kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-07-17 22:14:25 +02:00
Code Issues Packages Projects Releases Wiki Activity

Solved letsencrypt reference bugs

Browse Source
This commit is contained in:
Kevin Veen-Birkenbach 2025-07-09 00:07:12 +02:00
parent 563d5fd528
commit 8da2e41463
No known key found for this signature in database
GPG Key ID: 44D8F11FD62F878E
21 changed files with 112 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
roles/network-letsencrypt/templates/ssl_header.j2
View File

@ -12,4 +12,4 @@ ssl_session_tickets on;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
{% include 'roles/letsencrypt/templates/ssl_credentials.j2' %}
{% include 'roles/network-letsencrypt/templates/ssl_credentials.j2' %}

2
roles/service-openldap/templates/nginx.stream.conf.j2
View File

@ -2,5 +2,5 @@ server {
listen {{ports.public.ldaps.ldap}}ssl;
proxy_pass 127.0.0.1:{{ports.localhost.ldap.ldap}};
{% include 'roles/letsencrypt/templates/ssl_credentials.j2' %}
{% include 'roles/network-letsencrypt/templates/ssl_credentials.j2' %}
}

2
roles/web-app-collabora/templates/nginx.conf.j2
View File

@ -1,7 +1,7 @@
server {
server_name {{domain}};
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}
{% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
{% include 'roles/webserver-injector-core/templates/global.includes.conf.j2'%}

2
roles/web-app-matrix/templates/nginx.conf.j2
View File

@ -5,7 +5,7 @@ server {
{% set http_port = ports.localhost.http.synapse %}
server_name {{domains.matrix.synapse}};
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}
{% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
# For the federation port
listen 8448 ssl default_server;

2
roles/web-app-nextcloud/templates/nginx/host.conf.j2
View File

@ -4,7 +4,7 @@ server
{
server_name {{domain}};
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}
{% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
{% include 'roles/webserver-injector-core/templates/global.includes.conf.j2'%}
# Remove X-Powered-By, which is an information leak

2
roles/web-app-peertube/templates/peertube.conf.j2
View File

@ -1,7 +1,7 @@
server {
server_name {{domain}};
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}
{% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
{% include 'roles/webserver-injector-core/templates/global.includes.conf.j2'%}

2
roles/web-app-syncope/templates/proxy.conf
View File

@ -13,7 +13,7 @@ server
{{nginx_docker_reverse_proxy_extra_configuration}}
{% endif %}
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}
{% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
{% for path in syncope_paths.values() %}
{% set location = web_protocol ~ '://' ~ domains | get_domain(application_id) ~ '/' ~ path ~ '/' %}

2
roles/web-redirect-domains/templates/redirect.domain.nginx.conf.j2
View File

@ -1,6 +1,6 @@
server {
server_name {{ domain }};
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}
{% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
return 301 https://{{ target }}$request_uri;
}

2
roles/web-redirect-www/meta/main.yml
View File

@ -23,4 +23,4 @@ galaxy_info:
issue_tracker_url: "https://s.veen.world/cymaisissues"
documentation: "https://s.veen.world/cymais"
dependencies:
- nginx
- webserver-core

2
roles/web-service-files/templates/nginx.conf.j2
View File

@ -2,7 +2,7 @@ server
{
server_name {{domains | get_domain(application_id)}};
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}
{% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
{% include 'roles/webserver-injector-core/templates/global.includes.conf.j2'%}

2
roles/web-service-html/templates/nginx.conf.j2
View File

@ -2,7 +2,7 @@ server
{
server_name {{domains | get_domain(application_id)}};
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}
{% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
{% include 'roles/webserver-injector-core/templates/global.includes.conf.j2'%}

