Implemented wildcard function for www redirects and solved bugs

group_vars/all/00_general.yml

@@ -1,7 +1,9 @@
 # General
 pause_duration:         "120"         # Database delay to wait for the central database before continue tasks
-ip4_address:            "127.0.0.1"   # Change thie in inventory to the ip address of your server
+
 backups_folder_path:    "/Backups/"   # Path to the backups folder
+timezone:               "UTC"
+locale:                 "locale"
 
 ## Domain
 primary_domain_tld:     "localhost"                                     # Top Level Domain of the server
@@ -41,4 +43,4 @@ nginx_matomo_tracking:                false   # Activates matomo tracking on all
 # To enable, update your inventory file.
 # For detailed setup instructions, visit: 
 # https://github.com/kevinveenbirkenbach/cymais/tree/master/roles/nginx-docker-cert-deploy
-enable_one_letsencrypt_cert_for_all:  false    
+enable_wildcard_certificate:          false    

group_vars/all/05_nginx.yml

@@ -5,8 +5,8 @@ nginx:
   directories:
     configuration:  "/etc/nginx/conf.d/"              # Configuration directory
     http:
-      global:       "/etc/nginx/conf.d/http/global"   # Contains global configurations which will be loaded into the http block
+      global:       "/etc/nginx/conf.d/http/global/"  # Contains global configurations which will be loaded into the http block
-      servers:      "/etc/nginx/conf.d/http/servers"  # Contains one configuration per domain
+      servers:      "/etc/nginx/conf.d/http/servers/" # Contains one configuration per domain
       maps:         "/etc/nginx/conf.d/http/maps/"    # Contains mappings
     streams:        "/etc/nginx/conf.d/streams/"      # Contains streams configuration e.g. for ldaps
     well_known:     "/usr/share/nginx/well-known/"    # Path where well-known files are stored

group_vars/all/07_applications.yml

@@ -172,6 +172,10 @@ defaults_applications:
   postgres:
     database.version:  "latest"
 
+  # Snipe-IT
+  snipe-it:
+    version:           "latest"
+
   ## Taiga
   taiga:
     version:              "latest"

group_vars/all/09_ports.yml

@@ -44,6 +44,7 @@ ports:
       keycloak:       8032
       ldap:           8033
       phpmyadmin:     8034
+      snipe-it:       8035
       bigbluebutton:  48087 # This port is predefined by bbb. @todo Try to change this to a 8XXX port
   # Ports which are exposed to the World Wide Web
   public:

group_vars/all/10_networks.yml

@@ -0,0 +1,10 @@
+defaults_networks:
+  internet:
+    ip4:  "127.0.0.1"       # Change this in inventory to the ip address of your server
+    ip6:  "::01"            # Change this in inventory to the ip address of your server
+  local:
+    mailu:
+      dns:    192.168.203.254   # Address of the Mailu DNS server
+      subnet: 192.168.203.0/24  # Mailu Subnet
+
+  

playbook.constructor.yml

@@ -11,6 +11,9 @@
   - name: Merge application definitions
     set_fact:
       applications: "{{ defaults_applications | combine(applications | default({}, true), recursive=True) }}"
+  - name: Merge networks definitions
+    set_fact:
+      networks: "{{ defaults_networks | combine(networks | default({}, true), recursive=True) }}"
 
 - name: update device
   hosts:  all

roles/docker-akaunting/templates/run.env.j2

@@ -1,6 +1,6 @@
 # You should change this to match your reverse proxy DNS name and protocol
 APP_URL=https://{{domain}}
-LOCALE=en-US
+LOCALE={{locale}}
 
 # Don't change this unless you rename your database container or use rootless podman, in case of using rootless podman you should set it to 127.0.0.1 (NOT localhost)
 DB_HOST={{database_host}}

roles/docker-bigbluebutton/templates/env.j2

@@ -1,6 +1,7 @@
 ENABLE_COTURN=true
-COTURN_TLS_CERT_PATH=/etc/letsencrypt/live/{{ primary_domain if enable_one_letsencrypt_cert_for_all else domain }}/fullchain.pem
+{% set ssl_cert_folder = primary_domain if enable_wildcard_certificate | bool and primary_domain in domain else domain %}
-COTURN_TLS_KEY_PATH=/etc/letsencrypt/live/{{ primary_domain if enable_one_letsencrypt_cert_for_all else domain }}/privkey.pem
+COTURN_TLS_CERT_PATH=/etc/letsencrypt/live/{{ssl_cert_folder}}/fullchain.pem
+COTURN_TLS_KEY_PATH=/etc/letsencrypt/live/{{ssl_cert_folder}}/privkey.pem
 ENABLE_GREENLIGHT={{applications.bigbluebutton.enable_greenlight}}
 
