Merge branch 'dev-tls_switch' into dev-owncloud

2024-07-09 13:34:07 +02:00 · 2024-07-09 13:34:07 +02:00 · f6a4d902ec
commit f6a4d902ec
parent 349832c77e 91ca433198
27 changed files with 395 additions and 177 deletions
--- a/roles/authelia-and-nginx/defaults/main.json
+++ b/roles/authelia-and-nginx/defaults/main.json
@ -1,3 +1,4 @@
 {
-	"var_authelia_and_nginx_domain": "authelia.example.org"
+	"var_authelia_and_nginx_domain": "authelia.example.org",
 	"var_authelia_and_nginx_tls_mode": "enable"
 }
--- a/roles/authelia-and-nginx/templates/conf.j2
+++ b/roles/authelia-and-nginx/templates/conf.j2
@ -1,22 +1,4 @@
-server {
+{% macro authelia_common() %}
 	server_name {{var_authelia_and_nginx_domain}};
 	listen [::]:80;
 	listen 80;
 	return 301 https://$server_name$request_uri;
 }
 server {
 	server_name {{var_authelia_and_nginx_domain}};
 	listen [::]:443 ssl http2;
 	listen 443 ssl http2;
 	ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem;
 	include /etc/nginx/ssl-hardening.conf;
 	location / {
 		## Headers
 		proxy_set_header Host $host;
@ -60,4 +42,32 @@ server {
 	location /api/verify {
 		proxy_pass http://localhost:9091;
 	}
 {% endmacro %}
 server {
 	server_name {{var_authelia_and_nginx_domain}};
 	listen 80;
 	listen [::]:80;
 {% if (var_authelia_and_nginx_tls_mode == 'force') %}
 	return 301 https://$http_host$request_uri;
 {% else %}
 {{ authelia_common() }}
 {% endif %}
 }
 {% if (var_authelia_and_nginx_tls_mode != 'disable') %}
 server {
 	server_name {{var_authelia_and_nginx_domain}};
 	listen [::]:443 ssl http2;
 	listen 443 ssl http2;
 	ssl_certificate_key /etc/ssl/private/{{var_authelia_and_nginx_domain}}.pem;
 	ssl_certificate /etc/ssl/fullchains/{{var_authelia_and_nginx_domain}}.pem;
 	include /etc/nginx/ssl-hardening.conf;
 {{ authelia_common() }}
 }
 {% endif %}
--- a/roles/authelia-and-nginx/vardef.json
+++ b/roles/authelia-and-nginx/vardef.json
@ -0,0 +1,15 @@
 {
 	"domain": {
 		"type": "string",
 		"mandatory": false
 	},
 	"tls_mode": {
        "type": "string",
        "options": [
 			"disable",
 			"enable",
 			"force"
        ],
        "mandatory": false
 	}
 }
--- a/roles/dokuwiki-and-nginx/defaults/main.json
+++ b/roles/dokuwiki-and-nginx/defaults/main.json
@ -1,5 +1,5 @@
 {
 	"var_dokuwiki_and_nginx_directory": "/opt/dokuwiki",
 	"var_dokuwiki_and_nginx_domain": "dokuwiki.example.org",
-	"var_dokuwiki_and_nginx_tls_enable": true
+	"var_dokuwiki_and_nginx_tls_mode": "enable"
 }
--- a/roles/dokuwiki-and-nginx/templates/conf.j2
+++ b/roles/dokuwiki-and-nginx/templates/conf.j2
@ -1,22 +1,4 @@
-server {
+{% macro dokuwiki_common() %}
 	listen 80;
 	listen [::]:80;
 	server_name {{var_dokuwiki_and_nginx_domain}};
 	return 301 https://$server_name$request_uri;
 }
 server {
 	listen [::]:443 ssl;
 	listen 443 ssl;
 	server_name {{var_dokuwiki_and_nginx_domain}};
 {% if var_dokuwiki_and_nginx_tls_enable %}
 	ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem;
 	include /etc/nginx/ssl-hardening.conf;
 {% endif %}
 	# Maximum file upload size is 4MB - change accordingly if needed
 	client_max_body_size 4M;
 	client_body_buffer_size 128k;
@ -58,4 +40,32 @@ server {
 		fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
 		# fastcgi_pass unix:/var/run/php5-fpm.sock; #old php version
 	}
