diff --git a/group_vars/all/03_domains.yml b/group_vars/all/03_domains.yml
index a78b9918..d5eaeb88 100644
--- a/group_vars/all/03_domains.yml
+++ b/group_vars/all/03_domains.yml
@@ -38,7 +38,7 @@ defaults_domains:
   wordpress: ["wordpress.{{primary_domain}}","blog.{{primary_domain}}"]
 
 ## Domain Redirects
-redirect_domain_mappings:
+defaults_redirect_domain_mappings:
 - { source: "akaunting.{{primary_domain}}", target: "{{domains.akaunting}}" }
 - { source: "bbb.{{primary_domain}}", target: "{{domains.bigbluebutton}}" }
 - { source: "discourse.{{primary_domain}}", target: "{{domains.discourse}}" }
diff --git a/playbook.constructor.yml b/playbook.constructor.yml
index a667dd9c..106072ea 100644
--- a/playbook.constructor.yml
+++ b/playbook.constructor.yml
@@ -8,6 +8,9 @@
   - name: Merge domain definitions
     set_fact:
       domains: "{{ defaults_domains | combine(domains | default({}, true), recursive=True) }}"
+  - name: Merge redirect domain definitions
+    set_fact:
+      redirect_domain_mappings: "{{ defaults_redirect_domain_mappings | combine(redirect_domain_mappings | default({}, true), recursive=True) }}"
   - name: Merge application definitions
     set_fact:
       applications: "{{ defaults_applications | combine(applications | default({}, true), recursive=True) }}"
diff --git a/roles/nginx-domain-redirect/tasks/main.yml b/roles/nginx-domain-redirect/tasks/main.yml
index 15666757..9fd9a6c3 100644
--- a/roles/nginx-domain-redirect/tasks/main.yml
+++ b/roles/nginx-domain-redirect/tasks/main.yml
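Review bot: `combine` is a dictionary merge, but `defaults_redirect_domain_mappings` is a list of `{ source, target }` items (see the group_vars hunk of this commit), so the new `Merge redirect domain definitions` task should fail at runtime with a "combine expects dictionaries" error rather than merge anything. Lists are concatenated with `+`: `redirect_domain_mappings: "{{ defaults_redirect_domain_mappings + (redirect_domain_mappings | default([], true)) }}"`. If the intent is to let users override individual entries by source domain, a mapping keyed by source would be the shape that fits `combine`. The enclosing play starts outside the hunk.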
@@ -5,12 +5,16 @@
     domain: "{{item.source}}"
   loop: "{{domain_mappings}}"
 
+- name: The domains for which a www. redirect will be implemented
+  debug:
+    var: domain_mappings
+  when: mode_debug | bool
+
 - name: configure nginx redirect configurations
   vars:
-    domain: "{{item.source}}"
-    target_domain: "{{item.target}}"
+    item: "{{item}}"
   template:
     src: redirect.domain.nginx.conf.j2
-    dest: "{{nginx.directories.http.servers}}{{ domain }}.conf"
-  loop: "{{domain_mappings}}"
+    dest: "{{nginx.directories.http.servers}}{{item.source}}.conf"
+  loop: "{{domain_mappings}}"
   notify: restart nginx
diff --git a/roles/nginx-domain-redirect/templates/redirect.domain.nginx.conf.j2 b/roles/nginx-domain-redirect/templates/redirect.domain.nginx.conf.j2
index 946f7249..63a3ef5e 100644
--- a/roles/nginx-domain-redirect/templates/redirect.domain.nginx.conf.j2
+++ b/roles/nginx-domain-redirect/templates/redirect.domain.nginx.conf.j2
@@ -1,5 +1,8 @@
 server {
+  {% set domain = item.source %}
+  {% set target = item.target %}
   server_name {{domain}};
   {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
-  return 301 https://{{target_domain}}$request_uri;
+
+  return 301 https://{{target}}$request_uri;
 }
diff --git a/roles/nginx-www-redirect/tasks/main.yml b/roles/nginx-www-redirect/tasks/main.yml
index 6be72b1c..a571142d 100644
--- a/roles/nginx-www-redirect/tasks/main.yml
+++ b/roles/nginx-www-redirect/tasks/main.yml
@@ -42,7 +42,7 @@
     domain: "{{primary_domain}}"
   template:
     src: www.wildcard.conf.j2
-    dest: "{{nginx_www_wildcart_configuration}}"
+    dest: "{{nginx_www_wildcard_configuration}}"
   notify: restart nginx
   when: enable_wildcard_certificate | bool
 
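Review bot: `vars: item: "{{item}}"` on the `configure nginx redirect configurations` task defines `item` in terms of itself, which Ansible will most likely reject as a recursive template loop, and it is unnecessary because the loop variable `item` is already visible to the template. Drop the `vars:` block and keep `dest: "{{nginx.directories.http.servers}}{{item.source}}.conf"` together with the `loop:`. The new debug task is named after a `www.` redirect, but this role renders the source→target domain mappings; `- name: The domain redirect mappings that will be configured` would describe what it prints. The task whose `domain:` line opens this hunk starts outside it.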
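Review bot: The two `{% set %}` lines inside `server {` each leave a blank indented line in the rendered nginx config, and the added empty line before `return` adds another; Jinja whitespace control, `{%- set domain = item.source -%}` and `{%- set target = item.target -%}`, keeps the generated file clean. The template now depends on the loop variable `item` being in scope rather than on explicitly passed `domain`/`target_domain` vars, and the included ssl_header.j2 presumably reads `domain` too, so the `set` lines must stay ahead of the include; record that at the top of the file, e.g. `{# rendered once per domain_mappings entry; expects the loop variable item with .source and .target #}`.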
@@ -65,21 +65,30 @@
 
 # Cleanup
-- name: Cleanup dedicated nginx configurations for www redirect configuration
-  file:
-    path: "{{ nginx.directories.http.servers }}{{ item.source }}.conf"
-    state: absent
-  loop: "{{ filtered_domains_with_primary_domain | map('regex_replace', '^(.*)$', '{ source: \"www.\\1\", target: \"\\1\" }') | map('from_yaml') | list }}"
-  notify: restart nginx
-  when:
-    - enable_wildcard_certificate | bool
-    - mode_cleanup
+# Deactivated due to complexity
+#- name: Cleanup dedicated nginx configurations for www redirect configuration
+#  file:
+#    path: "{{ nginx.directories.http.servers }}{{ item.source }}.conf"
+#    state: absent
+#  # Filter: Only first-level subdomains of primary_domain
+#  # Exclude the primary domain itself
+#  # Transform for www redirection
+#  loop: "{{ filtered_domains_with_primary_domain
+#    | select('regex_search', '^[^.]+\\.' ~ primary_domain ~ '$')
+#    | reject('equalto', primary_domain)
+#    | map('regex_replace', '^(.*)$', '{ source: \"www.\\1\", target: \"\\1\" }')
+#    | map('from_yaml')
+#    | list }}"
+#  notify: restart nginx
+#  when:
+#    - enable_wildcard_certificate | bool # Wildcard certificate must be enabled
+#    - mode_cleanup | bool # Cleanup mode must be enabled
 
-- name: Cleanup {{nginx_www_wildcart_configuration}}
+- name: Cleanup {{nginx_www_wildcard_configuration}}
   file:
-    path: "{{nginx_www_wildcart_configuration}}"
+    path: "{{nginx_www_wildcard_configuration}}"
     state: absent
   notify: restart nginx
   when:
     - not enable_wildcard_certificate | bool
-    - mode_cleanup
+    - mode_cleanup | bool
 
diff --git a/roles/nginx-www-redirect/vars/main.yml b/roles/nginx-www-redirect/vars/main.yml
index 48219d4d..fb54e48c 100644
--- a/roles/nginx-www-redirect/vars/main.yml
+++ b/roles/nginx-www-redirect/vars/main.yml
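Review bot: Commenting out `Cleanup dedicated nginx configurations for www redirect configuration` leaves the per-domain `www.*.conf` files in `nginx.directories.http.servers` in place once the wildcard certificate is enabled, and `# Deactivated due to complexity` records neither that consequence nor a follow-up. Those stale server blocks presumably reference the dedicated certificates that the `Cleanup dedicated cert` task in tasks/recieve-certbot-certificate.yml deletes in the same cleanup mode, which would leave nginx with a config pointing at missing certificate files; if that holds, some form of this cleanup needs to stay active. At minimum replace the comment with `# TODO: re-enable - while disabled, stale www.*.conf server blocks remain after switching to the wildcard certificate and may reference removed dedicated certificates`. The `select`/`reject` chain kept in the commented block is small enough that it could simply stay as live code.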
@@ -1 +1 @@
-nginx_www_wildcart_configuration: "{{nginx.directories.http.global}}www.wildcard.conf"
\ No newline at end of file
+nginx_www_wildcard_configuration: "{{nginx.directories.http.global}}www.wildcard.conf"
\ No newline at end of file
diff --git a/tasks/recieve-certbot-certificate.yml b/tasks/recieve-certbot-certificate.yml
index 0a1b894f..001f2f58 100644
--- a/tasks/recieve-certbot-certificate.yml
+++ b/tasks/recieve-certbot-certificate.yml
@@ -1,28 +1,39 @@
-- name: "recieve certbot certificate for {{ domain }}"
+- name: "recieve dedicated certificate for {{ domain }}"
   command: >-
     certbot certonly --agree-tos --email {{ administrator_email }}
     --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ domain }} {{ '--test-cert' if mode_test | bool else '' }}
-  when: not enable_wildcard_certificate | bool or primary_domain not in domain
+  when:
+    - not enable_wildcard_certificate | bool
+    # Wildcard certificate should not be used
+    - not (domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain))
+    # OR: The domain is not a first-level subdomain of the primary domain
 
-- name: "recieve certbot certificate for *{{ primary_domain }}"
+- name: "recieve wildcard certificate for *{{ primary_domain }}"
   command: >-
-    certbot certonly --agree-tos --email {{ administrator_email }}
+    certbot certonly --agree-tos --email {{ administrator_email }}
     --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ primary_domain }} -d *.{{ primary_domain }} {{ '--test-cert' if mode_test | bool else '' }}
   when:
-    - enable_wildcard_certificate | bool
-    - primary_domain in domain
-    - run_once_recieve_certificate is not defined
+    - enable_wildcard_certificate | bool
+    # Wildcard certificate is enabled
+    - domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain)
+    # AND: The domain is a direct first-level subdomain of the primary domain
+    - run_once_recieve_certificate is not defined
+    # Ensure this task runs only once for the wildcard certificate
 
 - name: "Cleanup dedicated cert for {{ domain }}"
   command: >-
     certbot delete --cert-name {{ domain }} --non-interactive
   when:
-    - mode_cleanup | bool
-    - enable_wildcard_certificate | bool
-    - primary_domain in domain
-    - domain != primary_domain
+    - mode_cleanup | bool
+    # Cleanup mode is enabled
+    - enable_wildcard_certificate | bool
+    # Wildcard certificate is enabled
+    - domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain)
+    # AND: The domain is a direct first-level subdomain of the primary domain
+    - domain != primary_domain
+    # The domain is not the primary domain
   ignore_errors: true
 
 - name: run the recieve_certificate tasks once
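Review bot: In `recieve dedicated certificate for {{ domain }}` the two entries under `when:` are ANDed by Ansible, not ORed as the `# OR:` comment claims, so with `enable_wildcard_certificate` on, a domain the wildcard does not cover (a second-level subdomain or an unrelated domain) never gets a dedicated certificate; the replaced single-expression form was correct in that respect. Write it as one expression: `when: not enable_wildcard_certificate | bool or not (domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith('.' ~ primary_domain))`. Separately, `domain.endswith(primary_domain)` in all three tasks lacks the leading dot, so for primary `example.com` a host such as `a.notexample.com` passes both the label-count and the suffix test, is treated as wildcard-covered, and has its dedicated certificate deleted by the cleanup task; use `domain.endswith('.' ~ primary_domain)`. Since the same predicate now appears three times, computing it once into a variable before these tasks would keep them consistent.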