Renamed webserver roles to more speakable names

roles/srv-tls-core/README.md

@@ -0,0 +1,35 @@
+# Nginx HTTPS Certificate Retrieval
+
+## 🔥 Description
+
+This role automates the retrieval of [Let's Encrypt](https://letsencrypt.org/) SSL/TLS certificates using [Certbot](https://certbot.eff.org/) for domains served via Nginx. It supports both single-domain and wildcard certificates, and can use either the DNS or webroot ACME challenge methods.
+
+## 📖 Overview
+
+Designed for Archlinux systems, this role handles issuing certificates per domain and optionally cleans up redundant certificates if wildcard certificates are used. It intelligently decides whether to issue a standard or wildcard certificate based on the domain structure and your configuration.
+
+### Key Features
+- **Single Domain and Wildcard Support:** Handles both individual domains and wildcard domains (`*.example.com`).
+- **DNS and Webroot Challenges:** Dynamically selects the correct ACME challenge method.
+- **Certificate Renewal Logic:** Skips renewal if the certificate is still valid.
+- **Optional Cleanup:** Deletes redundant domain certificates when wildcard certificates are used.
+- **Non-Interactive Operation:** Fully automated using `--non-interactive` and `--agree-tos`.
+
+## 🎯 Purpose
+
+The Nginx HTTPS Certificate Retrieval role ensures that your Nginx-served domains have valid, automatically issued SSL/TLS certificates, improving web security without manual intervention.
+
+## 🚀 Features
+
+- **ACME Challenge Selection:** Supports DNS plugins or webroot method automatically.
+- **Wildcard Certificate Management:** Issues wildcard certificates when configured, saving effort for subdomain-heavy deployments.
+- **Safe Cleanup:** Ensures that no unused certificates are left behind.
+- **Flexible Control:** Supports `MODE_TEST` for staging environment testing and `MODE_CLEANUP` for cert cleanup operations.
+
+## 🔗 Learn More
+
+- [Certbot Official Website](https://certbot.eff.org/)
+- [Let's Encrypt](https://letsencrypt.org/)
+- [Wildcard Certificates (Wikipedia)](https://en.wikipedia.org/wiki/Wildcard_certificate)
+- [HTTPS (Wikipedia)](https://en.wikipedia.org/wiki/HTTPS)
+- [ACME Protocol (Wikipedia)](https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment)

roles/srv-tls-core/meta/main.yml

@@ -0,0 +1,28 @@
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: |
+    Automates the retrieval of Let's Encrypt SSL/TLS certificates for Nginx domains using Certbot, supporting both single-domain and wildcard certificates with DNS and webroot ACME challenges.
+  license: "Infinito.Nexus NonCommercial License"
+  license_url: "https://s.infinito.nexus/license"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+  - name: Archlinux
+    versions:
+    - rolling
+  galaxy_tags:
+  - nginx
+  - certbot
+  - letsencrypt
+  - ssl
+  - tls
+  - acme
+  - https
+  - wildcard
+  - automation
+  repository: "https://s.infinito.nexus/code"
+  issue_tracker_url: "https://s.infinito.nexus/issues"
+  documentation: "https://docs.infinito.nexus"

roles/srv-tls-core/tasks/flavors/dedicated.yml

@@ -0,0 +1,30 @@
+- name: "Check if certificate already exists for '{{ domain }}'"
+  cert_check_exists:
+    domain: "{{ domain }}"
+    cert_base_path: "{{ LETSENCRYPT_LIVE_PATH }}"
+  register: cert_check
+
+- name: "receive certificate for '{{ domain }}'"
+  command: >-
+    certbot certonly 
+    --agree-tos 
+    --email {{ users.administrator.email }}
+    --non-interactive 
+    {% if CERTBOT_ACME_CHALLENGE_METHOD != "webroot" %}
+    --dns-{{ CERTBOT_ACME_CHALLENGE_METHOD }}
+    --dns-{{ CERTBOT_ACME_CHALLENGE_METHOD }}-credentials {{ CERTBOT_CREDENTIALS_FILE }}
+    --dns-{{ CERTBOT_ACME_CHALLENGE_METHOD }}-propagation-seconds {{ CERTBOT_DNS_PROPAGATION_WAIT_SECONDS }}
+    {% else %}
+    --webroot 
+    -w {{ LETSENCRYPT_WEBROOT_PATH }}
+    {% endif %}
+    {% if wildcard_domain is defined and ( wildcard_domain | bool ) %}
+    -d {{ PRIMARY_DOMAIN }} 
+    -d *.{{ PRIMARY_DOMAIN }}
+    {% else %}
+    -d {{ domain }}
+    {% endif %}
+    {{ '--test-cert' if MODE_TEST | bool else '' }}
+  register: certbot_result
+  changed_when: "'Certificate not yet due for renewal' not in certbot_result.stdout"
+  when: not cert_check.exists