 {% endmacro %}
 server {
 	server_name {{var_dokuwiki_and_nginx_domain}};
 	listen 80;
 	listen [::]:80;
 {% if (var_dokuwiki_and_nginx_tls_mode == 'force') %}
 	return 301 https://$http_host$request_uri;
 {% else %}
 {{ dokuwiki_common() }}
 {% endif %}
 }
 {% if (var_dokuwiki_and_nginx_tls_mode != 'disable') %}
 server {
 	server_name {{var_dokuwiki_and_nginx_domain}};
 	listen [::]:443 ssl http2;
 	listen 443 ssl http2;
 	ssl_certificate_key /etc/ssl/private/{{var_dokuwiki_and_nginx_domain}}.pem;
 	ssl_certificate /etc/ssl/fullchains/{{var_dokuwiki_and_nginx_domain}}.pem;
 	include /etc/nginx/ssl-hardening.conf;
 {{ dokuwiki_common() }}
 }
 {% endif %}
--- a/roles/dokuwiki-and-nginx/vardef.json
+++ b/roles/dokuwiki-and-nginx/vardef.json
@ -0,0 +1,19 @@
 {
 	"directory": {
 		"type": "string",
 		"mandatory": false
 	},
 	"domain": {
 		"type": "string",
 		"mandatory": false
 	},
 	"tls_mode": {
        "type": "string",
        "options": [
 			"disable",
 			"enable",
 			"force"
        ],
        "mandatory": false
 	}
 }
--- a/roles/element-and-nginx/defaults/main.json
+++ b/roles/element-and-nginx/defaults/main.json
@ -1,4 +1,5 @@
 {
 	"var_element_and_nginx_domain": "element.example.org",
-	"var_element_and_nginx_path": "/opt/element"
+	"var_element_and_nginx_path": "/opt/element",
 	"var_element_and_nginx_tls_mode": "enable"
 }
--- a/roles/element-and-nginx/templates/conf.j2
+++ b/roles/element-and-nginx/templates/conf.j2
@ -1,14 +1,31 @@
 {% macro element_common() %}
 root {{var_element_and_nginx_path}};
 {% endmacro %}
 server {
 	server_name {{var_element_and_nginx_domain}};
 	listen 80;
 	listen [::]:80;
 {% if (var_element_and_nginx_tls_mode == 'force') %}
 	return 301 https://$http_host$request_uri;
 {% else %}
 {{ element_common() }}
 {% endif %}
 }
 {% if (var_element_and_nginx_tls_mode != 'disable') %}
 server {
 	server_name {{var_element_and_nginx_domain}};
 	listen 443 ssl;
 	listen [::]:443 ssl;
 	server_name {{var_element_and_nginx_domain}};
 	ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_element_and_nginx_domain}}.pem;
 	ssl_certificate /etc/ssl/fullchains/{{var_element_and_nginx_domain}}.pem;
 	include /etc/nginx/ssl-hardening.conf;
-	root {{var_element_and_nginx_path}};
+{{ element_common() }}
 }
 {% endif %}
--- a/roles/element-and-nginx/vardef.json
+++ b/roles/element-and-nginx/vardef.json
@ -0,0 +1,19 @@
 {
 	"domain": {
 		"mandatory": false,
 		"type": "string"
 	},
 	"path": {
 		"mandatory": false,
 		"type": "string"
 	},
 	"tls_mode": {
 		"mandatory": false,
 		"type": "string",
 		"options": [
 			"disable",
 			"enable",
 			"force"
 		]
 	}
 }
--- a/roles/gitlab-and-nginx/defaults/main.json
+++ b/roles/gitlab-and-nginx/defaults/main.json
@ -1,4 +1,5 @@
 {
 	"var_gitlab_and_nginx_domain": "element.example.org",
-	"var_gitlab_and_nginx_path": "/opt/element"
+	"var_gitlab_and_nginx_path": "/opt/element",
 	"var_gitlab_and_nginx_tls_mode": "enable"
 }
--- a/roles/gitlab-and-nginx/templates/conf.j2
+++ b/roles/gitlab-and-nginx/templates/conf.j2
@ -1,64 +1,7 @@
-upstream gitlab-workhorse {
+{% macro gitlab_common() %}
 	server unix:/home/git/gitlab/tmp/sockets/gitlab-workhorse.socket fail_timeout=0;
 }
 map $http_upgrade $connection_upgrade_gitlab_ssl {
 	default upgrade;
