Implemented certbot for cloudflare\hetzner, optimized documentation and solved bugs

docs/guides/administrator/Setup_Guide.md

@@ -19,7 +19,7 @@ This command will setup CyMaIS on your system with the alias **cymais**.
 
 ## Get Help 
 
-After you setuped CyMaIS you can recieve more help by executing: 
+After you setuped CyMaIS you can receive more help by executing: 
 
 ```bash
 cymais --help

group_vars/all/00_general.yml

@@ -88,3 +88,9 @@ enable_wildcard_certificate:              false
 # This enables debugging in ansible and in the apps
 # You SHOULD NOT enable this on production servers
 enable_debug:                             false
+
+# Which ACME method to use: webroot, cloudflare, or hetzner
+certbot_acme_challenge_method:            "webroot"
+certbot_credentials_dir:                  /etc/certbot
+certbot_credentials_file:                 "{{ certbot_credentials_dir }}/{{ certbot_acme_challenge_method }}.ini"
+# certbot_dns_api_token                   # Define in inventory file

group_vars/all/03_domains.yml

@@ -45,6 +45,7 @@ defaults_domains:
   roulette-wheel:          "roulette.{{primary_domain}}"
   snipe_it:                "inventory.{{primary_domain}}"
   sphinx:                  "docs.{{primary_domain}}"
+  syncope:                 "syncope.{{primary_domain}}"
   taiga:                   "kanban.{{primary_domain}}"
   yourls:                  "s.{{primary_domain}}"
   # ATTENTION: Will be owerwritten by the values in domains. Not merged.

group_vars/all/09_ports.yml

@@ -56,6 +56,7 @@ ports:
       fusiondirectory:  8038
       presentation:     8039
       espocrm:          8040
+      syncope:          8041
       bigbluebutton:    48087 # This port is predefined by bbb. @todo Try to change this to a 8XXX port
   # Ports which are exposed to the World Wide Web
   public:

group_vars/all/10_networks.yml

@@ -82,6 +82,8 @@ defaults_networks:
       subnet: 192.168.103.48/28
     espocrm:
       subnet: 192.168.103.64/28
+    syncope:
+      subnet: 192.168.103.80/28
       
     # /24 Networks / 254 Usable Clients
     bigbluebutton:

roles/certbot/README.md

@@ -0,0 +1,32 @@
+# Certbot
+
+## 🔥 Description
+
+This Ansible role automates the installation and configuration of [Certbot](https://certbot.eff.org/), a free and open-source tool for automating the deployment of [Let's Encrypt](https://letsencrypt.org/) certificates. It also handles the setup of DNS plugins for ACME challenges.
+
+## 📖 Overview
+
+Optimized for Archlinux, this role ensures secure SSL/TLS certificate generation with minimal manual intervention. It supports both `webroot` and `DNS-01` validation methods, providing flexibility based on your infrastructure needs.
+
+### Key Features
+- **Automatic Installation:** Installs `certbot` and the necessary DNS plugin via pacman.
+- **Dynamic DNS Plugin Support:** Automatically installs the correct `certbot-dns-<provider>` package based on your selected challenge method.
+- **Credential Management:** Creates secure credential files for DNS API tokens when using DNS-01 validation.
+- **Idempotent Execution:** Tasks are intelligently executed only once per playbook run.
+
+## 🎯 Purpose
+
+The Certbot role provides a ready-to-use, automated solution for SSL/TLS management in your infrastructure. Whether you're managing traditional servers or containerized environments, this role ensures your certificates are always in place and valid.
+
+## 🚀 Features
+
+- **Certbot Installation:** Ensures the latest version of Certbot is installed.
+- **DNS Plugin Installation:** Installs a matching plugin based on your configured ACME challenge method.
+- **Credential Directory Management:** Creates a secured `/etc/certbot` directory with proper permissions.
+- **API Token File Setup:** Manages API token files securely for DNS challenge authentication.