roles/srv-tls-core/tasks/flavors/san.yml

@@ -0,0 +1,31 @@
+- block:
+    - name: Install certbundle
+      include_role:
+        name: pkgmgr-install
+      vars:
+        package_name: certbundle
+
+    - name: Generate SAN certificate with certbundle
+      command: >-
+        certbundle
+        --domains "{{ current_play_domains_all | join(',') }}"
+        --certbot-email "{{ users.administrator.email }}"
+        --certbot-acme-challenge-method "{{ CERTBOT_ACME_CHALLENGE_METHOD }}"
+        --chunk-size 100
+        {% if CERTBOT_ACME_CHALLENGE_METHOD != 'webroot' %}
+        --certbot-credentials-file "{{ CERTBOT_CREDENTIALS_FILE }}"
+        --certbot-dns-propagation-seconds "{{ CERTBOT_DNS_PROPAGATION_WAIT_SECONDS }}"
+        {% else %}
+        --letsencrypt-webroot-path "{{ LETSENCRYPT_WEBROOT_PATH }}"
+        {% endif %}
+        {{ '--mode-test' if MODE_TEST | bool else '' }}
+      register: certbundle_result
+      changed_when: "'Certificate not yet due for renewal' not in certbundle_result.stdout"
+      failed_when: >
+        certbundle_result.rc != 0
+        and 'too many certificates' not in certbundle_result.stderr
+
+    - name: run the san tasks once
+      set_fact:
+        run_once_san_certs: true
+  when: run_once_san_certs is not defined

roles/srv-tls-core/tasks/flavors/wildcard.yml

@@ -0,0 +1,19 @@
+- name: "Load wildcard certificate for domain"
+  include_tasks: "dedicated.yml"
+  vars:
+    wildcard_domain: true
+  when: 
+    - domain.split('.') | length == (PRIMARY_DOMAIN.split('.') | length + 1) and domain.endswith(PRIMARY_DOMAIN)
+    - run_once_receive_certificate is not defined  
+
+- name: "Load dedicated certificate for domain"
+  include_tasks: "dedicated.yml"
+  vars:
+    wildcard_domain: false
+  when: 
+    - not (domain.split('.') | length == (PRIMARY_DOMAIN.split('.') | length + 1) and domain.endswith(PRIMARY_DOMAIN))
+
+- name: run the receive_certificate tasks once
+  set_fact:
+    run_once_receive_certificate: true
+  when: run_once_receive_certificate is not defined

roles/srv-tls-core/tasks/main.yml

@@ -0,0 +1,45 @@
+- block:
+  - name: Include dependency 'srv-https-stack'
+    include_role:
+      name: srv-https-stack
+    when: run_once_srv_https_stack is not defined
+  - include_tasks: utils/run_once.yml
+  when: run_once_srv_tls_core is not defined
+
+- name: "Include flavor '{{ CERTBOT_FLAVOR }}' for '{{ domain }}'"
+  include_tasks: "{{ role_path }}/tasks/flavors/{{ CERTBOT_FLAVOR }}.yml"
+
+#- name: "Cleanup dedicated cert for '{{ domain }}'"
+#  command: >-
+#    certbot delete --cert-name {{ domain }} --non-interactive
+#  when: 
+#    - MODE_CLEANUP | bool
+#      # Cleanup mode is enabled
+#    - CERTBOT_FLAVOR != 'dedicated'
+#      # Wildcard certificate is enabled
+#    - domain.split('.') | length == (PRIMARY_DOMAIN.split('.') | length + 1) and domain.endswith(PRIMARY_DOMAIN)
+#      # AND: The domain is a direct first-level subdomain of the primary domain
+#    - domain != PRIMARY_DOMAIN  
+#      # The domain is not the primary domain
+#  register: certbot_result
+#  failed_when: certbot_result.rc != 0 and ("No certificate found with name" not in certbot_result.stderr)
+#  changed_when: certbot_result.rc == 0 and ("No certificate found with name" not in certbot_result.stderr)
+
+- name: "Find SSL cert folder for '{{ domain }}'"
+  cert_folder_find:
+    domain: "{{ domain }}"
+    cert_base_path: "{{ LETSENCRYPT_LIVE_PATH }}"
+    debug: "{{ MODE_DEBUG | bool }}"
+  register: cert_folder_result
+  delegate_to: "{{ inventory_hostname }}"
+  changed_when: false
+
+- name: "Set ssl_cert_folder fact to '{{ cert_folder_result.folder }}'"
+  set_fact:
+    ssl_cert_folder: "{{ cert_folder_result.folder }}"
+  changed_when: false
+
+- name: "Ensure ssl_cert_folder is set for domain {{ domain }}"
+  fail:
+    msg: "No certificate folder found for domain {{ domain }}"
+  when: ssl_cert_folder is undefined or ssl_cert_folder is none