computer-playbook/roles/sys-stk-front-pure
Kevin Veen-Birkenbach a552ea175d feat(dns): add sys-svc-dns role and extend parent DNS handling
Introduce sys-svc-dns to bootstrap Cloudflare DNS prerequisites. Validates CLOUDFLARE_API_TOKEN, (optionally) manages CAA for base SLDs, and delegates parent record creation to sys-dns-parent-hosts. Wired into sys-stk-front-pure.

sys-dns-parent-hosts: new parent_dns filter builds A/AAAA for each parent host and wildcard children (*.parent). Supports dict/list inputs for CURRENT_PLAY_DOMAINS, optional IPv6, proxied flag, and optional *.apex. Exposes a single parent_build_records entry point.

Let’s Encrypt role cleanup: remove DNS/CAA management from sys-svc-letsencrypt; it now focuses on webroot challenge config and renew timer. Fixed path joins and run_once guards.

Tests: update unit tests to allow wildcard outputs and dict-based CURRENT_PLAY_DOMAINS. Add generate_base_sld_domains filter. Documentation updates for both roles.

Conversation: https://chatgpt.com/share/68c342f7-d20c-800f-b61f-cefeebcf1cd8
2025-09-11 23:47:27 +02:00

Webserver HTTPS Provisioning 🚀

Description

The sys-stk-front-pure role extends a basic Nginx installation by wiring in everything you need to serve content over HTTPS:

  1. Ensures your Nginx server is configured for SSL/TLS.
  2. Pulls in Let's Encrypt ACME challenge handling (HTTP-01 via the webroot on port 80).
  3. Applies global cleanup of unused domain configs.

This role is built on top of your existing sys-svc-webserver role, and it automates the end-to-end process of turning HTTP sites into secure HTTPS sites.


Overview

When you apply sys-stk-front-pure, it will:

  1. Include the sys-svc-webserver role to install and configure Nginx.
  2. Clean up any stale vHost files via the sys-svc-cln-domains role, so no forgotten server block keeps answering for a domain you no longer serve.
  3. Deploy the Let's Encrypt challenge-and-redirect snippet from sys-svc-letsencrypt.
  4. Reload Nginx automatically when any template changes.

All tasks are idempotent—once your certificates are in place and your configuration is set, Ansible will skip unchanged steps on subsequent runs.


Features

  • 🔒 Automatic HTTPS Redirect
    Sets up port 80 → 443 redirect and serves /.well-known/acme-challenge/ for Certbot.

  • 🔑 Let's Encrypt Integration
    Pulls in the ACME challenge configuration and renew timer from sys-svc-letsencrypt for automatic certificate issuance and renewal. CAA records for the base domains are managed separately by the sys-svc-dns role (Cloudflare), which this role also wires in.

  • 🧹 Domain Cleanup
    Removes obsolete or orphaned server blocks before enabling HTTPS.

  • 🚦 Handler-Safe
    Triggers an Nginx reload only when necessary, minimizing service interruptions.


Requirements

  • A working sys-svc-webserver setup.
  • DNS managed via Cloudflare, with a valid CLOUDFLARE_API_TOKEN, for the CAA-record tasks in sys-svc-dns. Certificates are issued with the HTTP-01 webroot challenge, so every domain must already resolve to this host and port 80 must be reachable from the internet.
  • Variables:
    • LETSENCRYPT_WEBROOT_PATH
    • LETSENCRYPT_LIVE_PATH
    • on_calendar_renew_lets_encrypt_certificates
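
The play below is an added illustration, not the project's own tasks: it reproduces the three behaviours this README lists (port-80 redirect that still serves the ACME challenge, removal of stale vHost files, and a handler-safe reload) in a single stand-alone Ansible play. Only LETSENCRYPT_WEBROOT_PATH is taken from this page; the vhost directory /etc/nginx/conf.d/servers, the snippet file name, the inventory group webservers and the current_play_domains list are assumed for the example.

```yaml
# Added example (not the project's code). Assumed: vhost files live in
# /etc/nginx/conf.d/servers and are named <domain>.conf; the list of
# domains this run should keep is current_play_domains.
- name: Provision HTTPS front (illustrative)
  hosts: webservers
  become: true
  vars:
    LETSENCRYPT_WEBROOT_PATH: /var/lib/letsencrypt   # from the README
    vhost_dir: /etc/nginx/conf.d/servers             # assumed layout
    current_play_domains:                            # constructed input
      - example.com
      - www.example.com
  tasks:
    # 1. Port-80 catch-all: the ACME challenge must stay reachable over plain
    #    HTTP (certbot needs it before any certificate exists); everything
    #    else gets a permanent redirect that preserves host and URI.
    - name: Deploy Let's Encrypt challenge-and-redirect snippet
      ansible.builtin.copy:
        dest: /etc/nginx/conf.d/00-acme-redirect.conf   # assumed name
        mode: "0644"
        content: |
          server {
              listen 80 default_server;
              listen [::]:80 default_server;
              server_name _;

              # certbot --webroot writes tokens below
              # {{ LETSENCRYPT_WEBROOT_PATH }}/.well-known/acme-challenge/
              location ^~ /.well-known/acme-challenge/ {
                  root {{ LETSENCRYPT_WEBROOT_PATH }};
                  default_type "text/plain";
                  try_files $uri =404;
              }

              location / {
                  return 301 https://$host$request_uri;
              }
          }
      notify: Reload nginx

    # 2. Domain cleanup: delete any <domain>.conf whose domain is not in the
    #    current list, so orphaned server blocks stop answering.
    - name: Find existing vhost files
      ansible.builtin.find:
        paths: "{{ vhost_dir }}"
        patterns: "*.conf"
      register: vhost_files

    - name: Remove stale vhost files
      ansible.builtin.file:
        path: "{{ item.path }}"
        state: absent
      loop: "{{ vhost_files.files }}"
      loop_control:
        label: "{{ item.path | basename }}"
      when: (item.path | basename | splitext | first) not in current_play_domains
      notify: Reload nginx

  # 3. Handler-safe reload: both handlers listen on one topic, run once at the
  #    end of the play and only if a task above reported a change. The
  #    validation runs first, so a broken config fails the play instead of
  #    being reloaded into the running server.
  handlers:
    - name: Validate nginx configuration
      ansible.builtin.command: nginx -t
      changed_when: false
      listen: Reload nginx

    - name: Reload nginx service
      ansible.builtin.service:
        name: nginx
        state: reloaded
      listen: Reload nginx
```

Run it with `ansible-playbook front.yml`; a second run reports no changes and triggers no reload, which is the idempotence the Overview describes. The cleanup step keys only on the file name, so any vhost file that does not follow the `<domain>.conf` convention would be removed; adjust the `when` condition if your layout differs.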

License

This role is released under the Infinito.Nexus NonCommercial License. See https://s.infinito.nexus/license for details.


Author

Developed and maintained by Kevin Veen-Birkenbach Consulting & Coaching Solutions https://www.veen.world