Refactoring of nginx and the cert management.

README.md

@@ -14,16 +14,44 @@ For the last point *(Web UI on port 443)* the recommendation from the [official
 
 ## Preparation
 
-Configure on the Proxmox an **ACME Challenge** first, so the certificate `/etc/pve/local/pveproxy-ssl.pem` is created. The playbook checks if this file exists, the web server will not start otherwise.
+Configure on the Proxmox an **ACME** first, so the certificate `/etc/pve/local/pveproxy-ssl.pem` is created.
 
-> This project is intended for my home proxmox server and should not be used on production servers.
+- If the certificate is renewed by Proxmox, the web server is **automatically reloaded**. This is made possible with the systemd option [`ReloadPropagatedFrom`](https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#PropagatesReloadTo=).
+
+- If no ACME has been set up, the service is **ignored when booting**. This is controlled by the [`ConditionPathExists`](https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#AssertArchitecture=) option. If the service has been ignored, it remains deactivated until Proxmox is restarted.<br>There is a check in the Ansible playbook if ACME has been set up, without a valid configuration the execution will be **aborted at the beginning**.
+
+- If an existing ACME configuration is deleted in the Proxmox interface, the old certificate files remain available. The NGINX web server remains active and will respond with an expired certificate.
+
+These options are stored in the NGINX extended service file under `/etc/systemd/system/nginx.service.d/override.conf`:
+```ini
+# {{ ansible_managed }}
+
+[Unit]
+# The path /etc/pve/local is only available after this service.
+Requires=pve-cluster.service
+After=pve-cluster.service
+
+# The web server requires an existing certificate. The service is only
+# activated if an automatic certificate management environment (ACME)
+# has been set up in Promxox.
+ConditionPathExists=/etc/pve/local/pveproxy-ssl.pem
+ConditionPathExists=/etc/pve/local/pveproxy-ssl.key
+
+# When systemd reload the unit listed here, the action is
+# propagated to this unit. This occurs when the certificate is updated.
+ReloadPropagatedFrom=pveproxy.service
+```
+
+> You can edit this file directly for test purposes using the command `sudo systemctl edit nginx`.
 
 ## Versions
 
 The following versions were tested:
 
 ✅ Proxmox VE 7.4-xx
 
+> This project is intended for my home proxmox server and should not be used on production servers.
+
 ## Workspace
 
 Open the workspace file `proxmox.code-workspace` to access the predefined build tasks with Visual Studio Code.
@@ -32,4 +60,4 @@ Predefined build tasks:
 | Task     | Description                                |            Command |
 | -------- | ------------------------------------------ | -----------------: |
 | 🚀 Deploy | Run the main playbook with all tasks.      | `ansible-playbook` |
-| 🧪 Check  | Check the code without making any changes. | `ansible-playbook` |
+| 🧪 Check  | Check the code without making any changes. | `ansible-playbook` |

playbook.yml → main.yml

@@ -15,12 +15,12 @@
             path: /etc/pve/local/pveproxy-ssl.key
           register: cert_key
 
-        - name: Ensure that ACME has been set up
-          ansible.builtin.assert:
-            that:
-              - cert_pem.stat.exists == true
-              - cert_key.stat.exists == true
-            fail_msg: "Certificate was not found, make sure ACME has been set up."
+        # - name: Ensure that ACME has been set up
+        #   ansible.builtin.assert:
+        #     that:
+        #       - cert_pem.stat.exists == true
+        #       - cert_key.stat.exists == true
+        #     fail_msg: "Certificate was not found, make sure ACME has been set up."
 