 # Enable Webhooks
@@ -41,12 +42,12 @@ FSESL_PASSWORD={{bigbluebutton_fsesl_password}}
 
 DOMAIN={{domain}}
 
-EXTERNAL_IPv4={{ip4_address}}
+EXTERNAL_IPv4={{networks.internet.ip4}}
 EXTERNAL_IPv6=
 
 # STUN SERVER
 # stun.freeswitch.org
-STUN_IP={{ip4_address}}
+STUN_IP={{networks.internet.ip4}}
 STUN_PORT=3478
 
 # TURN SERVER

roles/docker-discourse/templates/discourse_application.yml.j2

@@ -34,7 +34,7 @@ env:
   LC_ALL: en_US.UTF-8
   LANG: en_US.UTF-8
   LANGUAGE: en_US.UTF-8
-  # DISCOURSE_DEFAULT_LOCALE: en
+  #DISCOURSE_DEFAULT_LOCALE: {{locale}} # Deactivated because not right format was selected @todo find right format
 
   ## How many concurrent web requests are supported? Depends on memory and CPU cores.
   ## will be set automatically by bootstrap based on detected CPUs, or you can override

roles/docker-funkwhale/templates/docker-compose.yml.j2

@@ -14,7 +14,7 @@ services:
     # flag:
     #   celery -A funkwhale_api.taskapp worker -l INFO --concurrency=4
     restart: {{docker_restart_policy}}
-    image: funkwhale/api:${applications.funkwhale.version:-latest}
+    image: funkwhale/api:${FUNKWHALE_VERSION}
     env_file: .env
     command: celery -A funkwhale_api.taskapp worker -l INFO --concurrency=${CELERYD_CONCURRENCY-0}
     environment:
@@ -27,7 +27,7 @@ services:
 
   celerybeat:
     restart: {{docker_restart_policy}}
-    image: funkwhale/api:${applications.funkwhale.version:-latest}
+    image: funkwhale/api:${FUNKWHALE_VERSION}
     env_file: .env
     command: celery -A funkwhale_api.taskapp beat --pidfile= -l INFO
 {% include 'templates/docker/container/depends-on-database-redis.yml.j2' %}
@@ -35,7 +35,7 @@ services:
 
   api:
     restart: {{docker_restart_policy}}
-    image: funkwhale/api:${applications.funkwhale.version:-latest}
+    image: funkwhale/api:${FUNKWHALE_VERSION}
     env_file: .env
     volumes:
       - "music:${MUSIC_DIRECTORY_PATH}:ro"
@@ -48,7 +48,7 @@ services:
 
   front:
     restart: {{docker_restart_policy}}
-    image: funkwhale/front:${applications.funkwhale.version:-latest}
+    image: funkwhale/front:${FUNKWHALE_VERSION}
     depends_on:
       - api
     env_file:

roles/docker-funkwhale/templates/env.j2

@@ -18,7 +18,7 @@
 # -----------
 MUSIC_DIRECTORY_PATH=/music
 
-applications.funkwhale.version={{applications.funkwhale.version}}
+FUNKWHALE_VERSION={{applications.funkwhale.version}}
 
 # End of docker-only configuration
 

roles/docker-keycloak/README.md

@@ -57,28 +57,6 @@ The role performs the following main tasks:
 3. **Start Docker containers:**
    - The role launches the Keycloak project using Docker Compose.
 
