mirror of
https://github.com/kevinveenbirkenbach/computer-playbook.git
synced 2025-07-17 22:14:25 +02:00
Solved letsencrypt reference bugs
This commit is contained in:
parent
563d5fd528
commit
8da2e41463
@ -12,4 +12,4 @@ ssl_session_tickets on;
|
||||
add_header Strict-Transport-Security max-age=15768000;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
{% include 'roles/letsencrypt/templates/ssl_credentials.j2' %}
|
||||
{% include 'roles/network-letsencrypt/templates/ssl_credentials.j2' %}
|
@ -2,5 +2,5 @@ server {
|
||||
listen {{ports.public.ldaps.ldap}}ssl;
|
||||
proxy_pass 127.0.0.1:{{ports.localhost.ldap.ldap}};
|
||||
|
||||
{% include 'roles/letsencrypt/templates/ssl_credentials.j2' %}
|
||||
{% include 'roles/network-letsencrypt/templates/ssl_credentials.j2' %}
|
||||
}
|
||||
|
@ -1,7 +1,7 @@
|
||||
server {
|
||||
server_name {{domain}};
|
||||
|
||||
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}
|
||||
{% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
|
||||
|
||||
{% include 'roles/webserver-injector-core/templates/global.includes.conf.j2'%}
|
||||
|
||||
|
@ -5,7 +5,7 @@ server {
|
||||
{% set http_port = ports.localhost.http.synapse %}
|
||||
|
||||
server_name {{domains.matrix.synapse}};
|
||||
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}
|
||||
{% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
|
||||
|
||||
# For the federation port
|
||||
listen 8448 ssl default_server;
|
||||
|
@ -4,7 +4,7 @@ server
|
||||
{
|
||||
server_name {{domain}};
|
||||
|
||||
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}
|
||||
{% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
|
||||
|
||||
{% include 'roles/webserver-injector-core/templates/global.includes.conf.j2'%}
|
||||
# Remove X-Powered-By, which is an information leak
|
||||
|
@ -1,7 +1,7 @@
|
||||
server {
|
||||
server_name {{domain}};
|
||||
|
||||
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}
|
||||
{% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
|
||||
|
||||
{% include 'roles/webserver-injector-core/templates/global.includes.conf.j2'%}
|
||||
|
||||
|
@ -13,7 +13,7 @@ server
|
||||
{{nginx_docker_reverse_proxy_extra_configuration}}
|
||||
{% endif %}
|
||||
|
||||
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}
|
||||
{% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
|
||||
|
||||
{% for path in syncope_paths.values() %}
|
||||
{% set location = web_protocol ~ '://' ~ domains | get_domain(application_id) ~ '/' ~ path ~ '/' %}
|
||||
|
@ -1,6 +1,6 @@
|
||||
server {
|
||||
server_name {{ domain }};
|
||||
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}
|
||||
{% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
|
||||
|
||||
return 301 https://{{ target }}$request_uri;
|
||||
}
|
||||
|
@ -23,4 +23,4 @@ galaxy_info:
|
||||
issue_tracker_url: "https://s.veen.world/cymaisissues"
|
||||
documentation: "https://s.veen.world/cymais"
|
||||
dependencies:
|
||||
- nginx
|
||||
- webserver-core
|
@ -2,7 +2,7 @@ server
|
||||
{
|
||||
server_name {{domains | get_domain(application_id)}};
|
||||
|
||||
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}
|
||||
{% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
|
||||
|
||||
{% include 'roles/webserver-injector-core/templates/global.includes.conf.j2'%}
|
||||
|
||||
|
@ -2,7 +2,7 @@ server
|
||||
{
|
||||
server_name {{domains | get_domain(application_id)}};
|
||||
|
||||
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}
|
||||
{% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
|
||||
|
||||
{% include 'roles/webserver-injector-core/templates/global.includes.conf.j2'%}
|
||||
|
||||
|
@ -1,2 +1,65 @@
|
||||
# Nginx Https Server
|
||||
This role loads the components to create an nginx server with https
|
||||
# Webserver HTTPS Provisioning 🚀
|
||||
|
||||
## Description
|
||||
The **webserver-https** role extends a basic Nginx installation by wiring in everything you need to serve content over HTTPS:
|
||||
|
||||
1. Ensures your Nginx server is configured for SSL/TLS.
|
||||
2. Pulls in Let’s Encrypt ACME challenge handling.
|
||||
3. Applies global cleanup of unused domain configs.
|
||||
|
||||
This role is built on top of your existing `webserver-core` role, and it automates the end-to-end process of turning HTTP sites into secure HTTPS sites.
|
||||
|
||||
---
|
||||
|
||||
## Overview
|
||||
|
||||
When you apply **webserver-https**, it will:
|
||||
|
||||
1. **Include** the `webserver-core` role to install and configure Nginx.
|
||||
2. **Clean up** any stale vHost files under `cleanup-domains`.
|
||||
3. **Deploy** the Let’s Encrypt challenge-and-redirect snippet from `network-letsencrypt`.
|
||||
4. **Reload** Nginx automatically when any template changes.
|
||||
|
||||
All tasks are idempotent—once your certificates are in place and your configuration is set, Ansible will skip unchanged steps on subsequent runs.
