rewrite lego role

roles/webserver/meta/main.yml

@@ -1,5 +1,14 @@
 ---
 dependencies:
+  - role: lego
+    vars:
+      lego_certificate_domains:
+        - cn: "{{ webserver_domain }}"
+          sans: ["*.{{ webserver_domain }}"]
+      lego_certificate_destination:
+        path: "{{ webserver_nginx_cert_path }}"
+      lego_services_reload:
+        name: nginx
   - role: rclone
   - role: nginx
   - role: nginx_exporter

roles/webserver/tasks/nginx.yml

@@ -7,10 +7,10 @@
     mode: "0644"
   loop:
     - {src: "nginx.conf.j2", dest: "/etc/nginx/nginx.conf"}
-    - {src: "cert.conf.j2", dest: "/etc/nginx/global/cert.conf"}
+    - {src: "cert.conf.j2", dest: "/etc/nginx/snippets/cert.conf"}
     - {src: "header.conf.j2", dest: "/etc/nginx/global/header.conf"}
     - {src: "proxy.conf.j2", dest: "/etc/nginx/global/proxy.conf"}
-    - {src: "php_optimization.j2", dest: "/etc/nginx/global/php_optimization"}
+    - {src: "php_optimization.j2", dest: "/etc/nginx/snippets/php_optimization.conf"}
   notify: Reload nginx
 
 - name: Copy virtual server configs
@@ -21,26 +21,6 @@
   with_fileglob: "../templates/conf.d/*.j2"
   notify: Reload nginx
 
-## Certificates
-
-- name: Create Certificate directory
-  file:
-    path: "{{ webserver_nginx_cert_path }}"
-    state: directory
-    mode: "0755"
-
-- name: "Copy SSL certificates for {{ webserver_domain }}"
-  copy:
-    remote_src: true
-    # make sure that ssl certs are available
-    src: "{{ lego_config_dir }}/certificates/{{ webserver_domain }}.{{ item }}"
-    dest: "{{ webserver_nginx_cert_path }}/{{ webserver_domain }}.{{ item }}"
-    owner: root
-    group: root
-    mode: "0600"
-  loop: [crt, key, issuer.crt]
-  notify: Reload nginx
-
 - name: Create nginx.service.d directory
   file:
     path: /etc/systemd/system/nginx.service.d

roles/webserver/templates/conf.d/cloud.conf.j2

@@ -28,7 +28,7 @@ server {
     http2 on;
 
     server_name {{ nextcloud_domain_name }} www.{{ nextcloud_domain_name }};
-    include global/cert.conf;
+    include snippets/cert.conf;
 
     # Path to the root of your installation
     root {{ nextcloud_dir }};
@@ -83,7 +83,7 @@ server {
     # only for Nextcloud like below:
     include mime.types;
     types {
-        text/javascript js mjs;
+        text/javascript mjs;
 	application/wasm wasm;
     }
 
@@ -141,7 +141,7 @@ server {
     # to the URI, resulting in a HTTP 500 error response.
     location ~ \.php(?:$|/) {
         # Required for legacy support
-        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
 
         fastcgi_split_path_info ^(.+?\.php)(/.*)$;
         set $path_info $fastcgi_path_info;
@@ -164,7 +164,7 @@ server {
     }
 
     # Serve static files
-    location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
+    location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
         try_files $uri /index.php$request_uri;
         # HTTP response headers borrowed from Nextcloud `.htaccess`
         add_header Cache-Control                     "public, max-age=15778463$asset_immutable";
@@ -177,7 +177,7 @@ server {
         access_log off;     # Optional: Don't log access to assets
     }
 
-    location ~ \.woff2?$ {
+    location ~ \.(otf|woff2?)$ {
         try_files $uri /index.php$request_uri;
         expires 7d;         # Cache-Control policy borrowed from `.htaccess`
         access_log off;     # Optional: Don't log access to assets

roles/webserver/templates/conf.d/twirling.conf.j2

@@ -21,7 +21,7 @@ server {
     quic_gso on;
 
     server_name {{ webserver_domain }} www.{{ webserver_domain }};
-    include global/cert.conf;
+    include snippets/cert.conf;
     include global/header.conf;
 
     # Path to the root of your installation