-## Example: Usage 🚀
-
-Here is an example of how to use this role in a playbook:
-
-```yaml
-- name: Setup Keycloak with Docker
-  hosts: all
-  vars:
-    domain: "auth.example.com"
-    applications.keycloak.version: "21.1.0"
-    applications.keycloak.administrator_username: "admin"
-    keycloak_administrator_password: "securepassword"
-    database_host: "db.example.com"
-    database_name: "keycloak_db"
-    database_username: "keycloak_user"
-    database_password: "securedbpassword"
-    http_port: 8080
-    docker_restart_policy: "unless-stopped"
-  roles:
-    - docker-keycloak
-```
-
 ## More Information 📚
 
 For more details about Keycloak, check out:

roles/docker-ldap/vars/main.yml

@@ -9,6 +9,6 @@ ldap_localhost_port:          389
 oauth2_proxy_upstream_application_and_port: "{{ applications.ldap.webinterface }}:{% if applications.ldap.webinterface == 'phpldapadmin' %}8080{% else %}80{% endif %}"
 oauth2_proxy_active:                        true
 
-enable_one_letsencrypt_cert_for_all:  false # Activate dedicated Certificate
+enable_wildcard_certificate:  false # Activate dedicated Certificate
 
 ldap_network_enabled:                 true  # Activate LDAP network

roles/docker-mailu/tasks/main.yml

@@ -29,10 +29,10 @@
     dest: "{{docker_compose_instance_directory}}docker-compose.yml"
   notify: docker compose project setup
 
-- name: add mailu.env
+- name: add .env
   template: 
-    src:  "mailu.env.j2" 
+    src:  "env.j2" 
-    dest: "{{docker_compose_instance_directory}}mailu.env"
+    dest: "{{docker_compose_instance_directory}}.env"
   notify: docker compose project setup
 
 - name: flush docker service

roles/docker-mailu/templates/docker-compose.yml.j2

@@ -7,29 +7,29 @@ services:
   # Core services
   resolver:
     image: ghcr.io/mailu/unbound:{{applications.mailu.version}}
-    env_file: mailu.env
+    env_file: .env
     restart: {{docker_restart_policy}}
 {% include 'templates/docker/container/networks.yml.j2' %}
-        ipv4_address: 192.168.203.254
+        ipv4_address: {{networks.local.mailu.dns}}
     logging:
       driver: journald
 
   front:
     image: ghcr.io/mailu/nginx:{{applications.mailu.version}}
     restart: {{docker_restart_policy}}
-    env_file: mailu.env
+    env_file: .env
     logging:
       driver: journald
     ports:
       - "127.0.0.1:{{ http_port }}:80"
-      - "{{ ip4_address }}:25:25"
+      - "{{networks.internet.ip4}}:25:25"
-      - "{{ ip4_address }}:465:465"
+      - "{{networks.internet.ip4}}:465:465"
-      - "{{ ip4_address }}:587:587"
+      - "{{networks.internet.ip4}}:587:587"
-      - "{{ ip4_address }}:110:110"
+      - "{{networks.internet.ip4}}:110:110"
-      - "{{ ip4_address }}:995:995"
+      - "{{networks.internet.ip4}}:995:995"
-      - "{{ ip4_address }}:143:143"
+      - "{{networks.internet.ip4}}:143:143"
-      - "{{ ip4_address }}:993:993"
+      - "{{networks.internet.ip4}}:993:993"
-      - "{{ ip4_address }}:4190:4190"
+      - "{{networks.internet.ip4}}:4190:4190"
     volumes:
       - "/etc/mailu/overrides/nginx:/overrides:ro"
       - "{{cert_mount_directory}}:/certs:ro"
@@ -40,12 +40,12 @@ services:
       webmail:
       radicale:
     dns:
-      - 192.168.203.254
+      - {{networks.local.mailu.dns}}
       
   admin:
     image: ghcr.io/mailu/admin:{{applications.mailu.version}}
     restart: {{docker_restart_policy}}
-    env_file: mailu.env
+    env_file: .env
     volumes:
       - "admin_data:/data"
       - "dkim:/dkim"
@@ -57,13 +57,13 @@ services:
     logging:
       driver: journald
     dns:
-      - 192.168.203.254
+      - {{networks.local.mailu.dns}}
 {% include 'templates/docker/container/networks.yml.j2' %}
 
