Solved letsencrypt reference bugs

2025-11-04 12:18:17 +00:00 · 2025-07-09 00:07:12 +02:00
parent 563d5fd528
commit 8da2e41463
21 changed files with 112 additions and 24 deletions
--- a/roles/network-letsencrypt/templates/ssl_header.j2
+++ b/roles/network-letsencrypt/templates/ssl_header.j2
@@ -12,4 +12,4 @@ ssl_session_tickets on;
 add_header Strict-Transport-Security max-age=15768000;
 ssl_stapling on;
 ssl_stapling_verify on;
-{% include 'roles/letsencrypt/templates/ssl_credentials.j2' %}
+{% include 'roles/network-letsencrypt/templates/ssl_credentials.j2' %}
--- a/roles/service-openldap/templates/nginx.stream.conf.j2
+++ b/roles/service-openldap/templates/nginx.stream.conf.j2
@@ -2,5 +2,5 @@ server {
    listen {{ports.public.ldaps.ldap}}ssl;
    proxy_pass 127.0.0.1:{{ports.localhost.ldap.ldap}};
-    {% include 'roles/letsencrypt/templates/ssl_credentials.j2' %}
+    {% include 'roles/network-letsencrypt/templates/ssl_credentials.j2' %}
 }
--- a/roles/web-app-collabora/templates/nginx.conf.j2
+++ b/roles/web-app-collabora/templates/nginx.conf.j2
@@ -1,7 +1,7 @@
 server {
  server_name {{domain}};
-  {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
+  {% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
  {% include 'roles/webserver-injector-core/templates/global.includes.conf.j2'%}
--- a/roles/web-app-matrix/templates/nginx.conf.j2
+++ b/roles/web-app-matrix/templates/nginx.conf.j2
@@ -5,7 +5,7 @@ server {
    {% set http_port = ports.localhost.http.synapse %}
    server_name {{domains.matrix.synapse}};
-    {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
+    {% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
    # For the federation port
    listen 8448 ssl default_server;
--- a/roles/web-app-nextcloud/templates/nginx/host.conf.j2
+++ b/roles/web-app-nextcloud/templates/nginx/host.conf.j2
@@ -4,7 +4,7 @@ server
 {
  server_name {{domain}};
-  {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
+  {% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
  {% include 'roles/webserver-injector-core/templates/global.includes.conf.j2'%}
  # Remove X-Powered-By, which is an information leak
--- a/roles/web-app-peertube/templates/peertube.conf.j2
+++ b/roles/web-app-peertube/templates/peertube.conf.j2
@@ -1,7 +1,7 @@
 server {
  server_name {{domain}};
-  {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
+  {% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
  {% include 'roles/webserver-injector-core/templates/global.includes.conf.j2'%}
--- a/roles/web-app-syncope/templates/proxy.conf
+++ b/roles/web-app-syncope/templates/proxy.conf
@@ -13,7 +13,7 @@ server
    {{nginx_docker_reverse_proxy_extra_configuration}}
  {% endif %}
-  {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
+  {% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
  {% for path in syncope_paths.values() %}
    {% set location =  web_protocol ~ '://' ~ domains | get_domain(application_id) ~ '/' ~ path ~ '/' %}
--- a/roles/web-redirect-domains/templates/redirect.domain.nginx.conf.j2
+++ b/roles/web-redirect-domains/templates/redirect.domain.nginx.conf.j2
@@ -1,6 +1,6 @@
 server {
  server_name {{ domain }};
-  {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
+  {% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
  return 301 https://{{ target }}$request_uri;
 }
--- a/roles/web-redirect-www/meta/main.yml
+++ b/roles/web-redirect-www/meta/main.yml
@@ -23,4 +23,4 @@ galaxy_info:
  issue_tracker_url: "https://s.veen.world/cymaisissues"
  documentation: "https://s.veen.world/cymais"
 dependencies:
-  - nginx
+  - webserver-core
--- a/roles/web-service-files/templates/nginx.conf.j2
+++ b/roles/web-service-files/templates/nginx.conf.j2
@@ -2,7 +2,7 @@ server
 {
  server_name {{domains | get_domain(application_id)}};
-  {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
+  {% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
  {% include 'roles/webserver-injector-core/templates/global.includes.conf.j2'%}
--- a/roles/web-service-html/templates/nginx.conf.j2
+++ b/roles/web-service-html/templates/nginx.conf.j2
@@ -2,7 +2,7 @@ server
 {
  server_name {{domains | get_domain(application_id)}};
-  {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
+  {% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
  {% include 'roles/webserver-injector-core/templates/global.includes.conf.j2'%}
--- a/roles/webserver-https/README.md
+++ b/roles/webserver-https/README.md
@@ -1,2 +1,65 @@
-# Nginx Https Server
+# Webserver HTTPS Provisioning 🚀
-This role loads the components to create an nginx server with https
+
 ## Description
 The **webserver-https** role extends a basic Nginx installation by wiring in everything you need to serve content over HTTPS:
 1. Ensures your Nginx server is configured for SSL/TLS.
 2. Pulls in Let’s Encrypt ACME challenge handling.
 3. Applies global cleanup of unused domain configs.
 This role is built on top of your existing `webserver-core` role, and it automates the end-to-end process of turning HTTP sites into secure HTTPS sites.
 ---
 ## Overview
 When you apply **webserver-https**, it will:
 1. **Include** the `webserver-core` role to install and configure Nginx.  
 2. **Clean up** any stale vHost files under `cleanup-domains`.  
