mirror of
https://github.com/kevinveenbirkenbach/computer-playbook.git
synced 2025-08-18 09:45:03 +02:00
Kevin Veen-Birkenbach
2620ee088e
- replaced CERTBOT_DNS_API_TOKEN with CLOUDFLARE_API_TOKEN everywhere - introduced generic sys-dns-cloudflare-records role for managing DNS records - added sys-dns-hetzner-rdns role with both Cloud (hcloud) and Robot API flavors - updated Mailu role to: - generate DKIM before DNS setup - delegate DNS + rDNS records to the new generic roles - removed legacy per-role Cloudflare vars (MAILU_CLOUDFLARE_API_TOKEN) - extended group vars with HOSTING_PROVIDER for rDNS flavor decision - added hetzner.hcloud collection to requirements This consolidates DNS management into reusable roles, supports both Cloudflare and Hetzner providers, and standardizes variable naming across the project.
Let’s Encrypt SSL for Nginx 🔐
Description
Automates obtaining, configuring, and renewing Let’s Encrypt SSL certificates for Nginx with Certbot. Keeps your sites secure with minimal fuss! 🌐
Overview
This Ansible role sets up the necessary Nginx configuration and Certbot integration to:
- Redirect HTTP traffic to HTTPS
- Serve the ACME challenge for certificate issuance
- Apply strong SSL/TLS defaults
- Schedule automatic renewals
It’s idempotent: configuration and certificate tasks only run when needed. ✅
Purpose
Ensure all your Nginx-hosted sites use free, trusted SSL certificates from Let’s Encrypt—all managed automatically via Ansible. 🎯
Features
- Automatic Certificate Issuance: Uses Certbot’s webroot plugin to request and install certificates. 📜
- Nginx Redirect: Creates a temporary HTTP → HTTPS redirect block. ↪️
- ACME‐Challenge Handling: Configures
/.well-known/acme-challenge/for Certbot validation. 🔍 - Secure SSL Defaults: Includes modern cipher suites, HSTS, OCSP stapling, and session settings. 🔒
- Auto‐Renewal: Leverages system scheduling (cron or systemd timer) to renew certs before expiration. 🔄
- One‐Time Setup: Tasks guarded by a “run once” fact to avoid re-applying unchanged templates. 🏃♂️