Implemented role to recieve certs & do modification routines. Also optimized nextcloud

2025-08-29 15:06:26 +02:00 · 2025-02-21 09:28:01 +01:00
parent 0805929d41
commit 8c951f6a19
15 changed files with 40 additions and 49 deletions
--- a/roles/nginx-https-get-cert/tasks/main.yml
+++ b/roles/nginx-https-get-cert/tasks/main.yml
@@ -0,0 +1,43 @@
+- name: "recieve dedicated certificate for {{ domain }}"
+  command: >-
+    certbot certonly --agree-tos --email {{ administrator_email }}
+    --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ domain }}
+    {{ '--test-cert' if mode_test | bool else '' }}
+  when: 
+    - not enable_wildcard_certificate | bool or not (domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain))
+      # Wildcard certificate should not be used
+      # OR: The domain is not a first-level subdomain of the primary domain
+
+- name: "recieve wildcard certificate for *{{ primary_domain }}"
+  command: >-
+    certbot certonly --agree-tos --email {{ administrator_email }}                                          
+    --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ primary_domain }} -d *.{{ primary_domain }}
+    {{ '--test-cert' if mode_test | bool else '' }}
+  when: 
+    - enable_wildcard_certificate | bool  
+      # Wildcard certificate is enabled
+    - domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain)
+      # AND: The domain is a direct first-level subdomain of the primary domain
+    - run_once_recieve_certificate is not defined  
+      # Ensure this task runs only once for the wildcard certificate
+    - domain == primary_domain  
+      # The domain is the primary domain
+
+- name: "Cleanup dedicated cert for {{ domain }}"
+  command: >-
+    certbot delete --cert-name {{ domain }} --non-interactive
+  when: 
+    - mode_cleanup | bool  
+      # Cleanup mode is enabled
+    - enable_wildcard_certificate | bool  
+      # Wildcard certificate is enabled
+    - domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain)
+      # AND: The domain is a direct first-level subdomain of the primary domain
+    - domain != primary_domain  
+      # The domain is not the primary domain
+  ignore_errors: true
+
+- name: run the recieve_certificate tasks once
+  set_fact:
+    run_once_recieve_certificate: true
+  when: run_once_recieve_certificate is not defined