Implemented wildcard function for www redirects and solved bugs

group_vars/all/00_general.yml

@@ -43,4 +43,4 @@ nginx_matomo_tracking:                false   # Activates matomo tracking on all
 # To enable, update your inventory file.
 # For detailed setup instructions, visit: 
 # https://github.com/kevinveenbirkenbach/cymais/tree/master/roles/nginx-docker-cert-deploy
-enable_one_letsencrypt_cert_for_all:  false    
+enable_wildcard_certificate:          false    

roles/docker-bigbluebutton/templates/env.j2

@@ -1,5 +1,5 @@
 ENABLE_COTURN=true
-{% set ssl_cert_folder = primary_domain if enable_one_letsencrypt_cert_for_all and primary_domain in domain else domain %}
+{% set ssl_cert_folder = primary_domain if enable_wildcard_certificate | bool and primary_domain in domain else domain %}
 COTURN_TLS_CERT_PATH=/etc/letsencrypt/live/{{ssl_cert_folder}}/fullchain.pem
 COTURN_TLS_KEY_PATH=/etc/letsencrypt/live/{{ssl_cert_folder}}/privkey.pem
 ENABLE_GREENLIGHT={{applications.bigbluebutton.enable_greenlight}}

roles/docker-ldap/vars/main.yml

@@ -9,6 +9,6 @@ ldap_localhost_port:          389
 oauth2_proxy_upstream_application_and_port: "{{ applications.ldap.webinterface }}:{% if applications.ldap.webinterface == 'phpldapadmin' %}8080{% else %}80{% endif %}"
 oauth2_proxy_active:                        true
 
-enable_one_letsencrypt_cert_for_all:  false # Activate dedicated Certificate
+enable_wildcard_certificate:  false # Activate dedicated Certificate
 
 ldap_network_enabled:                 true  # Activate LDAP network

roles/docker-mailu/vars/main.yml

@@ -2,4 +2,4 @@ application_id:                       "mailu"
 database_password:  	        "{{mailu_database_password}}"
 database_type:                "mariadb"
 cert_mount_directory:         "{{docker_compose_instance_directory}}/certs/"
-enable_one_letsencrypt_cert_for_all:  false
+enable_wildcard_certificate:  false

roles/letsencrypt/templates/ssl_credentials.j2

@@ -1,4 +1,4 @@
-{% set ssl_cert_folder = primary_domain if enable_one_letsencrypt_cert_for_all and primary_domain in domain else domain %}
+{% set ssl_cert_folder = primary_domain if enable_wildcard_certificate | bool and primary_domain in domain else domain %}
 ssl_certificate /etc/letsencrypt/live/{{ ssl_cert_folder }}/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/{{ ssl_cert_folder }}/privkey.pem;
 ssl_trusted_certificate /etc/letsencrypt/live/{{ ssl_cert_folder }}/chain.pem;

roles/nginx-docker-cert-deploy/README.md

@@ -23,7 +23,7 @@ This Ansible role simplifies the deployment of **Let's Encrypt certificates** in
 By default, each subdomain gets its own certificate. You can **enable a wildcard certificate** by setting:
 
 ```yaml
-enable_one_letsencrypt_cert_for_all: true
+enable_wildcard_certificate: true
 ```
 
 📌 **Pros & Cons of a Wildcard Certificate:**
@@ -58,7 +58,7 @@ If enabled, update your inventory file and follow the **manual wildcard certific
 ---
 
 ## **🔐 Wildcard Certificate Setup with Let's Encrypt**
-If you enabled `enable_one_letsencrypt_cert_for_all`, follow these steps to manually request a **wildcard certificate**.
+If you enabled `enable_wildcard_certificate`, follow these steps to manually request a **wildcard certificate**.
 