+
+## 🔗 Learn More
+
+- [Certbot Official Website](https://certbot.eff.org/)
+- [Let's Encrypt](https://letsencrypt.org/)
+- [ACME Challenge Types (Wikipedia)](https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment)

roles/certbot/meta/main.yml

@@ -0,0 +1,28 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: "Automates the installation and configuration of Certbot for SSL/TLS certificate management"
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+  galaxy_tags:
+    - certbot
+    - ssl
+    - tls
+    - https
+    - encryption
+    - letsencrypt
+    - acme
+    - automation
+  repository: "https://s.veen.world/cymais"
+  issue_tracker_url: "https://s.veen.world/cymaisissues"
+  documentation: "https://s.veen.world/cymais"
+dependencies: []

roles/certbot/tasks/main.yml

@@ -0,0 +1,41 @@
+- name: install certbot
+  pacman:
+    name: certbot
+    state: present
+  when: run_once_certbot is not defined
+
+- name: install certbot DNS plugin
+  pacman:
+    name: "certbot-dns-{{ certbot_acme_challenge_method }}"
+    state: present
+  when:
+    - run_once_certbot is not defined
+    - certbot_acme_challenge_method != 'webroot'
+
+- name: Ensure /etc/certbot directory exists
+  file:
+    path:   "{{ certbot_credentials_dir }}"
+    state:  directory
+    owner:  root
+    group:  root
+    mode:   '0755'
+  when:
+    - run_once_certbot is not defined
+    - certbot_acme_challenge_method != 'webroot'
+
+- name: Install plugin credentials file
+  copy:
+    dest: "{{ certbot_credentials_file }}"
+    content: |
+      dns_{{ certbot_acme_challenge_method }}_api_token = {{ certbot_dns_api_token }}
+    owner: root
+    group: root
+    mode: '0600'
+  when:
+    - run_once_certbot is not defined
+    - certbot_acme_challenge_method != 'webroot'
+
+- name: run the certbot role once
+  set_fact:
+    run_once_certbot: true
+  when: run_once_certbot is not defined

roles/docker-attendize/tasks/main.yml

@@ -3,7 +3,7 @@
   include_role: 
     name: docker-central-database
 
-- name: "include role for {{application_id}} to recieve certs & do modification routines"
+- name: "include role for {{application_id}} to receive certs & do modification routines"
   include_role:
     name: nginx-https-get-cert-modify-all
   vars:

roles/docker-central-database/vars/database.yml

@@ -4,5 +4,5 @@ database_name:      "{{ application_id }}"
 database_username:  "{{ application_id }}"
 database_port:      "{{ 3306 if database_type == 'mariadb' else 5432 }}"
 database_env:       "{{docker_compose.directories.env}}{{database_type}}.env"
-
-# Don't set application_id . It would conflict with central database logic
+database_url_jdbc:  "jdbc:{{ database_type if database_type == 'mariadb' else 'postgresql' }}://{{ database_host }}:{{ database_port }}/{{ database_name }}"
+database_url_full:  "{{database_type}}://{{database_username}}:{{database_password}}@{{database_host}}:{{database_port}}/{{ database_name }}"

roles/docker-funkwhale/templates/env.j2

@@ -118,4 +118,4 @@ LDAP_ROOT_DN        =   "{{ldap.dn.root}}"
 
 FUNKWHALE_FRONTEND_PATH=/srv/funkwhale/front/dist
 
-DATABASE_URL = postgresql://{{database_username}}:{{database_password}}@{{database_host}}:{{database_port}}/{{ database_name }}
+DATABASE_URL = {{ database_url_full }}

roles/docker-keycloak/templates/env.j2

@@ -13,7 +13,7 @@ KC_METRICS_ENABLED=             true
 KEYCLOAK_ADMIN=                 "{{applications.keycloak.users.administrator.username}}"
 KEYCLOAK_ADMIN_PASSWORD=        "{{applications.keycloak.administrator_password}}"
 KC_DB=                          postgres
-KC_DB_URL=                      jdbc:postgresql://{{database_host}}/{{database_name}}
+KC_DB_URL=                      {{database_url_jdbc}}
 KC_DB_USERNAME=                 {{database_username}}
 KC_DB_PASSWORD=                 {{database_password}}
 

roles/docker-mastodon/tasks/create-administrator.yml

@@ -11,7 +11,12 @@
   command: 
     cmd: 'docker compose exec -u root web bash -c "RAILS_ENV=production bin/tootctl accounts create {{users.administrator.username}} --email {{users.administrator.email}} --confirmed --role Owner"'
     chdir: "{{docker_compose.directories.instance}}"
-  ignore_errors: true
+  register: tootctl_create
+  changed_when: tootctl_create.rc == 0
+  failed_when: >
+    tootctl_create.rc != 0
+    and
+    ("taken" not in tootctl_create.stderr | lower)
     
 - name: Approve the administrator account in Mastodon
   command: 

roles/docker-matrix-compose/tasks/main.yml

@@ -3,7 +3,7 @@
   include_role: 
     name: docker-central-database
 
-- name: "include role for {{application_id}} to recieve certs & do modification routines"
+- name: "include role for {{application_id}} to receive certs & do modification routines"
   include_role:
     name: nginx-https-get-cert-modify-all
   vars:

roles/docker-mybb/tasks/setup-domain.yml

@@ -1,4 +1,4 @@
-{# Recieves https certificate and setup proxy with domain replace #}
+{# receives https certificate and setup proxy with domain replace #}
 
 - name: "include role receive certbot certificate"
   include_role: 

roles/docker-nextcloud/docs/Applications.md

@@ -2,8 +2,8 @@
 
 Details on specific apps like Cospend, including related SQL queries and debugging tips.
 
-## Recieve Plugin Information
-To recieve the relevant configuration options for a plugin type:
+## receive Plugin Information
+To receive the relevant configuration options for a plugin type:
 ```bash
 docker compose exec -u www-data application php occ config:list oidc_login
 ```

roles/docker-nextcloud/tasks/main.yml