   imap:
     image: ghcr.io/mailu/dovecot:{{applications.mailu.version}}
     restart: {{docker_restart_policy}}
-    env_file: mailu.env
+    env_file: .env
     volumes:
       - "dovecot_mail:/mail"
       - "/etc/mailu/overrides:/overrides:ro"
@@ -71,7 +71,7 @@ services:
       - front
       - resolver
     dns:
-      - 192.168.203.254
+      - {{networks.local.mailu.dns}}
     logging:
       driver: journald
 {% include 'templates/docker/container/networks.yml.j2' %}
@@ -79,7 +79,7 @@ services:
   smtp:
     image: ghcr.io/mailu/postfix:{{applications.mailu.version}}
     restart: {{docker_restart_policy}}
-    env_file: mailu.env
+    env_file: .env
     volumes:
       - "/etc/mailu/overrides:/overrides:ro"
       - "smtp_queue:/queue"
@@ -87,7 +87,7 @@ services:
       - front
       - resolver
     dns:
-      - 192.168.203.254
+      - {{networks.local.mailu.dns}}
     logging:
       driver: journald
 {% include 'templates/docker/container/networks.yml.j2' %}
@@ -99,14 +99,14 @@ services:
     depends_on:
       - resolver
     dns:
-      - 192.168.203.254
+      - {{networks.local.mailu.dns}}
 {% include 'templates/docker/container/networks.yml.j2' %}
       noinet:
 
   antispam:
     image: ghcr.io/mailu/rspamd:{{applications.mailu.version}}
     restart: {{docker_restart_policy}}
-    env_file: mailu.env
+    env_file: .env
     volumes:
       - "filter:/var/lib/rspamd"
       - "dkim:/dkim"
@@ -117,7 +117,7 @@ services:
       - antivirus
       - resolver
     dns:
-      - 192.168.203.254
+      - {{networks.local.mailu.dns}}
     logging:
       driver: journald
 {% include 'templates/docker/container/networks.yml.j2' %}
@@ -128,13 +128,13 @@ services:
   antivirus:
     image: clamav/clamav-debian:latest
     restart: {{docker_restart_policy}}
-    env_file: mailu.env
+    env_file: .env
     volumes:
       - "filter:/data"
     depends_on:
       - resolver
     dns:
-      - 192.168.203.254
+      - {{networks.local.mailu.dns}}
     logging:
       driver: journald
 {% include 'templates/docker/container/networks.yml.j2' %}
@@ -142,7 +142,7 @@ services:
   webdav:
     image: ghcr.io/mailu/radicale:{{applications.mailu.version}}
     restart: {{docker_restart_policy}}
-    env_file: mailu.env
+    env_file: .env
     volumes:
       - "webdav_data:/data"
     logging:
@@ -150,7 +150,7 @@ services:
     depends_on:
       - resolver
     dns:
-      - 192.168.203.254
+      - {{networks.local.mailu.dns}}
 {% include 'templates/docker/container/networks.yml.j2' %}
       radicale:
 
@@ -159,7 +159,7 @@ services:
     volumes:
       - "admin_data:/data"
     restart: {{docker_restart_policy}}
-    env_file: mailu.env
+    env_file: .env
     logging:
       driver: journald
     depends_on:
@@ -168,13 +168,13 @@ services:
       - imap
       - resolver
     dns:
-      - 192.168.203.254
+      - {{networks.local.mailu.dns}}
 {% include 'templates/docker/container/networks.yml.j2' %}
 
   webmail:
     image: ghcr.io/mailu/webmail:{{applications.mailu.version}}
     restart: {{docker_restart_policy}}
-    env_file: mailu.env
+    env_file: .env
     volumes:
       - "webmail_data:/data"
       - "/etc/mailu/overrides:/overrides:ro"
@@ -185,7 +185,7 @@ services:
     logging:
       driver: journald
     dns:
-      - 192.168.203.254
+      - {{networks.local.mailu.dns}}
 {% include 'templates/docker/container/networks.yml.j2' %}
       webmail:
 
@@ -204,7 +204,7 @@ services:
     ipam:
       driver: default
       config:
-        - subnet: {{applications.mailu.subnet}}
+        - subnet: {{networks.local.mailu.subnet}}
   radicale:
     driver: bridge
   webmail:

roles/docker-mailu/templates/env.j2

@@ -15,7 +15,7 @@ LD_PRELOAD=/usr/lib/libhardened_malloc.so
 SECRET_KEY={{mailu_secret_key}}
 
 # Subnet of the docker network. This should not conflict with any networks to which your system is connected. (Internal and external!)
-SUBNET={{applications.mailu.subnet}}
+SUBNET={{networks.local.mailu.subnet}}
 
