kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-09-14 14:26:04 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
2d71c461de6b7bbb06b7f222736cfabdc1a70452
computer-playbook/roles/sys-svc-letsencrypt
History
Kevin Veen-Birkenbach a552ea175d feat(dns): add sys-svc-dns role and extend parent DNS handling 
Introduce sys-svc-dns to bootstrap Cloudflare DNS prerequisites. Validates CLOUDFLARE_API_TOKEN, (optionally) manages CAA for base SLDs, and delegates parent record creation to sys-dns-parent-hosts. Wired into sys-stk-front-pure.

sys-dns-parent-hosts: new parent_dns filter builds A/AAAA for each parent host and wildcard children (*.parent). Supports dict/list inputs for CURRENT_PLAY_DOMAINS, optional IPv6, proxied flag, and optional *.apex. Exposes a single parent_build_records entry point.

Let’s Encrypt role cleanup: remove DNS/C AA management from sys-svc-letsencrypt; it now focuses on webroot challenge config and renew timer. Fixed path joins and run_once guards.

Tests: update unit tests to allow wildcard outputs and dict-based CURRENT_PLAY_DOMAINS. Add generate_base_sld_domains filter. Documentation updates for both roles.

Conversation: https://chatgpt.com/share/68c342f7-d20c-800f-b61f-cefeebcf1cd8
2025-09-11 23:47:27 +02:00
..
meta
Refactored server roles for better readability
2025-09-01 18:08:35 +02:00
tasks
feat(dns): add sys-svc-dns role and extend parent DNS handling
2025-09-11 23:47:27 +02:00
templates
Refactored server roles for better readability
2025-09-01 18:08:35 +02:00
README.md
Refactored server roles for better readability
2025-09-01 18:08:35 +02:00
TODO.md
feat(dns): add sys-svc-dns role and extend parent DNS handling
2025-09-11 23:47:27 +02:00

README.md

Lets Encrypt SSL for Nginx 🔐

Description

Automates obtaining, configuring, and renewing Lets Encrypt SSL certificates for Nginx with Certbot. Keeps your sites secure with minimal fuss! 🌐

Overview

This Ansible role sets up the necessary Nginx configuration and Certbot integration to:

  • Redirect HTTP traffic to HTTPS
  • Serve the ACME challenge for certificate issuance
  • Apply strong SSL/TLS defaults
  • Schedule automatic renewals

Its idempotent: configuration and certificate tasks only run when needed.

Purpose

Ensure all your Nginx-hosted sites use free, trusted SSL certificates from Lets Encrypt—all managed automatically via Ansible. 🎯

Features

  • Automatic Certificate Issuance: Uses Certbots webroot plugin to request and install certificates. 📜
  • Nginx Redirect: Creates a temporary HTTP → HTTPS redirect block. ↪️
  • ACMEChallenge Handling: Configures /.well-known/acme-challenge/ for Certbot validation. 🔍
  • Secure SSL Defaults: Includes modern cipher suites, HSTS, OCSP stapling, and session settings. 🔒
  • AutoRenewal: Leverages system scheduling (cron or systemd timer) to renew certs before expiration. 🔄
  • OneTime Setup: Tasks guarded by a “run once” fact to avoid re-applying unchanged templates. 🏃‍♂️