@@ -19,7 +19,7 @@
   # Not all type of changes take instantly place. Due to this reason a rebuild is required.
   notify: docker compose project setup
 
-- name: "include role for {{application_id}} to recieve certs & do modification routines"
+- name: "include role for {{application_id}} to receive certs & do modification routines"
   include_role:
     name: nginx-https-get-cert-modify-all
 

roles/docker-openproject/templates/env.j2

@@ -11,7 +11,7 @@ OPENPROJECT_HOST__NAME={{domains[application_id]}}
 OPENPROJECT_RAILS__RELATIVE__URL__ROOT=
 IMAP_ENABLED=false
 POSTGRES_PASSWORD="{{ database_password }}"
-DATABASE_URL="postgres://{{ database_username }}:{{ database_password }}@{{database_host}}/{{database_name}}?pool=20&encoding=unicode&reconnect=true"
+DATABASE_URL="{{ database_url_full }}?pool=20&encoding=unicode&reconnect=true"
 RAILS_MIN_THREADS=4
 RAILS_MAX_THREADS=16
 OPENPROJECT_HSTS=true

roles/docker-peertube/tasks/create-domains.yml

@@ -1,4 +1,4 @@
-- name: "include role for {{application_id}} to recieve certs & do modification routines"
+- name: "include role for {{application_id}} to receive certs & do modification routines"
   include_role:
     name: nginx-https-get-cert-modify-all
 

roles/docker-syncope/README.md

@@ -0,0 +1,35 @@
+# Syncope (DRAFT)
+
+## 🔥 Description
+
+[Apache Syncope](https://syncope.apache.org/) is a powerful and flexible open-source system for managing digital identities in enterprise environments. It offers Identity Governance and Administration (IGA) capabilities, including user provisioning, role management, auditing, workflow integration, and more. Syncope is designed to handle complex identity life cycles across multiple systems, both on-premise and in the cloud.
+
+This role deploys Apache Syncope using Docker Compose, automating the setup of its core services, database, and reverse proxy integration.
+
+## 📖 Overview
+
+Optimized for Archlinux, this role brings up a fully functional Syncope stack based on the official [Docker Compose samples](https://syncope.apache.org/docs/getting-started.html#docker-compose-samples). It includes all core components like Syncope Core, Console, and Enduser, with secure environment management and HTTPS integration.
+
+### Key Features
+- **Complete Identity Management:** Centralized user, group, and policy management.
+- **Extensible Architecture:** Integrates easily with external identity providers (LDAP, Active Directory, etc.).
+- **Modern Interfaces:** Provides REST APIs and web consoles for administrators and end-users.
+- **Open Standards Support:** SAML 2.0, OAuth 2.0, OpenID Connect, SCIM.
+
+## 🎯 Purpose
+
+The Syncope (Docker Deployment) role provides a fully automated environment for testing, development, or production setups of Apache Syncope, simplifying the complexities of IAM deployment.
+
+## 🚀 Features
+
+- **PostgreSQL Database Setup:** Integrated database management for Syncope.
+- **Syncope Core + Console + Enduser Deployment:** All critical services brought up automatically.
+- **Nginx Reverse Proxy with SSL:** Secured access with HTTPS termination.
+- **Credential and Secrets Management:** Handles sensitive user credentials securely.
+- **Customizable Paths and Environment:** Easy adjustment for your domain and access paths.
+
+## 🔗 Learn More
+
+- [Apache Syncope Official Website](https://syncope.apache.org/)
+- [Apache Syncope Documentation](https://syncope.apache.org/docs/)
+- [Identity Management (Wikipedia)](https://en.wikipedia.org/wiki/Identity_management)

roles/docker-syncope/TODO.md

@@ -0,0 +1,2 @@
+# Todos
+- Implement this draft

roles/docker-syncope/meta/main.yml

@@ -0,0 +1,28 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: |
+    Apache Syncope is an open-source Identity and Access Management (IAM) system, offering centralized identity governance, user provisioning, role management, and workflow integration.
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+  galaxy_tags:
+    - docker
+    - syncope
+    - iam
+    - identity
+    - management
+    - nginx
+    - https
+    - automation
+  repository: "https://s.veen.world/cymais"
+  issue_tracker_url: "https://s.veen.world/cymaisissues"
+  documentation: "https://s.veen.world/cymais"

roles/docker-syncope/tasks/main.yml

@@ -0,0 +1,31 @@
+---
+- name: "include docker-central-database"
+  include_role: 
+    name: docker-central-database
+
+- name: "include role for {{application_id}} to receive certs & do modification routines"
+  include_role:
+    name: nginx-https-get-cert-modify-all
+
+- name: configure {{domain}}.conf
+  template: 
+    src:  "templates/proxy.conf.j2"
+    dest: "{{nginx.directories.http.servers}}{{domain}}.conf"
+  notify: restart nginx
+
+- name: configure {{domain}}.conf
+  template: 
+    src:  "templates/proxy.conf.j2"
+    dest: "{{nginx.directories.http.servers}}{{domain}}.conf"
+  notify: restart nginx
+
+- name: "create {{docker_compose.files.env}}"
+  template: 
+    src:  "database.j2" 
+    dest: "{{docker_compose.files.env}}"
+    mode: '770'
+    force: yes
+  notify: docker compose project setup
+
+- name: "copy docker-compose.yml and env file"
+  include_tasks: copy-docker-compose-and-env.yml

roles/docker-syncope/templates/database.env.j2

@@ -0,0 +1,5 @@
