kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-12-09 02:45:17 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
94f97ed1f30d6e0e1cfac9a9708c83d6331604ff
computer-playbook/roles/sys-svc-certs
History
Kevin Veen-Birkenbach e09f561f0b Refactor run-once orchestration and bootstrap Mailu/Mastodon in a single deploy 
- Replace legacy utils/run_once.yml with the new helpers utils/once_flag.yml and utils/once_finalize.yml
- Introduce utils/compose_up.yml to ensure docker-compose stacks are up and to flush handlers safely without coupling to run-once flags
- Migrate all affected roles (desk-*, dev-*, sys-ctl-*, sys-svc-*, web-app-*, web-svc-*, util-*) to the new run-once helpers
- Rework sys-svc-msmtp to auto-load Mailu once per deploy, check reachability, and reuse the running stack instead of requiring multiple playbook passes
- Adjust web-app-mailu to integrate cert deployment, handler flushing, and run-once handling so Mailu is fully initialized in a single deploy
- Improve Matomo, CDN, logout and CSP/health-check related roles to cooperate with the new compose_up / once_* pattern
- Simplify alarm/backup/timer/service orchestration (sys-ctl-alm-*, sys-bkp-provider, sys-timer-cln-bkps, etc.) by moving run-once logic into dedicated 01_core.yml files
- Update integration tests so utils/once_flag.yml and utils/once_finalize.yml are recognised as valid run-once providers, keeping the global run_once_* guarantees consistent
- Align frontend injection and service dependencies so Mastodon- and Mailu-related services can be brought up coherently within a single deployment cycle rather than several iterations
2025-12-01 13:30:50 +01:00
..
meta
tasks
Refactor run-once orchestration and bootstrap Mailu/Mastodon in a single deploy
2025-12-01 13:30:50 +01:00
README.md

README.md

Nginx HTTPS Certificate Retrieval

🔥 Description

This role automates the retrieval of Let's Encrypt SSL/TLS certificates using Certbot for domains served via Nginx. It supports both single-domain and wildcard certificates, and can use either the DNS or webroot ACME challenge methods.

📖 Overview

Designed for Archlinux systems, this role handles issuing certificates per domain and optionally cleans up redundant certificates if wildcard certificates are used. It intelligently decides whether to issue a standard or wildcard certificate based on the domain structure and your configuration.

Key Features

  • Single Domain and Wildcard Support: Handles both individual domains and wildcard domains (*.example.com).
  • DNS and Webroot Challenges: Dynamically selects the correct ACME challenge method.
  • Certificate Renewal Logic: Skips renewal if the certificate is still valid.
  • Optional Cleanup: Deletes redundant domain certificates when wildcard certificates are used.
  • Non-Interactive Operation: Fully automated using --non-interactive and --agree-tos.

🎯 Purpose

The Nginx HTTPS Certificate Retrieval role ensures that your Nginx-served domains have valid, automatically issued SSL/TLS certificates, improving web security without manual intervention.

🚀 Features

  • ACME Challenge Selection: Supports DNS plugins or webroot method automatically.
  • Wildcard Certificate Management: Issues wildcard certificates when configured, saving effort for subdomain-heavy deployments.
  • Safe Cleanup: Ensures that no unused certificates are left behind.
  • Flexible Control: Supports MODE_TEST for staging environment testing and MODE_CLEANUP for cert cleanup operations.

🔗 Learn More

Reference in New Issue View Git Blame Copy Permalink