Renamed server roles by osi they work on

2025-08-29 15:06:26 +02:00 · 2025-07-10 12:33:46 +02:00
parent c94d623f8f
commit 96268e7161
120 changed files with 167 additions and 167 deletions
--- a/roles/srv-proxy-6-6-tls-deploy/README.md
+++ b/roles/srv-proxy-6-6-tls-deploy/README.md
@@ -0,0 +1,67 @@
+# Nginx Docker Cert Deploy Role
+
+🎉 **Author**: [Kevin Veen-Birkenbach](https://www.veen.world)
+
+This Ansible role simplifies the deployment of **Let's Encrypt certificates** into **Docker Compose** setups with Nginx. It supports both **individual certificates per subdomain** and a **single wildcard certificate** for all subdomains.
+
+---
+
+## 🚀 **Features**
+- Automatically deploys **Let's Encrypt certificates** to Docker Compose setups.
+- Supports both **single-domain certificates** and **one wildcard certificate** for all subdomains.
+- **Copies certificates** to the target directory inside the container.
+- Automatically **reloads or restarts Nginx services** when certificates are updated.
+- **Configures and manages a `systemd` service** for automated certificate deployment.
+- **Includes a `systemd` timer** for scheduled renewals.
+- **Handles dependent services** like `alert-compose`.
+
+---
+
+## 🔧 **Tasks Overview**
+
+### **1️⃣ Main Tasks**
+1. **Add Deployment Script**  
+   - Copies `srv-proxy-6-6-tls-deploy.sh` to the administrator scripts directory.
+   
+2. **Create Certificate Directory**  
+   - Ensures `cert_mount_directory` exists with proper permissions.
+   
+3. **Configure `systemd` Service**  
+   - Deploys a `systemd` service file for the deployment process.
+   
+4. **Include `gen-timer` Role**  
+   - Schedules automatic certificate deployment using a `systemd` timer.
+
+### **2️⃣ Handlers**
+- **Restart Nginx Service**  
+  - Restarts `srv-proxy-6-6-tls-deploy` whenever a certificate update occurs.
+
+---
+
+## **🔧 Deploying Certificates into Docker Containers**
+The role **automates copying certificates** into Docker Compose setups.
+
+### **1️⃣ Deployment Script (`srv-proxy-6-6-tls-deploy.sh`)**
+This script:
+- **Copies certificates** to the correct container directory.
+- **Reloads Nginx** inside all running containers.
+- **Restarts containers if needed**.
+
+**Usage:**
+```sh
+sh srv-proxy-6-6-tls-deploy.sh primary_domain /path/to/docker/compose
+```
+
+---
+
+## 🎯 **Summary**
+| Feature | Description |
+|---------|------------|
+| **Single-domain & wildcard support** | Use individual certs or a wildcard certificate |
+| **Automated renewal** | Cronjob or systemd timer ensures auto-renewals |
+| **Docker-ready** | Deploys certificates directly into Docker containers |
+| **Supports Nginx & Mailu** | Compatible with multiple services |
+| **Systemd integration** | Automates deployment via `systemd` |
+
+🚀 **Now your Nginx setup is fully automated and secured with Let's Encrypt!** 🎉
+```
--- a/roles/srv-proxy-6-6-tls-deploy/SETUP.md
+++ b/roles/srv-proxy-6-6-tls-deploy/SETUP.md
@@ -0,0 +1,36 @@
+## **🔐 Wildcard Certificate Setup with Let's Encrypt**
+If you enabled `enable_wildcard_certificate`, follow these steps to manually request a **wildcard certificate**.
+
+### **1️⃣ Run the Certbot Command 🖥️**
+```sh
+certbot certonly --manual --preferred-challenges=dns --agree-tos \
+--email administrator@primary_domain -d primary_domain -d "*.primary_domain"
+```
+
+### **2️⃣ Add DNS TXT Record for Validation 📜**
+Certbot will prompt you to add a DNS TXT record:
+```
+Please create a TXT record under the name:
+_acme-challenge.primary_domain.
+
+with the following value:
+9oVizYIYVGlZ3VtWQIKRS5UghyXiqGoUNlCtIE7LiA
+```
+➡ **Go to your DNS provider** and create a new **TXT record**:  
+   - **Host:** `_acme-challenge.primary_domain`  
+   - **Value:** `"9oVizYIYVGlZ3VtWQIKRS5UghyXiqGoUNlCtIE7LiA"`  
+   - **TTL:** Set to **300 seconds (or lowest possible)**  
+
+✅ **Verify the DNS record** before continuing:  
+```sh
+dig TXT _acme-challenge.primary_domain @8.8.8.8
+```
+
+### **3️⃣ Complete the Certificate Request ✅**
+Once the DNS changes have propagated, **press Enter** in the Certbot terminal.  