 # Main mail domain
 DOMAIN={{applications.mailu.domain}}

roles/docker-mailu/vars/main.yml

@@ -1,5 +1,5 @@
-application_id:                       "mailu"
+application_id:               "mailu"
-database_password:  	                "{{mailu_database_password}}"
+database_password:  	        "{{mailu_database_password}}"
-database_type:                        "mariadb"
+database_type:                "mariadb"
-cert_mount_directory:                 "{{docker_compose_instance_directory}}/certs/"
+cert_mount_directory:         "{{docker_compose_instance_directory}}/certs/"
-enable_one_letsencrypt_cert_for_all:  false
+enable_wildcard_certificate:  false

roles/docker-matrix-ansible/templates/hosts.yml.j2

@@ -1,7 +1,7 @@
 matrix_servers:
   hosts:
     {{inventory_hostname}}:
-      ansible_host: "{{ip4_address}}"
+      ansible_host: "{{networks.internet.ip4}}"
       ansible_ssh_user: administrator
       become: true
       become_user: root

roles/docker-matrix-compose/tasks/main.yml

@@ -24,7 +24,7 @@
     src:  "templates/nginx.conf.j2" 
     dest: "{{nginx.directories.http.servers}}{{domains.matrix_synapse}}.conf"
   vars:
-    domain:     "{{domains.matrix_synapse}}"
+    # domain:     "{{domains.matrix_synapse}}" This does not seem to work @todo Check how to solve without declaring set_fact, seems a bug at templates
     http_port:  "{{ports.localhost.http_ports.matrix_synapse}}"
   notify: restart nginx
         

roles/docker-matrix-compose/templates/nginx.conf.j2

@@ -1,4 +1,7 @@
 server {
+    # Somehow .j2 doesn't interpretate the passed variable right. For this reasons this redeclaration is necessary
+    {% set domain = domains.matrix_synapse %}
+
     server_name {{domain}};
     {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
     

roles/docker-pixelfed/templates/env.j2

@@ -15,8 +15,8 @@ ENFORCE_EMAIL_VERIFICATION=false
 PF_MAX_USERS=1000
 OAUTH_ENABLED=true
 
-APP_TIMEZONE=UTC
+APP_TIMEZONE={{timezone}}
-APP_LOCALE=en
+APP_LOCALE={{locale}}
 
 ## Pixelfed Tweaks
 LIMIT_ACCOUNT_SIZE=true

roles/docker-snipe-it/templates/docker-compose.yml

@@ -1,18 +0,0 @@
-volumes:
-  db_data:
-  storage:
-
-services:
-  app:
-    image: snipe/snipe-it:${APP_VERSION}
-    restart: unless-stopped
-    volumes:
-      - storage:/var/lib/snipeit
-    ports:
-      - "${APP_PORT:-8000}:80"
-    depends_on:
-      db:
-        condition: service_healthy
-        restart: true
-    env_file:
-      - .env

roles/docker-snipe-it/templates/docker-compose.yml.j2

@@ -0,0 +1,26 @@
+volumes:
+  db_data:
+  storage:
+
+{% include 'templates/docker/services/redis.yml.j2' %}
+
+{% include 'templates/docker/services/' + database_type + '.yml.j2' %}
+
+services:
+  app:
+    image: snipe/snipe-it:${APP_VERSION}
+    restart: {{docker_restart_policy}}
+    volumes:
+      - data:/var/lib/snipeit
+    ports:
+      - "${APP_PORT}:80"
+{% include 'templates/docker/container/depends-on-database-redis.yml.j2' %}
+    env_file:
+      - .env  # Will also be read, without this parameter
+{% include 'templates/docker/container/networks.yml.j2' %}
+
+{% include 'templates/docker/compose/volumes.yml.j2' %}
+  redis:
+  data:
+
+{% include 'templates/docker/compose/networks.yml.j2' %}

roles/docker-snipe-it/templates/env.j2

@@ -1,8 +1,8 @@
 # --------------------------------------------
 # REQUIRED: DOCKER SPECIFIC SETTINGS
 # --------------------------------------------
-APP_VERSION=
+APP_VERSION={{applications.snape-it.version}}
-APP_PORT=8000
+APP_PORT={{ports.localhost.http_ports.snipe-it}}
 