 	'' close;
 }
 log_format gitlab_ssl_access '$remote_addr - $remote_user [$time_local] "$request_method $gitlab_ssl_filtered_request_uri $server_protocol" $status $body_bytes_sent "$gitlab_ssl_filtered_http_referer" "$http_user_agent"';
 map $request_uri $gitlab_ssl_temp_request_uri_1 {
 	default $request_uri;
 	~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
 }
 map $gitlab_ssl_temp_request_uri_1 $gitlab_ssl_temp_request_uri_2 {
 	default $gitlab_ssl_temp_request_uri_1;
 	~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
 }
 map $gitlab_ssl_temp_request_uri_2 $gitlab_ssl_filtered_request_uri {
 	default $gitlab_ssl_temp_request_uri_2;
 	~(?i)^(?<start>.*)(?<temp>[\?&]feed[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
 }
 map $http_referer $gitlab_ssl_filtered_http_referer {
 	default $http_referer;
 	~^(?<temp>.*)\? $temp;
 }
 server {
 	listen 80 default_server;
 	listen [::]:80 ipv6only=on default_server;
 	server_name {{var_gitlab_and_nginx_domain}};
 	server_tokens off;
 	return 301 https://$http_host$request_uri;
 	access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;
 	error_log /var/log/nginx/gitlab_error.log;
 }
 server {
 	listen 0.0.0.0:443 ssl http2;
 	listen [::]:443 ipv6only=on ssl http2 default_server;
 	server_name {{var_gitlab_and_nginx_domain}};
 	server_tokens off;
 	ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem;
 	include /etc/nginx/ssl-hardening.conf;
 	real_ip_header X-Real-IP;
 	real_ip_recursive off;
 	access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;
 	error_log /var/log/nginx/gitlab_error.log;
 	location / {
 		client_max_body_size 0;
 		gzip off;
@ -90,5 +33,71 @@ server {
 		root /home/git/gitlab/public;
 		internal;
 	}
 {% endmacro %}
 upstream gitlab-workhorse {
 	server unix:/home/git/gitlab/tmp/sockets/gitlab-workhorse.socket fail_timeout=0;
 }
 map $http_upgrade $connection_upgrade_gitlab_ssl {
 	default upgrade;
 	'' close;
 }
 log_format gitlab_ssl_access '$remote_addr - $remote_user [$time_local] "$request_method $gitlab_ssl_filtered_request_uri $server_protocol" $status $body_bytes_sent "$gitlab_ssl_filtered_http_referer" "$http_user_agent"';
 map $request_uri $gitlab_ssl_temp_request_uri_1 {
 	default $request_uri;
 	~(?i)^(?<start>.*)(?<temp>[\?&]private[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
 }
 map $gitlab_ssl_temp_request_uri_1 $gitlab_ssl_temp_request_uri_2 {
 	default $gitlab_ssl_temp_request_uri_1;
 	~(?i)^(?<start>.*)(?<temp>[\?&]authenticity[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
 }
 map $gitlab_ssl_temp_request_uri_2 $gitlab_ssl_filtered_request_uri {
 	default $gitlab_ssl_temp_request_uri_2;
 	~(?i)^(?<start>.*)(?<temp>[\?&]feed[\-_]token)=[^&]*(?<rest>.*)$ "$start$temp=[FILTERED]$rest";
 }
 map $http_referer $gitlab_ssl_filtered_http_referer {
 	default $http_referer;
 	~^(?<temp>.*)\? $temp;
 }
 server {
 	server_name {{var_gitlab_and_nginx_domain}};
 	server_tokens off;
 	listen 80;
 	listen [::]:80 ipv6only=on;
 {% if (var_gitlab_and_nginx_tls_mode == 'force') %}
 	return 301 https://$http_host$request_uri;
 {% else %}
 	access_log /var/log/nginx/gitlab_access.log;
 	error_log /var/log/nginx/gitlab_error.log;
 {{ gitlab_common() }}
 {% endif %}
 }
 {% if (var_gitlab_and_nginx_tls_mode != 'disable') %}
