diff --git a/roles/jellyfin/templates/docker-compose.yml.j2 b/roles/jellyfin/templates/docker-compose.yml.j2
index c4e5330..4742a40 100644
--- a/roles/jellyfin/templates/docker-compose.yml.j2
+++ b/roles/jellyfin/templates/docker-compose.yml.j2
@@ -15,7 +15,7 @@ services:
 networks:
 - traefik
 labels:
- - "traefik.http.routers.{{ jellyfin_router }}.rule=Host(`{{ jellyfin_domain }}`)"
+ - "traefik.http.routers.{{ jellyfin_router }}.rule=Host({{ jellyfin_domains }})"
 {% if traefik_http_only %}
 - "traefik.http.routers.{{ jellyfin_router }}.entrypoints=web"
 {% else %}
diff --git a/roles/proxy/tasks/main.yml b/roles/proxy/tasks/main.yml
index 6469665..f267bcf 100644
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@@ -45,10 +45,11 @@
 register: nginx_sites
 - name: Generate self-signed certificate
- ansible.builtin.command: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
- -subj "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
- -keyout /etc/ssl/private/nginx-selfsigned.key \
- -out /etc/ssl/certs/nginx-selfsigned.crt'
+ ansible.builtin.command:
+ 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
+ -subj "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com" \
+ -keyout /etc/ssl/private/nginx-selfsigned.key \
+ -out /etc/ssl/certs/nginx-selfsigned.crt'
 args:
 creates: /etc/ssl/certs/nginx-selfsigned.crt
 when: proxy.production is not defined or not proxy.production
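Review bot: The rule now emits `Host({{ jellyfin_domains }})` with no backticks, so `jellyfin_domains` has to expand to the exact Traefik matcher payload — each name wrapped in backticks and separated by commas; if it is defined as a YAML list, Jinja renders a Python-style `['a', 'b']` and Traefik rejects the router rule. Neither the variable's definition nor the rename away from `jellyfin_domain` is in this diff, so that contract is inferred; either document the required format next to the variable in the role defaults, or build it in the template with a `map('regex_replace', ...)` step that adds the backticks followed by `join(', ')`, so callers can pass a plain list. The surrounding service definition and the labels list continue outside the hunk.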
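Review bot: The openssl invocation is still a single-quoted flow scalar that now merely starts on its own line, and YAML folds each line break inside such a scalar into one space, so every trailing `\` reaches `ansible.builtin.command` as a literal backslash followed by a space; shlex then treats that as an escaped space glued to the next word (` -subj` with a leading blank), which openssl is unlikely to accept as the option. The behaviour pre-dates this commit, but since the hunk rewrites exactly this scalar it is the place to fix it, and the certbot task in the `@@ -78,19 +86,19 @@` hunk carries the same backslash-continuation pattern inside a single-quoted scalar. A `>-` folded block scalar without the backslashes yields one logical command line with no escaping at all. Separately, `-keyout` writes a private key under /etc/ssl/private, so unless openssl's default file mode on the target has been verified, a follow-up `ansible.builtin.file` task pinning it to `"0600"` would be prudent.
```yaml
- name: Generate self-signed certificate
  ansible.builtin.command: >-
    openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes
    -subj "/C=US/ST=Local/L=Local/O=Org/OU=IT/CN=example.com"
    -keyout /etc/ssl/private/nginx-selfsigned.key
    -out /etc/ssl/certs/nginx-selfsigned.crt
  # … unchanged: args/creates and when …
```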
@@ -56,15 +57,22 @@
 - name: Install LE's certbot
 ansible.builtin.apt:
- name: ['certbot', 'python3-certbot-dns-cloudflare']
+ name: ["certbot", "python3-certbot-dns-cloudflare"]
 state: present
 when: proxy.production is defined and proxy.production
+- name: Grab Cloudflare API token for configuration
+ ansible.builtin.slurp:
+ src: /root/.cloudflare-api
+ register: cfapi
+ when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
+
 - name: Install Cloudflare API token
 ansible.builtin.template:
 src: cloudflare.ini.j2
 dest: /root/.cloudflare.ini
 mode: "400"
+ diff: false
 when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
 - name: Create nginx post renewal hook directory
@@ -78,19 +86,19 @@
 ansible.builtin.copy:
 src: reload-nginx.sh
 dest: /etc/letsencrypt/renewal-hooks/post/reload-nginx.sh
- mode: '0755'
+ mode: "0755"
 when: proxy.production is defined and proxy.production
 - name: Run Cloudflare DNS-01 challenges on wildcard domains
 ansible.builtin.shell: '/usr/bin/certbot certonly \
- --non-interactive \
- --agree-tos \
- --email "{{ proxy.dns_cloudflare.email }}" \
- --dns-cloudflare \
- --dns-cloudflare-credentials /root/.cloudflare.ini \
- -d "*.{{ item }}" \
- -d "{{ item }}" \
- {{ proxy.dns_cloudflare.opts | default("") }}'
+ --non-interactive \
+ --agree-tos \
+ --email "{{ proxy.dns_cloudflare.email }}" \
+ --dns-cloudflare \
+ --dns-cloudflare-credentials /root/.cloudflare.ini \
+ -d "*.{{ item }}" \
+ -d "{{ item }}" \
+ {{ proxy.dns_cloudflare.opts | default("") }}'
 args:
 creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
 loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"
diff --git a/roles/proxy/templates/cloudflare.ini.j2 b/roles/proxy/templates/cloudflare.ini.j2
index eb66f68..3316f1a 100644
--- a/roles/proxy/templates/cloudflare.ini.j2
+++ b/roles/proxy/templates/cloudflare.ini.j2
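Review bot: The new slurp task registers the raw Cloudflare token in `cfapi`, and registered module results are echoed on task failure and under `-v`, so the secret that `diff: false` keeps out of the template task's output can still surface from the slurp task; add `no_log: true` alongside `register: cfapi`. Nothing in this diff creates `/root/.cloudflare-api`, so the file is presumably provisioned out of band — the task name or a comment above it should say so, because a missing file now fails the play before certbot ever runs. The template task's `when` matches the slurp's exactly, and that equality is what guarantees `cfapi.content` exists when the template renders; keep the two conditions in lockstep if either is edited.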
@@ -1,2 +1,2 @@
 # Cloudflare API token used by Certbot
-dns_cloudflare_api_token = {{ proxy.dns_cloudflare.api_token }}
+dns_cloudflare_api_token = {{ cfapi['content'] | b64decode | trim }}
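Review bot: The template now takes the token from the `cfapi` slurp result instead of `proxy.dns_cloudflare.api_token`, so an inventory that still sets that variable is silently ignored while the real source is a file on the target; the comment line above the value should say where it comes from, e.g. `# Cloudflare API token used by Certbot (read from /root/.cloudflare-api by the proxy role, not from inventory)`. The `trim` filter is what strips the trailing newline most editors leave in that file; keep it, since certbot would otherwise send the token with a line break attached.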