Optimized webport and certbot_dns_api_token

group_vars/all/00_general.yml

@@ -5,7 +5,7 @@ HOST_TIMEZONE:            "UTC"
 
 # https://en.wikipedia.org/wiki/ISO_639
 HOST_LL:                  "en"          # Some applications are case sensitive
-HOST_LL_CC:               "{{HOST_LL}}_{{HOST_LL | upper }}"
+HOST_LL_CC:               "{{HOST_LL}}_GB"
 
 HOST_DATE_FORMAT:         "YYYY-MM-DD"
 HOST_TIME_FORMAT:         "HH:mm"
@@ -17,7 +17,7 @@ HOST_DECIMAL_MARK:        ","
 deployment_mode:        "single"      # Use single, if you deploy on one server. Use cluster if you setup in cluster mode.
 
 web_protocol:           "https"       # Web protocol type. Use https or http. If you run local you need to change it to http
-web_port:               "{{ 443 if web_protocol == 'https' else 80 }}"  # Default port web applications will listen to
+WEB_PORT:               "{{ 443 if web_protocol == 'https' else 80 }}"  # Default port web applications will listen to
 
 ## Domain
 primary_domain_tld:     "localhost"                                     # Top Level Domain of the server
@@ -45,7 +45,7 @@ dns_provider:                             cloudflare              # The DNS Prov
 certbot_acme_challenge_method:            "cloudflare"
 certbot_credentials_dir:                  /etc/certbot
 certbot_credentials_file:                 "{{ certbot_credentials_dir }}/{{ certbot_acme_challenge_method }}.ini"
-# certbot_dns_api_token                                           # Define in inventory file
+certbot_dns_api_token:                    ""                      # Define in inventory file
 certbot_dns_propagation_wait_seconds:     40                      # How long should the script wait for DNS propagation before continuing
 certbot_flavor:                           san                     # Possible options: san (recommended, with a dns flavor like cloudflare, or hetzner), wildcard(doesn't function with www redirect), deicated
 certbot_webroot_path:                     "/var/lib/letsencrypt/" # Path used by Certbot to serve HTTP-01 ACME challenges

roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2

@@ -4,14 +4,14 @@ location {{location | default("/")}}
     {% include 'roles/web-app-oauth2-proxy/templates/following_directives.conf.j2'%}
   {% endif %}
 
-  proxy_pass http://127.0.0.1:{{http_port}}{{location | default("/")}};
+  proxy_pass http://127.0.0.1:{{ http_port }}{{ location | default("/") }};
 
   # headers
   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   proxy_set_header X-Forwarded-Proto $scheme;
-  proxy_set_header X-Forwarded-Port 443;
+  proxy_set_header X-Forwarded-Port {{ WEB_PORT }};
   proxy_set_header Accept-Encoding "";
 
   {% include 'roles/srv-proxy-7-4-core/templates/headers/content_security_policy.conf.j2' %}

roles/srv-web-7-7-letsencrypt/tasks/set-caa-records.yml

@@ -1,4 +1,11 @@
 ---
+
+- name: "Validate certbot_dns_api_token"
+  fail:
+    msg: >
+      The variable "certbot_dns_api_token" must be defined and cannot be empty!
+  when: (certbot_dns_api_token | default('') | trim) == ''
+
 - name: "Ensure all CAA records are present"
   community.general.cloudflare_dns:
     api_token: "{{ certbot_dns_api_token }}"

roles/srv-web-7-7-letsencrypt/templates/ssl_header.j2

@@ -1,5 +1,5 @@
-listen 443 ssl http2;
-listen [::]:443 ssl http2;
+listen {{ WEB_PORT }} ssl http2;
+listen [::]:{{ WEB_PORT }} ssl http2;
 
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ecdh_curve X25519:P-256;

roles/web-app-mailu/vars/mailu-dns.yml

@@ -36,6 +36,6 @@ mailu_dns_srv_records:
     priority: 20
     weight: 1
   autodiscover:
-    port: 443
+    port: "{{ WEB_PORT }}"
     priority: 20
     weight: 1

roles/web-app-matrix/templates/well-known.j2

@@ -1,3 +1,3 @@
 {
-    "m.server": "{{domains.matrix.synapse}}:443"
+    "m.server": "{{domains.matrix.synapse}}:{{ WEB_PORT }}"
 }