 # --------------------------------------------
 # REQUIRED: BASIC APP SETTINGS
@@ -11,10 +11,10 @@ APP_ENV=production
 APP_DEBUG=false
 # Please regenerate the APP_KEY value by calling `docker compose run --rm app php artisan key:generate --show`. Copy paste the value here
 APP_KEY=base64:3ilviXqB9u6DX1NRcyWGJ+sjySF+H18CPDGb3+IVwMQ=
-APP_URL=http://localhost:8000
+APP_URL=https://{{domain}}
 # https://en.wikipedia.org/wiki/List_of_tz_database_time_zones - TZ identifier
-APP_TIMEZONE='UTC'
+APP_TIMEZONE='{{timezone}}'
-APP_LOCALE=en-US
+APP_LOCALE={{locale}}
 MAX_RESULTS=500
 
 # --------------------------------------------
@@ -27,16 +27,16 @@ PUBLIC_FILESYSTEM_DISK=local_public
 # REQUIRED: DATABASE SETTINGS
 # --------------------------------------------
 DB_CONNECTION=mysql
-DB_HOST=db
+DB_HOST={{database_host}}
-DB_PORT='3306'
+DB_PORT={{database_port}}
-DB_DATABASE=snipeit
+DB_DATABASE={{database_name}}
-DB_USERNAME=snipeit
+DB_USERNAME={{database_username}}
-DB_PASSWORD=changeme1234
+DB_PASSWORD={{pixelfed_database_password}}
-MYSQL_ROOT_PASSWORD=changeme1234
+#MYSQL_ROOT_PASSWORD=
-DB_PREFIX=null
+#DB_PREFIX=null
-DB_DUMP_PATH='/usr/bin'
+#DB_DUMP_PATH='/usr/bin'
-DB_CHARSET=utf8mb4
+#DB_CHARSET=utf8mb4
-DB_COLLATION=utf8mb4_unicode_ci
+#DB_COLLATION=utf8mb4_unicode_ci
 
 # --------------------------------------------
 # OPTIONAL: SSL DATABASE SETTINGS
@@ -52,17 +52,17 @@ DB_SSL_VERIFY_SERVER=null
 # --------------------------------------------
 # REQUIRED: OUTGOING MAIL SERVER SETTINGS
 # --------------------------------------------
-MAIL_MAILER=smtp
+MAIL_MAILER             =   smtp
-MAIL_HOST=mailhog
+MAIL_HOST               =   {{system_email.host}}                                       # SMTP server address
-MAIL_PORT=1025
+MAIL_PORT               =   {{system_email.host}}                                       # SMTP server address
-MAIL_USERNAME=null
+MAIL_USERNAME           =   {{system_email.username}}                                   # user to connect the SMTP server
-MAIL_PASSWORD=null
+MAIL_PASSWORD           =   {{system_email.password}}                                   # SMTP user's password
-MAIL_TLS_VERIFY_PEER=true
+MAIL_TLS_VERIFY_PEER    =   EMAIL_USE_TLS={{ system_email.tls | lower | capitalize }}   # use TLS (secure) connection with the SMTP server
-MAIL_FROM_ADDR=you@example.com
+MAIL_FROM_ADDR          =   {{system_email.from}}                                       # default email address for the automated emails
-MAIL_FROM_NAME='Snipe-IT'
+MAIL_FROM_NAME          =   'Snipe-IT'
-MAIL_REPLYTO_ADDR=you@example.com
+MAIL_REPLYTO_ADDR       =   {{system_email.from}}                                       # default email address for the automated emails
-MAIL_REPLYTO_NAME='Snipe-IT'
+MAIL_REPLYTO_NAME       =   'Snipe-IT'
-MAIL_AUTO_EMBED_METHOD='attachment'
+MAIL_AUTO_EMBED_METHOD  =   'attachment'
 
 # --------------------------------------------
 # REQUIRED: DATA PROTECTION
@@ -97,12 +97,12 @@ API_TOKEN_EXPIRATION_YEARS=40
 # --------------------------------------------
 # OPTIONAL: SECURITY HEADER SETTINGS
 # --------------------------------------------
-APP_TRUSTED_PROXIES=192.168.1.1,10.0.0.1,172.16.0.0/12
+APP_TRUSTED_PROXIES=172.17.0.1  # Docker Gateway
 ALLOW_IFRAMING=false
 REFERRER_POLICY=same-origin
-ENABLE_CSP=false
+ENABLE_CSP=true
 CORS_ALLOWED_ORIGINS=null
-ENABLE_HSTS=false
+ENABLE_HSTS=false               # Certificates managed by nginx
 