 server {
 	server_name {{var_gitlab_and_nginx_domain}};
 	server_tokens off;
 	listen 443 ssl http2;
 	listen [::]:443 ipv6only=on ssl http2;
 	ssl_certificate /etc/ssl/fullchains/{{var_gitlab_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_gitlab_and_nginx_domain}}.pem;
 	include /etc/nginx/ssl-hardening.conf;
 	access_log /var/log/nginx/gitlab_access.log gitlab_ssl_access;
 	error_log /var/log/nginx/gitlab_error.log;
 {{ gitlab_common() }}
 }
 {% endif %}
--- a/roles/gitlab-and-nginx/vardef.json
+++ b/roles/gitlab-and-nginx/vardef.json
@ -0,0 +1,19 @@
 {
 	"domain": {
 		"mandatory": false,
 		"type": "string"
 	},
 	"path": {
 		"mandatory": false,
 		"type": "string"
 	},
 	"tls_mode": {
 		"mandatory": false,
 		"type": "string",
 		"options": [
 			"disable",
 			"enable",
 			"force"
 		]
 	}
 }
--- a/roles/hedgedoc-and-nginx/defaults/main.json
+++ b/roles/hedgedoc-and-nginx/defaults/main.json
@ -1,3 +1,4 @@
 {
-	"var_hedgedoc_and_nginx_domain": "hedgedoc.example.org"
+	"var_hedgedoc_and_nginx_domain": "hedgedoc.example.org",
 	"var_hedgedoc_and_nginx_tls_mode": "enable"
 }
--- a/roles/hedgedoc-and-nginx/templates/conf.j2
+++ b/roles/hedgedoc-and-nginx/templates/conf.j2
@ -3,16 +3,7 @@ map $http_upgrade $connection_upgrade {
 	'' close;
 }
-server {
+{% macro hedgedoc_common() %}
 	server_name {{var_hedgedoc_and_nginx_domain}};
 	listen [::]:443 ssl http2;
 	listen 443 ssl http2;
 	ssl_certificate /etc/ssl/fullchains/{{var_hedgedoc_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem;
 	include /etc/nginx/ssl-hardening.conf;
 	location / {
 		proxy_pass http://localhost:3000;
 		proxy_set_header Host $host;
@ -30,4 +21,31 @@ server {
 		proxy_set_header Upgrade $http_upgrade;
 		proxy_set_header Connection $connection_upgrade;
 	}
 {% endmacro %}
 server {
 	server_name {{var_hedgedoc_and_nginx_domain}};
 	listen 80;
 	listen [::]:80;
 {% if (var_element_and_nginx_tls_mode == 'force') %}
 	return 301 https://$http_host$request_uri;
 {% else %}
 {{ hedgedoc_common() }}
 {% endif %}
 }
 {% if (var_hedgedoc_and_nginx_tls_mode != 'disable') %}
 server {
 	server_name {{var_hedgedoc_and_nginx_domain}};
 	listen [::]:443 ssl http2;
 	listen 443 ssl http2;
 	ssl_certificate_key /etc/ssl/private/{{var_hedgedoc_and_nginx_domain}}.pem;
 	ssl_certificate /etc/ssl/fullchains/{{var_hedgedoc_and_nginx_domain}}.pem;
 	include /etc/nginx/ssl-hardening.conf;
 {{ hedgedoc_common() }}
 }
--- a/roles/hedgedoc-and-nginx/vardef.json
+++ b/roles/hedgedoc-and-nginx/vardef.json
@ -0,0 +1,15 @@
 {
 	"domain": {
 		"type": "string",
 		"mandatory": false
 	},
 	"tls_mode": {
        "type": "string",
        "options": [
 			"disable",
 			"enable",
 			"force"
        ],
        "mandatory": false
 	}
 }
--- a/roles/hedgedoc/defaults/main.json
+++ b/roles/hedgedoc/defaults/main.json
@ -14,7 +14,7 @@
 	"var_hedgedoc_authentication_kind": "authelia",
 	"var_hedgedoc_authentication_data_authelia_client_id": "hedgedoc",
 	"var_hedgedoc_authentication_data_authelia_client_secret": "REPLACE_ME",
-	"var_hedgedoc_authentication_data_authelia_url_base": "https://authelia.linke.sx",
+	"var_hedgedoc_authentication_data_authelia_url_base": "https://authelia.example.org",
 	"var_hedgedoc_guest_allow_create": false,