67
roles/webserver-https/README.md
View File

@ -1,2 +1,65 @@
# Nginx Https Server
This role loads the components to create an nginx server with https
# Webserver HTTPS Provisioning 🚀
## Description
The **webserver-https** role extends a basic Nginx installation by wiring in everything you need to serve content over HTTPS:
1. Ensures your Nginx server is configured for SSL/TLS.
2. Pulls in Lets Encrypt ACME challenge handling.
3. Applies global cleanup of unused domain configs.
This role is built on top of your existing `webserver-core` role, and it automates the end-to-end process of turning HTTP sites into secure HTTPS sites.
---
## Overview
When you apply **webserver-https**, it will:
1. **Include** the `webserver-core` role to install and configure Nginx.
2. **Clean up** any stale vHost files under `cleanup-domains`.
3. **Deploy** the Lets Encrypt challenge-and-redirect snippet from `network-letsencrypt`.
4. **Reload** Nginx automatically when any template changes.
All tasks are idempotent—once your certificates are in place and your configuration is set, Ansible will skip unchanged steps on subsequent runs.
---
## Features
- 🔒 **Automatic HTTPS Redirect**
Sets up port 80 → 443 redirect and serves `/.well-known/acme-challenge/` for Certbot.
- 🔑 **Lets Encrypt Integration**
Pulls in challenge configuration and CAA-record management for automatic certificate issuance and renewal.
- 🧹 **Domain Cleanup**
Removes obsolete or orphaned server blocks before enabling HTTPS.
- 🚦 **Handler-Safe**
Triggers an Nginx reload only when necessary, minimizing service interruptions.
---
## Requirements
- A working `webserver-core` setup.
- DNS managed via Cloudflare (for CAA record tasks) or equivalent ACME DNS flow.
- Variables:
- `certbot_webroot_path`
- `certbot_cert_path`
- `on_calendar_renew_lets_encrypt_certificates`
---
## License
This role is released under the **CyMaIS NonCommercial License (CNCL)**.
See [https://s.veen.world/cncl](https://s.veen.world/cncl) for details.
---
## Author
Developed and maintained by **Kevin Veen-Birkenbach**
Consulting & Coaching Solutions
[https://www.veen.world](https://www.veen.world)

31
roles/webserver-https/meta/main.yml
View File

@ -1,4 +1,29 @@
galaxy_info:
author: "Kevin Veen-Birkenbach"
description: "Configures Nginx to serve sites securely over HTTPS, integrates Lets Encrypt and cleans up stale domain configs."
company: |
Kevin Veen-Birkenbach
Consulting & Coaching Solutions
https://www.veen.world
license: "CyMaIS NonCommercial License (CNCL)"
license_url: "https://s.veen.world/cncl"
min_ansible_version: "2.9"
platforms:
- name: Archlinux
versions:
- rolling
galaxy_tags:
- nginx
- https
- tls
- letsencrypt
- security
- automation
repository: "https://s.veen.world/cymais"
documentation: "https://s.veen.world/cymais"
issue_tracker_url: "https://s.veen.world/cymaisissues"
dependencies:
- nginx
- cleanup-domains
- letsencrypt
- webserver-core
- cleanup-domains
- network-letsencrypt

2
roles/webserver-injector-css/meta/main.yml
View File

@ -26,4 +26,4 @@ galaxy_info:
issue_tracker_url: https://s.veen.world/cymaisissues
documentation: https://s.veen.world/cymais
dependencies:
- nginx
- webserver-core

2
roles/webserver-injector-iframe/meta/main.yml
View File

@ -25,4 +25,4 @@ galaxy_info:
- security
- postMessage
dependencies:
- nginx
- webserver-core

2
roles/webserver-injector-javascript/meta/main.yml
View File

@ -25,4 +25,4 @@ galaxy_info:
issue_tracker_url: "https://s.veen.world/cymaisissues"
dependencies:
- nginx
- webserver-core

2
roles/webserver-injector-matomo/meta/main.yml
View File

@ -1,3 +1,3 @@
dependencies:
# - web-app-matomo Don't activate this otherwise the plays take super long
- nginx
- webserver-core

2
roles/webserver-proxy-core/templates/vhost/basic.conf.j2
View File

@ -13,7 +13,7 @@ server
{{nginx_docker_reverse_proxy_extra_configuration}}
{% endif %}
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}
{% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
{% if applications | is_feature_enabled('oauth2', application_id) %}
{% set acl = applications[application_id].oauth2_proxy.acl | default({}) %}

2
roles/webserver-proxy-core/templates/vhost/ws_generic.conf.j2
View File

@ -6,7 +6,7 @@ map $http_upgrade $connection_upgrade {
server {
server_name {{ domain }};
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}
{% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
{% include 'roles/webserver-injector-core/templates/global.includes.conf.j2' %}
client_max_body_size {{ client_max_body_size | default('100m') }};

2
roles/webserver-proxy-domain/meta/main.yml
View File

@ -24,4 +24,4 @@ galaxy_info:
issue_tracker_url: https://s.veen.world/cymaisissues
documentation: https://s.veen.world/cymais
dependencies:
- nginx
- webserver-core

2
roles/webserver-tls-renew/meta/main.yml
View File

@ -28,6 +28,6 @@ galaxy_info:
documentation: "https://s.veen.world/cymais"
dependencies:
- generic-certbot
- nginx
- webserver-core
- alert-core
- cleanup-certs