 # --------------------------------------------
 # OPTIONAL: CACHE SETTINGS
@@ -115,7 +115,7 @@ CACHE_PREFIX=snipeit
 # --------------------------------------------
 # OPTIONAL: REDIS SETTINGS
 # --------------------------------------------
-REDIS_HOST=null
+REDIS_HOST=redis
 REDIS_PASSWORD=null
 REDIS_PORT=6379
 

roles/letsencrypt/templates/ssl_credentials.j2

@@ -1,4 +1,4 @@
-{% set ssl_cert_folder = primary_domain if enable_one_letsencrypt_cert_for_all else domain %}
+{% set ssl_cert_folder = primary_domain if enable_wildcard_certificate | bool and primary_domain in domain else domain %}
 ssl_certificate /etc/letsencrypt/live/{{ ssl_cert_folder }}/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/{{ ssl_cert_folder }}/privkey.pem;
 ssl_trusted_certificate /etc/letsencrypt/live/{{ ssl_cert_folder }}/chain.pem;

roles/nginx-docker-cert-deploy/README.md

@@ -23,7 +23,7 @@ This Ansible role simplifies the deployment of **Let's Encrypt certificates** in
 By default, each subdomain gets its own certificate. You can **enable a wildcard certificate** by setting:
 
 ```yaml
-enable_one_letsencrypt_cert_for_all: true
+enable_wildcard_certificate: true
 ```
 
 📌 **Pros & Cons of a Wildcard Certificate:**
@@ -58,7 +58,7 @@ If enabled, update your inventory file and follow the **manual wildcard certific
 ---
 
 ## **🔐 Wildcard Certificate Setup with Let's Encrypt**
-If you enabled `enable_one_letsencrypt_cert_for_all`, follow these steps to manually request a **wildcard certificate**.
+If you enabled `enable_wildcard_certificate`, follow these steps to manually request a **wildcard certificate**.
 