 	"var_hedgedoc_guest_allow_change": false,
 	"var_hedgedoc_free_names_mode": "authed"
--- a/roles/synapse-and-nginx/defaults/main.json
+++ b/roles/synapse-and-nginx/defaults/main.json
@ -1,3 +1,4 @@
 {
-	"var_synapse_and_nginx_domain": "REPLACE_ME"
+	"var_synapse_and_nginx_domain": "REPLACE_ME",
 	"var_synapse_and_nginx_tls_mode": "enable"
 }
--- a/roles/synapse-and-nginx/templates/conf.j2
+++ b/roles/synapse-and-nginx/templates/conf.j2
@ -1,19 +1,4 @@
-server {
+{% macro synapse_common() %}
 	listen 80;
 	listen [::]:80;
 	listen 443 ssl;
 	listen [::]:443 ssl;
 	## For the federation port
 	listen 8448 ssl http2 default_server;
 	listen [::]:8448 ssl http2 default_server;
 	server_name {{var_synapse_and_nginx_domain}};
 	ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem;
 	include /etc/nginx/ssl-hardening.conf;
 	location ~ ^(/_matrix|/_synapse/client) {
 		proxy_pass http://localhost:8008;
 		proxy_set_header X-Forwarded-For $remote_addr;
@ -24,4 +9,36 @@ server {
 		proxy_http_version 1.1;
 	}
 {% endmacro %}
 server {
 	server_name {{var_synapse_and_nginx_domain}};
 	listen 80;
 	listen [::]:80;
 {% if (var_synapse_and_nginx_tls_mode == 'force') %}
 	return 301 https://$http_host$request_uri;
 {% else %}
 {{ synapse_common() }}
 {% endif %}
 }
 {% if (var_synapse_and_nginx_tls_mode != 'disable') %}
 server {
 	server_name {{var_synapse_and_nginx_domain}};
 	listen 443 ssl http2;
 	listen [::]:443 ssl http2;
 	## For the federation port
 	listen 8448 ssl http2 default_server;
 	listen [::]:8448 ssl http2 default_server;
 	ssl_certificate_key /etc/ssl/private/{{var_synapse_and_nginx_domain}}.pem;
 	ssl_certificate /etc/ssl/fullchains/{{var_synapse_and_nginx_domain}}.pem;
 	include /etc/nginx/ssl-hardening.conf;
 {{ synapse_common() }}
 }
 {% endif %}
--- a/roles/synapse-and-nginx/vardef.json
+++ b/roles/synapse-and-nginx/vardef.json
@ -0,0 +1,15 @@
 {
 	"domain": {
 		"type": "string",
 		"mandatory": false
 	},
 	"tls_mode": {
        "type": "string",
        "options": [
 			"disable",
 			"enable",
 			"force"
        ],
        "mandatory": false
 	}
 }
--- a/roles/system_basics/tasks/main.json
+++ b/roles/system_basics/tasks/main.json
@ -21,6 +21,7 @@
 		"become": true,
 		"ansible.builtin.apt": {
 			"pkg": [
 				"acl",
 				"vim",
 				"htop",
 				"tmux",
--- a/roles/tlscert_existing/defaults/main.json
+++ b/roles/tlscert_existing/defaults/main.json
@ -1,8 +1,6 @@
 {
 	"var_tlscert_existing_domain": "foo.example.org",
 	"var_tlscert_existing_key_path": "/tmp/key.pem",
 	"var_tlscert_existing_cert_path": "/tmp/cert.pem",
-	"var_tlscert_existing_fullchain_path": "/tmp/fullchain.pem",
+	"var_tlscert_existing_fullchain_path": "/tmp/fullchain.pem"
 	"var_tlscert_existing_domain_base": "example.org",
 	"var_tlscert_existing_domain_path": "foo",
 	"var_tlscert_existing_ssl_directory": "/etc/ssl"
 }
--- a/roles/tlscert_existing/tasks/main.json
+++ b/roles/tlscert_existing/tasks/main.json
@ -3,10 +3,10 @@
 		"name": "directories",
 		"become": true,
 		"loop": [
-			"{{var_tlscert_existing_ssl_directory}}/private",
+			"/etc/ssl/private",
-			"{{var_tlscert_existing_ssl_directory}}/csr",
+			"/etc/ssl/csr",
-			"{{var_tlscert_existing_ssl_directory}}/certs",
+			"/etc/ssl/certs",
-			"{{var_tlscert_existing_ssl_directory}}/fullchains"
