbot_flavor != 'dedicated'
+#      # Wildcard certificate is enabled
+#    - domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain)
+#      # AND: The domain is a direct first-level subdomain of the primary domain
+#    - domain != primary_domain  
+#      # The domain is not the primary domain
+#  register: certbot_result
+#  failed_when: certbot_result.rc != 0 and ("No certificate found with name" not in certbot_result.stderr)
+#  changed_when: certbot_result.rc == 0 and ("No certificate found with name" not in certbot_result.stderr)
+
+- name: Find SSL cert folder for domain
+  cert_folder_find:
+    domain: "{{ domain }}"
+    cert_base_path: "{{ certbot_cert_path }}"
+    debug: "{{ enable_debug | default(false) }}"
+  register: cert_folder_result
+  delegate_to: "{{ inventory_hostname }}"
+  changed_when: false
+
+- name: Set fact
+  set_fact:
+    ssl_cert_folder: "{{ cert_folder_result.folder }}"
+  changed_when: false
+
+- name: Ensure ssl_cert_folder is set
+  fail:
+    msg: "No certificate folder found for domain {{ domain }}"
+  when: ssl_cert_folder is undefined or ssl_cert_folder is none