 ### **1️⃣ Run the Certbot Command 🖥️**
 ```sh

roles/nginx-matomo-tracking/templates/matomo-tracking.conf.j2

@@ -1,5 +1,5 @@
 # Deactivate CSP header
-more_set_headers "Content-Security-Policy: ";
+add_header Content-Security-Policy: "";
 
 # sub filters to integrate matomo tracking code in nginx websites
 sub_filter '</head>' '<script>{{matomo_tracking_code_one_liner}}</script></head>';

roles/nginx-www-redirect/meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - nginx

roles/nginx-www-redirect/tasks/main.yml

@@ -5,6 +5,8 @@
     patterns: '*.*.conf'
   register: conf_files
 
+# Filter all domains
+
 - name: Filter domain names and remove .conf extension and path
   set_fact:
     filtered_domains: "{{ conf_files.files | map(attribute='path') | map('regex_search', domain_regex) | select('string') | map('regex_replace', path_regex, '') | map('regex_replace', '.conf$', '') | list }}"
@@ -15,9 +17,69 @@
 - name: The domains for which a www. redirect will be implemented
   debug:
     var: filtered_domains
+  when: mode_debug | bool
 
-- name: Include nginx-domain-redirect role with dynamic domain mappings
+# Routine for domains with primary domain included
+
+- name: Set filtered_domains_with_primary_domain
+  set_fact:
+    filtered_domains_with_primary_domain: "{{ filtered_domains | select('search', primary_domain + '$') | list }}"
+
+- name: Debug with primary domain
+  debug:
+    var: filtered_domains_with_primary_domain
+  when: mode_debug | bool
+
+- name: Include nginx-domain-redirect role with dynamic domain mappings for domains with {{primary_domain}} included
   include_role:
     name: nginx-domain-redirect
   vars:
-    domain_mappings: "{{ filtered_domains | map('regex_replace', '^(.*)$', '{ source: \"www.\\1\", target: \"\\1\" }') | map('from_yaml') | list }}"
+    domain_mappings: "{{ filtered_domains_with_primary_domain | map('regex_replace', '^(.*)$', '{ source: \"www.\\1\", target: \"\\1\" }') | map('from_yaml') | list }}"
+  when: not enable_wildcard_certificate | bool
+
+- name: Include wildcard www. redirect for domains with {{primary_domain}} included
+  vars:
+    domain: "{{primary_domain}}"
+  template: 
+    src:  www.wildcard.conf.j2
+    dest: "{{nginx_www_wildcart_configuration}}"
+  notify: restart nginx
+  when: enable_wildcard_certificate | bool
+
+# Routine for domains without the primary domain included
+
+- name: Set filtered_domains_without_primary_domain
+  set_fact:
+    filtered_domains_without_primary_domain: "{{ filtered_domains | reject('search', primary_domain + '$') | list }}"
+
+- name: Debug domains without primary domain
+  debug:
+    var: filtered_domains_without_primary_domain
+  when: mode_debug | bool
+
+- name: Include nginx-domain-redirect role with dynamic domain mappings for domains without primary domain
+  include_role:
+    name: nginx-domain-redirect
+  vars:
+    domain_mappings: "{{ filtered_domains_without_primary_domain | map('regex_replace', '^(.*)$', '{ source: \"www.\\1\", target: \"\\1\" }') | map('from_yaml') | list }}"
+
+
+# Cleanup
+- name: Cleanup dedicated nginx configurations for www redirect configuration
+  file:
+    path: "{{ nginx.directories.http.servers }}{{ item.source }}.conf"
+    state: absent
+  loop: "{{ filtered_domains_with_primary_domain | map('regex_replace', '^(.*)$', '{ source: \"www.\\1\", target: \"\\1\" }') | map('from_yaml') | list }}"
+  notify: restart nginx
+  when: 
+    - enable_wildcard_certificate | bool
+    - mode_cleanup
+
+- name: Cleanup {{nginx_www_wildcart_configuration}}
+  file:
+    path: "{{nginx_www_wildcart_configuration}}"
+    state: absent
+  notify: restart nginx
+  when: 
+    - not enable_wildcard_certificate | bool
+    - mode_cleanup

roles/nginx-www-redirect/templates/www.wildcard.conf.j2

@@ -0,0 +1,6 @@
+server {
+    server_name ~^www\.(?<domain>.+)$;
+    {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
+
+    return 301 https://$domain$request_uri;
+}

roles/nginx-www-redirect/vars/main.yml

@@ -0,0 +1 @@
+nginx_www_wildcart_configuration: "{{nginx.directories.http.global}}www.wildcard.conf"

roles/nginx/tasks/main.yml

@@ -23,7 +23,7 @@
     state: directory
     mode: '0755'
     recurse: yes
-  loop: "{{ nginx.directories.http + nginx.directories.streams }}"
+  loop: "{{ nginx.directories.http.values() | list + [nginx.directories.streams] }}"
   when: run_once_nginx is not defined
 
 - name: create nginx config file

roles/nginx/templates/nginx.conf.j2

@@ -34,8 +34,9 @@ http
   gzip_types application/atom+xml application/javascript application/xml+rss application/x-javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy text/javascript text/xml;
 
   types_hash_max_size 4096;  
-  include {{nginx.directories.http.maps}}*.conf;
+  {% for dir in nginx.directories.http.values() %}
-  include {{nginx.directories.http.servers}}*.conf;
+  include {{ dir }}*.conf;
+  {% endfor %}
 }
 
 # For port proxies

tasks/recieve-certbot-certificate.yml

@@ -3,21 +3,25 @@
     certbot certonly --agree-tos --email {{ administrator_email }}
     --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ domain }}
     {{ '--test-cert' if mode_test | bool else '' }}
-  when: not enable_one_letsencrypt_cert_for_all
+  when: not enable_wildcard_certificate | bool or primary_domain not in domain
 
 - name: "recieve certbot certificate for *{{ primary_domain }}"
   command: >-
     certbot certonly --agree-tos --email {{ administrator_email }}
     --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ primary_domain }} -d *.{{ primary_domain }}
     {{ '--test-cert' if mode_test | bool else '' }}
-  when: enable_one_letsencrypt_cert_for_all and run_once_recieve_certificate is not defined
+  when: 
+    - enable_wildcard_certificate | bool
+    - primary_domain in domain
+    - run_once_recieve_certificate is not defined
 
 - name: "Cleanup dedicated cert for {{ domain }}"
   command: >-
     certbot delete --cert-name {{ domain }} --non-interactive
   when: 
-    - mode_cleanup
+    - mode_cleanup | bool
-    - enable_one_letsencrypt_cert_for_all
+    - enable_wildcard_certificate | bool
+    - primary_domain in domain
     - domain != primary_domain
   ignore_errors: true