+DB_URL={{ database_url_jdbc }}?stringtype=unspecified
+DB_USER=DB_URL={{ database_username }}
+DB_PASSWORD={{ database_password }}
+DB_POOL_MAX=20
+DB_POOL_MIN=5

roles/docker-syncope/templates/docker-compose.yml.j2

@@ -0,0 +1,40 @@
+services:
+
+{% include 'roles/docker-central-database/templates/services/' + database_type + '.yml.j2' %}
+
+   application: 
+     depends_on:
+       - db
+     image: apache/syncope:{{ applications[application_id].version }}
+     ports:
+       - "18080:8080"
+     restart: always
+{% include 'roles/docker-compose/templates/services/base.yml.j2' %}
+     environment:
+       SPRING_PROFILES_ACTIVE: docker,postgresql,saml2
+       OPENJPA_REMOTE_COMMIT: sjvm
+       SERVICE_DISCOVERY_ADDRESS: {{ web_protocol }}://{{ domains[application_id] }}/{{syncope_paths[rest]}}/
+    # database variablen auslesen
+
+   console: 
+     depends_on:
+       - syncope
+     image: apache/syncope-console:{{ applications[application_id].version }}
+     ports:
+       - "28080:8080"
+     restart: always
+     environment:
+       SPRING_PROFILES_ACTIVE: docker,saml2
+       SERVICE_DISCOVERY_ADDRESS: {{ web_protocol }}://{{ domains[application_id] }}/{{syncope_paths[console]}}/
+
+   enduser: 
+     depends_on:
+       - syncope
+     image: apache/syncope-enduser:{{ applications[application_id].version }}
+     ports:
+       - "38080:8080"
+     restart: always
+     environment:
+       SPRING_PROFILES_ACTIVE: docker,saml2
+       SERVICE_DISCOVERY_ADDRESS: {{ web_protocol }}://{{ domains[application_id] }}/{{syncope_paths[enduser]}}/
+       

roles/docker-syncope/templates/env.j2

@@ -0,0 +1,12 @@
+# Default variables
+
+KEYMASTER_USERNAME={{ syncope_anonymous_user }}
+KEYMASTER_PASSWORD={{ syncope_anonymous_password }}
+ANONYMOUS_USER={{ syncope_anonymous_user }}
+ANONYMOUS_KEY={{ syncope_anonymous_password }}
+KEYMASTER_ADDRESS={{ syncope_keymaster_address }}
+
+# Spring Boot Variables
+# @See https://docs.spring.io/spring-boot/docs/2.0.9.RELEASE/reference/html/boot-features-external-config.html
+SECURITY_ADMINUSER={{ syncope_administrator_user }}
+SECURITY_ADMINPASSWORD={{ syncope_administrator_password }}

roles/docker-syncope/templates/proxy.conf

@@ -0,0 +1,22 @@
+server
+{
+  server_name {{domain}};
+
+  {% if applications | get_oauth2_enabled(application_id) %}
+    {% include 'roles/docker-oauth2-proxy/templates/endpoint.conf.j2'%}
+  {% endif %}
+
+  {% include 'roles/nginx-modifier-all/templates/global.includes.conf.j2'%}
+  
+  {% if nginx_docker_reverse_proxy_extra_configuration is defined %}
+    {# Additional Domain Specific Configuration #}
+    {{nginx_docker_reverse_proxy_extra_configuration}}
+  {% endif %}
+
+  {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
+
+  {% for path in syncope_paths.values() %}
+    {% set location =  web_protocol ~ '://' ~ domains[application_id] ~ '/' ~ path ~ '/' %}
+    {% include 'roles/nginx-docker-reverse-proxy/templates/location/proxy_basic.conf.j2'%}
+  {% endfor %}
+}

roles/docker-syncope/vars/main.yml

@@ -0,0 +1,17 @@
+# General Configuration
+application_id:                 syncope
+database_type:                  "postgres"
+database_password:              {{ domains[application_id].credentials.database.password }}
+
+# Application Specific
+syncope_keymaster_address:      http://localhost:8080/syncope/rest/keymaster
+syncope_paths:
+  rest:                         rest
+  console:                      console
+  enduser:                      enduser
+
+syncope_anonymous_user:         {{ domains[application_id].users.anonymous.username }}
+syncope_anonymous_password:     {{ domains[application_id].credentials.anonymous.password }}
+
+syncope_administrator_user:     {{ domains[application_id].users.administrator.username }}
+syncope_administrator_password: {{ domains[application_id].credentials.administrator.password }}

roles/nginx-certbot/README.md

@@ -0,0 +1,33 @@
+# Nginx Certbot Automation
+
+## 🔥 Description
+
+This role automates the setup of an automatic [Let's Encrypt](https://letsencrypt.org/) certificate renewal system for Nginx using [Certbot](https://certbot.eff.org/). It ensures that SSL/TLS certificates are renewed seamlessly in the background and that Nginx reloads automatically after successful renewals.
+
+## 📖 Overview
+
+Optimized for Archlinux systems, this role installs the `certbot-nginx` package, configures a dedicated `systemd` service for certificate renewal, and integrates with a `systemd-timer` to schedule periodic renewals. After a renewal, Nginx is reloaded to apply the updated certificates immediately.
+
+### Key Features
+- **Automatic Renewal:** Schedules unattended certificate renewals using systemd-timers.
+- **Seamless Nginx Reload:** Reloads the Nginx service automatically after successful renewals.
+- **Systemd Integration:** Manages renewal operations reliably with `systemd` and `systemd-notifier`.
+- **Quiet and Safe Operation:** Uses `--quiet` and `--agree-tos` flags to ensure non-interactive renewals.
+
+## 🎯 Purpose
+
+The Nginx Certbot Automation role ensures that Let's Encrypt SSL/TLS certificates stay valid without manual intervention. It enhances the security and reliability of web services by automating certificate lifecycle management.
