Removed unecessary application_id s

roles/srv-web-7-7-letsencrypt/README.md

@@ -0,0 +1,24 @@
+# Let’s Encrypt SSL for Nginx 🔐
+
+## Description
+Automates obtaining, configuring, and renewing Let’s Encrypt SSL certificates for Nginx with Certbot. Keeps your sites secure with minimal fuss! 🌐
+
+## Overview
+This Ansible role sets up the necessary Nginx configuration and Certbot integration to:
+- Redirect HTTP traffic to HTTPS  
+- Serve the ACME challenge for certificate issuance  
+- Apply strong SSL/TLS defaults  
+- Schedule automatic renewals  
+
+It’s idempotent: configuration and certificate tasks only run when needed. ✅
+
+## Purpose
+Ensure all your Nginx-hosted sites use free, trusted SSL certificates from Let’s Encrypt—all managed automatically via Ansible. 🎯
+
+## Features
+- **Automatic Certificate Issuance**: Uses Certbot’s webroot plugin to request and install certificates. 📜  
+- **Nginx Redirect**: Creates a temporary HTTP → HTTPS redirect block. ↪️  
+- **ACME‐Challenge Handling**: Configures `/.well-known/acme-challenge/` for Certbot validation. 🔍  
+- **Secure SSL Defaults**: Includes modern cipher suites, HSTS, OCSP stapling, and session settings. 🔒  
+- **Auto‐Renewal**: Leverages system scheduling (cron or systemd timer) to renew certs before expiration. 🔄  
+- **One‐Time Setup**: Tasks guarded by a “run once” fact to avoid re-applying unchanged templates. 🏃‍♂️  

roles/srv-web-7-7-letsencrypt/TODO.md

@@ -0,0 +1,2 @@
+# Todos
+- Implement issuewild and iodef -> Not possible yet due to API issues

roles/srv-web-7-7-letsencrypt/meta/main.yml

@@ -0,0 +1,26 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "An Ansible role to automate Let’s Encrypt SSL certificate issuance and renewal for Nginx"
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+  galaxy_tags:
+    - letsencrypt
+    - nginx
+    - ssl
+    - certificate
+    - security
+  repository: "https://s.veen.world/cymais"
+  issue_tracker_url: "https://s.veen.world/cymaisissues"
+  documentation: "https://s.veen.world/cymais"
+dependencies:
+  - srv-web-6-6-tls-renew

roles/srv-web-7-7-letsencrypt/tasks/main.yml

@@ -0,0 +1,21 @@
+- name: create nginx letsencrypt config file
+  template: 
+    src:  "letsencrypt.conf.j2"
+    dest: "{{nginx.directories.http.global}}letsencrypt.conf"
+  notify: restart nginx
+  when: run_once_letsencrypt is not defined
+
+- name: "Set CAA records for all base domains"
+  include_tasks: set-caa-records.yml
+  when:
+    - dns_provider == 'cloudflare'
+    - run_once_letsencrypt is not defined
+
+- name: flush nginx service
+  meta: flush_handlers
+  when: run_once_letsencrypt is not defined
+
+- name: run the letsencrypt logic just once
+  set_fact:
+    run_once_letsencrypt: true
+  when: run_once_letsencrypt is not defined

roles/srv-web-7-7-letsencrypt/tasks/set-caa-records.yml

@@ -0,0 +1,15 @@
+---
+- name: "Ensure all CAA records are present"
+  community.general.cloudflare_dns:
+    api_token: "{{ certbot_dns_api_token }}"
+    zone:     "{{ item.0 }}"
+    record:   "@"
+    type:     CAA
+    flag:     0
+    tag:      "{{ item.1.tag }}"
+    value:    "{{ item.1.value }}"
+    ttl:      1
+    state:    present
+  loop: "{{ base_sld_domains | product(caa_entries) | list }}"
+  loop_control:
+    label: "{{ item.0 }} → {{ item.1.tag }}"

roles/srv-web-7-7-letsencrypt/templates/letsencrypt.conf.j2

@@ -0,0 +1,16 @@
+server
+{
+  listen 80;
+  listen [::]:80;
+  location /
+  {
+    return 301 https://$host$request_uri;
+  }
+  #letsencrypt
+  location ^~ /.well-known/acme-challenge/ {
+    allow all;
+    root {{ certbot_webroot_path }};
+    default_type "text/plain";
+    try_files $uri =404;
+  }
+}

roles/srv-web-7-7-letsencrypt/templates/ssl_credentials.j2

@@ -0,0 +1,3 @@
+ssl_certificate         {{ certbot_cert_path }}/{{ ssl_cert_folder }}/fullchain.pem;
+ssl_certificate_key     {{ certbot_cert_path }}/{{ ssl_cert_folder }}/privkey.pem;
+ssl_trusted_certificate {{ certbot_cert_path }}/{{ ssl_cert_folder }}/chain.pem;

roles/srv-web-7-7-letsencrypt/templates/ssl_header.j2

@@ -0,0 +1,15 @@
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ecdh_curve X25519:P-256;
+ssl_prefer_server_ciphers on;
+ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets on;
+add_header Strict-Transport-Security max-age=15768000;
+ssl_stapling on;
+ssl_stapling_verify on;
+{% include 'roles/srv-web-7-7-letsencrypt/templates/ssl_credentials.j2' %}

roles/srv-web-7-7-letsencrypt/vars/main.yml

@@ -0,0 +1,4 @@
+caa_entries:
+- tag: issue
+  value: letsencrypt.org
+base_sld_domains: '{{ current_play_domains_all | generate_base_sld_domains }}'