From 173c1af669e9404b88ed4abf1fc0c2699f611e15 Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Thu, 17 Jul 2025 17:21:04 +0200 Subject: [PATCH 1/2] Docs-change --- .../nginx/templates/vhost_letsencrypt.j2 | 1 + roles/debian/ssl/README.md | 25 ++++++++++++++++--- roles/debian/ssl/defaults/main.yml | 6 ++--- 3 files changed, 24 insertions(+), 8 deletions(-) diff --git a/roles/debian/nginx/templates/vhost_letsencrypt.j2 b/roles/debian/nginx/templates/vhost_letsencrypt.j2 index b66b35b02..fcbbce7c9 100644 --- a/roles/debian/nginx/templates/vhost_letsencrypt.j2 +++ b/roles/debian/nginx/templates/vhost_letsencrypt.j2 @@ -7,6 +7,7 @@ server { listen 80; {% endif %} server_name {{ domain.server_name }}; + root /home/deploy; error_log {{ domain.error_log }} {{ domain.error_log_level }}; access_log {{ domain.access_log }} {{ domain.access_log_format | default('main') }}; # Proxy for certbot (LetsEncrypt) diff --git a/roles/debian/ssl/README.md b/roles/debian/ssl/README.md index 129a9ea0c..1b43cfdc6 100644 --- a/roles/debian/ssl/README.md +++ b/roles/debian/ssl/README.md @@ -22,7 +22,7 @@ location /.well-known/acme-challenge/ { } ``` -If you are using LetsEncrypt handling combined with our `nginx` role and you set `ssl.http_01_port` then it should take care of the proxying, for example: +If you are using LetsEncrypt handling combined with our `nginx` role and you set `ssl.http_01_port` and `ssl.web_server` to `standalone` then it should take care of the proxying, for example: ```yaml nginx: 
@@ -38,13 +38,30 @@ nginx: services: [] web_server: standalone certbot_register_command: "certonly --standalone --agree-tos --preferred-challenges http -n" - certbot_renew_command: "certonly --standalone --agree-tos --force-renew" + on_calendar: "Mon *-*-* 04:00:00" + reload_command: reload + reload: + - nginx +``` +webroot option +```yaml +nginx: + domains: + - # other domain variables here + ssl: + domains: + - "{{ _domain_name }}" + handling: letsencrypt + autorenew: true + email: administrator@example.com + services: [] + web_server: webroot + certbot_register_command: "certonly --standalone --agree-tos --preferred-challenges http -n" + on_calendar: "Mon *-*-* 04:00:00" reload_command: reload reload: - nginx ``` -Variable "on_calendar" is no longer in use since we have 1 general cron to renew all domains - "web_server" can be standalone and webroot, differnce is that webroot wont start webserver to validate SSL, while standalone requires port on which webserver will be running in order to validate cert so we need the "http_01_port" for standalone option As in the example above, you need to include *all* variables required by the `letsencrypt` SSL handler because defaults will not load from the `ssl` role in this context. diff --git a/roles/debian/ssl/defaults/main.yml b/roles/debian/ssl/defaults/main.yml index 9e829468f..201a7eab2 100644 --- a/roles/debian/ssl/defaults/main.yml +++ b/roles/debian/ssl/defaults/main.yml 
@@ -33,12 +33,10 @@ ssl: http_01_port: 80 # you can set a non-standard port to listen on, but certbot still needs port 80 - see https://letsencrypt.org/docs/challenge-types/#http-01-challenge # For "letsencrypt" auto renewal autorenew: false # set to true to create a systemd timer to renew LE certs - certbot_renew_command: "certonly --agree-tos --force-renew" # root of the command used in the systemd timer - # See systemd.time documentation - https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html#Calendar%20Events - on_calendar: "Mon *-*-* 04:00:00" + on_calendar: "Mon *-*-* 04:00:00" # this is still needed to define when the cron will run, and it's needed in each ssl item not to break task web_server: standalone # values are standalone, webroot, nginx or apache - warning, nginx and apache will attempt to manipulate your vhosts! - # webroot unlike standalone, won't start webserver with certain port + # webroot unlike standalone, won't start webserver with certain port, so we can remove http_01_port # For "letsencrypt" handling, a list of service to stop while creating the certificate. # This is because we need port 80 to be free. From 7eff30c228e7c19c66fdb4acbb5a916a9aa9eeac Mon Sep 17 00:00:00 2001 From: Matej Stajduhar Date: Fri, 18 Jul 2025 12:32:59 +0200 Subject: [PATCH 2/2] LE-vhost-root-update --- roles/debian/nginx/templates/vhost_letsencrypt.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/debian/nginx/templates/vhost_letsencrypt.j2 b/roles/debian/nginx/templates/vhost_letsencrypt.j2 index fcbbce7c9..bef81f556 100644 --- a/roles/debian/nginx/templates/vhost_letsencrypt.j2 +++ b/roles/debian/nginx/templates/vhost_letsencrypt.j2 
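Review bot: The new comment on `on_calendar` says the key must be present in every `ssl` item "not to break task", but since renewal is now one shared timer for all domains it does not say which item's schedule wins when they differ, which makes the per-item value look meaningful when it presumably is not; something like `on_calendar: "Mon *-*-* 04:00:00" # required in every ssl item (the renew task reads it); a single shared systemd timer is created, so keep the value identical across items` states the contract. Dropping `certbot_renew_command` from the defaults also means any inventory that still overrides it is silently ignored if the renew task no longer references it, so a one-line deprecation comment near `autorenew` (`# certbot_renew_command is no longer used; renewal is driven by the shared systemd timer`) would save a debugging session. The `# webroot ... so we can remove http_01_port` wording is risky as written: the README in this same series says the `nginx` role keys its certbot proxy vhost on `ssl.http_01_port`, so "remove" should be qualified to "is not needed for the challenge itself" unless that vhost path has been verified to tolerate the key being absent. The enclosing `ssl:` mapping starts before this hunk.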
@@ -7,7 +7,7 @@ server {
 listen 80;
 {% endif %}
 server_name {{ domain.server_name }};
- root /home/deploy;
+ root /tmp;
 error_log {{ domain.error_log }} {{ domain.error_log_level }};
 access_log {{ domain.access_log }} {{ domain.access_log_format | default('main') }};
 # Proxy for certbot (LetsEncrypt)
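Review bot: `root /tmp;` makes a world-writable directory the document root of the plain-HTTP vhost, so any request that is not caught by the certbot proxy `location` that follows would be served out of `/tmp`, and any local user or process that drops a file there could publish it under the site's hostname — unless a later `location /` in this template, outside the hunk, returns or redirects everything else, which this hunk does not show. If `root` is only here because nginx otherwise falls back to its compiled-in html directory, point it at an empty, root-owned directory the role controls, e.g. `root /var/www/letsencrypt;  # empty, root-owned; never a user- or world-writable path`, and add an explicit `location / { return 404; }` fallback so only the ACME path is reachable. The `server` block starts before this hunk and continues after it.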