Implemented draft for wildcard certificate

group_vars/all/00_general.yml

@@ -19,17 +19,17 @@ test_email:             "test@{{primary_domain}}"
 # Server Tact Variables 
 
 ## Ours in which the server is "awake" (100% working). Rest of the time is reserved for maintanance
-hours_server_awake:                           "0..23"
+hours_server_awake:               "0..23"
 
 ## Random delay for systemd timers to avoid peak loads.
-randomized_delay_sec:                         "5min" 
+randomized_delay_sec:             "5min" 
 
 # Storage Space-Related Configurations          
-size_percent_maximum_backup:                  75  # Maximum storage space in percent for backups
-size_percent_cleanup_disc_space:              85  # Threshold for triggering cleanup actions
-size_percent_disc_space_warning:              90  # Warning threshold in percent for free disk space
+size_percent_maximum_backup:      75  # Maximum storage space in percent for backups
+size_percent_cleanup_disc_space:  85  # Threshold for triggering cleanup actions
+size_percent_disc_space_warning:  90  # Warning threshold in percent for free disk space
 
 # Runtime Variables for Process Control
-activate_all_timers:                          false   # Activates all timers, independend if the handlers had been triggered
-nginx_matomo_tracking:                        false   # Activates matomo tracking on all html pages
-
+activate_all_timers:                  false   # Activates all timers, independend if the handlers had been triggered
+nginx_matomo_tracking:                false   # Activates matomo tracking on all html pages
+enable_one_letsencrypt_cert_for_all:  true    # Activates one letsencrypt cert for all instead of one per subdomain

roles/docker-bigbluebutton/templates/nginx-proxy.conf.j2

@@ -1,11 +1,6 @@
 server {
-  listen 443 ssl default_server;
-  listen [::]:443 ssl default_server;
-  http2 on;
-  server_name {{domain}};
   
-  ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
+  {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
 
   location / {
     proxy_http_version 1.1;

roles/docker-ldap/templates/nginx.stream.conf.j2

@@ -3,8 +3,7 @@ server {
     proxy_pass 127.0.0.1:{{ldap_localhost_port}};
 
     # SSL Configuration for LDAPS
-    ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
+    {% include 'roles/letsencrypt/templates/ssl_credentials.j2' %}
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_ciphers HIGH:!aNULL:!MD5;
 }

roles/docker-ldap/vars/main.yml

@@ -8,3 +8,5 @@ ldap_localhost_port:          389
 # OAuth2 Proxy Configuration
 oauth2_proxy_upstream_application_and_port: "{{ ldap_webinterface }}:{% if ldap_webinterface == 'phpldapadmin' %}8080{% else %}80{% endif %}"
 oauth2_proxy_active:                        true
+
+enable_one_letsencrypt_cert_for_all:  false

roles/docker-mailu/vars/main.yml

@@ -1,4 +1,5 @@
-docker_compose_project_name:  "mailu"
-database_password:  	        "{{mailu_database_password}}"
-database_type:                "mariadb"
-cert_mount_directory:         "{{docker_compose_instance_directory}}/certs/"
+docker_compose_project_name:          "mailu"
+database_password:  	                "{{mailu_database_password}}"
+database_type:                        "mariadb"
+cert_mount_directory:                 "{{docker_compose_instance_directory}}/certs/"
+enable_one_letsencrypt_cert_for_all:  false

roles/docker-mastodon/templates/.env.production.j2

@@ -1,5 +1,5 @@
 LOCAL_DOMAIN={{domain}}
-ALTERNATE_DOMAINS="{{ domains_mastodon_alternates | join(',') }}"
+ALTERNATE_DOMAINS="{{ domains.mastodon_alternates | join(',') }}"
 SINGLE_USER_MODE={{mastodon_single_user_mode}}
 SECRET_KEY_BASE={{mastodon_secret_key_base}}
 OTP_SECRET={{mastodon_otp_secret}}

roles/letsencrypt/templates/ssl_credentials.j2

@@ -0,0 +1,4 @@
+{% set ssl_cert_folder = primary_domain if enable_one_letsencrypt_cert_for_all else domain %}
+ssl_certificate /etc/letsencrypt/live/{{ ssl_cert_folder }}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/{{ ssl_cert_folder }}/privkey.pem;
+ssl_trusted_certificate /etc/letsencrypt/live/{{ ssl_cert_folder }}/chain.pem;

roles/letsencrypt/templates/ssl_header.j2

@@ -8,6 +8,5 @@ ssl_prefer_server_ciphers on;
 add_header Strict-Transport-Security max-age=15768000;
 ssl_stapling on;
 ssl_stapling_verify on;
-ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
-ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
-ssl_trusted_certificate /etc/letsencrypt/live/{{domain}}/chain.pem;
+{% include 'roles/letsencrypt/templates/ssl_credentials.j2' %}
+

tasks/recieve-certbot-certificate.yml

@@ -3,3 +3,16 @@
     certbot certonly --agree-tos --email {{ administrator_email }}
     --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ domain }}
     {{ '--test-cert' if mode_test | bool else '' }}
+  when: not enable_one_letsencrypt_cert_for_all
+
+- name: "recieve certbot certificate for *{{ primary_domain }}"
+  command: >-
+    certbot certonly --agree-tos --email {{ administrator_email }}
+    --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ primary_domain }} -d *.{{ primary_domain }}
+    {{ '--test-cert' if mode_test | bool else '' }}
+  when: enable_one_letsencrypt_cert_for_all and run_once_recieve_certificate is not defined
+
+- name: run the recieve_certificate tasks once
+  set_fact:
+    run_once_recieve_certificate: true
+  when: run_once_recieve_certificate is not defined