     - name: Configure repositories
       block:
@@ -38,51 +38,57 @@
             state: present
             update_cache: true
 
-    - name: Template login manager configuration
-      ansible.builtin.template:
-        src: logind.conf.j2
-        dest: /etc/systemd/logind.conf
-        owner: root
-        group: root
-        mode: "0644"
-      notify:
-        - Restart login manager
+    - name: Configure systemd
+      block:
+        - name: Update login manager configuration
+          ansible.builtin.template:
+            src: etc/systemd/logind.conf.j2
+            dest: /etc/systemd/logind.conf
+            owner: root
+            group: root
+            mode: "0644"
+          notify:
+            - Restart login manager
 
     - name: Install nginx
       ansible.builtin.apt:
         name:
           - nginx-light
-        policy_rc_d: 101 # Prevent autostart
+        policy_rc_d: 101  # Prevent autostart
 
-    - name: Configure nginx
+    - name: Configure nginx application
       notify:
         - Stop nginx
       block:
-        - name: Template nginx site
+        - name: Template nginx configuration
+          ansible.builtin.template:
+            src: etc/nginx/nginx.conf.j2
+            dest: /etc/nginx/nginx.conf
+            owner: root
+            group: root
+            mode: "0644"
+            validate: nginx -t -c "%s"
+
+        - name: Template proxmox site
           ansible.builtin.template:
-            src: nginx.proxmox.conf.j2
+            src: etc/nginx/sites-available/proxmox.conf.j2
             dest: /etc/nginx/sites-available/proxmox.conf
             owner: root
             group: root
             mode: "0644"
 
-        - name: Enable nginx site
+        - name: Enable proxmox site
           ansible.builtin.file:
             src: /etc/nginx/sites-available/proxmox.conf
             dest: /etc/nginx/sites-enabled/proxmox.conf
             owner: root
             group: root
             state: link
 
-        - name: Template nginx configuration
-          ansible.builtin.template:
-            src: nginx.conf.j2
-            dest: /etc/nginx/nginx.conf
-            owner: root
-            group: root
-            mode: "0644"
-            validate: nginx -t -c "%s"
-
+    - name: Configure nginx service
+      notify:
+        - Stop nginx
+      block:
         - name: Ensure nginx override folder exists
           ansible.builtin.file:
             path: /etc/systemd/system/nginx.service.d
@@ -91,28 +97,12 @@
 
         - name: Template nginx override configuration
           ansible.builtin.template:
-            src: nginx.service.override.conf.j2
+            src: etc/systemd/system/nginx.service.d/override.conf.j2
             dest: /etc/systemd/system/nginx.service.d/override.conf
             owner: root
             group: root
             mode: "0644"
 
-        - name: Template nginx watcher configuration
-          ansible.builtin.template:
-            src: nginx.watcher.conf.j2
-            dest: /etc/systemd/system/nginx.watcher.conf
-            owner: root
-            group: root
-            mode: "0644"
-
-        - name: Template nginx watcher path
-          ansible.builtin.template:
-            src: nginx.watcher.path.j2
-            dest: /etc/systemd/system/nginx.watcher.path
-            owner: root
-            group: root
-            mode: "0644"
-
     - name: Stop nginx if configuration has changed
       ansible.builtin.meta: flush_handlers
 
@@ -122,16 +112,12 @@
         state: started
         enabled: true
 
-    - name: Ensure watcher is enabled
-      ansible.builtin.service:
-        name: nginx
-        enabled: true
-
   handlers:
     - name: Stop nginx
       ansible.builtin.service:
         name: nginx
         state: stopped
+        daemon_reload: true
 
     - name: Restart login manager
       ansible.builtin.service:

templates/etc/systemd/system/nginx.service.d/override.conf.j2

@@ -0,0 +1,16 @@
+# {{ ansible_managed }}
+
+[Unit]
+# The path /etc/pve/local is only available after this service.
+Requires=pve-cluster.service
+After=pve-cluster.service
+
+# The web server requires an existing certificate. The service is only
+# activated if an automatic certificate management environment (ACME)
+# has been set up in Promxox.
+ConditionPathExists=/etc/pve/local/pveproxy-ssl.pem
+ConditionPathExists=/etc/pve/local/pveproxy-ssl.key
+
+# When systemd reload the unit listed here, the action is
+# propagated to this unit. This occurs when the certificate is updated.
+ReloadPropagatedFrom=pveproxy.service