3 changed files with 69 additions and 13 deletions
--- a/README.MD
+++ b/README.MD
@ -38,11 +38,58 @@ nginx_vhosts:
      - 'fastcgi_pass unix:{{ pool_listen }};'
    state: 'enable'
    letsencrypt: 'false'
-```
+  
+  # Selfsigned cert example:
+   - name: 'privatebin.example.com'
+     template: 'privatebin'
+     proto: 'https'
+     listen: '443'
+     root: 'privatebin'
+     index: 'index.php'
+     ssl_name: 'bin.example.com'
+     selfsigned: 'true'
+     use_access_log: 'false'
+     use_error_log: 'true'
+     nginx_error_log_level: 'warn'
+     upstream_params:
+       - 'fastcgi_pass unix:{{ pool_listen }};'
+       - 'fastcgi_index index.php;'
+       - 'fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;'
+     header_xframe: 'none'
+     header_cto: 'none'
+     file_cache:
+       - cache: 'max=1000 inactive=20s'
+         valid: '30s'
+         min_users: '2'
+         cache_errors: 'on'
+     state: 'enable'
+     letsencrypt: 'false'

-## Changelog
- **04.03.2021** - Modyfied header info for proxy (locations), and core templates
- **26.01.2021** - Rewritten templates structure
- **02.12.2020** - conversejs template
- **14.12.2019** - Start changelog
- **14.12.2019** - Updated hubzilla,privatebin, framadate template
+  # Selfsigned wildcard cert example:
+   - name: 'privatebin.example.com'
+     template: 'privatebin'
+     proto: 'https'
+     listen: '443'
+     root: 'privatebin'
+     index: 'index.php'
+     wildcard: 'true' #enable wildcard
+     ssl_name: 'wildcard.example.com' #specify direcotry name for wildcard cert
+     domain_name: 'example.com' #domain name to create the cert for: *.example.com
+     selfsigned: 'true'
+     use_access_log: 'false'
+     use_error_log: 'true'
+     nginx_error_log_level: 'warn'
+     upstream_params:
+       - 'fastcgi_pass unix:{{ pool_listen }};'
+       - 'fastcgi_index index.php;'
+       - 'fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;'
+     header_xframe: 'none'
+     header_cto: 'none'
+     file_cache:
+       - cache: 'max=1000 inactive=20s'
+         valid: '30s'
+         min_users: '2'
+         cache_errors: 'on'
+     state: 'enable'
+     letsencrypt: 'false'
+```
--- a/tasks/ssl.yml
+++ b/tasks/ssl.yml
@ -76,7 +76,7 @@
    state: directory
    mode: 0755
  with_items: "{{ nginx_vhosts }}"
-  when: item.selfsigned is defined and item.selfsigned == 'true'
+  when: item.selfsigned is defined and item.selfsigned == 'true' 
  notify: reload nginx

 - name: '[SELFSIGNED] - Create a self-signed key'
@ -85,15 +85,25 @@
    size: 2048
    type: RSA
  with_items: "{{ nginx_vhosts }}"
-  when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true'
+  when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true' 
  notify: reload nginx

 - name: '[SELFSIGNED] - Generate OpenSSL Certificate Signing Request (CSR)'
  openssl_csr:
-    path:  '{{ ssl_src_path }}/{{ item.ssl_name }}/selfsigned.crs'
+    path: '{{ ssl_src_path }}/{{ item.ssl_name }}/selfsigned.crs'
    privatekey_path:  '{{ ssl_src_path }}/{{ item.ssl_name }}/privkey.pem'
  with_items: "{{ nginx_vhosts }}"
-  when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true'
+  when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true'  and (item.wildcard is not defined or item.wildcard != 'true')
+  notify: reload nginx
+
+- name: '[SELFSIGNED] - Generate OpenSSL Certificate Signing Request (CSR) for wildcard'
+  openssl_csr:
+    path:  '{{ ssl_src_path }}/{{ item.ssl_name }}/selfsigned.crs'
+    privatekey_path:  '{{ ssl_src_path }}/{{ item.ssl_name }}/privkey.pem'
+    common_name: "*.{{ item.domain_name }}"
+    subject_alt_name: "DNS:*.{{ item.domain_name }}"
+  with_items: "{{ nginx_vhosts }}"
+  when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true' and item.wildcard is defined and item.wildcard == 'true'
  notify: reload nginx

 - name: '[SELFSIGNED] - Create a self-signed certificate'
@ -105,3 +115,4 @@
  with_items: "{{ nginx_vhosts }}"
  when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true'
  notify: reload nginx
+
--- a/templates/etc/nginx/sites-available/core.j2
+++ b/templates/etc/nginx/sites-available/core.j2
@ -20,10 +20,8 @@ server {
 {% endif %}
 {% if item.proto == 'https' %}
  listen {{ item.listen }} ssl {% if item.http2 is defined %}http2{% endif %};
-
  ssl_certificate {{ nginx_ssl_dir + '/' + item.ssl_name + '/' + 'fullchain.pem' + ';' }}
  ssl_certificate_key {{ nginx_ssl_dir + '/' + item.ssl_name + '/' + 'privkey.pem;' }}
-
 {% endif %}
  server_tokens off;
 {% if item.max_upload is defined %}