 ### **1️⃣ Run the Certbot Command 🖥️**
 ```sh

roles/nginx-matomo-tracking/templates/matomo-tracking.conf.j2

@@ -1,5 +1,5 @@
 # Deactivate CSP header
-more_set_headers "Content-Security-Policy: ";
+add_header Content-Security-Policy: "";
 
 # sub filters to integrate matomo tracking code in nginx websites
 sub_filter '</head>' '<script>{{matomo_tracking_code_one_liner}}</script></head>';

roles/nginx-www-redirect/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - nginx

roles/nginx-www-redirect/tasks/main.yml

@@ -5,6 +5,8 @@
     patterns: '*.*.conf'
   register: conf_files
 
+# Filter all domains
+
 - name: Filter domain names and remove .conf extension and path
   set_fact:
     filtered_domains: "{{ conf_files.files | map(attribute='path') | map('regex_search', domain_regex) | select('string') | map('regex_replace', path_regex, '') | map('regex_replace', '.conf$', '') | list }}"
@@ -15,9 +17,69 @@
 - name: The domains for which a www. redirect will be implemented
   debug:
     var: filtered_domains
+  when: mode_debug | bool
 
-- name: Include nginx-domain-redirect role with dynamic domain mappings
+# Routine for domains with primary domain included
+
+- name: Set filtered_domains_with_primary_domain
+  set_fact:
+    filtered_domains_with_primary_domain: "{{ filtered_domains | select('search', primary_domain + '$') | list }}"
+
+- name: Debug with primary domain
+  debug:
+    var: filtered_domains_with_primary_domain
+  when: mode_debug | bool
+
+- name: Include nginx-domain-redirect role with dynamic domain mappings for domains with {{primary_domain}} included
   include_role:
     name: nginx-domain-redirect
   vars:
-    domain_mappings: "{{ filtered_domains | map('regex_replace', '^(.*)$', '{ source: \"www.\\1\", target: \"\\1\" }') | map('from_yaml') | list }}"
+    domain_mappings: "{{ filtered_domains_with_primary_domain | map('regex_replace', '^(.*)$', '{ source: \"www.\\1\", target: \"\\1\" }') | map('from_yaml') | list }}"
+  when: not enable_wildcard_certificate | bool
+
+- name: Include wildcard www. redirect for domains with {{primary_domain}} included
+  vars:
+    domain: "{{primary_domain}}"
+  template: 
+    src:  www.wildcard.conf.j2
+    dest: "{{nginx_www_wildcart_configuration}}"
+  notify: restart nginx
+  when: enable_wildcard_certificate | bool
+
+# Routine for domains without the primary domain included
+
+- name: Set filtered_domains_without_primary_domain
+  set_fact:
+    filtered_domains_without_primary_domain: "{{ filtered_domains | reject('search', primary_domain + '$') | list }}"
+
+- name: Debug domains without primary domain
+  debug:
+    var: filtered_domains_without_primary_domain
+  when: mode_debug | bool
+
+- name: Include nginx-domain-redirect role with dynamic domain mappings for domains without primary domain
+  include_role:
+    name: nginx-domain-redirect
+  vars:
+    domain_mappings: "{{ filtered_domains_without_primary_domain | map('regex_replace', '^(.*)$', '{ source: \"www.\\1\", target: \"\\1\" }') | map('from_yaml') | list }}"
+
+
+# Cleanup
+- name: Cleanup dedicated nginx configurations for www redirect configuration
+  file:
+    path: "{{ nginx.directories.http.servers }}{{ item.source }}.conf"
+    state: absent
+  loop: "{{ filtered_domains_with_primary_domain | map('regex_replace', '^(.*)$', '{ source: \"www.\\1\", target: \"\\1\" }') | map('from_yaml') | list }}"
+  notify: restart nginx
+  when: 
+    - enable_wildcard_certificate | bool
+    - mode_cleanup
+
+- name: Cleanup {{nginx_www_wildcart_configuration}}
+  file:
+    path: "{{nginx_www_wildcart_configuration}}"
+    state: absent
+  notify: restart nginx
+  when: 
+    - not enable_wildcard_certificate | bool
+    - mode_cleanup

roles/nginx-www-redirect/templates/www.wildcard.conf.j2

@@ -0,0 +1,6 @@
+server {
+    server_name ~^www\.(?<domain>.+)$;
+    {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
+
+    return 301 https://$domain$request_uri;
+}

roles/nginx-www-redirect/vars/main.yml

@@ -0,0 +1 @@
+nginx_www_wildcart_configuration: "{{nginx.directories.http.global}}www.wildcard.conf"

roles/nginx/templates/nginx.conf.j2

@@ -34,8 +34,9 @@ http
   gzip_types application/atom+xml application/javascript application/xml+rss application/x-javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy text/javascript text/xml;
 
   types_hash_max_size 4096;  
-  include {{nginx.directories.http.maps}}*.conf;
-  include {{nginx.directories.http.servers}}*.conf;
+  {% for dir in nginx.directories.http.values() %}
+  include {{ dir }}*.conf;
+  {% endfor %}
 }
 
 # For port proxies

tasks/recieve-certbot-certificate.yml

@@ -3,7 +3,7 @@
     certbot certonly --agree-tos --email {{ administrator_email }}
     --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ domain }}
     {{ '--test-cert' if mode_test | bool else '' }}
-  when: not enable_one_letsencrypt_cert_for_all
+  when: not enable_wildcard_certificate | bool or primary_domain not in domain
 
 - name: "recieve certbot certificate for *{{ primary_domain }}"
   command: >-
@@ -11,7 +11,7 @@
     --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ primary_domain }} -d *.{{ primary_domain }}
     {{ '--test-cert' if mode_test | bool else '' }}
   when: 
-    - enable_one_letsencrypt_cert_for_all
+    - enable_wildcard_certificate | bool
     - primary_domain in domain
     - run_once_recieve_certificate is not defined
 
@@ -19,8 +19,8 @@
   command: >-
     certbot delete --cert-name {{ domain }} --non-interactive
   when: 
-    - mode_cleanup
-    - enable_one_letsencrypt_cert_for_all
+    - mode_cleanup | bool
+    - enable_wildcard_certificate | bool
     - primary_domain in domain
     - domain != primary_domain
   ignore_errors: true