+
+## 🚀 Features
+
+- **Certbot-Nginx Package Installation:** Installs required certbot plugins for Nginx.
+- **Custom Systemd Service:** Configures a lightweight, dedicated renewal service.
+- **Timer Setup:** Uses systemd-timer to run certbot renewals periodically.
+- **Failure Notification:** Integrated with `systemd-notifier` for alerting on failures.
+
+## 🔗 Learn More
+
+- [Certbot Official Website](https://certbot.eff.org/)
+- [Let's Encrypt](https://letsencrypt.org/)
+- [Systemd (Wikipedia)](https://en.wikipedia.org/wiki/Systemd)
+- [HTTPS (Wikipedia)](https://en.wikipedia.org/wiki/HTTPS)

roles/nginx-certbot/meta/main.yml

@@ -1,3 +1,32 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: |
+    Automates Let's Encrypt SSL/TLS certificate renewals for Nginx using Certbot and systemd services with automatic reloads after successful renewals.
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+  galaxy_tags:
+    - nginx
+    - certbot
+    - ssl
+    - tls
+    - letsencrypt
+    - https
+    - systemd
+    - automation
+  repository: "https://s.veen.world/cymais"
+  issue_tracker_url: "https://s.veen.world/cymaisissues"
+  documentation: "https://s.veen.world/cymais"
 dependencies:
-- nginx
-- systemd-notifier
+  - certbot
+  - nginx
+  - systemd-notifier

roles/nginx-certbot/tasks/main.yml

@@ -1,6 +1,7 @@
 - name: install certbot
   pacman:
-    name: [certbot,certbot-nginx]
+    name:
+      - certbot-nginx
     state: present
   when: run_once_nginx_certbot is not defined
 

roles/nginx-domain-setup/tasks/main.yml

@@ -1,4 +1,4 @@
-- name: "include role for {{domain}} to recieve certificates and do the modification routines"
+- name: "include role for {{domain}} to receive certificates and do the modification routines"
   include_role:
     name: nginx-https-get-cert-modify-all
     

roles/nginx-domains-cleanup/tasks/main.yml

@@ -1,8 +1,9 @@
 ---
 - name: "Remove Nginx configuration for deprecated domains"
-  ansible.builtin.file:
-    path: "/etc/nginx/conf.d/http/servers/{{ item }}"
-    state: absent
+  ansible.builtin.command:
+    cmd: >-
+      rm -fv /etc/nginx/conf.d/http/servers/*.{{ item }}.conf;
+      rm -fv /etc/nginx/conf.d/http/servers/{{ item }}.conf
   loop: "{{ deprecated_domains }}"
   loop_control:
     label: "{{ item }}"
@@ -11,6 +12,7 @@
     - mode_cleanup | bool
     - run_once_nginx_domains_cleanup is not defined
 
+# The revoking just works for the base domain
 - name: "Revoke Certbot certificate for {{ item }}"
   ansible.builtin.command:
     cmd: "certbot revoke -n --cert-name {{ item }}"
@@ -21,7 +23,9 @@
   when:
     - mode_cleanup | bool
     - run_once_nginx_domains_cleanup is not defined
+  ignore_errors: true
 
+# The deleting just works for the base domain
 - name: "Delete Certbot certificate for {{ item }}"
   ansible.builtin.command:
     cmd: "certbot delete -n --cert-name {{ item }}"
@@ -32,6 +36,7 @@
   when:
     - mode_cleanup | bool
     - run_once_nginx_domains_cleanup is not defined
+  ignore_errors: true
 
 - name: run the nginx_domains_cleanup role once
   set_fact:

roles/nginx-https-get-cert/README.md

@@ -1,39 +1,35 @@
-# Let's Encrypt Certificate Role
+# Nginx HTTPS Certificate Retrieval
 
-This Ansible role uses Certbot to obtain Let's Encrypt SSL/TLS certificates. It supports both dedicated and wildcard certificate requests based on domain conditions. It can also clean up (delete) dedicated certificates when cleanup mode is enabled.
+## 🔥 Description
 
-## Features
+This role automates the retrieval of [Let's Encrypt](https://letsencrypt.org/) SSL/TLS certificates using [Certbot](https://certbot.eff.org/) for domains served via Nginx. It supports both single-domain and wildcard certificates, and can use either the DNS or webroot ACME challenge methods.
 
-- **Dedicated Certificate Request:**  
-  Requests a certificate for a given domain using Certbot's `certonly` command with the webroot plugin.
+## 📖 Overview
 
-- **Wildcard Certificate Request:**  
-  When enabled, obtains a wildcard certificate for the primary domain (including both the primary domain and all its direct subdomains).
+Designed for Archlinux systems, this role handles issuing certificates per domain and optionally cleans up redundant certificates if wildcard certificates are used. It intelligently decides whether to issue a standard or wildcard certificate based on the domain structure and your configuration.
 
-- **Certificate Cleanup:**  
-  Provides an option to delete dedicated certificates if cleanup mode is active.
+### Key Features
+- **Single Domain and Wildcard Support:** Handles both individual domains and wildcard domains (`*.example.com`).
+- **DNS and Webroot Challenges:** Dynamically selects the correct ACME challenge method.
+- **Certificate Renewal Logic:** Skips renewal if the certificate is still valid.
