From 8da2e41463daf755ef4c9e043305a025fdaee6fc Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Wed, 9 Jul 2025 00:07:12 +0200
Subject: [PATCH] Solved letsencrypt reference bugs

---
 .../templates/ssl_header.j2 | 2 +-
 .../templates/nginx.stream.conf.j2 | 2 +-
 .../web-app-collabora/templates/nginx.conf.j2 | 2 +-
 roles/web-app-matrix/templates/nginx.conf.j2 | 2 +-
 .../templates/nginx/host.conf.j2 | 2 +-
 .../templates/peertube.conf.j2 | 2 +-
 roles/web-app-syncope/templates/proxy.conf | 2 +-
 .../templates/redirect.domain.nginx.conf.j2 | 2 +-
 roles/web-redirect-www/meta/main.yml | 2 +-
 .../web-service-files/templates/nginx.conf.j2 | 2 +-
 .../web-service-html/templates/nginx.conf.j2 | 2 +-
 roles/webserver-https/README.md | 67 ++++++++++++++++++-
 roles/webserver-https/meta/main.yml | 31 ++++++++-
 roles/webserver-injector-css/meta/main.yml | 2 +-
 roles/webserver-injector-iframe/meta/main.yml | 2 +-
 .../meta/main.yml | 2 +-
 roles/webserver-injector-matomo/meta/main.yml | 2 +-
 .../templates/vhost/basic.conf.j2 | 2 +-
 .../templates/vhost/ws_generic.conf.j2 | 2 +-
 roles/webserver-proxy-domain/meta/main.yml | 2 +-
 roles/webserver-tls-renew/meta/main.yml | 2 +-
 21 files changed, 112 insertions(+), 24 deletions(-)

diff --git a/roles/network-letsencrypt/templates/ssl_header.j2 b/roles/network-letsencrypt/templates/ssl_header.j2
index 012b2ddf..e0fab1e6 100644
--- a/roles/network-letsencrypt/templates/ssl_header.j2
+++ b/roles/network-letsencrypt/templates/ssl_header.j2
@@ -12,4 +12,4 @@ ssl_session_tickets on;
 add_header Strict-Transport-Security max-age=15768000;
 ssl_stapling on;
 ssl_stapling_verify on;
-{% include 'roles/letsencrypt/templates/ssl_credentials.j2' %}
\ No newline at end of file
+{% include 'roles/network-letsencrypt/templates/ssl_credentials.j2' %}
\ No newline at end of file
diff --git a/roles/service-openldap/templates/nginx.stream.conf.j2 b/roles/service-openldap/templates/nginx.stream.conf.j2
index 6ff239bd..8fd12a60 100644
--- a/roles/service-openldap/templates/nginx.stream.conf.j2
+++ b/roles/service-openldap/templates/nginx.stream.conf.j2
@@ -2,5 +2,5 @@ server {
 listen {{ports.public.ldaps.ldap}}ssl;
 proxy_pass 127.0.0.1:{{ports.localhost.ldap.ldap}};
- {% include 'roles/letsencrypt/templates/ssl_credentials.j2' %}
+ {% include 'roles/network-letsencrypt/templates/ssl_credentials.j2' %}
 }
diff --git a/roles/web-app-collabora/templates/nginx.conf.j2 b/roles/web-app-collabora/templates/nginx.conf.j2
index 535516bd..913e119b 100644
--- a/roles/web-app-collabora/templates/nginx.conf.j2
+++ b/roles/web-app-collabora/templates/nginx.conf.j2
@@ -1,7 +1,7 @@
 server {
 server_name {{domain}};
- {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
+ {% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
 {% include 'roles/webserver-injector-core/templates/global.includes.conf.j2'%}
diff --git a/roles/web-app-matrix/templates/nginx.conf.j2 b/roles/web-app-matrix/templates/nginx.conf.j2
index 9623d5e2..ef6db9cb 100644
--- a/roles/web-app-matrix/templates/nginx.conf.j2
+++ b/roles/web-app-matrix/templates/nginx.conf.j2
@@ -5,7 +5,7 @@ server {
 {% set http_port = ports.localhost.http.synapse %}
 server_name {{domains.matrix.synapse}};
- {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
+ {% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
 # For the federation port
 listen 8448 ssl default_server;
diff --git a/roles/web-app-nextcloud/templates/nginx/host.conf.j2 b/roles/web-app-nextcloud/templates/nginx/host.conf.j2
index 54a2784d..1b01d4f2 100644
--- a/roles/web-app-nextcloud/templates/nginx/host.conf.j2
+++ b/roles/web-app-nextcloud/templates/nginx/host.conf.j2
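Review bot: The context line `listen {{ports.public.ldaps.ldap}}ssl;` directly above the changed include in nginx.stream.conf.j2 has no separator between the port expression and `ssl`, so it would render to something like `listen 636ssl;` (constructed value), which nginx cannot parse as a listen address. Unless the space was lost when this page was rendered, the line should read `listen {{ports.public.ldaps.ldap}} ssl;`; the include rename itself looks correct. The opening line of the enclosing `server` block lies outside the hunk.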
@@ -4,7 +4,7 @@ server {
 server_name {{domain}};
- {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
+ {% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
 {% include 'roles/webserver-injector-core/templates/global.includes.conf.j2'%}
 # Remove X-Powered-By, which is an information leak
diff --git a/roles/web-app-peertube/templates/peertube.conf.j2 b/roles/web-app-peertube/templates/peertube.conf.j2
index 07aa88fa..3c881d76 100644
--- a/roles/web-app-peertube/templates/peertube.conf.j2
+++ b/roles/web-app-peertube/templates/peertube.conf.j2
@@ -1,7 +1,7 @@
 server {
 server_name {{domain}};
- {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
+ {% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
 {% include 'roles/webserver-injector-core/templates/global.includes.conf.j2'%}
diff --git a/roles/web-app-syncope/templates/proxy.conf b/roles/web-app-syncope/templates/proxy.conf
index e425a9f0..29c4df3f 100644
--- a/roles/web-app-syncope/templates/proxy.conf
+++ b/roles/web-app-syncope/templates/proxy.conf
@@ -13,7 +13,7 @@ server
 {{nginx_docker_reverse_proxy_extra_configuration}}
 {% endif %}
- {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
+ {% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
 {% for path in syncope_paths.values() %}
 {% set location = web_protocol ~ '://' ~ domains | get_domain(application_id) ~ '/' ~ path ~ '/' %}
diff --git a/roles/web-redirect-domains/templates/redirect.domain.nginx.conf.j2 b/roles/web-redirect-domains/templates/redirect.domain.nginx.conf.j2
index 7d7b9028..e6446fd6 100644
--- a/roles/web-redirect-domains/templates/redirect.domain.nginx.conf.j2
+++ b/roles/web-redirect-domains/templates/redirect.domain.nginx.conf.j2
@@ -1,6 +1,6 @@
 server {
 server_name {{ domain }};
- {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
+ {% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
 return 301 https://{{ target }}$request_uri;
 }
diff --git a/roles/web-redirect-www/meta/main.yml b/roles/web-redirect-www/meta/main.yml
index 26dffe38..100b0755 100644
--- a/roles/web-redirect-www/meta/main.yml
+++ b/roles/web-redirect-www/meta/main.yml
@@ -23,4 +23,4 @@ galaxy_info:
 issue_tracker_url: "https://s.veen.world/cymaisissues"
 documentation: "https://s.veen.world/cymais"
 dependencies:
- - nginx
\ No newline at end of file
+ - webserver-core
\ No newline at end of file
diff --git a/roles/web-service-files/templates/nginx.conf.j2 b/roles/web-service-files/templates/nginx.conf.j2
index 6aa54507..df8b9343 100644
--- a/roles/web-service-files/templates/nginx.conf.j2
+++ b/roles/web-service-files/templates/nginx.conf.j2
@@ -2,7 +2,7 @@ server {
 server_name {{domains | get_domain(application_id)}};
- {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
+ {% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
 {% include 'roles/webserver-injector-core/templates/global.includes.conf.j2'%}
diff --git a/roles/web-service-html/templates/nginx.conf.j2 b/roles/web-service-html/templates/nginx.conf.j2
index 21a43737..28e406cd 100644
--- a/roles/web-service-html/templates/nginx.conf.j2
+++ b/roles/web-service-html/templates/nginx.conf.j2
@@ -2,7 +2,7 @@ server {
 server_name {{domains | get_domain(application_id)}};
- {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
+ {% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
 {% include 'roles/webserver-injector-core/templates/global.includes.conf.j2'%}
diff --git a/roles/webserver-https/README.md b/roles/webserver-https/README.md
index 2bb720f0..3087d225 100644
--- a/roles/webserver-https/README.md
+++ b/roles/webserver-https/README.md
@@ -1,2 +1,65 @@
-# Nginx Https Server
-This role loads the components to create an nginx server with https
\ No newline at end of file
+# Webserver HTTPS Provisioning 🚀
+
+## Description
+The **webserver-https** role extends a basic Nginx installation by wiring in everything you need to serve content over HTTPS:
+
+1. Ensures your Nginx server is configured for SSL/TLS.
+2. Pulls in Let’s Encrypt ACME challenge handling.
+3. Applies global cleanup of unused domain configs.
+
+This role is built on top of your existing `webserver-core` role, and it automates the end-to-end process of turning HTTP sites into secure HTTPS sites.
+
+---
+
+## Overview
+
+When you apply **webserver-https**, it will:
+
+1. **Include** the `webserver-core` role to install and configure Nginx.
+2. **Clean up** any stale vHost files under `cleanup-domains`.
+3. **Deploy** the Let’s Encrypt challenge-and-redirect snippet from `network-letsencrypt`.
+4. **Reload** Nginx automatically when any template changes.
+
+All tasks are idempotent—once your certificates are in place and your configuration is set, Ansible will skip unchanged steps on subsequent runs.
+
+---
+
+## Features
+
+- 🔒 **Automatic HTTPS Redirect** Sets up port 80 → 443 redirect and serves `/.well-known/acme-challenge/` for Certbot.
+
+- 🔑 **Let’s Encrypt Integration** Pulls in challenge configuration and CAA-record management for automatic certificate issuance and renewal.
+
+- 🧹 **Domain Cleanup** Removes obsolete or orphaned server blocks before enabling HTTPS.
+
+- 🚦 **Handler-Safe** Triggers an Nginx reload only when necessary, minimizing service interruptions.
+
+---
+
+## Requirements
+
+- A working `webserver-core` setup.
+- DNS managed via Cloudflare (for CAA record tasks) or equivalent ACME DNS flow.
+- Variables:
+ - `certbot_webroot_path`
+ - `certbot_cert_path`
+ - `on_calendar_renew_lets_encrypt_certificates`
+
+---
+
+## License
+
+This role is released under the **CyMaIS NonCommercial License (CNCL)**.
+See [https://s.veen.world/cncl](https://s.veen.world/cncl) for details.
+
+---
+
+## Author
+
+Developed and maintained by **Kevin Veen-Birkenbach** Consulting & Coaching Solutions [https://www.veen.world](https://www.veen.world)
diff --git a/roles/webserver-https/meta/main.yml b/roles/webserver-https/meta/main.yml
index fa850772..b68c6667 100644
--- a/roles/webserver-https/meta/main.yml
+++ b/roles/webserver-https/meta/main.yml
@@ -1,4 +1,29 @@
+galaxy_info:
+ author: "Kevin Veen-Birkenbach"
+ description: "Configures Nginx to serve sites securely over HTTPS, integrates Let’s Encrypt and cleans up stale domain configs."
+ company: |
+ Kevin Veen-Birkenbach
+ Consulting & Coaching Solutions
+ https://www.veen.world
+ license: "CyMaIS NonCommercial License (CNCL)"
+ license_url: "https://s.veen.world/cncl"
+ min_ansible_version: "2.9"
+ platforms:
+ - name: Archlinux
+ versions:
+ - rolling
+ galaxy_tags:
+ - nginx
+ - https
+ - tls
+ - letsencrypt
+ - security
+ - automation
+ repository: "https://s.veen.world/cymais"
+ documentation: "https://s.veen.world/cymais"
+ issue_tracker_url: "https://s.veen.world/cymaisissues"
+
 dependencies:
-- nginx
-- cleanup-domains
-- letsencrypt
\ No newline at end of file
+ - webserver-core
+ - cleanup-domains
+ - network-letsencrypt
\ No newline at end of file
diff --git a/roles/webserver-injector-css/meta/main.yml b/roles/webserver-injector-css/meta/main.yml
index 6081d545..60b7bd2a 100644
--- a/roles/webserver-injector-css/meta/main.yml
+++ b/roles/webserver-injector-css/meta/main.yml
@@ -26,4 +26,4 @@ galaxy_info:
 issue_tracker_url: https://s.veen.world/cymaisissues
 documentation: https://s.veen.world/cymais
 dependencies:
- - nginx
\ No newline at end of file
+ - webserver-core
\ No newline at end of file
diff --git a/roles/webserver-injector-iframe/meta/main.yml b/roles/webserver-injector-iframe/meta/main.yml
index 24cf628c..fb0db805 100644
--- a/roles/webserver-injector-iframe/meta/main.yml
+++ b/roles/webserver-injector-iframe/meta/main.yml
@@ -25,4 +25,4 @@ galaxy_info:
 - security
 - postMessage
 dependencies:
- - nginx
\ No newline at end of file
+ - webserver-core
\ No newline at end of file
diff --git a/roles/webserver-injector-javascript/meta/main.yml b/roles/webserver-injector-javascript/meta/main.yml
index b70d0241..d5a84719 100644
--- a/roles/webserver-injector-javascript/meta/main.yml
+++ b/roles/webserver-injector-javascript/meta/main.yml
@@ -25,4 +25,4 @@ galaxy_info:
 issue_tracker_url: "https://s.veen.world/cymaisissues"
 dependencies:
- - nginx
+ - webserver-core
diff --git a/roles/webserver-injector-matomo/meta/main.yml b/roles/webserver-injector-matomo/meta/main.yml
index 666eff9a..0845a092 100644
--- a/roles/webserver-injector-matomo/meta/main.yml
+++ b/roles/webserver-injector-matomo/meta/main.yml
@@ -1,3 +1,3 @@
 dependencies:
 # - web-app-matomo Don't activate this otherwise the plays take super long
- - nginx
\ No newline at end of file
+ - webserver-core
\ No newline at end of file
diff --git a/roles/webserver-proxy-core/templates/vhost/basic.conf.j2 b/roles/webserver-proxy-core/templates/vhost/basic.conf.j2
index 02a091e8..93e16a8e 100644
--- a/roles/webserver-proxy-core/templates/vhost/basic.conf.j2
+++ b/roles/webserver-proxy-core/templates/vhost/basic.conf.j2
@@ -13,7 +13,7 @@ server
 {{nginx_docker_reverse_proxy_extra_configuration}}
 {% endif %}
- {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
+ {% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
 {% if applications | is_feature_enabled('oauth2', application_id) %}
 {% set acl = applications[application_id].oauth2_proxy.acl | default({}) %}
diff --git a/roles/webserver-proxy-core/templates/vhost/ws_generic.conf.j2 b/roles/webserver-proxy-core/templates/vhost/ws_generic.conf.j2
index 380af16a..cc830a25 100644
--- a/roles/webserver-proxy-core/templates/vhost/ws_generic.conf.j2
+++ b/roles/webserver-proxy-core/templates/vhost/ws_generic.conf.j2
@@ -6,7 +6,7 @@ map $http_upgrade $connection_upgrade {
 server {
 server_name {{ domain }};
- {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
+ {% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
 {% include 'roles/webserver-injector-core/templates/global.includes.conf.j2' %}
 client_max_body_size {{ client_max_body_size | default('100m') }};
diff --git a/roles/webserver-proxy-domain/meta/main.yml b/roles/webserver-proxy-domain/meta/main.yml
index faa29776..bc79348d 100644
--- a/roles/webserver-proxy-domain/meta/main.yml
+++ b/roles/webserver-proxy-domain/meta/main.yml
@@ -24,4 +24,4 @@ galaxy_info:
 issue_tracker_url: https://s.veen.world/cymaisissues
 documentation: https://s.veen.world/cymais
 dependencies:
- - nginx
\ No newline at end of file
+ - webserver-core
\ No newline at end of file
diff --git a/roles/webserver-tls-renew/meta/main.yml b/roles/webserver-tls-renew/meta/main.yml
index fa7540da..ba502904 100644
--- a/roles/webserver-tls-renew/meta/main.yml
+++ b/roles/webserver-tls-renew/meta/main.yml
@@ -28,6 +28,6 @@ galaxy_info:
 documentation: "https://s.veen.world/cymais"
 dependencies:
 - generic-certbot
- - nginx
+ - webserver-core
 - alert-core
 - cleanup-certs