+			"/etc/ssl/fullchains"
 		],
 		"ansible.builtin.file": {
 			"state": "directory",
@ -18,7 +18,7 @@
 		"become": true,
 		"ansible.builtin.copy": {
 			"src": "{{var_tlscert_existing_key_path}}",
-			"dest": "{{var_tlscert_existing_ssl_directory}}/private/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem"
+			"dest": "/etc/ssl/private/{{var_tlscert_existing_domain}}.pem"
 		}
 	},
 	{
@ -26,7 +26,7 @@
 		"become": true,
 		"ansible.builtin.copy": {
 			"src": "{{var_tlscert_existing_cert_path}}",
-			"dest": "{{var_tlscert_existing_ssl_directory}}/certs/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem"
+			"dest": "/etc/ssl/certs/{{var_tlscert_existing_domain}}.pem"
 		}
 	},
 	{
@ -35,7 +35,7 @@
 		"become": true,
 		"ansible.builtin.copy": {
 			"src": "{{var_tlscert_existing_fullchain_path}}",
-			"dest": "{{var_tlscert_existing_ssl_directory}}/fullchains/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem"
+			"dest": "/etc/ssl/fullchains/{{var_tlscert_existing_domain}}.pem"
 		}
 	},
 	{
@ -43,7 +43,7 @@
 		"when": "var_tlscert_existing_fullchain_path == None",
 		"become": true,
 		"ansible.builtin.shell": {
-			"cmd": "cat {{var_tlscert_existing_ssl_directory}}/certs/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem > {{var_tlscert_existing_ssl_directory}}/fullchains/{{var_tlscert_existing_domain_path}}.{{var_tlscert_existing_domain_base}}.pem"
+			"cmd": "cat /etc/ssl/certs/{{var_tlscert_existing_domain}}.pem > /etc/ssl/fullchains/{{var_tlscert_existing_domain}}.pem"
 		}
 	}
 ]
--- a/roles/tlscert_selfsigned/defaults/main.json
+++ b/roles/tlscert_selfsigned/defaults/main.json
@ -1,5 +1,3 @@
 {
-	"var_tlscert_selfsigned_domain_base": "example.org",
+	"var_tlscert_selfsigned_domain": "foo.example.org"
 	"var_tlscert_selfsigned_domain_path": "foo",
 	"var_tlscert_selfsigned_ssl_directory": "/etc/ssl"
 }
--- a/roles/tlscert_selfsigned/tasks/main.json
+++ b/roles/tlscert_selfsigned/tasks/main.json
@ -14,10 +14,10 @@
 		"name": "setup directories",
 		"become": true,
 		"loop": [
-			"{{var_tlscert_selfsigned_ssl_directory}}/private",
+			"/etc/ssl/private",
-			"{{var_tlscert_selfsigned_ssl_directory}}/csr",
+			"/etc/ssl/csr",
-			"{{var_tlscert_selfsigned_ssl_directory}}/certs",
+			"/etc/ssl/certs",
-			"{{var_tlscert_selfsigned_ssl_directory}}/fullchains"
+			"/etc/ssl/fullchains"
 		],
 		"ansible.builtin.file": {
 			"state": "directory",
@ -28,19 +28,19 @@
 		"name": "csr | generate private key",
 		"become": true,
 		"community.crypto.openssl_privatekey": {
-			"path": "{{var_tlscert_selfsigned_ssl_directory}}/private/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem"
+			"path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem"
 		}
 	},
 	{
 		"name": "csr | execute",
 		"become": true,
 		"community.crypto.openssl_csr": {
-			"privatekey_path": "{{var_tlscert_selfsigned_ssl_directory}}/private/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem",
+			"privatekey_path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem",
-			"common_name": "{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}",
+			"common_name": "{{var_tlscert_selfsigned_domain}}",
 			"subject_alt_name": [
-				"DNS:{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}"
