From 9d08db6ae365b5e6f409409a8eafea6fb8deaa76 Mon Sep 17 00:00:00 2001
From: "flyingscorpio@clevo"
Date: Fri, 20 Jan 2023 22:45:03 +0100
Subject: [PATCH] Move certificate creation for tunuifranken.info to generic role
---
 .../tasks/main.yml} | 82 +++++++++----------
 .../templates/renewal.conf.j2 | 10 +++
 .../files/renewal/tunuifranken.info.conf | 10 ---
 roles/tunuifranken/tasks/main.yml | 9 +-
 4 files changed, 57 insertions(+), 54 deletions(-)
 rename roles/{tunuifranken/tasks/letsencrypt.yml => deploy_certificate/tasks/main.yml} (56%)
 create mode 100644 roles/deploy_certificate/templates/renewal.conf.j2
 delete mode 100644 roles/tunuifranken/files/renewal/tunuifranken.info.conf
diff --git a/roles/tunuifranken/tasks/letsencrypt.yml b/roles/deploy_certificate/tasks/main.yml
similarity index 56%
rename from roles/tunuifranken/tasks/letsencrypt.yml
rename to roles/deploy_certificate/tasks/main.yml
index fbaea07..9d0a867 100644
--- a/roles/tunuifranken/tasks/letsencrypt.yml
+++ b/roles/deploy_certificate/tasks/main.yml
@@ -1,13 +1,13 @@ --- -- name: Get public IP +- name: Get local public IP ansible.builtin.uri: url: https://ipinfo.io/ip return_content: true register: local_public_ip -- name: Get tunuifranken.info public IP +- name: Get public IP of "{{ domain }}" ansible.builtin.set_fact: - target_public_ip: "{{ lookup('community.general.dig', 'tunuifranken.info', '@1.1.1.1') }}" + target_public_ip: "{{ lookup('community.general.dig', domain, '@1.1.1.1') }}" - name: Create needed directories become: true
@@ -20,9 +20,9 @@ with_items: - /etc/letsencrypt/renewal - /etc/letsencrypt/archive - - /etc/letsencrypt/archive/tunuifranken.info + - "/etc/letsencrypt/archive/{{ domain }}" - /etc/letsencrypt/live - - /etc/letsencrypt/live/tunuifranken.info + - "/etc/letsencrypt/live/{{ domain }}" - name: Add webroot configuration for letsencrypt become: true
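Review bot: The generic role's first task consumes `domain` without any check that the caller actually set it, so a missing or empty value would only surface as a templating error inside the `dig` lookup or, later, as a bare `/etc/letsencrypt/archive/` path. Add a guard before `Get local public IP`, for example `- name: Check that domain is set` / `ansible.builtin.assert:` / `that: domain is defined and domain | length > 0`, or declare `domain` together with `gandi_livedns_api_key` (which the dns-01 tasks read from the caller's vault) in the role's `meta/argument_specs.yml` so both inputs are explicit. The comparison between `local_public_ip` and `target_public_ip` that presumably selects the challenge type is outside this hunk, so I cannot tell how a lookup failure or a mismatch is handled.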
@@ -30,11 +30,11 @@ path: /etc/letsencrypt/cli.ini line: webroot-path = /var/www/acme -- name: Create renewal configuration for tunuifranken.info +- name: Create renewal configuration for "{{ domain }}" become: true - ansible.builtin.copy: - src: renewal/tunuifranken.info.conf - dest: /etc/letsencrypt/renewal/tunuifranken.info.conf + ansible.builtin.template: + src: renewal.conf.j2 + dest: "/etc/letsencrypt/renewal/{{ domain }}.conf" mode: 0644 - name: Create private key for account @@ -45,14 +45,14 @@ - name: Create private key for challenge become: true community.crypto.openssl_privatekey: - path: /etc/letsencrypt/archive/tunuifranken.info/privkey1.pem + path: "/etc/letsencrypt/archive/{{ domain }}/privkey1.pem" register: challenge_privkey - name: Create csr for letsencrypt become: true community.crypto.openssl_csr_pipe: - privatekey_path: /etc/letsencrypt/archive/tunuifranken.info/privkey1.pem - common_name: tunuifranken.info + privatekey_path: "/etc/letsencrypt/archive/{{ domain }}/privkey1.pem" + common_name: "{{ domain }}" register: csr changed_when: challenge_privkey is changed 
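Review bot: `Create csr for letsencrypt` in the second hunk now builds the CSR from `common_name: "{{ domain }}"` alone; that is only sufficient because `community.crypto.openssl_csr_pipe` copies the common name into the SAN when `subject_alt_name` is not given (`use_common_name_for_san` defaults to true), and CAs validate the SAN rather than the CN. Record that assumption with a comment such as `# SAN is derived from common_name via use_common_name_for_san; set subject_alt_name when more than one name is needed`, or set `subject_alt_name: "DNS:{{ domain }}"` explicitly so the CSR does not depend on a module default. The `Create private key for account` task that the first hunk ends on continues outside the hunk, so its `return_content`/`mode` settings could not be reviewed here.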
@@ -69,16 +69,16 @@ terms_agreed: true csr_content: "{{ csr.csr }}" challenge: http-01 - dest: /etc/letsencrypt/archive/tunuifranken.info/cert1.pem - chain_dest: /etc/letsencrypt/archive/tunuifranken.info/chain1.pem - fullchain_dest: /etc/letsencrypt/archive/tunuifranken.info/fullchain1.pem + dest: "/etc/letsencrypt/archive/{{ domain }}/cert1.pem" + chain_dest: "/etc/letsencrypt/archive/{{ domain }}/chain1.pem" + fullchain_dest: "/etc/letsencrypt/archive/{{ domain }}/fullchain1.pem" register: letsencrypt_challenge - name: Copy http-01 resource ansible.builtin.copy: - dest: "/var/www/acme/{{ letsencrypt_challenge['challenge_data']['tunuifranken.info']['http-01']['resource'] }}" - content: "{{ letsencrypt_challenge['challenge_data']['tunuifranken.info']['http-01']['resource_value'] }}" + dest: "/var/www/acme/{{ letsencrypt_challenge['challenge_data'][domain]['http-01']['resource'] }}" + content: "{{ letsencrypt_challenge['challenge_data'][domain]['http-01']['resource_value'] }}" mode: 0644 - when: letsencrypt_challenge is changed and 'tunuifranken.info' in letsencrypt_challenge.challenge_data + when: letsencrypt_challenge is changed and domain in letsencrypt_challenge.challenge_data - name: Validate the challenge and get the cert community.crypto.acme_certificate: acme_version: 2 
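Review bot: `Copy http-01 resource` writes into `/var/www/acme/...` without `become: true`, unlike every other task in this file that touches the filesystem, so unless that webroot is writable by the connecting user the copy fails after the challenge has already been created with the CA. The same applies to `Remove the http-01 resource` in the next hunk. Either add `become: true` to both tasks, or put a comment above the copy task stating that `/var/www/acme` is expected to be owned by the unprivileged user so the omission reads as intentional. The `Do http-01 challenge` task this hunk belongs to starts outside the hunk.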
@@ -87,16 +87,16 @@ account_key_content: "{{ account_privkey.privatekey }}" csr_content: "{{ csr.csr }}" challenge: http-01 - dest: /etc/letsencrypt/archive/tunuifranken.info/cert1.pem - chain_dest: /etc/letsencrypt/archive/tunuifranken.info/chain1.pem - fullchain_dest: /etc/letsencrypt/archive/tunuifranken.info/fullchain1.pem + dest: "/etc/letsencrypt/archive/{{ domain }}/cert1.pem" + chain_dest: "/etc/letsencrypt/archive/{{ domain }}/chain1.pem" + fullchain_dest: "/etc/letsencrypt/archive/{{ domain }}/fullchain1.pem" data: "{{ letsencrypt_challenge }}" - when: letsencrypt_challenge is changed and 'tunuifranken.info' in letsencrypt_challenge.challenge_data + when: letsencrypt_challenge is changed and domain in letsencrypt_challenge.challenge_data - name: Remove the http-01 resource ansible.builtin.file: - path: "/var/www/acme/{{ letsencrypt_challenge['challenge_data']['tunuifranken.info']['http-01']['resource'] }}" + path: "/var/www/acme/{{ letsencrypt_challenge['challenge_data'][domain]['http-01']['resource'] }}" state: absent - when: letsencrypt_challenge is changed and 'tunuifranken.info' in letsencrypt_challenge.challenge_data + when: letsencrypt_challenge is changed and domain in letsencrypt_challenge.challenge_data - name: Do dns-01 challenge become: true 
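Review bot: `Remove the http-01 resource` only runs if every preceding task succeeds, so a failed `Validate the challenge and get the cert` leaves the challenge file in the webroot, and the matching `Remove dns-01 record` in the `@@ -138` hunk leaves the dns-01 TXT record published; neither is secret, but the leftovers accumulate across failed runs and obscure which run created them. Wrap each challenge sequence, from `Do http-01 challenge` / `Do dns-01 challenge` through its validation task, in a `block:` and move the removal task under `always:` so cleanup also runs on failure; the `when:` guard can stay on the removal task unchanged. Both sequences start outside this hunk.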
@@ -111,25 +111,25 @@ terms_agreed: true csr_content: "{{ csr.csr }}" challenge: dns-01 - dest: /etc/letsencrypt/archive/tunuifranken.info/cert1.pem - chain_dest: /etc/letsencrypt/archive/tunuifranken.info/chain1.pem - fullchain_dest: /etc/letsencrypt/archive/tunuifranken.info/fullchain1.pem + dest: "/etc/letsencrypt/archive/{{ domain }}/cert1.pem" + chain_dest: "/etc/letsencrypt/archive/{{ domain }}/chain1.pem" + fullchain_dest: "/etc/letsencrypt/archive/{{ domain }}/fullchain1.pem" register: letsencrypt_challenge - name: Create dns-01 record community.general.gandi_livedns: api_key: "{{ gandi_livedns_api_key }}" - domain: tunuifranken.info - record: "{{ letsencrypt_challenge.challenge_data['tunuifranken.info']['dns-01'].resource }}" + domain: "{{ domain }}" + record: "{{ letsencrypt_challenge.challenge_data[domain]['dns-01'].resource }}" values: - - "{{ letsencrypt_challenge.challenge_data['tunuifranken.info']['dns-01'].resource_value }}" + - "{{ letsencrypt_challenge.challenge_data[domain]['dns-01'].resource_value }}" type: TXT state: present ttl: 300 - when: letsencrypt_challenge is changed and 'tunuifranken.info' in letsencrypt_challenge.challenge_data + when: letsencrypt_challenge is changed and domain in letsencrypt_challenge.challenge_data - name: Wait for DNS to propagate ansible.builtin.pause: seconds: 300 - when: letsencrypt_challenge is changed and 'tunuifranken.info' in letsencrypt_challenge.challenge_data + when: letsencrypt_challenge is changed and domain in letsencrypt_challenge.challenge_data - name: Validate the challenge and get the cert community.crypto.acme_certificate: acme_version: 2 
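Review bot: `Wait for DNS to propagate` sleeps a fixed 300 seconds and then validates regardless of whether the TXT record is visible yet, so a run either wastes five minutes or fails when propagation is slower than that. Poll the record instead with the `community.general.dig` lookup this file already uses, retrying until the expected value appears; the resolver at 1.1.1.1 may cache a negative answer for the zone's negative TTL, so keep a generous retry budget. The record name and value below are built from the `challenge_data` entries the surrounding tasks already read.

```yaml
- name: Wait for the dns-01 TXT record to become visible
  ansible.builtin.assert:
    that:
      - >-
        letsencrypt_challenge.challenge_data[domain]['dns-01'].resource_value in
        (lookup('community.general.dig',
        letsencrypt_challenge.challenge_data[domain]['dns-01'].resource ~ '.' ~ domain,
        'qtype=TXT', '@1.1.1.1', wantlist=true) | join(' '))
    quiet: true
  register: txt_check
  until: txt_check is succeeded
  retries: 30
  delay: 10
  when: letsencrypt_challenge is changed and domain in letsencrypt_challenge.challenge_data
```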
@@ -138,25 +138,25 @@ account_key_content: "{{ account_privkey.privatekey }}" csr_content: "{{ csr.csr }}" challenge: dns-01 - dest: /etc/letsencrypt/archive/tunuifranken.info/cert1.pem - chain_dest: /etc/letsencrypt/archive/tunuifranken.info/chain1.pem - fullchain_dest: /etc/letsencrypt/archive/tunuifranken.info/fullchain1.pem + dest: "/etc/letsencrypt/archive/{{ domain }}/cert1.pem" + chain_dest: "/etc/letsencrypt/archive/{{ domain }}/chain1.pem" + fullchain_dest: "/etc/letsencrypt/archive/{{ domain }}/fullchain1.pem" data: "{{ letsencrypt_challenge }}" - when: letsencrypt_challenge is changed and 'tunuifranken.info' in letsencrypt_challenge.challenge_data + when: letsencrypt_challenge is changed and domain in letsencrypt_challenge.challenge_data - name: Remove dns-01 record community.general.gandi_livedns: api_key: "{{ gandi_livedns_api_key }}" - domain: tunuifranken.info - record: "{{ letsencrypt_challenge.challenge_data['tunuifranken.info']['dns-01'].resource }}" + domain: "{{ domain }}" + record: "{{ letsencrypt_challenge.challenge_data[domain]['dns-01'].resource }}" type: TXT state: absent - when: letsencrypt_challenge is changed and 'tunuifranken.info' in letsencrypt_challenge.challenge_data + when: letsencrypt_challenge is changed and domain in letsencrypt_challenge.challenge_data - name: Create symlinks for the certificate become: true ansible.builtin.file: - path: "/etc/letsencrypt/live/tunuifranken.info/{{ item.dest }}" - src: "/etc/letsencrypt/archive/tunuifranken.info/{{ item.src }}" + path: "/etc/letsencrypt/live/{{ domain }}/{{ item.dest }}" + src: "/etc/letsencrypt/archive/{{ domain }}/{{ item.src }}" state: link with_items: - {src: cert1.pem, dest: cert.pem} diff --git a/roles/deploy_certificate/templates/renewal.conf.j2 b/roles/deploy_certificate/templates/renewal.conf.j2 new file mode 100644 index 0000000..29038b9 --- /dev/null +++ b/roles/deploy_certificate/templates/renewal.conf.j2 
@@ -0,0 +1,10 @@
+archive_dir = /etc/letsencrypt/archive/{{ domain }}
+cert = /etc/letsencrypt/live/{{ domain }}/cert.pem
+privkey = /etc/letsencrypt/live/{{ domain }}/privkey.pem
+chain = /etc/letsencrypt/live/{{ domain }}/chain.pem
+fullchain = /etc/letsencrypt/live/{{ domain }}/fullchain.pem
+
+[renewalparams]
+authenticator = webroot
+installer = null
+server = https://acme-v02.api.letsencrypt.org/directory
diff --git a/roles/tunuifranken/files/renewal/tunuifranken.info.conf b/roles/tunuifranken/files/renewal/tunuifranken.info.conf
deleted file mode 100644
index d64e5aa..0000000
--- a/roles/tunuifranken/files/renewal/tunuifranken.info.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-archive_dir = /etc/letsencrypt/archive/tunuifranken.info
-cert = /etc/letsencrypt/live/tunuifranken.info/cert.pem
-privkey = /etc/letsencrypt/live/tunuifranken.info/privkey.pem
-chain = /etc/letsencrypt/live/tunuifranken.info/chain.pem
-fullchain = /etc/letsencrypt/live/tunuifranken.info/fullchain.pem
-
-[renewalparams]
-authenticator = webroot
-installer = null
-server = https://acme-v02.api.letsencrypt.org/directory
diff --git a/roles/tunuifranken/tasks/main.yml b/roles/tunuifranken/tasks/main.yml
index bcab796..3fbdd7d 100644
--- a/roles/tunuifranken/tasks/main.yml
+++ b/roles/tunuifranken/tasks/main.yml
@@ -2,6 +2,12 @@ - name: Include vault variables ansible.builtin.include_vars: vault.yml +- name: Deploy letsencrypt certificate + ansible.builtin.include_role: + name: deploy_certificate + vars: + domain: tunuifranken.info + - name: Create tunuifranken directory become: true ansible.builtin.file:
@@ -11,9 +17,6 @@ state: directory mode: 0775 -- name: Deploy letsencrypt certificate - ansible.builtin.include_tasks: letsencrypt.yml - - name: Copy vHost conf become: true ansible.builtin.template:
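Review bot: `renewal.conf.j2` pins `authenticator = webroot` for every domain, but the task file this commit generalizes also has a dns-01 branch (`Do dns-01 challenge`), presumably taken when the host's public IP does not match the domain; for such a host a renewal driven by this file would attempt HTTP validation that the original issuance could not use. Render the authenticator from a variable the task file sets alongside the chosen challenge, e.g. `authenticator = {{ acme_authenticator | default('webroot') }}`, and add a comment at the top of the template naming the tool expected to consume it, since these keys are certbot's renewal format while the certificate itself is obtained with `community.crypto.acme_certificate` and an account key certbot does not know about. Whether the `live/{{ domain }}/privkey.pem` link referenced here is created cannot be checked, as the symlink list in the `@@ -138` hunk is cut off.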
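Review bot: The new `include_role` call hands the role its input as a plain `domain` variable; if a future caller omits the `vars:` block, Ansible falls back to any `domain` defined in inventory or play vars, so an unrelated host variable of that name would silently become the certificate's subject. Prefix the role's inputs with the role name, `deploy_certificate_domain: tunuifranken.info` here and `{{ deploy_certificate_domain }}` inside the role, which is also what ansible-lint's `var-naming` rule expects for role parameters. The removed `include_tasks: letsencrypt.yml` in the second hunk is the history this replaces and needs nothing further.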