Solved mapping bugs

2025-02-23 04:49:40 +01:00 · 2025-02-03 22:08:16 +01:00 · 2025-02-03 22:08:16 +01:00 · 7781083161
commit 7781083161
parent 8a6adf3958
7 changed files with 61 additions and 31 deletions
--- a/group_vars/all/03_domains.yml
+++ b/group_vars/all/03_domains.yml
@ -38,7 +38,7 @@ defaults_domains:
  wordpress:              ["wordpress.{{primary_domain}}","blog.{{primary_domain}}"]

 ## Domain Redirects
-redirect_domain_mappings:
+defaults_redirect_domain_mappings:
 - { source: "akaunting.{{primary_domain}}",   target: "{{domains.akaunting}}" }
 - { source: "bbb.{{primary_domain}}",         target: "{{domains.bigbluebutton}}" }
 - { source: "discourse.{{primary_domain}}",   target: "{{domains.discourse}}" }
--- a/playbook.constructor.yml
+++ b/playbook.constructor.yml
@ -8,6 +8,9 @@
  - name: Merge domain definitions
    set_fact:
      domains: "{{ defaults_domains | combine(domains | default({}, true), recursive=True) }}"
+  - name: Merge redirect domain definitions
+    set_fact:
+      redirect_domain_mappings: "{{ defaults_redirect_domain_mappings | combine(redirect_domain_mappings | default({}, true), recursive=True) }}"
  - name: Merge application definitions
    set_fact:
      applications: "{{ defaults_applications | combine(applications | default({}, true), recursive=True) }}"
--- a/roles/nginx-domain-redirect/tasks/main.yml
+++ b/roles/nginx-domain-redirect/tasks/main.yml
@ -5,12 +5,16 @@
    domain: "{{item.source}}"
  loop: "{{domain_mappings}}"

+- name: The domains for which a www. redirect will be implemented
+  debug:
+    var: domain_mappings
+  when: mode_debug | bool
+
 - name: configure nginx redirect configurations
  vars:
-    domain: "{{item.source}}"
-    target_domain: "{{item.target}}"
+    item: "{{item}}"
  template: 
    src:  redirect.domain.nginx.conf.j2
-    dest: "{{nginx.directories.http.servers}}{{ domain }}.conf"
-  loop: "{{domain_mappings}}"
+    dest: "{{nginx.directories.http.servers}}{{item.source}}.conf"
+  loop:   "{{domain_mappings}}"
  notify: restart nginx
--- a/roles/nginx-domain-redirect/templates/redirect.domain.nginx.conf.j2
+++ b/roles/nginx-domain-redirect/templates/redirect.domain.nginx.conf.j2
@ -1,5 +1,8 @@
 server {
+  {% set domain = item.source %}
+  {% set target = item.target %}
  server_name {{domain}};
  {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
-  return 301 https://{{target_domain}}$request_uri;
+
+  return 301 https://{{target}}$request_uri;
 }
--- a/roles/nginx-www-redirect/tasks/main.yml
+++ b/roles/nginx-www-redirect/tasks/main.yml
@ -42,7 +42,7 @@
    domain: "{{primary_domain}}"
  template: 
    src:  www.wildcard.conf.j2
-    dest: "{{nginx_www_wildcart_configuration}}"
+    dest: "{{nginx_www_wildcard_configuration}}"
  notify: restart nginx
  when: enable_wildcard_certificate | bool

@ -65,21 +65,30 @@


 # Cleanup
- name: Cleanup dedicated nginx configurations for www redirect configuration
-  file:
-    path: "{{ nginx.directories.http.servers }}{{ item.source }}.conf"
-    state: absent
-  loop: "{{ filtered_domains_with_primary_domain | map('regex_replace', '^(.*)$', '{ source: \"www.\\1\", target: \"\\1\" }') | map('from_yaml') | list }}"
-  notify: restart nginx
-  when: 
-    - enable_wildcard_certificate | bool
-    - mode_cleanup
+# Deactivated due to complexity
+#- name: Cleanup dedicated nginx configurations for www redirect configuration
+#  file:
+#    path: "{{ nginx.directories.http.servers }}{{ item.source }}.conf"
+#    state: absent
+#  # Filter: Only first-level subdomains of primary_domain
+#  # Exclude the primary domain itself
+#  # Transform for www redirection
+#  loop: "{{ filtered_domains_with_primary_domain 
+#            | select('regex_search', '^[^.]+\\.' ~ primary_domain ~ '$') 
+#            | reject('equalto', primary_domain)  
+#            | map('regex_replace', '^(.*)$', '{ source: \"www.\\1\", target: \"\\1\" }')  
+#            | map('from_yaml') 
+#            | list }}"
+#  notify: restart nginx
+#  when: 
+#    - enable_wildcard_certificate | bool  # Wildcard certificate must be enabled
+#    - mode_cleanup | bool                 # Cleanup mode must be enabled

- name: Cleanup {{nginx_www_wildcart_configuration}}
+- name: Cleanup {{nginx_www_wildcard_configuration}}
  file:
-    path: "{{nginx_www_wildcart_configuration}}"
+    path: "{{nginx_www_wildcard_configuration}}"
    state: absent
  notify: restart nginx
  when: 
    - not enable_wildcard_certificate | bool
-    - mode_cleanup
+    - mode_cleanup | bool
--- a/roles/nginx-www-redirect/vars/main.yml
+++ b/roles/nginx-www-redirect/vars/main.yml
@ -1 +1 @@
-nginx_www_wildcart_configuration: "{{nginx.directories.http.global}}www.wildcard.conf"
+nginx_www_wildcard_configuration: "{{nginx.directories.http.global}}www.wildcard.conf"
--- a/tasks/recieve-certbot-certificate.yml
+++ b/tasks/recieve-certbot-certificate.yml
@ -1,28 +1,39 @@
- name: "recieve certbot certificate for {{ domain }}"
+- name: "recieve dedicated certificate for {{ domain }}"
  command: >-
    certbot certonly --agree-tos --email {{ administrator_email }}
    --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ domain }}
    {{ '--test-cert' if mode_test | bool else '' }}
-  when: not enable_wildcard_certificate | bool or primary_domain not in domain
+  when: 
+    - not enable_wildcard_certificate | bool  
+      # Wildcard certificate should not be used
+    - not (domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain))
+      # OR: The domain is not a first-level subdomain of the primary domain

- name: "recieve certbot certificate for *{{ primary_domain }}"
+- name: "recieve wildcard certificate for *{{ primary_domain }}"
  command: >-
    certbot certonly --agree-tos --email {{ administrator_email }}                                          
    --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ primary_domain }} -d *.{{ primary_domain }}
    {{ '--test-cert' if mode_test | bool else '' }}
  when: 
    - enable_wildcard_certificate | bool  
-    - primary_domain in domain
+      # Wildcard certificate is enabled
+    - domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain)
+      # AND: The domain is a direct first-level subdomain of the primary domain
    - run_once_recieve_certificate is not defined  
+      # Ensure this task runs only once for the wildcard certificate

 - name: "Cleanup dedicated cert for {{ domain }}"
  command: >-
    certbot delete --cert-name {{ domain }} --non-interactive
  when: 
    - mode_cleanup | bool  
+      # Cleanup mode is enabled
    - enable_wildcard_certificate | bool  
-    - primary_domain in domain
+      # Wildcard certificate is enabled
+    - domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain)
+      # AND: The domain is a direct first-level subdomain of the primary domain
    - domain != primary_domain  
+      # The domain is not the primary domain
  ignore_errors: true

 - name: run the recieve_certificate tasks once