kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-12-02 15:39:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
fff7d261a25eb69c9e1143f56311abaa53cb6bc4
computer-playbook/roles/sys-svc-certs
History
Kevin Veen-Birkenbach fff7d261a2 Refactor run-once logic across multiple roles and integrate unified utils/run_once.yml 
This commit standardizes all run-once implementations across the following roles:
- desk-git
- dev-fakeroot
- dev-git
- dev-python-yaml
- sys-lock
- sys-svc-certs (wildcard flavor)
- update-apt
- update-pacman
- update-compose
- user-root (moved logic to 01_core.yml + unified run-once handling)
- web-app-matomo
- web-svc-libretranslate

All roles now:
- Use a block guarded by 'run_once_<role>' facts
- Trigger run-once state through utils/run_once.yml
- Optionally disable handler flushing via 'flush_handlers: false'
- Achieve consistent per-host one-time execution semantics

Conversation reference: https://chatgpt.com/share/692c7fbb-ff68-800f-8cb4-4b132cffc8e4
2025-11-30 18:51:40 +01:00
..
meta
tasks
Refactor run-once logic across multiple roles and integrate unified utils/run_once.yml
2025-11-30 18:51:40 +01:00
README.md

README.md

Nginx HTTPS Certificate Retrieval

🔥 Description

This role automates the retrieval of Let's Encrypt SSL/TLS certificates using Certbot for domains served via Nginx. It supports both single-domain and wildcard certificates, and can use either the DNS or webroot ACME challenge methods.

📖 Overview

Designed for Archlinux systems, this role handles issuing certificates per domain and optionally cleans up redundant certificates if wildcard certificates are used. It intelligently decides whether to issue a standard or wildcard certificate based on the domain structure and your configuration.

Key Features

  • Single Domain and Wildcard Support: Handles both individual domains and wildcard domains (*.example.com).
  • DNS and Webroot Challenges: Dynamically selects the correct ACME challenge method.
  • Certificate Renewal Logic: Skips renewal if the certificate is still valid.
  • Optional Cleanup: Deletes redundant domain certificates when wildcard certificates are used.
  • Non-Interactive Operation: Fully automated using --non-interactive and --agree-tos.

🎯 Purpose

The Nginx HTTPS Certificate Retrieval role ensures that your Nginx-served domains have valid, automatically issued SSL/TLS certificates, improving web security without manual intervention.

🚀 Features

  • ACME Challenge Selection: Supports DNS plugins or webroot method automatically.
  • Wildcard Certificate Management: Issues wildcard certificates when configured, saving effort for subdomain-heavy deployments.
  • Safe Cleanup: Ensures that no unused certificates are left behind.
  • Flexible Control: Supports MODE_TEST for staging environment testing and MODE_CLEANUP for cert cleanup operations.

🔗 Learn More

Reference in New Issue View Git Blame Copy Permalink