Implemented role to recieve certs & do modification routines. Also optimized nextcloud

roles/nginx-https-get-cert/README.md

@@ -0,0 +1,39 @@
+# Let's Encrypt Certificate Role
+
+This Ansible role uses Certbot to obtain Let's Encrypt SSL/TLS certificates. It supports both dedicated and wildcard certificate requests based on domain conditions. It can also clean up (delete) dedicated certificates when cleanup mode is enabled.
+
+## Features
+
+- **Dedicated Certificate Request:**  
+  Requests a certificate for a given domain using Certbot's `certonly` command with the webroot plugin.
+
+- **Wildcard Certificate Request:**  
+  When enabled, obtains a wildcard certificate for the primary domain (including both the primary domain and all its direct subdomains).
+
+- **Certificate Cleanup:**  
+  Provides an option to delete dedicated certificates if cleanup mode is active.
+
+- **Run Once for Wildcard:**  
+  Ensures that the wildcard certificate task runs only once to prevent duplicate requests.
+
+## Tasks Overview
+
+- **Receive Dedicated Certificate:**  
+  Executes Certbot to request a dedicated certificate for `{{ domain }}` when a wildcard certificate is not applicable.
+
+- **Receive Wildcard Certificate:**  
+  Executes Certbot to request a wildcard certificate for `*{{ primary_domain }}` under the appropriate conditions.
+
+- **Cleanup Dedicated Certificate:**  
+  Runs Certbot's delete command to remove the dedicated certificate if cleanup mode is active.
+
+- **Run Once Flag:**  
+  Sets a fact to ensure that the wildcard certificate task is executed only once per playbook run.
+
+## Author
+
+This role is authored by [Kevin Veen-Birkenbach](https://www.veen.world).
+
+---
+
+Feel free to contribute or open issues if you have suggestions or encounter any problems with the role. Enjoy secure connections with Let's Encrypt and Ansible!

roles/nginx-https-get-cert/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+- nginx-https

roles/nginx-https-get-cert/tasks/main.yml

@@ -0,0 +1,43 @@
+- name: "recieve dedicated certificate for {{ domain }}"
+  command: >-
+    certbot certonly --agree-tos --email {{ administrator_email }}
+    --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ domain }}
+    {{ '--test-cert' if mode_test | bool else '' }}
+  when: 
+    - not enable_wildcard_certificate | bool or not (domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain))
+      # Wildcard certificate should not be used
+      # OR: The domain is not a first-level subdomain of the primary domain
+
+- name: "recieve wildcard certificate for *{{ primary_domain }}"
+  command: >-
+    certbot certonly --agree-tos --email {{ administrator_email }}                                          
+    --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ primary_domain }} -d *.{{ primary_domain }}
+    {{ '--test-cert' if mode_test | bool else '' }}
+  when: 
+    - enable_wildcard_certificate | bool  
+      # Wildcard certificate is enabled
+    - domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain)
+      # AND: The domain is a direct first-level subdomain of the primary domain
+    - run_once_recieve_certificate is not defined  
+      # Ensure this task runs only once for the wildcard certificate
+    - domain == primary_domain  
+      # The domain is the primary domain
+
+- name: "Cleanup dedicated cert for {{ domain }}"
+  command: >-
+    certbot delete --cert-name {{ domain }} --non-interactive
+  when: 
+    - mode_cleanup | bool  
+      # Cleanup mode is enabled
+    - enable_wildcard_certificate | bool  
+      # Wildcard certificate is enabled
+    - domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain)
+      # AND: The domain is a direct first-level subdomain of the primary domain
+    - domain != primary_domain  
+      # The domain is not the primary domain
+  ignore_errors: true
+
+- name: run the recieve_certificate tasks once
+  set_fact:
+    run_once_recieve_certificate: true
+  when: run_once_recieve_certificate is not defined