Compare commits

..

No commits in common. "734d4f8ed3e3ea915442a4f2cae09007d98aaea8" and "b11879650c4e6519f473dfb65638db91a7f364bd" have entirely different histories.

34 changed files with 142 additions and 228 deletions


@ -1,9 +1,7 @@
# General
pause_duration: "120" # Database delay to wait for the central database before continue tasks
ip4_address: "127.0.0.1" # Change thie in inventory to the ip address of your server
backups_folder_path: "/Backups/" # Path to the backups folder
timezone: "UTC"
locale: "locale"
## Domain
primary_domain_tld: "localhost" # Top Level Domain of the server
@ -43,4 +41,4 @@ nginx_matomo_tracking: false # Activates matomo tracking on all
# To enable, update your inventory file.
# For detailed setup instructions, visit:
# https://github.com/kevinveenbirkenbach/cymais/tree/master/roles/nginx-docker-cert-deploy
enable_wildcard_certificate: false
enable_one_letsencrypt_cert_for_all: false


@ -5,8 +5,8 @@ nginx:
directories:
configuration: "/etc/nginx/conf.d/" # Configuration directory
http:
global: "/etc/nginx/conf.d/http/global/" # Contains global configurations which will be loaded into the http block
servers: "/etc/nginx/conf.d/http/servers/" # Contains one configuration per domain
global: "/etc/nginx/conf.d/http/global" # Contains global configurations which will be loaded into the http block
servers: "/etc/nginx/conf.d/http/servers" # Contains one configuration per domain
maps: "/etc/nginx/conf.d/http/maps/" # Contains mappings
streams: "/etc/nginx/conf.d/streams/" # Contains streams configuration e.g. for ldaps
well_known: "/usr/share/nginx/well-known/" # Path where well-known files are stored
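Review bot: Dropping the trailing slash from `http.global` and `http.servers` while `maps`, `streams` and `well_known` keep theirs breaks every consumer that appends a file name directly to these values; elsewhere in this same diff `dest: "{{nginx.directories.http.servers}}{{domains.matrix_synapse}}.conf"` and `include {{nginx.directories.http.servers}}*.conf;` would render to `/etc/nginx/conf.d/http/servers<domain>.conf` and `/etc/nginx/conf.d/http/servers*.conf`. Either keep the slash on all five entries (`global: "/etc/nginx/conf.d/http/global/"`, `servers: "/etc/nginx/conf.d/http/servers/"`) or change each consumer to insert the separator itself. A comment on the `directories:` key stating the convention, e.g. `# every path ends with a slash; consumers append file names directly`, would keep this from regressing again.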


@ -172,10 +172,6 @@ defaults_applications:
postgres:
database.version: "latest"
# Snipe-IT
snipe-it:
version: "latest"
## Taiga
taiga:
version: "latest"


@ -44,7 +44,6 @@ ports:
keycloak: 8032
ldap: 8033
phpmyadmin: 8034
snipe-it: 8035
bigbluebutton: 48087 # This port is predefined by bbb. @todo Try to change this to a 8XXX port
# Ports which are exposed to the World Wide Web
public:


@ -1,10 +0,0 @@
defaults_networks:
internet:
ip4: "127.0.0.1" # Change this in inventory to the ip address of your server
ip6: "::01" # Change this in inventory to the ip address of your server
local:
mailu:
dns: 192.168.203.254 # Address of the Mailu DNS server
subnet: 192.168.203.0/24 # Mailu Subnet


@ -11,9 +11,6 @@
- name: Merge application definitions
set_fact:
applications: "{{ defaults_applications | combine(applications | default({}, true), recursive=True) }}"
- name: Merge networks definitions
set_fact:
networks: "{{ defaults_networks | combine(networks | default({}, true), recursive=True) }}"
- name: update device
hosts: all


@ -1,6 +1,6 @@
# You should change this to match your reverse proxy DNS name and protocol
APP_URL=https://{{domain}}
LOCALE={{locale}}
LOCALE=en-US
# Don't change this unless you rename your database container or use rootless podman, in case of using rootless podman you should set it to 127.0.0.1 (NOT localhost)
DB_HOST={{database_host}}


@ -1,7 +1,6 @@
ENABLE_COTURN=true
{% set ssl_cert_folder = primary_domain if enable_wildcard_certificate | bool and primary_domain in domain else domain %}
COTURN_TLS_CERT_PATH=/etc/letsencrypt/live/{{ssl_cert_folder}}/fullchain.pem
COTURN_TLS_KEY_PATH=/etc/letsencrypt/live/{{ssl_cert_folder}}/privkey.pem
COTURN_TLS_CERT_PATH=/etc/letsencrypt/live/{{ primary_domain if enable_one_letsencrypt_cert_for_all else domain }}/fullchain.pem
COTURN_TLS_KEY_PATH=/etc/letsencrypt/live/{{ primary_domain if enable_one_letsencrypt_cert_for_all else domain }}/privkey.pem
ENABLE_GREENLIGHT={{applications.bigbluebutton.enable_greenlight}}
# Enable Webhooks
@ -42,12 +41,12 @@ FSESL_PASSWORD={{bigbluebutton_fsesl_password}}
DOMAIN={{domain}}
EXTERNAL_IPv4={{networks.internet.ip4}}
EXTERNAL_IPv4={{ip4_address}}
EXTERNAL_IPv6=
# STUN SERVER
# stun.freeswitch.org
STUN_IP={{networks.internet.ip4}}
STUN_IP={{ip4_address}}
STUN_PORT=3478
# TURN SERVER
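Review bot: The two `COTURN_TLS_*_PATH` lines each inline `primary_domain if enable_one_letsencrypt_cert_for_all else domain` without `| bool` and without checking that `{{domain}}` is actually under `primary_domain`, so a BBB host outside the primary zone (or the flag arriving as the string `"false"` from an inventory or `-e`) points coturn at a certificate whose names do not match its own, and TURN-over-TLS clients will typically reject it. Compute the folder once, as `ssl_header.j2` does, e.g. `{% set ssl_cert_folder = primary_domain if (enable_one_letsencrypt_cert_for_all | bool and domain.endswith('.' ~ primary_domain)) else domain %}`, and reference `{{ ssl_cert_folder }}` from both lines. `EXTERNAL_IPv4` and `STUN_IP` now take `{{ip4_address}}`, whose default in this diff's general defaults is `127.0.0.1`; a comment that the inventory must set the public address would save a confusing non-working deployment.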


@ -34,7 +34,7 @@ env:
LC_ALL: en_US.UTF-8
LANG: en_US.UTF-8
LANGUAGE: en_US.UTF-8
#DISCOURSE_DEFAULT_LOCALE: {{locale}} # Deactivated because not right format was selected @todo find right format
# DISCOURSE_DEFAULT_LOCALE: en
## How many concurrent web requests are supported? Depends on memory and CPU cores.
## will be set automatically by bootstrap based on detected CPUs, or you can override


@ -14,7 +14,7 @@ services:
# flag:
# celery -A funkwhale_api.taskapp worker -l INFO --concurrency=4
restart: {{docker_restart_policy}}
image: funkwhale/api:${FUNKWHALE_VERSION}
image: funkwhale/api:${applications.funkwhale.version:-latest}
env_file: .env
command: celery -A funkwhale_api.taskapp worker -l INFO --concurrency=${CELERYD_CONCURRENCY-0}
environment:
@ -27,7 +27,7 @@ services:
celerybeat:
restart: {{docker_restart_policy}}
image: funkwhale/api:${FUNKWHALE_VERSION}
image: funkwhale/api:${applications.funkwhale.version:-latest}
env_file: .env
command: celery -A funkwhale_api.taskapp beat --pidfile= -l INFO
{% include 'templates/docker/container/depends-on-database-redis.yml.j2' %}
@ -35,7 +35,7 @@ services:
api:
restart: {{docker_restart_policy}}
image: funkwhale/api:${FUNKWHALE_VERSION}
image: funkwhale/api:${applications.funkwhale.version:-latest}
env_file: .env
volumes:
- "music:${MUSIC_DIRECTORY_PATH}:ro"
@ -48,7 +48,7 @@ services:
front:
restart: {{docker_restart_policy}}
image: funkwhale/front:${FUNKWHALE_VERSION}
image: funkwhale/front:${applications.funkwhale.version:-latest}
depends_on:
- api
env_file:
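Review bot: `${applications.funkwhale.version:-latest}` is not a valid Compose interpolation — variable names cannot contain dots — so Compose either rejects the file or leaves the tag unresolved, and even if it resolved it would silently fall back to the floating `latest` tag on all four services. This file is already a Jinja template (`{{docker_restart_policy}}`), so render the version directly and drop the shell default: `image: funkwhale/api:{{ applications.funkwhale.version }}` (and `funkwhale/front:{{ applications.funkwhale.version }}` for `front`). If a default is wanted, put it in `defaults_applications` rather than in the compose file, so the pinned version is reviewable in one place.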


@ -18,7 +18,7 @@
# -----------
MUSIC_DIRECTORY_PATH=/music
FUNKWHALE_VERSION={{applications.funkwhale.version}}
applications.funkwhale.version={{applications.funkwhale.version}}
# End of docker-only configuration
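Review bot: `applications.funkwhale.version={{applications.funkwhale.version}}` is not a legal dotenv key (dots are not allowed in variable names), so the line is ignored or rejected and nothing can consume it. Either restore a legal name such as `FUNKWHALE_VERSION={{ applications.funkwhale.version }}` for whatever still reads it, or delete the line if the compose file now renders the version itself.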


@ -57,6 +57,28 @@ The role performs the following main tasks:
3. **Start Docker containers:**
- The role launches the Keycloak project using Docker Compose.
## Example: Usage 🚀
Here is an example of how to use this role in a playbook:
```yaml
- name: Setup Keycloak with Docker
hosts: all
vars:
domain: "auth.example.com"
applications.keycloak.version: "21.1.0"
applications.keycloak.administrator_username: "admin"
keycloak_administrator_password: "securepassword"
database_host: "db.example.com"
database_name: "keycloak_db"
database_username: "keycloak_user"
database_password: "securedbpassword"
http_port: 8080
docker_restart_policy: "unless-stopped"
roles:
- docker-keycloak
```
## More Information 📚
For more details about Keycloak, check out:


@ -9,6 +9,6 @@ ldap_localhost_port: 389
oauth2_proxy_upstream_application_and_port: "{{ applications.ldap.webinterface }}:{% if applications.ldap.webinterface == 'phpldapadmin' %}8080{% else %}80{% endif %}"
oauth2_proxy_active: true
enable_wildcard_certificate: false # Activate dedicated Certificate
enable_one_letsencrypt_cert_for_all: false # Activate dedicated Certificate
ldap_network_enabled: true # Activate LDAP network


@ -29,10 +29,10 @@
dest: "{{docker_compose_instance_directory}}docker-compose.yml"
notify: docker compose project setup
- name: add .env
- name: add mailu.env
template:
src: "env.j2"
dest: "{{docker_compose_instance_directory}}.env"
src: "mailu.env.j2"
dest: "{{docker_compose_instance_directory}}mailu.env"
notify: docker compose project setup
- name: flush docker service
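Review bot: The `add mailu.env` task renders a file carrying `SECRET_KEY` (visible in the `mailu.env.j2` hunk of this diff) with no `mode:`, so it gets whatever the remote umask yields, typically world-readable 0644. Add `mode: '0600'` (plus `owner`/`group` matching the compose user) to the `template:` call; the compose services read it through `env_file: mailu.env`, so the restrictive mode costs nothing. The preceding task (`dest: ...docker-compose.yml`) starts above this hunk.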


@ -7,29 +7,29 @@ services:
# Core services
resolver:
image: ghcr.io/mailu/unbound:{{applications.mailu.version}}
env_file: .env
env_file: mailu.env
restart: {{docker_restart_policy}}
{% include 'templates/docker/container/networks.yml.j2' %}
ipv4_address: {{networks.local.mailu.dns}}
ipv4_address: 192.168.203.254
logging:
driver: journald
front:
image: ghcr.io/mailu/nginx:{{applications.mailu.version}}
restart: {{docker_restart_policy}}
env_file: .env
env_file: mailu.env
logging:
driver: journald
ports:
- "127.0.0.1:{{ http_port }}:80"
- "{{networks.internet.ip4}}:25:25"
- "{{networks.internet.ip4}}:465:465"
- "{{networks.internet.ip4}}:587:587"
- "{{networks.internet.ip4}}:110:110"
- "{{networks.internet.ip4}}:995:995"
- "{{networks.internet.ip4}}:143:143"
- "{{networks.internet.ip4}}:993:993"
- "{{networks.internet.ip4}}:4190:4190"
- "{{ ip4_address }}:25:25"
- "{{ ip4_address }}:465:465"
- "{{ ip4_address }}:587:587"
- "{{ ip4_address }}:110:110"
- "{{ ip4_address }}:995:995"
- "{{ ip4_address }}:143:143"
- "{{ ip4_address }}:993:993"
- "{{ ip4_address }}:4190:4190"
volumes:
- "/etc/mailu/overrides/nginx:/overrides:ro"
- "{{cert_mount_directory}}:/certs:ro"
@ -40,12 +40,12 @@ services:
webmail:
radicale:
dns:
- {{networks.local.mailu.dns}}
- 192.168.203.254
admin:
image: ghcr.io/mailu/admin:{{applications.mailu.version}}
restart: {{docker_restart_policy}}
env_file: .env
env_file: mailu.env
volumes:
- "admin_data:/data"
- "dkim:/dkim"
@ -57,13 +57,13 @@ services:
logging:
driver: journald
dns:
- {{networks.local.mailu.dns}}
- 192.168.203.254
{% include 'templates/docker/container/networks.yml.j2' %}
imap:
image: ghcr.io/mailu/dovecot:{{applications.mailu.version}}
restart: {{docker_restart_policy}}
env_file: .env
env_file: mailu.env
volumes:
- "dovecot_mail:/mail"
- "/etc/mailu/overrides:/overrides:ro"
@ -71,7 +71,7 @@ services:
- front
- resolver
dns:
- {{networks.local.mailu.dns}}
- 192.168.203.254
logging:
driver: journald
{% include 'templates/docker/container/networks.yml.j2' %}
@ -79,7 +79,7 @@ services:
smtp:
image: ghcr.io/mailu/postfix:{{applications.mailu.version}}
restart: {{docker_restart_policy}}
env_file: .env
env_file: mailu.env
volumes:
- "/etc/mailu/overrides:/overrides:ro"
- "smtp_queue:/queue"
@ -87,7 +87,7 @@ services:
- front
- resolver
dns:
- {{networks.local.mailu.dns}}
- 192.168.203.254
logging:
driver: journald
{% include 'templates/docker/container/networks.yml.j2' %}
@ -99,14 +99,14 @@ services:
depends_on:
- resolver
dns:
- {{networks.local.mailu.dns}}
- 192.168.203.254
{% include 'templates/docker/container/networks.yml.j2' %}
noinet:
antispam:
image: ghcr.io/mailu/rspamd:{{applications.mailu.version}}
restart: {{docker_restart_policy}}
env_file: .env
env_file: mailu.env
volumes:
- "filter:/var/lib/rspamd"
- "dkim:/dkim"
@ -117,7 +117,7 @@ services:
- antivirus
- resolver
dns:
- {{networks.local.mailu.dns}}
- 192.168.203.254
logging:
driver: journald
{% include 'templates/docker/container/networks.yml.j2' %}
@ -128,13 +128,13 @@ services:
antivirus:
image: clamav/clamav-debian:latest
restart: {{docker_restart_policy}}
env_file: .env
env_file: mailu.env
volumes:
- "filter:/data"
depends_on:
- resolver
dns:
- {{networks.local.mailu.dns}}
- 192.168.203.254
logging:
driver: journald
{% include 'templates/docker/container/networks.yml.j2' %}
@ -142,7 +142,7 @@ services:
webdav:
image: ghcr.io/mailu/radicale:{{applications.mailu.version}}
restart: {{docker_restart_policy}}
env_file: .env
env_file: mailu.env
volumes:
- "webdav_data:/data"
logging:
@ -150,7 +150,7 @@ services:
depends_on:
- resolver
dns:
- {{networks.local.mailu.dns}}
- 192.168.203.254
{% include 'templates/docker/container/networks.yml.j2' %}
radicale:
@ -159,7 +159,7 @@ services:
volumes:
- "admin_data:/data"
restart: {{docker_restart_policy}}
env_file: .env
env_file: mailu.env
logging:
driver: journald
depends_on:
@ -168,13 +168,13 @@ services:
- imap
- resolver
dns:
- {{networks.local.mailu.dns}}
- 192.168.203.254
{% include 'templates/docker/container/networks.yml.j2' %}
webmail:
image: ghcr.io/mailu/webmail:{{applications.mailu.version}}
restart: {{docker_restart_policy}}
env_file: .env
env_file: mailu.env
volumes:
- "webmail_data:/data"
- "/etc/mailu/overrides:/overrides:ro"
@ -185,7 +185,7 @@ services:
logging:
driver: journald
dns:
- {{networks.local.mailu.dns}}
- 192.168.203.254
{% include 'templates/docker/container/networks.yml.j2' %}
webmail:
@ -204,7 +204,7 @@ services:
ipam:
driver: default
config:
- subnet: {{networks.local.mailu.subnet}}
- subnet: {{applications.mailu.subnet}}
radicale:
driver: bridge
webmail:
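Review bot: The resolver address `192.168.203.254` is now hard-coded in `ipv4_address` and in every service's `dns:` list while the network `subnet` stays configurable via `{{applications.mailu.subnet}}`; an operator who changes the subnet in inventory gets a resolver outside the network (Compose presumably refuses the static address) and, if it did start, containers pointed at a DNS server that is not theirs. Keep the two values tied together by defining `applications.mailu.dns` next to `subnet` in the defaults and referencing it, e.g. `ipv4_address: {{ applications.mailu.dns }}` and `- {{ applications.mailu.dns }}` in each `dns:` list. The mail ports are bound to `{{ ip4_address }}`, which defaults to `127.0.0.1` in this diff's general defaults; a comment next to `ports:` saying the inventory must override it would prevent a silently unreachable mail server.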


@ -15,7 +15,7 @@ LD_PRELOAD=/usr/lib/libhardened_malloc.so
SECRET_KEY={{mailu_secret_key}}
# Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!)
SUBNET={{networks.local.mailu.subnet}}
SUBNET={{applications.mailu.subnet}}
# Main mail domain
DOMAIN={{applications.mailu.domain}}


@ -1,5 +1,5 @@
application_id: "mailu"
database_password: "{{mailu_database_password}}"
database_type: "mariadb"
cert_mount_directory: "{{docker_compose_instance_directory}}/certs/"
enable_wildcard_certificate: false
application_id: "mailu"
database_password: "{{mailu_database_password}}"
database_type: "mariadb"
cert_mount_directory: "{{docker_compose_instance_directory}}/certs/"
enable_one_letsencrypt_cert_for_all: false


@ -1,7 +1,7 @@
matrix_servers:
hosts:
{{inventory_hostname}}:
ansible_host: "{{networks.internet.ip4}}"
ansible_host: "{{ip4_address}}"
ansible_ssh_user: administrator
become: true
become_user: root


@ -24,7 +24,7 @@
src: "templates/nginx.conf.j2"
dest: "{{nginx.directories.http.servers}}{{domains.matrix_synapse}}.conf"
vars:
# domain: "{{domains.matrix_synapse}}" This does not seem to work @todo Check how to solve without declaring set_fact, seems a bug at templates
domain: "{{domains.matrix_synapse}}"
http_port: "{{ports.localhost.http_ports.matrix_synapse}}"
notify: restart nginx
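Review bot: `dest: "{{nginx.directories.http.servers}}{{domains.matrix_synapse}}.conf"` relies on `nginx.directories.http.servers` ending in a slash, and this same diff removes that slash from the nginx defaults, so the vhost would be written to `/etc/nginx/conf.d/http/servers<domain>.conf`, outside the include glob, and never loaded. Insert the separator here so the task does not depend on that convention: `dest: "{{ nginx.directories.http.servers }}/{{ domains.matrix_synapse }}.conf"`. The task's `name:`/`template:` header is above this hunk.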


@ -1,7 +1,4 @@
server {
# Somehow .j2 doesn't interpretate the passed variable right. For this reasons this redeclaration is necessary
{% set domain = domains.matrix_synapse %}
server_name {{domain}};
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}


@ -15,8 +15,8 @@ ENFORCE_EMAIL_VERIFICATION=false
PF_MAX_USERS=1000
OAUTH_ENABLED=true
APP_TIMEZONE={{timezone}}
APP_LOCALE={{locale}}
APP_TIMEZONE=UTC
APP_LOCALE=en
## Pixelfed Tweaks
LIMIT_ACCOUNT_SIZE=true


@ -0,0 +1,18 @@
volumes:
db_data:
storage:
services:
app:
image: snipe/snipe-it:${APP_VERSION}
restart: unless-stopped
volumes:
- storage:/var/lib/snipeit
ports:
- "${APP_PORT:-8000}:80"
depends_on:
db:
condition: service_healthy
restart: true
env_file:
- .env
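Review bot: `- "${APP_PORT:-8000}:80"` publishes the container on all interfaces, whereas the other roles in this diff bind their HTTP port to loopback (`"127.0.0.1:{{ http_port }}:80"`) so only the nginx reverse proxy reaches the app; bind it the same way, `- "127.0.0.1:${APP_PORT:-8000}:80"`. `depends_on: db: condition: service_healthy` references a `db` service that does not appear in this 18-line file as shown, so Compose will presumably refuse the project unless it is merged in from elsewhere; `restart: true` under `depends_on` also requires a recent Compose v2 and should be documented. `snipe/snipe-it:${APP_VERSION}` with `APP_VERSION=` left empty in the accompanying env renders an invalid image reference; give it a pinned default.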


@ -1,26 +0,0 @@
volumes:
db_data:
storage:
{% include 'templates/docker/services/redis.yml.j2' %}
{% include 'templates/docker/services/' + database_type + '.yml.j2' %}
services:
app:
image: snipe/snipe-it:${APP_VERSION}
restart: {{docker_restart_policy}}
volumes:
- data:/var/lib/snipeit
ports:
- "${APP_PORT}:80"
{% include 'templates/docker/container/depends-on-database-redis.yml.j2' %}
env_file:
- .env # Will also be read, without this parameter
{% include 'templates/docker/container/networks.yml.j2' %}
{% include 'templates/docker/compose/volumes.yml.j2' %}
redis:
data:
{% include 'templates/docker/compose/networks.yml.j2' %}


@ -1,8 +1,8 @@
# --------------------------------------------
# REQUIRED: DOCKER SPECIFIC SETTINGS
# --------------------------------------------
APP_VERSION={{applications.snape-it.version}}
APP_PORT={{ports.localhost.http_ports.snipe-it}}
APP_VERSION=
APP_PORT=8000
# --------------------------------------------
# REQUIRED: BASIC APP SETTINGS
@ -11,10 +11,10 @@ APP_ENV=production
APP_DEBUG=false
# Please regenerate the APP_KEY value by calling `docker compose run --rm app php artisan key:generate --show`. Copy paste the value here
APP_KEY=base64:3ilviXqB9u6DX1NRcyWGJ+sjySF+H18CPDGb3+IVwMQ=
APP_URL=https://{{domain}}
APP_URL=http://localhost:8000
# https://en.wikipedia.org/wiki/List_of_tz_database_time_zones - TZ identifier
APP_TIMEZONE='{{timezone}}'
APP_LOCALE={{locale}}
APP_TIMEZONE='UTC'
APP_LOCALE=en-US
MAX_RESULTS=500
# --------------------------------------------
@ -27,16 +27,16 @@ PUBLIC_FILESYSTEM_DISK=local_public
# REQUIRED: DATABASE SETTINGS
# --------------------------------------------
DB_CONNECTION=mysql
DB_HOST={{database_host}}
DB_PORT={{database_port}}
DB_DATABASE={{database_name}}
DB_USERNAME={{database_username}}
DB_PASSWORD={{pixelfed_database_password}}
#MYSQL_ROOT_PASSWORD=
#DB_PREFIX=null
#DB_DUMP_PATH='/usr/bin'
#DB_CHARSET=utf8mb4
#DB_COLLATION=utf8mb4_unicode_ci
DB_HOST=db
DB_PORT='3306'
DB_DATABASE=snipeit
DB_USERNAME=snipeit
DB_PASSWORD=changeme1234
MYSQL_ROOT_PASSWORD=changeme1234
DB_PREFIX=null
DB_DUMP_PATH='/usr/bin'
DB_CHARSET=utf8mb4
DB_COLLATION=utf8mb4_unicode_ci
# --------------------------------------------
# OPTIONAL: SSL DATABASE SETTINGS
@ -52,17 +52,17 @@ DB_SSL_VERIFY_SERVER=null
# --------------------------------------------
# REQUIRED: OUTGOING MAIL SERVER SETTINGS
# --------------------------------------------
MAIL_MAILER = smtp
MAIL_HOST = {{system_email.host}} # SMTP server address
MAIL_PORT = {{system_email.host}} # SMTP server address
MAIL_USERNAME = {{system_email.username}} # user to connect the SMTP server
MAIL_PASSWORD = {{system_email.password}} # SMTP user's password
MAIL_TLS_VERIFY_PEER = EMAIL_USE_TLS={{ system_email.tls | lower | capitalize }} # use TLS (secure) connection with the SMTP server
MAIL_FROM_ADDR = {{system_email.from}} # default email address for the automated emails
MAIL_FROM_NAME = 'Snipe-IT'
MAIL_REPLYTO_ADDR = {{system_email.from}} # default email address for the automated emails
MAIL_REPLYTO_NAME = 'Snipe-IT'
MAIL_AUTO_EMBED_METHOD = 'attachment'
MAIL_MAILER=smtp
MAIL_HOST=mailhog
MAIL_PORT=1025
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_TLS_VERIFY_PEER=true
MAIL_FROM_ADDR=you@example.com
MAIL_FROM_NAME='Snipe-IT'
MAIL_REPLYTO_ADDR=you@example.com
MAIL_REPLYTO_NAME='Snipe-IT'
MAIL_AUTO_EMBED_METHOD='attachment'
# --------------------------------------------
# REQUIRED: DATA PROTECTION
@ -97,12 +97,12 @@ API_TOKEN_EXPIRATION_YEARS=40
# --------------------------------------------
# OPTIONAL: SECURITY HEADER SETTINGS
# --------------------------------------------
APP_TRUSTED_PROXIES=172.17.0.1 # Docker Gateway
APP_TRUSTED_PROXIES=192.168.1.1,10.0.0.1,172.16.0.0/12
ALLOW_IFRAMING=false
REFERRER_POLICY=same-origin
ENABLE_CSP=true
ENABLE_CSP=false
CORS_ALLOWED_ORIGINS=null
ENABLE_HSTS=false # Certificates managed by nginx
ENABLE_HSTS=false
# --------------------------------------------
# OPTIONAL: CACHE SETTINGS
@ -115,7 +115,7 @@ CACHE_PREFIX=snipeit
# --------------------------------------------
# OPTIONAL: REDIS SETTINGS
# --------------------------------------------
REDIS_HOST=redis
REDIS_HOST=null
REDIS_PASSWORD=null
REDIS_PORT=6379
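Review bot: The new side ships working default credentials — `DB_PASSWORD=changeme1234` and `MYSQL_ROOT_PASSWORD=changeme1234` — next to the static `APP_KEY` on the context line, so any deployment that does not edit this file shares a database password and a Laravel encryption key with every other one; the key already committed here should be treated as compromised and regenerated. Take them from variables as the other roles do (e.g. `DB_PASSWORD={{ snipeit_database_password }}`, `APP_KEY={{ snipeit_app_key }}`) or at least leave them empty so startup fails loudly. `ENABLE_CSP=false` and `APP_TRUSTED_PROXIES=192.168.1.1,10.0.0.1,172.16.0.0/12` weaken the security-header section: keep CSP enabled and trust only the address that actually fronts the container (the previous value trusted just the Docker gateway). `APP_URL=http://localhost:8000` will also make the app generate `http://` links behind the TLS proxy; set it to the public `https://` domain.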


@ -1,4 +1,4 @@
{% set ssl_cert_folder = primary_domain if enable_wildcard_certificate | bool and primary_domain in domain else domain %}
{% set ssl_cert_folder = primary_domain if enable_one_letsencrypt_cert_for_all else domain %}
ssl_certificate /etc/letsencrypt/live/{{ ssl_cert_folder }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ ssl_cert_folder }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ ssl_cert_folder }}/chain.pem;
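Review bot: `{% set ssl_cert_folder = primary_domain if enable_one_letsencrypt_cert_for_all else domain %}` hands the shared certificate to every domain, but the certificate the letsencrypt role requests in this diff covers only `{{ primary_domain }}` and `*.{{ primary_domain }}`, so a domain in another zone is served with a non-matching certificate, and the flag is evaluated without `| bool`, so a string `"false"` counts as true. Guard on the domain and coerce the flag: `{% set ssl_cert_folder = primary_domain if (enable_one_letsencrypt_cert_for_all | bool and (domain == primary_domain or domain.endswith('.' ~ primary_domain))) else domain %}`. That guard still admits multi-label names like `a.b.<primary_domain>`, which a single-level wildcard does not cover; the certbot tasks should reject those, or this template should fall back to `domain` for them. A comment above the `set` saying that all three `ssl_*` paths must come from the same folder would document why the variable exists.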


@ -23,7 +23,7 @@ This Ansible role simplifies the deployment of **Let's Encrypt certificates** in
By default, each subdomain gets its own certificate. You can **enable a wildcard certificate** by setting:
```yaml
enable_wildcard_certificate: true
enable_one_letsencrypt_cert_for_all: true
```
📌 **Pros & Cons of a Wildcard Certificate:**
@ -58,7 +58,7 @@ If enabled, update your inventory file and follow the **manual wildcard certific
---
## **🔐 Wildcard Certificate Setup with Let's Encrypt**
If you enabled `enable_wildcard_certificate`, follow these steps to manually request a **wildcard certificate**.
If you enabled `enable_one_letsencrypt_cert_for_all`, follow these steps to manually request a **wildcard certificate**.
### **1⃣ Run the Certbot Command 🖥️**
```sh


@ -1,5 +1,5 @@
# Deactivate CSP header
add_header Content-Security-Policy: "";
more_set_headers "Content-Security-Policy: ";
# sub filters to integrate matomo tracking code in nginx websites
sub_filter '</head>' '<script>{{matomo_tracking_code_one_liner}}</script></head>';
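Review bot: `more_set_headers "Content-Security-Policy: ";` clears the upstream application's CSP on every site that receives the tracking snippet (unlike `add_header`, `more_set_headers` replaces headers from the proxied response), removing the main defence against injected script for the sake of one inline `<script>`. Prefer keeping the policy and admitting the snippet explicitly — serve the tracker from the Matomo host and extend `script-src` with that origin, or inject a nonce — rather than blanking the header globally; if the blanking stays, a comment stating that trade-off is the minimum. `more_set_headers` also needs the headers-more module built into nginx; a stock nginx fails to start on an unknown directive, so the role should check for the module or document the requirement.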


@ -1,2 +0,0 @@
dependencies:
- nginx


@ -5,8 +5,6 @@
patterns: '*.*.conf'
register: conf_files
# Filter all domains
- name: Filter domain names and remove .conf extension and path
set_fact:
filtered_domains: "{{ conf_files.files | map(attribute='path') | map('regex_search', domain_regex) | select('string') | map('regex_replace', path_regex, '') | map('regex_replace', '.conf$', '') | list }}"
@ -17,69 +15,9 @@
- name: The domains for which a www. redirect will be implemented
debug:
var: filtered_domains
when: mode_debug | bool
# Routine for domains with primary domain included
- name: Set filtered_domains_with_primary_domain
set_fact:
filtered_domains_with_primary_domain: "{{ filtered_domains | select('search', primary_domain + '$') | list }}"
- name: Debug with primary domain
debug:
var: filtered_domains_with_primary_domain
when: mode_debug | bool
- name: Include nginx-domain-redirect role with dynamic domain mappings for domains with {{primary_domain}} included
- name: Include nginx-domain-redirect role with dynamic domain mappings
include_role:
name: nginx-domain-redirect
vars:
domain_mappings: "{{ filtered_domains_with_primary_domain | map('regex_replace', '^(.*)$', '{ source: \"www.\\1\", target: \"\\1\" }') | map('from_yaml') | list }}"
when: not enable_wildcard_certificate | bool
- name: Include wildcard www. redirect for domains with {{primary_domain}} included
vars:
domain: "{{primary_domain}}"
template:
src: www.wildcard.conf.j2
dest: "{{nginx_www_wildcart_configuration}}"
notify: restart nginx
when: enable_wildcard_certificate | bool
# Routine for domains without the primary domain included
- name: Set filtered_domains_without_primary_domain
set_fact:
filtered_domains_without_primary_domain: "{{ filtered_domains | reject('search', primary_domain + '$') | list }}"
- name: Debug domains without primary domain
debug:
var: filtered_domains_without_primary_domain
when: mode_debug | bool
- name: Include nginx-domain-redirect role with dynamic domain mappings for domains without primary domain
include_role:
name: nginx-domain-redirect
vars:
domain_mappings: "{{ filtered_domains_without_primary_domain | map('regex_replace', '^(.*)$', '{ source: \"www.\\1\", target: \"\\1\" }') | map('from_yaml') | list }}"
# Cleanup
- name: Cleanup dedicated nginx configurations for www redirect configuration
file:
path: "{{ nginx.directories.http.servers }}{{ item.source }}.conf"
state: absent
loop: "{{ filtered_domains_with_primary_domain | map('regex_replace', '^(.*)$', '{ source: \"www.\\1\", target: \"\\1\" }') | map('from_yaml') | list }}"
notify: restart nginx
when:
- enable_wildcard_certificate | bool
- mode_cleanup
- name: Cleanup {{nginx_www_wildcart_configuration}}
file:
path: "{{nginx_www_wildcart_configuration}}"
state: absent
notify: restart nginx
when:
- not enable_wildcard_certificate | bool
- mode_cleanup
domain_mappings: "{{ filtered_domains | map('regex_replace', '^(.*)$', '{ source: \"www.\\1\", target: \"\\1\" }') | map('from_yaml') | list }}"


@ -1,6 +0,0 @@
server {
server_name ~^www\.(?<domain>.+)$;
{% include 'roles/letsencrypt/templates/ssl_header.j2' %}
return 301 https://$domain$request_uri;
}


@ -1 +0,0 @@
nginx_www_wildcart_configuration: "{{nginx.directories.http.global}}www.wildcard.conf"


@ -23,7 +23,7 @@
state: directory
mode: '0755'
recurse: yes
loop: "{{ nginx.directories.http.values() | list + [nginx.directories.streams] }}"
loop: "{{ nginx.directories.http + nginx.directories.streams }}"
when: run_once_nginx is not defined
- name: create nginx config file
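Review bot: `loop: "{{ nginx.directories.http + nginx.directories.streams }}"` adds a mapping to a string — `nginx.directories.http` is a dict (`global`/`servers`/`maps`) and `streams` is a plain path in this diff's nginx defaults — so the expression fails to render instead of yielding a list of directories. Use the dict's values and wrap the scalar in a list: `loop: "{{ nginx.directories.http.values() | list + [nginx.directories.streams] }}"`. The task also applies `mode: '0755'` with `recurse: yes`, which rewrites permissions on everything already under those directories on every run; a why-comment, or dropping `recurse`, would make that intent explicit. The task's `file:` header is above this hunk.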


@ -34,9 +34,8 @@ http
gzip_types application/atom+xml application/javascript application/xml+rss application/x-javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy text/javascript text/xml;
types_hash_max_size 4096;
{% for dir in nginx.directories.http.values() %}
include {{ dir }}*.conf;
{% endfor %}
include {{nginx.directories.http.maps}}*.conf;
include {{nginx.directories.http.servers}}*.conf;
}
# For port proxies
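Review bot: With `nginx.directories.http.servers` defined without a trailing slash elsewhere in this diff, `include {{nginx.directories.http.servers}}*.conf;` renders to `include /etc/nginx/conf.d/http/servers*.conf;`, which matches no vhost files, so nginx starts with no server blocks at all. Insert the separator explicitly so the include does not depend on the variable's spelling: `include {{nginx.directories.http.maps}}/*.conf;` and `include {{nginx.directories.http.servers}}/*.conf;` (a doubled slash is harmless). The `global` directory is still created by the role but is no longer included here; if nothing is meant to live there, say so in a comment, otherwise add `include {{nginx.directories.http.global}}/*.conf;`.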


@ -3,25 +3,21 @@
certbot certonly --agree-tos --email {{ administrator_email }}
--non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ domain }}
{{ '--test-cert' if mode_test | bool else '' }}
when: not enable_wildcard_certificate | bool or primary_domain not in domain
when: not enable_one_letsencrypt_cert_for_all
- name: "recieve certbot certificate for *{{ primary_domain }}"
command: >-
certbot certonly --agree-tos --email {{ administrator_email }}
--non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ primary_domain }} -d *.{{ primary_domain }}
{{ '--test-cert' if mode_test | bool else '' }}
when:
- enable_wildcard_certificate | bool
- primary_domain in domain
- run_once_recieve_certificate is not defined
when: enable_one_letsencrypt_cert_for_all and run_once_recieve_certificate is not defined
- name: "Cleanup dedicated cert for {{ domain }}"
command: >-
certbot delete --cert-name {{ domain }} --non-interactive
when:
- mode_cleanup | bool
- enable_wildcard_certificate | bool
- primary_domain in domain
- mode_cleanup
- enable_one_letsencrypt_cert_for_all
- domain != primary_domain
ignore_errors: true
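Review bot: With `enable_one_letsencrypt_cert_for_all` set, the per-domain request is skipped for every domain while the wildcard request covers only `{{ primary_domain }}` and `*.{{ primary_domain }}`, so a domain in a different zone (or a multi-label name under the primary zone) gets no certificate at all, and the cleanup task (`domain != primary_domain`) then deletes any dedicated certificate it still had. Gate both tasks on the domain actually being covered, e.g. `when: not (enable_one_letsencrypt_cert_for_all | bool and domain.endswith('.' ~ primary_domain))` on the per-domain request and the mirrored condition on the cleanup, and keep `| bool` on the flag and on `mode_cleanup`, since either may arrive as a string. `ignore_errors: true` on `certbot delete` also hides a failed deletion of a live lineage; a `failed_when` that tolerates only the "no certificate found" case would be narrower. The first task's `name:`/`command:` header is above this hunk.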