From bbabc58cf9a7f26664ff82b149106326b27f9c37 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Tue, 15 Jul 2025 15:04:27 +0200
Subject: [PATCH] Optimized webport and certbot_dns_api_token

---
 group_vars/all/00_general.yml | 6 +++---
 .../templates/location/proxy_basic.conf.j2 | 4 ++--
 roles/srv-web-7-7-letsencrypt/tasks/set-caa-records.yml | 7 +++++++
 roles/srv-web-7-7-letsencrypt/templates/ssl_header.j2 | 4 ++--
 roles/web-app-mailu/vars/mailu-dns.yml | 2 +-
 roles/web-app-matrix/templates/well-known.j2 | 2 +-
 6 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/group_vars/all/00_general.yml b/group_vars/all/00_general.yml
index ea2aa49b..d7390f14 100644
--- a/group_vars/all/00_general.yml
+++ b/group_vars/all/00_general.yml
@@ -5,7 +5,7 @@ HOST_TIMEZONE: "UTC"
 # https://en.wikipedia.org/wiki/ISO_639
 HOST_LL: "en"
 # Some applications are case sensitive
-HOST_LL_CC: "{{HOST_LL}}_{{HOST_LL | upper }}"
+HOST_LL_CC: "{{HOST_LL}}_GB"
 HOST_DATE_FORMAT: "YYYY-MM-DD"
 HOST_TIME_FORMAT: "HH:mm"
@@ -17,7 +17,7 @@ HOST_DECIMAL_MARK: ","
 deployment_mode: "single" # Use single, if you deploy on one server. Use cluster if you setup in cluster mode.
 web_protocol: "https" # Web protocol type. Use https or http. If you run local you need to change it to http
-web_port: "{{ 443 if web_protocol == 'https' else 80 }}" # Default port web applications will listen to
+WEB_PORT: "{{ 443 if web_protocol == 'https' else 80 }}" # Default port web applications will listen to
 ## Domain
 primary_domain_tld: "localhost" # Top Level Domain of the server
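Review bot: The new `HOST_LL_CC: "{{HOST_LL}}_GB"` hard-codes the country half of the locale, so any HOST_LL other than "en" now yields a value such as `de_GB` that is not a real locale, whereas the removed expression at least derived both halves from HOST_LL. The commit subject mentions only the web port and the certbot token, so this looks like an unrelated or accidental change. If a fixed country is intended, keep it as its own overridable variable, e.g. `HOST_CC: "GB"` and `HOST_LL_CC: "{{ HOST_LL }}_{{ HOST_CC }}"`, and state the assumption in the comment above the line.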
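Review bot: The rename of `web_port` to `WEB_PORT` changes a group-wide variable, and this patch updates only six files; any remaining `{{ web_port }}` reference in a role, template or inventory would now raise an undefined-variable error at render time, so a repository-wide search for the old name is worth confirming before merge. The rendered type of the value is also not obvious, since it is the result of a Jinja expression and may arrive as the string "443"/"80" or as an integer depending on Ansible's templating mode, which matters for typed module parameters later in this patch. A comment such as `# Renamed from web_port; derived from web_protocol, do not set independently` above the line would document the rename and the dependency.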
@@ -45,7 +45,7 @@ dns_provider: cloudflare # The DNS Prov
 certbot_acme_challenge_method: "cloudflare"
 certbot_credentials_dir: /etc/certbot
 certbot_credentials_file: "{{ certbot_credentials_dir }}/{{ certbot_acme_challenge_method }}.ini"
-# certbot_dns_api_token # Define in inventory file
+certbot_dns_api_token: "" # Define in inventory file
 certbot_dns_propagation_wait_seconds: 40 # How long should the script wait for DNS propagation before continuing
 certbot_flavor: san # Possible options: san (recommended, with a dns flavor like cloudflare, or hetzner), wildcard(doesn't function with www redirect), deicated
 certbot_webroot_path: "/var/lib/letsencrypt/" # Path used by Certbot to serve HTTP-01 ACME challenges
diff --git a/roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2 b/roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2
index b9209735..ad4b2b74 100644
--- a/roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2
+++ b/roles/srv-proxy-7-4-core/templates/location/proxy_basic.conf.j2
@@ -4,14 +4,14 @@ location {{location | default("/")}}
 {% include 'roles/web-app-oauth2-proxy/templates/following_directives.conf.j2'%}
 {% endif %}
- proxy_pass http://127.0.0.1:{{http_port}}{{location | default("/")}};
+ proxy_pass http://127.0.0.1:{{ http_port }}{{ location | default("/") }};
 # headers
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Port 443;
+ proxy_set_header X-Forwarded-Port {{ WEB_PORT }};
 proxy_set_header Accept-Encoding "";
 {% include 'roles/srv-proxy-7-4-core/templates/headers/content_security_policy.conf.j2' %}
diff --git a/roles/srv-web-7-7-letsencrypt/tasks/set-caa-records.yml b/roles/srv-web-7-7-letsencrypt/tasks/set-caa-records.yml
index 015cd4d0..920b9bec 100644
--- a/roles/srv-web-7-7-letsencrypt/tasks/set-caa-records.yml
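Review bot: Defining `certbot_dns_api_token: ""` in group_vars makes the variable always defined, so any `is defined` check elsewhere now passes with an empty credential and only the `fail` task added to set-caa-records.yml later in this patch catches the empty case; other consumers, such as whatever renders `certbot_credentials_file`, are presumably still unguarded, which is worth confirming. Since this is an API credential, the comment should also say where it belongs rather than just "inventory file": `certbot_dns_api_token: "" # Override in the inventory, preferably from an Ansible Vault-encrypted file; must be non-empty`.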
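Review bot: `proxy_set_header X-Forwarded-Port {{ WEB_PORT }};` bakes the port into the rendered config at deploy time, whereas nginx can report the port the request actually arrived on with `proxy_set_header X-Forwarded-Port $server_port;`, which stays correct if the listen port and WEB_PORT ever diverge and matches the dynamic `$scheme` already used for X-Forwarded-Proto on the preceding line. The location block enclosing these directives starts before the hunk.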
+++ b/roles/srv-web-7-7-letsencrypt/tasks/set-caa-records.yml
@@ -1,4 +1,11 @@
 ---
+
+- name: "Validate certbot_dns_api_token"
+ fail:
+ msg: >
+ The variable "certbot_dns_api_token" must be defined and cannot be empty!
+ when: (certbot_dns_api_token | default('') | trim) == ''
+
 - name: "Ensure all CAA records are present"
 community.general.cloudflare_dns:
 api_token: "{{ certbot_dns_api_token }}"
diff --git a/roles/srv-web-7-7-letsencrypt/templates/ssl_header.j2 b/roles/srv-web-7-7-letsencrypt/templates/ssl_header.j2
index b355f7fb..c4e5849d 100644
--- a/roles/srv-web-7-7-letsencrypt/templates/ssl_header.j2
+++ b/roles/srv-web-7-7-letsencrypt/templates/ssl_header.j2
@@ -1,5 +1,5 @@
-listen 443 ssl http2;
-listen [::]:443 ssl http2;
+listen {{ WEB_PORT }} ssl http2;
+listen [::]:{{ WEB_PORT }} ssl http2;
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ecdh_curve X25519:P-256;
diff --git a/roles/web-app-mailu/vars/mailu-dns.yml b/roles/web-app-mailu/vars/mailu-dns.yml
index 05ce39a0..b6127824 100644
--- a/roles/web-app-mailu/vars/mailu-dns.yml
+++ b/roles/web-app-mailu/vars/mailu-dns.yml
@@ -36,6 +36,6 @@ mailu_dns_srv_records:
 priority: 20
 weight: 1
 autodiscover:
- port: 443
+ port: "{{ WEB_PORT }}"
 priority: 20
 weight: 1
\ No newline at end of file
diff --git a/roles/web-app-matrix/templates/well-known.j2 b/roles/web-app-matrix/templates/well-known.j2
index 3da3a9b8..2ae9946b 100644
--- a/roles/web-app-matrix/templates/well-known.j2
+++ b/roles/web-app-matrix/templates/well-known.j2
@@ -1,3 +1,3 @@
 {
- "m.server": "{{domains.matrix.synapse}}:443"
+ "m.server": "{{domains.matrix.synapse}}:{{ WEB_PORT }}"
 }
\ No newline at end of file
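Review bot: The new validation task uses the short module name `fail:` while the task directly after it uses the fully qualified `community.general.cloudflare_dns`; for consistency and to avoid collection-resolution ambiguity write `ansible.builtin.fail:`. The `msg: >` folded scalar keeps a trailing newline in the message, which `msg: >-` drops. A precondition check of this kind is more idiomatically expressed as `ansible.builtin.assert` with `that:` and `fail_msg:`, and, unless the module already masks the parameter, the cloudflare_dns task that receives the token as `api_token` should carry `no_log: true` so the credential does not appear in verbose output.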
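Review bot: `listen {{ WEB_PORT }} ssl http2;` ties the TLS listener to WEB_PORT, which group_vars in this same patch resolves to 80 when `web_protocol` is http; if ssl_header.j2 is ever rendered in that mode nginx would attempt to serve TLS on port 80, so either the include site should be guarded by `web_protocol == 'https'` or a comment at the top of this template should state that it assumes https. Where this template is included is not visible here, so whether that case is reachable is inferred.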
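Review bot: `port: "{{ WEB_PORT }}"` replaces an integer with a templated string in the autodiscover SRV record, and whether the consumer of `mailu_dns_srv_records` coerces it back to an int is not visible in this hunk; a `| int` on the expression, `port: "{{ WEB_PORT | int }}"`, removes the dependence on that coercion. A non-https WEB_PORT of 80 would also be advertised for autodiscover, which presumably is not intended, so a comment recording that this record follows web_protocol would help the next reader.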
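Review bot: `"m.server": "{{domains.matrix.synapse}}:{{ WEB_PORT }}"` is the federation delegation, and Matrix server-to-server traffic is made over HTTPS, so when `web_protocol` is http and WEB_PORT resolves to 80 the delegation points at a port that cannot serve federation; either pin this value to the TLS port or render the well-known file only when `web_protocol == 'https'`. The two Jinja expressions on the same line also differ in delimiter spacing; `{{ domains.matrix.synapse }}` matches the spaced style the rest of this patch adopts.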