Kevin Veen-Birkenbach
e09f561f0b
- Replace legacy utils/run_once.yml with the new helpers utils/once_flag.yml and utils/once_finalize.yml - Introduce utils/compose_up.yml to ensure docker-compose stacks are up and to flush handlers safely without coupling to run-once flags - Migrate all affected roles (desk-*, dev-*, sys-ctl-*, sys-svc-*, web-app-*, web-svc-*, util-*) to the new run-once helpers - Rework sys-svc-msmtp to auto-load Mailu once per deploy, check reachability, and reuse the running stack instead of requiring multiple playbook passes - Adjust web-app-mailu to integrate cert deployment, handler flushing, and run-once handling so Mailu is fully initialized in a single deploy - Improve Matomo, CDN, logout and CSP/health-check related roles to cooperate with the new compose_up / once_* pattern - Simplify alarm/backup/timer/service orchestration (sys-ctl-alm-*, sys-bkp-provider, sys-timer-cln-bkps, etc.) by moving run-once logic into dedicated 01_core.yml files - Update integration tests so utils/once_flag.yml and utils/once_finalize.yml are recognised as valid run-once providers, keeping the global run_once_* guarantees consistent - Align frontend injection and service dependencies so Mastodon- and Mailu-related services can be brought up coherently within a single deployment cycle rather than several iterations
Webserver HTTPS Provisioning 🚀
Description
The sys-svc-webserver-https role extends a basic Nginx installation by wiring in everything you need to serve content over HTTPS:
- Ensures your Nginx server is configured for SSL/TLS.
- Pulls in Let’s Encrypt ACME challenge handling.
- Applies global cleanup of unused domain configs.
This role is built on top of your existing sys-svc-webserver-core role, and it automates the end-to-end process of turning HTTP sites into secure HTTPS sites.
Overview
When you apply sys-svc-webserver-https, it will:
- Include the
sys-svc-webserver-corerole to install and configure Nginx. - Clean up any stale vHost files under
sys-svc-cln-domains. - Deploy the Let’s Encrypt challenge-and-redirect snippet from
sys-svc-letsencrypt. - Reload Nginx automatically when any template changes.
All tasks are idempotent—once your certificates are in place and your configuration is set, Ansible will skip unchanged steps on subsequent runs.
Features
-
🔒 Automatic HTTPS Redirect
Sets up port 80 → 443 redirect and serves/.well-known/acme-challenge/for Certbot. -
🔑 Let’s Encrypt Integration
Pulls in challenge configuration and CAA-record management for automatic certificate issuance and renewal. -
🧹 Domain Cleanup
Removes obsolete or orphaned server blocks before enabling HTTPS. -
🚦 Handler-Safe
Triggers an Nginx reload only when necessary, minimizing service interruptions.
License
This role is released under the Infinito.Nexus NonCommercial License. See https://s.infinito.nexus/license for details.
Author
Developed and maintained by Kevin Veen-Birkenbach Consulting & Coaching Solutions https://www.veen.world