Implemented draft for wildcard certificate

group_vars/all/00_general.yml

@@ -32,4 +32,4 @@ size_percent_disc_space_warning:              90  # Warning threshold in percent
 # Runtime Variables for Process Control
 activate_all_timers:                  false   # Activates all timers, independend if the handlers had been triggered
 nginx_matomo_tracking:                false   # Activates matomo tracking on all html pages
-
+enable_one_letsencrypt_cert_for_all:  true    # Activates one letsencrypt cert for all instead of one per subdomain

roles/docker-bigbluebutton/templates/nginx-proxy.conf.j2

@@ -1,11 +1,6 @@
 server {
-  listen 443 ssl default_server;
-  listen [::]:443 ssl default_server;
-  http2 on;
-  server_name {{domain}};
   
-  ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
+  {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
-  ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
 
   location / {
     proxy_http_version 1.1;

roles/docker-ldap/templates/nginx.stream.conf.j2

@@ -3,8 +3,7 @@ server {
     proxy_pass 127.0.0.1:{{ldap_localhost_port}};
 
     # SSL Configuration for LDAPS
-    ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
+    {% include 'roles/letsencrypt/templates/ssl_credentials.j2' %}
-    ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_ciphers HIGH:!aNULL:!MD5;
 }

roles/docker-ldap/vars/main.yml

@@ -8,3 +8,5 @@ ldap_localhost_port:          389
 # OAuth2 Proxy Configuration
 oauth2_proxy_upstream_application_and_port: "{{ ldap_webinterface }}:{% if ldap_webinterface == 'phpldapadmin' %}8080{% else %}80{% endif %}"
 oauth2_proxy_active:                        true
+
+enable_one_letsencrypt_cert_for_all:  false

roles/docker-mailu/vars/main.yml

@@ -2,3 +2,4 @@ docker_compose_project_name:  "mailu"
 database_password:  	                "{{mailu_database_password}}"
 database_type:                        "mariadb"
 cert_mount_directory:                 "{{docker_compose_instance_directory}}/certs/"
+enable_one_letsencrypt_cert_for_all:  false

roles/docker-mastodon/templates/.env.production.j2

@@ -1,5 +1,5 @@
 LOCAL_DOMAIN={{domain}}
-ALTERNATE_DOMAINS="{{ domains_mastodon_alternates | join(',') }}"
+ALTERNATE_DOMAINS="{{ domains.mastodon_alternates | join(',') }}"
 SINGLE_USER_MODE={{mastodon_single_user_mode}}
 SECRET_KEY_BASE={{mastodon_secret_key_base}}
 OTP_SECRET={{mastodon_otp_secret}}

roles/letsencrypt/templates/ssl_credentials.j2

@@ -0,0 +1,4 @@
+{% set ssl_cert_folder = primary_domain if enable_one_letsencrypt_cert_for_all else domain %}
+ssl_certificate /etc/letsencrypt/live/{{ ssl_cert_folder }}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/{{ ssl_cert_folder }}/privkey.pem;
+ssl_trusted_certificate /etc/letsencrypt/live/{{ ssl_cert_folder }}/chain.pem;

roles/letsencrypt/templates/ssl_header.j2

@@ -8,6 +8,5 @@ ssl_prefer_server_ciphers on;
 add_header Strict-Transport-Security max-age=15768000;
 ssl_stapling on;
 ssl_stapling_verify on;
-ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
+{% include 'roles/letsencrypt/templates/ssl_credentials.j2' %}
-ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
+
-ssl_trusted_certificate /etc/letsencrypt/live/{{domain}}/chain.pem;

tasks/recieve-certbot-certificate.yml

@@ -3,3 +3,16 @@
     certbot certonly --agree-tos --email {{ administrator_email }}
     --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ domain }}
     {{ '--test-cert' if mode_test | bool else '' }}
+  when: not enable_one_letsencrypt_cert_for_all
+
+- name: "recieve certbot certificate for *{{ primary_domain }}"
+  command: >-
+    certbot certonly --agree-tos --email {{ administrator_email }}
+    --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ primary_domain }} -d *.{{ primary_domain }}
+    {{ '--test-cert' if mode_test | bool else '' }}
+  when: enable_one_letsencrypt_cert_for_all and run_once_recieve_certificate is not defined
+
+- name: run the recieve_certificate tasks once
+  set_fact:
+    run_once_recieve_certificate: true
+  when: run_once_recieve_certificate is not defined