Implemented draft for wildcard certificate

2025-08-29 15:06:26 +02:00 · 2025-01-29 15:52:40 +01:00
parent eaed9837d1
commit eb6fdd29d3
9 changed files with 40 additions and 27 deletions
--- a/roles/docker-bigbluebutton/templates/nginx-proxy.conf.j2
+++ b/roles/docker-bigbluebutton/templates/nginx-proxy.conf.j2
@@ -1,11 +1,6 @@
 server {
-  listen 443 ssl default_server;
-  listen [::]:443 ssl default_server;
-  http2 on;
-  server_name {{domain}};
-
-  ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
+  
+  {% include 'roles/letsencrypt/templates/ssl_header.j2' %}

  location / {
    proxy_http_version 1.1;
--- a/roles/docker-ldap/templates/nginx.stream.conf.j2
+++ b/roles/docker-ldap/templates/nginx.stream.conf.j2
@@ -3,8 +3,7 @@ server {
    proxy_pass 127.0.0.1:{{ldap_localhost_port}};

    # SSL Configuration for LDAPS
-    ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
+    {% include 'roles/letsencrypt/templates/ssl_credentials.j2' %}
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
 }
--- a/roles/docker-ldap/vars/main.yml
+++ b/roles/docker-ldap/vars/main.yml
@@ -7,4 +7,6 @@ ldap_localhost_port:          389

 # OAuth2 Proxy Configuration
 oauth2_proxy_upstream_application_and_port: "{{ ldap_webinterface }}:{% if ldap_webinterface == 'phpldapadmin' %}8080{% else %}80{% endif %}"
-oauth2_proxy_active:                        true
+oauth2_proxy_active:                        true
+
+enable_one_letsencrypt_cert_for_all:  false
--- a/roles/docker-mailu/vars/main.yml
+++ b/roles/docker-mailu/vars/main.yml
@@ -1,4 +1,5 @@
-docker_compose_project_name:  "mailu"
-database_password:  	        "{{mailu_database_password}}"
-database_type:                "mariadb"
-cert_mount_directory:         "{{docker_compose_instance_directory}}/certs/"
+docker_compose_project_name:          "mailu"
+database_password:  	                "{{mailu_database_password}}"
+database_type:                        "mariadb"
+cert_mount_directory:                 "{{docker_compose_instance_directory}}/certs/"
+enable_one_letsencrypt_cert_for_all:  false
--- a/roles/docker-mastodon/templates/.env.production.j2
+++ b/roles/docker-mastodon/templates/.env.production.j2
@@ -1,5 +1,5 @@
 LOCAL_DOMAIN={{domain}}
-ALTERNATE_DOMAINS="{{ domains_mastodon_alternates | join(',') }}"
+ALTERNATE_DOMAINS="{{ domains.mastodon_alternates | join(',') }}"
 SINGLE_USER_MODE={{mastodon_single_user_mode}}
 SECRET_KEY_BASE={{mastodon_secret_key_base}}
 OTP_SECRET={{mastodon_otp_secret}}
--- a/roles/letsencrypt/templates/ssl_credentials.j2
+++ b/roles/letsencrypt/templates/ssl_credentials.j2
@@ -0,0 +1,4 @@
+{% set ssl_cert_folder = primary_domain if enable_one_letsencrypt_cert_for_all else domain %}
+ssl_certificate /etc/letsencrypt/live/{{ ssl_cert_folder }}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/{{ ssl_cert_folder }}/privkey.pem;
+ssl_trusted_certificate /etc/letsencrypt/live/{{ ssl_cert_folder }}/chain.pem;
--- a/roles/letsencrypt/templates/ssl_header.j2
+++ b/roles/letsencrypt/templates/ssl_header.j2
@@ -8,6 +8,5 @@ ssl_prefer_server_ciphers on;
 add_header Strict-Transport-Security max-age=15768000;
 ssl_stapling on;
 ssl_stapling_verify on;
-ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
-ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
-ssl_trusted_certificate /etc/letsencrypt/live/{{domain}}/chain.pem;
+{% include 'roles/letsencrypt/templates/ssl_credentials.j2' %}
+