kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-12-02 15:39:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
e09f561f0bc8206608c5fd4e06610148669e214a
computer-playbook/roles/sys-svc-letsencrypt
History
Kevin Veen-Birkenbach e09f561f0b Refactor run-once orchestration and bootstrap Mailu/Mastodon in a single deploy 
- Replace legacy utils/run_once.yml with the new helpers utils/once_flag.yml and utils/once_finalize.yml
- Introduce utils/compose_up.yml to ensure docker-compose stacks are up and to flush handlers safely without coupling to run-once flags
- Migrate all affected roles (desk-*, dev-*, sys-ctl-*, sys-svc-*, web-app-*, web-svc-*, util-*) to the new run-once helpers
- Rework sys-svc-msmtp to auto-load Mailu once per deploy, check reachability, and reuse the running stack instead of requiring multiple playbook passes
- Adjust web-app-mailu to integrate cert deployment, handler flushing, and run-once handling so Mailu is fully initialized in a single deploy
- Improve Matomo, CDN, logout and CSP/health-check related roles to cooperate with the new compose_up / once_* pattern
- Simplify alarm/backup/timer/service orchestration (sys-ctl-alm-*, sys-bkp-provider, sys-timer-cln-bkps, etc.) by moving run-once logic into dedicated 01_core.yml files
- Update integration tests so utils/once_flag.yml and utils/once_finalize.yml are recognised as valid run-once providers, keeping the global run_once_* guarantees consistent
- Align frontend injection and service dependencies so Mastodon- and Mailu-related services can be brought up coherently within a single deployment cycle rather than several iterations
2025-12-01 13:30:50 +01:00
..
meta
tasks
Refactor run-once orchestration and bootstrap Mailu/Mastodon in a single deploy
2025-12-01 13:30:50 +01:00
templates
README.md
TODO.md

README.md

Lets Encrypt SSL for Nginx 🔐

Description

Automates obtaining, configuring, and renewing Lets Encrypt SSL certificates for Nginx with Certbot. Keeps your sites secure with minimal fuss! 🌐

Overview

This Ansible role sets up the necessary Nginx configuration and Certbot integration to:

  • Redirect HTTP traffic to HTTPS
  • Serve the ACME challenge for certificate issuance
  • Apply strong SSL/TLS defaults
  • Schedule automatic renewals

Its idempotent: configuration and certificate tasks only run when needed.

Purpose

Ensure all your Nginx-hosted sites use free, trusted SSL certificates from Lets Encrypt—all managed automatically via Ansible. 🎯

Features

  • Automatic Certificate Issuance: Uses Certbots webroot plugin to request and install certificates. 📜
  • Nginx Redirect: Creates a temporary HTTP → HTTPS redirect block. ↪️
  • ACMEChallenge Handling: Configures /.well-known/acme-challenge/ for Certbot validation. 🔍
  • Secure SSL Defaults: Includes modern cipher suites, HSTS, OCSP stapling, and session settings. 🔒
  • AutoRenewal: Leverages system scheduling (cron or systemd timer) to renew certs before expiration. 🔄
  • OneTime Setup: Tasks guarded by a “run once” fact to avoid re-applying unchanged templates. 🏃‍♂️
Reference in New Issue View Git Blame Copy Permalink