From d5a03479af3b5d443bb130be4dab2de097b7516b Mon Sep 17 00:00:00 2001
From: Fritz Grimpen
Date: Tue, 2 Feb 2021 21:49:20 +0000
Subject: [PATCH] New certbot role covering standalone and webroot setups
---
 host_vars/wiki.emma.ccchb.de.yml | 6 ++++++
 roles/certbot/defaults/main.yml | 11 +++++++++++
 roles/certbot/tasks/main.yml | 22 ++++++++++++++++++++++
 roles/certbot/tasks/obtain_standalone.yml | 4 ++++
 roles/certbot/tasks/obtain_webroot.yml | 4 ++++
 roles/certbot/templates/certbot.conf.j2 | 4 ++++
 wiki.yml | 1 +
 7 files changed, 52 insertions(+)
 create mode 100644 roles/certbot/defaults/main.yml
 create mode 100644 roles/certbot/tasks/main.yml
 create mode 100644 roles/certbot/tasks/obtain_standalone.yml
 create mode 100644 roles/certbot/tasks/obtain_webroot.yml
 create mode 100644 roles/certbot/templates/certbot.conf.j2
diff --git a/host_vars/wiki.emma.ccchb.de.yml b/host_vars/wiki.emma.ccchb.de.yml
index 5ee9594..05f727a 100644
--- a/host_vars/wiki.emma.ccchb.de.yml
+++ b/host_vars/wiki.emma.ccchb.de.yml
@@ -10,3 +10,9 @@ user_mgmt:
 fritz:
 state: present
 groups: sudo
+
+certbot_certs:
+ - [ "wiki.ccchb.de" ]
+ - [ "ccchb.de", "www.ccchb.de" ]
+ - [ "files.ccchb.de" ]
+
diff --git a/roles/certbot/defaults/main.yml b/roles/certbot/defaults/main.yml
new file mode 100644
index 0000000..60a15ba
--- /dev/null
+++ b/roles/certbot/defaults/main.yml
@@ -0,0 +1,11 @@
+---
+certbot_admin_email: hostmaster@ccchb.de
+
+certbot_package: letsencrypt
+
+certbot_method: webroot
+certbot_webroot: /var/www/html
+
+certbot_certs: []
+
+certbot_renew: true
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
new file mode 100644
index 0000000..506227c
--- /dev/null
+++ b/roles/certbot/tasks/main.yml
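Review bot: `certbot_renew: true` is declared in this hunk but nothing in the role reads it — the `Enable certbot timer.` task in tasks/main.yml runs unconditionally — so the knob is dead and a user setting it to `false` gets renewals anyway. Either wire it up as `when: certbot_renew` on that systemd task or drop the default. Separately, `certbot_package: letsencrypt` is, as far as I know, only a transitional alias for `certbot` on current Debian/Ubuntu; `certbot_package: certbot` would not depend on that alias surviving the next release.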
@@ -0,0 +1,22 @@
+---
+- name: Enable certbot timer.
+ systemd:
+ name: certbot.timer
+ enabled: yes
+
+- name: Install certbot.
+ package:
+ name: "{{ certbot_package }}"
+ state: present
+
+- name: Check for presence of certificates.
+ stat:
+ path: "/etc/letsencrypt/live/{{ item | first | replace(\"*.\", \"\") }}/cert.pem"
+ register: certs_presence
+ loop: "{{ certbot_certs }}"
+
+- name: Obtain certificates.
+ include_tasks: 'obtain_{{ certbot_method }}.yml'
+ when: not item.stat.exists
+ loop: "{{ certs_presence.results }}"
+...
diff --git a/roles/certbot/tasks/obtain_standalone.yml b/roles/certbot/tasks/obtain_standalone.yml
new file mode 100644
index 0000000..fd863ed
--- /dev/null
+++ b/roles/certbot/tasks/obtain_standalone.yml
@@ -0,0 +1,4 @@
+---
+- name: "Obtain certificate for {{ item.item | join(',') }}"
+ command: "certbot certonly --agree-tos -m {{ certbot_admin_email | quote }} -d {{ item.item | join(',') }} --standalone"
+...
diff --git a/roles/certbot/tasks/obtain_webroot.yml b/roles/certbot/tasks/obtain_webroot.yml
new file mode 100644
index 0000000..13ec4ff
--- /dev/null
+++ b/roles/certbot/tasks/obtain_webroot.yml
@@ -0,0 +1,4 @@
+---
+- name: "Obtain certificate for {{ item.item | join(',') }}"
+ command: "certbot certonly --agree-tos -m {{ certbot_admin_email | quote }} -d {{ item.item | join(',') }} --webroot -w {{ certbot_webroot | quote }}"
+...
diff --git a/roles/certbot/templates/certbot.conf.j2 b/roles/certbot/templates/certbot.conf.j2
new file mode 100644
index 0000000..6c3cc87
--- /dev/null
+++ b/roles/certbot/templates/certbot.conf.j2
@@ -0,0 +1,4 @@
+location /.well-known/acme-challenge/ {
+ alias {{ certbot_webroot }}/.well-known/acme-challenge/;
+ allow all;
+}
diff --git a/wiki.yml b/wiki.yml
index cf0244f..a42dc86 100644
--- a/wiki.yml
+++ b/wiki.yml
@@ -4,3 +4,4 @@
 become: yes
 roles:
 - mediawiki
+ - certbot
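Review bot: `Enable certbot timer.` runs before `Install certbot.`, so on a fresh host `certbot.timer` does not exist yet and the systemd task fails on first run; move the timer task below the package task, and write `enabled: true` rather than `yes` while there. The presence check keys only on `/etc/letsencrypt/live/<first domain>/cert.pem`: if certbot names the lineage differently (it appends `-0001` when the first name is already covered by another lineage) the role re-issues on every run and will hit Let's Encrypt rate limits, and a changed SAN list is never picked up at all. Passing `--cert-name {{ item.item | first | replace("*.", "") | quote }}` in the obtain tasks pins the directory name to what this stat expects; SAN changes would additionally need `--expand` or a comparison against the issued cert's SANs. The `*.` stripping suggests wildcard names are anticipated, but neither obtain method can issue them — Let's Encrypt issues wildcards only via dns-01, which the role does not support.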
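Review bot: The `certbot certonly` command carries no `--non-interactive`/`--no-eff-email`, so when certbot wants an answer it does not have (the EFF mailing-list question is the usual one after `-m`) it tries to prompt and the task hangs or dies with an unhelpful error rather than failing fast; add `--non-interactive --no-eff-email` right after `certonly`. `--standalone` binds port 80 itself, so issuance fails if a web server is already listening there (this play also applies the `mediawiki` role to the same host), and every later renewal by `certbot.timer` reuses the standalone authenticator recorded in the renewal config and fails the same way — renewals need `--pre-hook`/`--post-hook` to stop and start the web server, or webroot should be used whenever one is present. `-d {{ item.item | join(',') }}` is not `| quote`d while the e-mail is; `command:` does not invoke a shell, but quoting keeps word splitting predictable if a malformed entry ever reaches the list.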
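Review bot: Nothing reloads the web server after issuance or renewal — `certbot.timer` will drop a fresh key pair under `/etc/letsencrypt/live/...`, but the daemon keeps serving the certificate it loaded at start, which eventually means serving an expired one; add a `--deploy-hook` such as `--deploy-hook 'systemctl reload {{ certbot_webserver_service | quote }}'` with the service name as a role default, since certbot persists the hook into the renewal config. Like the standalone variant, this command lacks `--non-interactive --no-eff-email`. The webroot method also relies on something serving `{{ certbot_webroot }}/.well-known/acme-challenge/` over plain HTTP; the role ships `certbot.conf.j2` for that purpose but never installs it, so with the default `certbot_method: webroot` the http-01 validation 404s unless another role already exposes that path.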
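Review bot: This template is not referenced by any task in the role — tasks/main.yml has no `template:` task — so the snippet is dead code until something installs it; add a task guarded by `when: certbot_method == 'webroot'` that renders it into the server's snippet directory and notifies a reload, or drop the file. The directives are nginx-specific while the rest of the role is server-agnostic, so naming it `nginx-acme.conf.j2` and stating the supported server in the defaults would save the next person a surprise. `{{ certbot_webroot }}` is interpolated unquoted into the `alias` path; that is fine for the default `/var/www/html` but breaks for any path containing whitespace, so `alias "{{ certbot_webroot }}/.well-known/acme-challenge/";` is safer.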
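Review bot: `certbot` is appended after `mediawiki`, so on a first run the web server is configured before any certificate exists; if the mediawiki role's vhost already points its TLS directives at `/etc/letsencrypt/live/...` the server will refuse to start and the webroot challenge can never be served — I cannot see that role here, so please confirm. If that is the case, either run certbot first with the standalone method while no web server is listening, or have mediawiki install a plain-HTTP bootstrap vhost and switch to TLS only once the certificate is present.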