From 5b08c3fb96e54e0ae8ae1d650658b27dcdfd78de Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Tue, 8 Aug 2023 00:42:56 +0200
Subject: make acmetool cert role more generic (WIP - needs more testing)
---
roles/nginx/vhost/tasks/acme.yml | 44 ----------------------------------------
roles/nginx/vhost/tasks/main.yml | 19 ++++++++++++++++-
2 files changed, 18 insertions(+), 45 deletions(-)
delete mode 100644 roles/nginx/vhost/tasks/acme.yml
(limited to 'roles/nginx/vhost/tasks')
diff --git a/roles/nginx/vhost/tasks/acme.yml b/roles/nginx/vhost/tasks/acme.yml
deleted file mode 100644
index 8a6cddb7..00000000
--- a/roles/nginx/vhost/tasks/acme.yml
+++ /dev/null
@@ -1,44 +0,0 @@
----
-- name: check if acme certs already exist
- loop: "{{ nginx_vhost.hostnames }}"
- loop_control:
- loop_var: acme_hostname
- stat:
- path: "/var/lib/acme/live/{{ acme_hostname }}"
- register: acme_cert_stat
-
-- name: set acmecert_missing_hostnames variable
- set_fact:
- acmecert_missing_hostnames: "{{ acme_cert_stat.results | acme_cert_nonexistent(nginx_vhost.hostnames) }}"
-
-- name: link nonexistent hostnames to self-signed interim cert
- when: acmecert_missing_hostnames | length > 0
- block:
- - name: get id of existing selfsigned interim certificate
- command: cat /var/lib/acme/.selfsigned-interim-cert
- changed_when: false
- check_mode: false
- register: selfsigned_interim_cert_id
-
- - name: set selfsigned_interim_cert_id variable
- set_fact:
- selfsigned_interim_cert_id: "{{ selfsigned_interim_cert_id.stdout }}"
-
- - name: link to snakeoil cert for nonexistent hostnames
- loop: "{{ acmecert_missing_hostnames }}"
- loop_control:
- loop_var: acme_missing_hostname
- file:
- src: "../certs/{{ selfsigned_interim_cert_id }}"
- dest: "/var/lib/acme/live/{{ acme_missing_hostname }}"
- state: link
-
-- name: make sure nginx config has been (re)loaded
- meta: flush_handlers
-
-- name: get certificate using acmetool
- import_role:
- name: x509/acmetool/cert
- vars:
- acmetool_cert_name: "{{ nginx_vhost.name }}"
- acmetool_cert_hostnames: "{{ nginx_vhost.hostnames }}"
diff --git a/roles/nginx/vhost/tasks/main.yml b/roles/nginx/vhost/tasks/main.yml
index 1b5e3392..424c86a0 100644
--- a/roles/nginx/vhost/tasks/main.yml
+++ b/roles/nginx/vhost/tasks/main.yml
@@ -1,4 +1,12 @@
 ---
+- name: ensure certificate exists (fake it, until you make it)
+ when: "'acme' in nginx_vhost and nginx_vhost.acme"
+ import_role:
+ name: x509/acmetool/cert/prepare
+ vars:
+ acmetool_cert_name: "{{ nginx_vhost.name }}"
+ acmetool_cert_hostnames: "{{ nginx_vhost.hostnames }}"
+
 - name: install nginx configs from template
 when: "'template' in nginx_vhost"
 template:
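Review bot: The new `ensure certificate exists` task in main.yml carries no comment explaining why an `x509/acmetool/cert/prepare` import now has to run before the vhost config is installed, and the same `when` expression and two-entry `vars` mapping are repeated verbatim in the `generate acme certificate` block of the next hunk. Judging by the deleted acme.yml, prepare presumably links hostnames without a certificate to a self-signed interim one so nginx can start with a cert file present; the role itself is not in this diff, so that should be confirmed and stated above the task, e.g. `# prepare must run before the vhost config lands: nginx needs a (possibly interim) certificate file to start; finalize at the end of this file requests the real one`. `when: nginx_vhost.acme | default(false)` would read more directly than `'acme' in nginx_vhost and nginx_vhost.acme` and behaves the same when the key is absent or holds a boolean. The trailing context lines belong to the `install nginx configs from template` task, whose body continues outside the hunk.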
@@ -24,4 +32,13 @@
 - name: generate acme certificate
 when: "'acme' in nginx_vhost and nginx_vhost.acme"
- include_tasks: acme.yml
+ block:
+ - name: make sure nginx config has been (re)loaded
+ meta: flush_handlers
+
+ - name: actually request the certificate
+ import_role:
+ name: x509/acmetool/cert/finalize
+ vars:
+ acmetool_cert_name: "{{ nginx_vhost.name }}"
+ acmetool_cert_hostnames: "{{ nginx_vhost.hostnames }}"
-- cgit v1.2.3
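Review bot: The `generate acme certificate` block says nothing about why `meta: flush_handlers` must precede the `x509/acmetool/cert/finalize` import, so a later reordering would silently break the certificate request. The intent appears to be that the nginx reload handler notified by the template task has fired and the vhost is serving before the ACME challenge is attempted; a comment such as `# reload nginx now: the vhost must be live before the ACME challenge is served` above the meta task would pin that. If finalize fails, the interim self-signed link that prepare presumably created (inferred from the deleted acme.yml; the role is not in this diff) stays in place and the vhost keeps serving a self-signed certificate, so a failure here must surface rather than be rescued or ignored. The block is the last task visible here; whether anything follows it in main.yml is outside the hunk.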