+- **Optional Cleanup:** Deletes redundant domain certificates when wildcard certificates are used.
+- **Non-Interactive Operation:** Fully automated using `--non-interactive` and `--agree-tos`.
 
-- **Run Once for Wildcard:**  
-  Ensures that the wildcard certificate task runs only once to prevent duplicate requests.
+## 🎯 Purpose
 
-## Tasks Overview
+The Nginx HTTPS Certificate Retrieval role ensures that your Nginx-served domains have valid, automatically issued SSL/TLS certificates, improving web security without manual intervention.
 
-- **Receive Dedicated Certificate:**  
-  Executes Certbot to request a dedicated certificate for `{{ domain }}` when a wildcard certificate is not applicable.
+## 🚀 Features
 
-- **Receive Wildcard Certificate:**  
-  Executes Certbot to request a wildcard certificate for `*{{ primary_domain }}` under the appropriate conditions.
+- **ACME Challenge Selection:** Supports DNS plugins or webroot method automatically.
+- **Wildcard Certificate Management:** Issues wildcard certificates when configured, saving effort for subdomain-heavy deployments.
+- **Safe Cleanup:** Ensures that no unused certificates are left behind.
+- **Flexible Control:** Supports `mode_test` for staging environment testing and `mode_cleanup` for cert cleanup operations.
 
-- **Cleanup Dedicated Certificate:**  
-  Runs Certbot's delete command to remove the dedicated certificate if cleanup mode is active.
+## 🔗 Learn More
 
-- **Run Once Flag:**  
-  Sets a fact to ensure that the wildcard certificate task is executed only once per playbook run.
-
-## Author
-
-This role is authored by [Kevin Veen-Birkenbach](https://www.veen.world).
-
----
-
-Feel free to contribute or open issues if you have suggestions or encounter any problems with the role. Enjoy secure connections with Let's Encrypt and Ansible!
+- [Certbot Official Website](https://certbot.eff.org/)
+- [Let's Encrypt](https://letsencrypt.org/)
+- [Wildcard Certificates (Wikipedia)](https://en.wikipedia.org/wiki/Wildcard_certificate)
+- [HTTPS (Wikipedia)](https://en.wikipedia.org/wiki/HTTPS)
+- [ACME Protocol (Wikipedia)](https://en.wikipedia.org/wiki/Automated_Certificate_Management_Environment)

roles/nginx-https-get-cert/meta/main.yml

@@ -1,2 +1,31 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: |
+    Automates the retrieval of Let's Encrypt SSL/TLS certificates for Nginx domains using Certbot, supporting both single-domain and wildcard certificates with DNS and webroot ACME challenges.
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+  galaxy_tags:
+    - nginx
+    - certbot
+    - letsencrypt
+    - ssl
+    - tls
+    - acme
+    - https
+    - wildcard
+    - automation
+  repository: "https://s.veen.world/cymais"
+  issue_tracker_url: "https://s.veen.world/cymaisissues"
+  documentation: "https://s.veen.world/cymais"
 dependencies:
-- nginx-https
+  - nginx-https

roles/nginx-https-get-cert/tasks/main.yml

@@ -1,8 +1,21 @@
-- name: "recieve dedicated certificate for {{ domain }}"
+- name: "receive dedicated certificate for {{ domain }}"
   command: >-
-    certbot certonly --agree-tos --email {{ users.administrator.email }}
-    --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ domain }}
+    certbot certonly 
+    --agree-tos 
+    --email {{ users.administrator.email }}
+    --non-interactive 
+    {% if certbot_acme_challenge_method != "webroot" %}
+    --dns-{{ certbot_acme_challenge_method }}
+    --dns-{{ certbot_acme_challenge_method }}-credentials {{ certbot_credentials_file }}
+    --dns-{{ certbot_acme_challenge_method }}-propagation-seconds 60
+    {% else %}
+    --webroot 
+    -w /var/lib/letsencrypt/ 
+    {% endif %}
+    -d {{ domain }}
     {{ '--test-cert' if mode_test | bool else '' }}
+  register: certbot_result
+  changed_when: "'Certificate not yet due for renewal' not in certbot_result.stdout"
   when: 
     - not enable_wildcard_certificate | bool or not (domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain))
       # Wildcard certificate should not be used
@@ -10,17 +23,31 @@
 