 3. **Deploy** the Let’s Encrypt challenge-and-redirect snippet from `network-letsencrypt`.  
 4. **Reload** Nginx automatically when any template changes.
 All tasks are idempotent—once your certificates are in place and your configuration is set, Ansible will skip unchanged steps on subsequent runs.
 ---
 ## Features
 - 🔒 **Automatic HTTPS Redirect**  
  Sets up port 80 → 443 redirect and serves `/.well-known/acme-challenge/` for Certbot.
 - 🔑 **Let’s Encrypt Integration**  
  Pulls in challenge configuration and CAA-record management for automatic certificate issuance and renewal.
 - 🧹 **Domain Cleanup**  
  Removes obsolete or orphaned server blocks before enabling HTTPS.
 - 🚦 **Handler-Safe**  
  Triggers an Nginx reload only when necessary, minimizing service interruptions.
 ---
 ## Requirements
 - A working `webserver-core` setup.
 - DNS managed via Cloudflare (for CAA record tasks) or equivalent ACME DNS flow.
 - Variables:
  - `certbot_webroot_path`  
  - `certbot_cert_path`  
  - `on_calendar_renew_lets_encrypt_certificates`
 ---
 ## License
 This role is released under the **CyMaIS NonCommercial License (CNCL)**.
 See [https://s.veen.world/cncl](https://s.veen.world/cncl) for details.
 ---
 ## Author
 Developed and maintained by **Kevin Veen-Birkenbach**
 Consulting & Coaching Solutions
 [https://www.veen.world](https://www.veen.world)
--- a/roles/webserver-https/meta/main.yml
+++ b/roles/webserver-https/meta/main.yml
@@ -1,4 +1,29 @@
 galaxy_info:
  author: "Kevin Veen-Birkenbach"
  description: "Configures Nginx to serve sites securely over HTTPS, integrates Let’s Encrypt and cleans up stale domain configs."
  company: |
    Kevin Veen-Birkenbach  
    Consulting & Coaching Solutions  
    https://www.veen.world
  license: "CyMaIS NonCommercial License (CNCL)"
  license_url: "https://s.veen.world/cncl"
  min_ansible_version: "2.9"
  platforms:
    - name: Archlinux
      versions:
        - rolling
  galaxy_tags:
    - nginx
    - https
    - tls
    - letsencrypt
    - security
    - automation
  repository: "https://s.veen.world/cymais"
  documentation: "https://s.veen.world/cymais"
  issue_tracker_url: "https://s.veen.world/cymaisissues"
 dependencies:
- nginx
+  - webserver-core
- cleanup-domains
+  - cleanup-domains
- letsencrypt
+  - network-letsencrypt
--- a/roles/webserver-injector-css/meta/main.yml
+++ b/roles/webserver-injector-css/meta/main.yml
@@ -26,4 +26,4 @@ galaxy_info:
  issue_tracker_url: https://s.veen.world/cymaisissues
  documentation: https://s.veen.world/cymais
 dependencies:
-  - nginx
+  - webserver-core
--- a/roles/webserver-injector-iframe/meta/main.yml
+++ b/roles/webserver-injector-iframe/meta/main.yml
@@ -25,4 +25,4 @@ galaxy_info:
    - security
    - postMessage
 dependencies:
-  - nginx
+  - webserver-core
--- a/roles/webserver-injector-javascript/meta/main.yml
+++ b/roles/webserver-injector-javascript/meta/main.yml
@@ -25,4 +25,4 @@ galaxy_info:
  issue_tracker_url: "https://s.veen.world/cymaisissues"
 dependencies:
-  - nginx
+  - webserver-core
--- a/roles/webserver-injector-matomo/meta/main.yml
+++ b/roles/webserver-injector-matomo/meta/main.yml
@@ -1,3 +1,3 @@
 dependencies:
  # - web-app-matomo Don't activate this otherwise the plays take super long
-  - nginx
+  - webserver-core
--- a/roles/webserver-proxy-core/templates/vhost/basic.conf.j2
+++ b/roles/webserver-proxy-core/templates/vhost/basic.conf.j2
@@ -13,7 +13,7 @@ server
    {{nginx_docker_reverse_proxy_extra_configuration}}
  {% endif %}
-  {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
+  {% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
  {% if applications | is_feature_enabled('oauth2', application_id) %}
    {% set acl = applications[application_id].oauth2_proxy.acl | default({}) %}
--- a/roles/webserver-proxy-core/templates/vhost/ws_generic.conf.j2
+++ b/roles/webserver-proxy-core/templates/vhost/ws_generic.conf.j2
@@ -6,7 +6,7 @@ map $http_upgrade $connection_upgrade {
 server {
  server_name {{ domain }};
-  {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
+  {% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
  {% include 'roles/webserver-injector-core/templates/global.includes.conf.j2' %}
  client_max_body_size {{ client_max_body_size | default('100m') }};
--- a/roles/webserver-proxy-domain/meta/main.yml
+++ b/roles/webserver-proxy-domain/meta/main.yml
@@ -24,4 +24,4 @@ galaxy_info:
  issue_tracker_url: https://s.veen.world/cymaisissues
  documentation: https://s.veen.world/cymais
 dependencies:
-  - nginx
+  - webserver-core
--- a/roles/webserver-tls-renew/meta/main.yml
+++ b/roles/webserver-tls-renew/meta/main.yml
@@ -28,6 +28,6 @@ galaxy_info:
  documentation: "https://s.veen.world/cymais"
 dependencies:
  - generic-certbot
-  - nginx
+  - webserver-core
  - alert-core
  - cleanup-certs