fix(nginx): prevent cert leak on IPv6 / unknown SNI

Two issues caused TLS to break on photos.carabosse.cloud over IPv6
(GrapheneOS + Immich app via Orange 5G NAT64):

1. Per-service vhosts only listened on IPv4 (listen 443 ssl). On IPv6,
   nginx fell back to the first vhost loaded alphabetically and served
   its certificate, breaking hostname verification on every other vhost.

2. /etc/letsencrypt/{live,archive} were 0700 root:root after certbot
   created them, so the nginx worker (user http on Arch) could not read
   the chained intermediates and served the leaf-only chain.

Changes:
- Add catch-all 00-default.conf default_server on :80 and :443 (v4+v6)
  with a self-signed cert and 'return 444'. ACME challenges still
  answered on :80.
- Add IPv6 listeners ([::]:80 and [::]:443 ssl) to immich, gitea, ntfy,
  uptime_kuma vhosts and to the temporary ACME provisioning vhost.
- Apply 0755 on /etc/letsencrypt/live and /etc/letsencrypt/archive on
  every run, not only at initial cert provisioning.

roles/nginx/README.md

@@ -11,6 +11,22 @@ Installs and configures Nginx as a reverse proxy for web applications with modul
 - SSL/TLS configuration
 - **Native ACME/Let's Encrypt support** (Nginx 1.25.0+)
 - **Transparent proxy forwarding** (HTTP/HTTPS to other hosts)
+- **Catch-all `default_server`** that rejects unknown SNI/Host with `444`
+
+## Catch-all default_server
+
+A `00-default.conf` vhost is deployed and marked `default_server` on both
+ports 80 and 443. It uses a self-signed cert (`/etc/nginx/ssl/default.crt`)
+and returns `444` (close connection) for any request whose SNI/Host does
+not match an explicit vhost. ACME HTTP-01 challenges (`/.well-known/acme-challenge/`)
+are still answered on port 80 so Certbot keeps working for new hostnames.
+
+Without this, clients hitting the server IP directly (or doing HTTP/2
+connection coalescing across vhosts sharing the same IP) would receive the
+certificate of the first vhost loaded alphabetically, leaking that
+hostname and breaking TLS verification on other vhosts.
+
+Disable with `nginx_default_server_enabled: false`.
 
 ## Service Integration Pattern
 

roles/nginx/defaults/main.yml

@@ -17,6 +17,12 @@ nginx_client_max_body_size: 100M
 # SSL configuration (volontarily omit TLSv1.2 here)
 nginx_ssl_protocols: TLSv1.3
 
+# Catch-all default_server (rejects unknown SNI / Host with 444).
+# Prevents leaking the first-loaded vhost's cert to unrelated requests.
+nginx_default_server_enabled: true
+nginx_default_ssl_cert: /etc/nginx/ssl/default.crt
+nginx_default_ssl_key: /etc/nginx/ssl/default.key
+
 # Logging configuration
 # Backend: 'file' (traditional /var/log/nginx/*.log) or 'journald' (systemd journal)
 nginx_log_backend: journald

roles/nginx/tasks/certbot.yml

@@ -29,6 +29,16 @@
     path: "/etc/letsencrypt/live/{{ certbot_hostname }}/fullchain.pem"
   register: certbot_cert_file
 
+- name: Ensure letsencrypt directories are traversable by nginx
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0755"
+  loop:
+    - /etc/letsencrypt/live
+    - /etc/letsencrypt/archive
+  when: certbot_cert_file.stat.exists
+
 - name: Provision certificate for {{ certbot_hostname }}
   when: not certbot_cert_file.stat.exists
   block:

roles/nginx/tasks/main.yml

@@ -78,6 +78,49 @@
     group: root
     mode: "0755"
 
+- name: Configure catch-all default_server
+  when: nginx_default_server_enabled
+  block:
+    - name: Ensure nginx ssl directory exists
+      ansible.builtin.file:
+        path: "{{ nginx_default_ssl_cert | dirname }}"
+        state: directory
+        owner: root
+        group: root
+        mode: "0755"
+
+    - name: Generate self-signed cert for default_server
+      ansible.builtin.command:
+        cmd: >-
+          openssl req -x509 -nodes -newkey rsa:2048
+          -keyout {{ nginx_default_ssl_key }}
+          -out {{ nginx_default_ssl_cert }}
+          -days 3650 -subj "/CN=default"
+        creates: "{{ nginx_default_ssl_cert }}"
+
+    - name: Restrict permissions on default_server key
+      ansible.builtin.file:
+        path: "{{ nginx_default_ssl_key }}"
+        owner: root
+        group: root
+        mode: "0600"
+
+    - name: Deploy default_server vhost
+      ansible.builtin.template:
+        src: default-server.conf.j2
+        dest: "{{ nginx_conf_dir }}/00-default.conf"
+        owner: root
+        group: root
+        mode: "0644"
+      notify: Reload nginx
+
+- name: Remove default_server vhost when disabled
+  ansible.builtin.file:
+    path: "{{ nginx_conf_dir }}/00-default.conf"
+    state: absent
+  when: not nginx_default_server_enabled
+  notify: Reload nginx
+
 - name: Ensure Certbot webroot directory exists
   ansible.builtin.file:
     path: /var/www/certbot

roles/nginx/templates/default-server.conf.j2

@@ -0,0 +1,35 @@
+# Catch-all default_server vhosts
+# Managed by Ansible - DO NOT EDIT MANUALLY
+#
+# Purpose: reject any request whose Host/SNI does not match an explicit
+# server_name. Without this, the first vhost loaded alphabetically would
+# leak its certificate to unrelated SNI requests (e.g. clients doing
+# HTTP/2 connection coalescing or hitting the IP directly).
+#
+# `return 444` closes the connection without sending an HTTP response.
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name _;
+
+    # Keep ACME HTTP-01 challenges working for any hostname
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 444;
+    }
+}
+
+server {
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+    server_name _;
+
+    ssl_certificate {{ nginx_default_ssl_cert }};
+    ssl_certificate_key {{ nginx_default_ssl_key }};
+
+    return 444;
+}

roles/nginx/templates/vhost-http-acme.conf.j2

@@ -3,6 +3,7 @@
 
 server {
     listen 80;
+    listen [::]:80;
     server_name {{ certbot_hostname }};
 
     location /.well-known/acme-challenge/ {