 # The following should not work, checkout the Setup.md instructions. 
 # @see https://chatgpt.com/share/67efa9f0-1cdc-800f-8bce-62b00fc3e6a2
-- name: "recieve wildcard certificate *{{ primary_domain }} for {{domain}}"
+- name: "receive wildcard certificate *{{ primary_domain }} for {{domain}}"
   command: >-
-    certbot certonly --agree-tos --email {{ users.administrator.email }}                                          
-    --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ primary_domain }} -d *.{{ primary_domain }}
+    certbot certonly 
+    --agree-tos 
+    --email {{ users.administrator.email }}                                          
+    --non-interactive 
+    {% if certbot_acme_challenge_method != "webroot" %}
+    --dns-{{ certbot_acme_challenge_method }}
+    --dns-{{ certbot_acme_challenge_method }}-credentials {{ certbot_credentials_file }}
+    --dns-{{ certbot_acme_challenge_method }}-propagation-seconds 60
+    {% else %}
+    --webroot 
+    -w /var/lib/letsencrypt/ 
+    {% endif %}
+    -d {{ primary_domain }} 
+    -d *.{{ primary_domain }}
     {{ '--test-cert' if mode_test | bool else '' }}
+  register: certbot_result
+  changed_when: "'Certificate not yet due for renewal' not in certbot_result.stdout"
   when:
     - enable_wildcard_certificate | bool  
       # Wildcard certificate is enabled
     - domain.split('.') | length == (primary_domain.split('.') | length + 1) and domain.endswith(primary_domain)
       # AND: The domain is a direct first-level subdomain of the primary domain
-    - run_once_recieve_certificate is not defined  
+    - run_once_receive_certificate is not defined  
       # Ensure this task runs only once for the wildcard certificate
   ignore_errors: true
 
@@ -40,7 +67,7 @@
   failed_when: certbot_result.rc != 0 and ("No certificate found with name" not in certbot_result.stderr)
   changed_when: certbot_result.rc == 0 and ("No certificate found with name" not in certbot_result.stderr)
 
-- name: run the recieve_certificate tasks once
+- name: run the receive_certificate tasks once
   set_fact:
-    run_once_recieve_certificate: true
-  when: run_once_recieve_certificate is not defined
+    run_once_receive_certificate: true
+  when: run_once_receive_certificate is not defined

roles/nginx-serve-files/README.md

@@ -1,3 +1,35 @@
 # Nginx File Server
 
-This Ansible role configures an Nginx server to serve files.
+## 🔥 Description
+
+The Nginx File Server role sets up a simple and secure static file server using [Nginx](https://nginx.org/). It provides an easy way to serve files over HTTPS, including directory listing, `.well-known` support, and automatic SSL/TLS certificate integration via Let's Encrypt.
+
+## 📖 Overview
+
+Optimized for Archlinux, this role configures Nginx to act as a lightweight and efficient file server. It ensures that files are served securely, with optional directory browsing enabled, and proper MIME type handling for standard web clients.
+
+### Key Features
+- **HTTPS Secured File Hosting:** Automatically retrieves SSL/TLS certificates using Let's Encrypt.
+- **Autoindex Directory Listing:** Displays files and folders in a clean and human-readable format.
+- **.well-known Support:** Fully supports ACME and other `.well-known` path requirements.
+- **Customizable File Path:** Easily adjust the root directory for your files through Ansible variables.
+- **Local Time Display:** Enhances directory listings by showing local timestamps.
+
+## 🎯 Purpose
+
+The Nginx File Server role is ideal for hosting static files, sharing resources internally or externally, and serving ACME challenges for certificate issuance. It offers a reliable and minimalistic alternative to more complex file-sharing solutions.
+
+## 🚀 Features
+
+- **Automatic SSL/TLS Certificate Management:** Integrates with Let's Encrypt for secure access.
+- **Simple Configuration:** Minimal setup with clear, maintainable templates.
+- **Directory Listings:** Enables browsing through served files with human-readable file sizes and timestamps.
+- **Static Content Hosting:** Serve any type of static files (documents, software, media, etc.).
+- **Well-Known Folder Support:** Allows serving validation files and other standardized resources easily.
+
+## 🔗 Learn More
+
+- [Nginx Official Website](https://nginx.org/)
+- [Let's Encrypt](https://letsencrypt.org/)
+- [HTTP File Server (Wikipedia)](https://en.wikipedia.org/wiki/HTTP_File_Server)
+- [HTTPS (Wikipedia)](https://en.wikipedia.org/wiki/HTTPS)

roles/nginx-serve-files/meta/main.yml

@@ -1,3 +1,30 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: |
+    Configures an Nginx-based file server with HTTPS support, automatic SSL/TLS certificate retrieval, directory listing, and .well-known handling for secure static file hosting.
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+  galaxy_tags:
+    - nginx
+    - https
+    - file-server
+    - static-files
+    - ssl
+    - letsencrypt
+    - automation
+  repository: "https://s.veen.world/cymais"
+  issue_tracker_url: "https://s.veen.world/cymaisissues"
+  documentation: "https://s.veen.world/cymais"
 dependencies:
-- nginx-https
-- git
+  - nginx-https
+  - git

roles/nginx-serve-files/tasks/main.yml

@@ -1,5 +1,5 @@
 ---
-- name: "include role for {{application_id}} to recieve certs & do modification routines"
+- name: "include role for {{application_id}} to receive certs & do modification routines"
   include_role:
     name: nginx-https-get-cert-modify-all
   vars:

roles/nginx-serve-html/README.md

@@ -1,6 +1,38 @@
-# Nginx Homepage Role
+# Nginx Static HTML Server
 
-This Ansible role configures an Nginx server to serve a static homepage. It handles domain configuration, SSL certificate retrieval with Let's Encrypt.
+## 🔥 Description
 
-## Author Information
-This role was created in 2023 by [Kevin Veen Birkenbach](https://www.veen.world/).
+This role configures an [Nginx](https://nginx.org/) server to host a static HTML homepage securely over HTTPS. It automates domain configuration, SSL/TLS certificate retrieval using [Let's Encrypt](https://letsencrypt.org/), and ensures your site is ready for production with minimal setup.
+
+## 📖 Overview
+
+Optimized for Archlinux environments, this role provides a lightweight, reliable solution for serving static websites. It automatically configures Nginx to serve files from a predefined directory, sets up secure HTTPS connections, and includes support for `.well-known` paths required by ACME challenges.