|
||||
|
||||
---
|
||||
|
||||
## Features
|
||||
|
||||
- 🔒 **Automatic HTTPS Redirect**
|
||||
Sets up port 80 → 443 redirect and serves `/.well-known/acme-challenge/` for Certbot.
|
||||
|
||||
- 🔑 **Let’s Encrypt Integration**
|
||||
Pulls in challenge configuration and CAA-record management for automatic certificate issuance and renewal.
|
||||
|
||||
- 🧹 **Domain Cleanup**
|
||||
Removes obsolete or orphaned server blocks before enabling HTTPS.
|
||||
|
||||
- 🚦 **Handler-Safe**
|
||||
Triggers an Nginx reload only when necessary, minimizing service interruptions.
|
||||
|
||||
---
|
||||
|
||||
## Requirements
|
||||
|
||||
- A working `webserver-core` setup.
|
||||
- DNS managed via Cloudflare (for CAA record tasks) or equivalent ACME DNS flow.
|
||||
- Variables:
|
||||
- `certbot_webroot_path`
|
||||
- `certbot_cert_path`
|
||||
- `on_calendar_renew_lets_encrypt_certificates`
|
||||
|
||||
---
|
||||
|
||||
## License
|
||||
|
||||
This role is released under the **CyMaIS NonCommercial License (CNCL)**.
|
||||
See [https://s.veen.world/cncl](https://s.veen.world/cncl) for details.
|
||||
|
||||
---
|
||||
|
||||
## Author
|
||||
|
||||
Developed and maintained by **Kevin Veen-Birkenbach**
|
||||
Consulting & Coaching Solutions
|
||||
[https://www.veen.world](https://www.veen.world)
|
||||
|
@ -1,4 +1,29 @@
|
||||
dependencies:
|
||||
galaxy_info:
|
||||
author: "Kevin Veen-Birkenbach"
|
||||
description: "Configures Nginx to serve sites securely over HTTPS, integrates Let’s Encrypt and cleans up stale domain configs."
|
||||
company: |
|
||||
Kevin Veen-Birkenbach
|
||||
Consulting & Coaching Solutions
|
||||
https://www.veen.world
|
||||
license: "CyMaIS NonCommercial License (CNCL)"
|
||||
license_url: "https://s.veen.world/cncl"
|
||||
min_ansible_version: "2.9"
|
||||
platforms:
|
||||
- name: Archlinux
|
||||
versions:
|
||||
- rolling
|
||||
galaxy_tags:
|
||||
- nginx
|
||||
- cleanup-domains
|
||||
- https
|
||||
- tls
|
||||
- letsencrypt
|
||||
- security
|
||||
- automation
|
||||
repository: "https://s.veen.world/cymais"
|
||||
documentation: "https://s.veen.world/cymais"
|
||||
issue_tracker_url: "https://s.veen.world/cymaisissues"
|
||||
|
||||
dependencies:
|
||||
- webserver-core
|
||||
- cleanup-domains
|
||||
- network-letsencrypt
|
@ -26,4 +26,4 @@ galaxy_info:
|
||||
issue_tracker_url: https://s.veen.world/cymaisissues
|
||||
documentation: https://s.veen.world/cymais
|
||||
dependencies:
|
||||
- nginx
|
||||
- webserver-core
|
@ -25,4 +25,4 @@ galaxy_info:
|
||||
- security
|
||||
- postMessage
|
||||
dependencies:
|
||||
- nginx
|
||||
- webserver-core
|
@ -25,4 +25,4 @@ galaxy_info:
|
||||
issue_tracker_url: "https://s.veen.world/cymaisissues"
|
||||
|
||||
dependencies:
|
||||
- nginx
|
||||
- webserver-core
|
||||
|
@ -1,3 +1,3 @@
|
||||
dependencies:
|
||||
# - web-app-matomo Don't activate this otherwise the plays take super long
|
||||
- nginx
|
||||
- webserver-core
|
@ -13,7 +13,7 @@ server
|
||||
{{nginx_docker_reverse_proxy_extra_configuration}}
|
||||
{% endif %}
|
||||
|
||||
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}
|
||||
{% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
|
||||
|
||||
{% if applications | is_feature_enabled('oauth2', application_id) %}
|
||||
{% set acl = applications[application_id].oauth2_proxy.acl | default({}) %}
|
||||
|
@ -6,7 +6,7 @@ map $http_upgrade $connection_upgrade {
|
||||
server {
|
||||
server_name {{ domain }};
|
||||
|
||||
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}
|
||||
{% include 'roles/network-letsencrypt/templates/ssl_header.j2' %}
|
||||
{% include 'roles/webserver-injector-core/templates/global.includes.conf.j2' %}
|
||||
|
||||
client_max_body_size {{ client_max_body_size | default('100m') }};
|
||||
|
@ -24,4 +24,4 @@ galaxy_info:
|
||||
issue_tracker_url: https://s.veen.world/cymaisissues
|
||||
documentation: https://s.veen.world/cymais
|
||||
dependencies:
|
||||
- nginx
|
||||
- webserver-core
|
@ -28,6 +28,6 @@ galaxy_info:
|
||||
documentation: "https://s.veen.world/cymais"
|
||||
dependencies:
|
||||
- generic-certbot
|
||||
- nginx
|
||||
- webserver-core
|
||||
- alert-core
|
||||
- cleanup-certs
|
||||
|
Loading…
x
Reference in New Issue
Block a user