+				"DNS:{{var_tlscert_selfsigned_domain}}"
 			],
-			"path": "{{var_tlscert_selfsigned_ssl_directory}}/csr/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem"
+			"path": "/etc/ssl/csr/{{var_tlscert_selfsigned_domain}}.pem"
 		},
 		"register": "temp_csr"
 	},
@ -48,17 +48,17 @@
 		"name": "generate certificate",
 		"become": true,
 		"community.crypto.x509_certificate": {
-			"privatekey_path": "{{var_tlscert_selfsigned_ssl_directory}}/private/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem",
+			"privatekey_path": "/etc/ssl/private/{{var_tlscert_selfsigned_domain}}.pem",
-			"csr_path": "{{var_tlscert_selfsigned_ssl_directory}}/csr/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem",
+			"csr_path": "/etc/ssl/csr/{{var_tlscert_selfsigned_domain}}.pem",
 			"provider": "selfsigned",
-			"path": "{{var_tlscert_selfsigned_ssl_directory}}/certs/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem"
+			"path": "/etc/ssl/certs/{{var_tlscert_selfsigned_domain}}.pem"
 		}
 	},
 	{
 		"name": "compose fullchain",
 		"become": true,
 		"ansible.builtin.shell": {
-			"cmd": "cat {{var_tlscert_selfsigned_ssl_directory}}/certs/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem > {{var_tlscert_selfsigned_ssl_directory}}/fullchains/{{var_tlscert_selfsigned_domain_path}}.{{var_tlscert_selfsigned_domain_base}}.pem"
+			"cmd": "cat /etc/ssl/certs/{{var_tlscert_selfsigned_domain}}.pem > /etc/ssl/fullchains/{{var_tlscert_selfsigned_domain}}.pem"
 		}
 	}
 ]
--- a/roles/vikunja-and-nginx/defaults/main.json
+++ b/roles/vikunja-and-nginx/defaults/main.json
@ -1,3 +1,4 @@
 {
-	"var_vikunja_and_nginx_domain": "vikunja.example.org"
+	"var_vikunja_and_nginx_domain": "vikunja.example.org",
 	"var_vikunja_and_nginx_tls_mode": "enable"
 }
--- a/roles/vikunja-and-nginx/templates/conf.j2
+++ b/roles/vikunja-and-nginx/templates/conf.j2
@ -1,17 +1,34 @@
-server {
+{% macro vikunja_common() %}
 	listen 80;
 	listen [::]:80;
 	listen 443 ssl;
 	listen [::]:443 ssl;
 	server_name {{var_vikunja_and_nginx_domain}};
 	ssl_certificate /etc/ssl/fullchains/{{var_vikunja_and_nginx_domain}}.pem;
 	ssl_certificate_key /etc/ssl/private/{{var_vikunja_and_nginx_domain}}.pem;
 	include /etc/nginx/ssl-hardening.conf;
 	location / {
 		proxy_pass http://localhost:3456;
 		client_max_body_size 20M;
 	}
 {% endmacro %}
 server {
 	server_name {{var_vikunja_and_nginx_domain}};
 	listen 80;
 	listen [::]:80;
 {% if (var_vikunja_and_nginx_tls_mode == 'force') %}
 	return 301 https://$http_host$request_uri;
 {% else %}
 {{ vikunja_common() }}
 {% endif %}
 }
 {% if (var_vikunja_and_nginx_tls_mode != 'disable') %}
 server {
 	server_name {{var_vikunja_and_nginx_domain}};
 	listen 443 ssl http2;
 	listen [::]:443 ssl http2;
 	ssl_certificate_key /etc/ssl/private/{{var_vikunja_and_nginx_domain}}.pem;
 	ssl_certificate /etc/ssl/fullchains/{{var_vikunja_and_nginx_domain}}.pem;
 	include /etc/nginx/ssl-hardening.conf;
 {{ vikunja_common() }}
 }
 {% endif %}
--- a/roles/vikunja-and-nginx/vardef.json
+++ b/roles/vikunja-and-nginx/vardef.json
@ -0,0 +1,15 @@
 {
 	"domain": {
 		"type": "string",
 		"mandatory": false
 	},
 	"tls_mode": {
        "type": "string",
        "options": [
 			"disable",
 			"enable",
 			"force"
        ],
        "mandatory": false
 	}
 }