+
+### Key Features
+- **Static Site Hosting:** Serves HTML, CSS, JavaScript, and other static files.
+- **Let's Encrypt Integration:** Automatically requests and installs SSL/TLS certificates.
+- **Simple Root Configuration:** Defines a clean webroot with `index.html` support.
+- **Secure by Default:** Includes modern SSL headers and best practices via Nginx.
+- **.well-known Support:** Ensures full ACME challenge compatibility.
+
+## 🎯 Purpose
+
+The Nginx Static HTML Server role provides a simple and efficient method to publish static websites with HTTPS, perfect for personal homepages, landing pages, or small projects.
+
+## 🚀 Features
+
+- **Automatic HTTPS Certificates:** Handles secure certificate issuance via Let's Encrypt.
+- **Minimal Nginx Setup:** Clean and optimized default configurations.
+- **Highly Portable:** Works out-of-the-box with minimal variables.
+- **Local Time Support:** Properly displays directory listing timestamps when needed.
+
+## 🔗 Learn More
+
+- [Nginx Official Website](https://nginx.org/)
+- [Let's Encrypt](https://letsencrypt.org/)
+- [Static Web Page (Wikipedia)](https://en.wikipedia.org/wiki/Static_web_page)
+- [HTTPS (Wikipedia)](https://en.wikipedia.org/wiki/HTTPS)
+
+## 🧑‍💻 Author Information
+
+Created in 2023 by [Kevin Veen-Birkenbach](https://www.veen.world/)

roles/nginx-serve-html/meta/main.yml

@@ -1,3 +1,31 @@
+---
+galaxy_info:
+  author: "Kevin Veen-Birkenbach"
+  description: |
+    Configures an Nginx server to host static HTML websites with HTTPS support, automatic SSL certificate retrieval via Let's Encrypt, and secure default settings.
+  license: "CyMaIS NonCommercial License (CNCL)"
+  license_url: "https://s.veen.world/cncl"
+  company: |
+    Kevin Veen-Birkenbach
+    Consulting & Coaching Solutions
+    https://www.veen.world
+  min_ansible_version: "2.9"
+  platforms:
+    - name: Archlinux
+      versions:
+        - rolling
+  galaxy_tags:
+    - nginx
+    - https
+    - static
+    - html
+    - letsencrypt
+    - ssl
+    - homepage
+    - automation
+  repository: "https://s.veen.world/cymais"
+  issue_tracker_url: "https://s.veen.world/cymaisissues"
+  documentation: "https://s.veen.world/cymais"
 dependencies:
-- nginx-https
-- git
+  - nginx-https
+  - git

roles/nginx-serve-html/tasks/main.yml

@@ -1,5 +1,5 @@
 ---
-- name: "include role for {{application_id}} to recieve certs & do modification routines"
+- name: "include role for {{application_id}} to receive certs & do modification routines"
   include_role:
     name: nginx-https-get-cert-modify-all
   vars:

roles/pkgmgr-install/tasks/main.yml

@@ -1,17 +1,16 @@
-- name: "pkgmgr installation tasks"
-  become: "{{ pkgmgr_become }}"
-  block:
-    - name: update pkgmgr
-      command:
-        cmd: "pkgmgr update pkgmgr"
-      when: run_once_pkgmgr_update is not defined
+- name: update pkgmgr
+  shell: |
+    source ~/.venvs/pkgmgr/bin/activate
+    pkgmgr update pkgmgr
+  when: run_once_pkgmgr_update is not defined
 
-    - name: update {{ package_name }}
-      command:
-        cmd: "pkgmgr update {{ package_name }} --dependencies --clone-mode https"
-      notify: "{{ package_notify | default(omit) }}"
+- name: update {{ package_name }}
+  shell: |
+    source ~/.venvs/pkgmgr/bin/activate
+    pkgmgr update {{ package_name }} --dependencies --clone-mode https
+  notify: "{{ package_notify | default(omit) }}"
   
-    - name: mark pkgmgr update as done
-      set_fact:
-        run_once_pkgmgr_update: true
-      when: run_once_pkgmgr_update is not defined
+- name: mark pkgmgr update as done
+  set_fact:
+    run_once_pkgmgr_update: true
+  when: run_once_pkgmgr_update is not defined

roles/pkgmgr/tasks/main.yml

@@ -38,9 +38,12 @@
   when: run_once_package_manager is not defined
 
 - name: Run the Package Manager install command to create an alias for Kevins package manager
-  command: "make setup"
+  shell: |
+    source ~/.venvs/pkgmgr/bin/activate
+    make setup
   args:
     chdir: "{{ pkgmgr_install_path }}"
+    executable: /bin/bash
   become: yes
   when: run_once_package_manager is not defined
 

templates/vars/applications.yml.j2

@@ -797,6 +797,20 @@ defaults_applications:
   'iframe':   	false,
 }) }}{% raw %}
 
+#  syncope:
+#    version:         "latest"
+#    credentials:
+#     anonymous:
+#       password:     # Set in environment file
+#     database:
+#       password:     # Set in environment file
+#     administrator:
+#       password:       "{{ users.administrator.password }}"
+#     users:
+#       administrator:
+#         username:     "{{ users.administrator.username }}"
+
+
   ## Taiga
   taiga:
     version:                      "latest"