+If successful, Certbot will save the certificates under:  
+```
+/etc/letsencrypt/live/primary_domain/
+```
+- **fullchain.pem** → The certificate  
+- **privkey.pem** → The private key  
--- a/roles/srv-proxy-6-6-tls-deploy/files/srv-proxy-6-6-tls-deploy.sh
+++ b/roles/srv-proxy-6-6-tls-deploy/files/srv-proxy-6-6-tls-deploy.sh
@@ -0,0 +1,53 @@
+#!/bin/sh
+
+# Check if the necessary parameters are provided
+if [ "$#" -ne 2 ]; then
+    echo "Usage: $0 <ssl_cert_folder> <docker_compose_instance_directory>"
+    exit 1
+fi
+
+# Assign parameters
+ssl_cert_folder="$1"
+docker_compose_instance_directory="$2"
+docker_compose_cert_directory="$docker_compose_instance_directory/volumes/certs"
+
+# Copy certificates
+cp -RvL "/etc/letsencrypt/live/$ssl_cert_folder/"* "$docker_compose_cert_directory" || exit 1
+
+# This code is optimized for mailu
+cp -v "/etc/letsencrypt/live/$ssl_cert_folder/privkey.pem" "$docker_compose_cert_directory/key.pem" || exit 1
+cp -v "/etc/letsencrypt/live/$ssl_cert_folder/fullchain.pem" "$docker_compose_cert_directory/cert.pem" || exit 1
+
+# Set correct reading rights
+chmod a+r -v "$docker_compose_cert_directory/"*
+
+# Flag to track if any Nginx reload was successful
+nginx_reload_successful=false
+
+# Reload Nginx in all containers within the Docker Compose setup
+cd "$docker_compose_instance_directory" || exit 1
+
+# Iterate over all services
+for service in $(docker compose ps --services); do
+    echo "Checking service: $service"
+    # Check if Nginx exists in the container
+    if docker compose exec -T "$service" which nginx > /dev/null 2>&1; then
+        echo "Reloading Nginx for service: $service"
+        if docker compose exec -T "$service" nginx -s reload; then
+            nginx_reload_successful=true
+            echo "Successfully reloaded Nginx for service: $service"
+        else
+            echo "Failed to reload Nginx for service: $service" >&2
+        fi
+    else
+        echo "Nginx not found in service: $service, skipping."
+    fi
+done
+
+# Restart all containers if no Nginx reload was successful
+if [ "$nginx_reload_successful" = false ]; then
+    echo "No Nginx reload was successful. Restarting all Docker containers."
+    docker compose restart || exit 1
+else
+    echo "At least one Nginx reload was successful. No restart needed."
+fi
--- a/roles/srv-proxy-6-6-tls-deploy/handlers/main.yml
+++ b/roles/srv-proxy-6-6-tls-deploy/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: "restart srv-proxy-6-6-tls-deploy.cymais.service"
+  systemd:
+    name:           srv-proxy-6-6-tls-deploy.{{application_id}}.cymais.service
+    state:          restarted
+    enabled:        yes
+    daemon_reload:  yes
--- a/roles/srv-proxy-6-6-tls-deploy/meta/main.yml
+++ b/roles/srv-proxy-6-6-tls-deploy/meta/main.yml
@@ -0,0 +1,25 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birchenbach"
+  description: "Deploys Let’s Encrypt certificates into Docker Compose Nginx setups via systemd service and timer."
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birchenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  galaxy_tags:
+    - nginx
+    - letsencrypt
+    - docker
+    - systemd
+  repository: "https://github.com/kevinveenbirkenbach/cymais"
+  issue_tracker_url: "https://github.com/kevinveenbirkenbach/cymais/issues"
+  documentation: "https://github.com/kevinveenbirkenbach/cymais/tree/main/roles/srv-proxy-6-6-tls-deploy"
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Any
+      versions: [ all ]
+dependencies:
+  - alert-compose
+
--- a/roles/srv-proxy-6-6-tls-deploy/tasks/main.yml
+++ b/roles/srv-proxy-6-6-tls-deploy/tasks/main.yml
@@ -0,0 +1,32 @@
+- name: add srv-proxy-6-6-tls-deploy.sh
+  copy: 
+    src: "srv-proxy-6-6-tls-deploy.sh" 
+    dest: "{{nginx_docker_cert_deploy_script}}"
+  when: run_once_nginx_docker_cert_deploy is not defined
+  notify: restart srv-proxy-6-6-tls-deploy.cymais.service
+
+- name: run the nginx_docker_cert_deploy tasks once
+  set_fact:
+    run_once_backup_directory_validator: true
+  when: run_once_nginx_docker_cert_deploy is not defined
+
+- name: "create {{cert_mount_directory}}"
+  file:
+    path:     "{{cert_mount_directory}}"
+    state:    directory
+    mode:     0755
+  notify: restart srv-proxy-6-6-tls-deploy.cymais.service
+
+- name: configure srv-proxy-6-6-tls-deploy.cymais.service
+  template: 
+    src:  "srv-proxy-6-6-tls-deploy.service.j2"
+    dest: "/etc/systemd/system/srv-proxy-6-6-tls-deploy.{{application_id}}.cymais.service"
+  notify: restart srv-proxy-6-6-tls-deploy.cymais.service
+
+- name: "include role for gen-timer for {{service_name}}"
+  include_role:
+    name: gen-timer
+  vars:
+    on_calendar:  "{{on_calendar_deploy_certificates}}"
+    service_name: "srv-proxy-6-6-tls-deploy.{{application_id}}"
+    persistent:   "true"
--- a/roles/srv-proxy-6-6-tls-deploy/templates/srv-proxy-6-6-tls-deploy.service.j2
+++ b/roles/srv-proxy-6-6-tls-deploy/templates/srv-proxy-6-6-tls-deploy.service.j2
@@ -0,0 +1,7 @@
+[Unit]
+Description=Let's Encrypt deploy to {{docker_compose.directories.instance}}
+OnFailure=alert-compose.cymais@%n.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/bash {{path_administrator_scripts}}/srv-proxy-6-6-tls-deploy.sh {{ssl_cert_folder}} {{docker_compose.directories.instance}}
--- a/roles/srv-proxy-6-6-tls-deploy/vars/main.yml
+++ b/roles/srv-proxy-6-6-tls-deploy/vars/main.yml
@@ -0,0 +1 @@
+nginx_docker_cert_deploy_script:  "{{path_administrator_scripts}}srv-proxy-6-6-tls-deploy.sh"
				`@@ -0,0 +1 @@`
				`nginx_docker_cert_deploy_script: "{{path_administrator_scripts}}srv-proxy-6-6-tls-deploy.sh"`