From dac63af2ecd1ffac8e55655a085657e624d98f77 Mon Sep 17 00:00:00 2001
From: Tunui Franken
Date: Tue, 9 Apr 2024 21:17:25 +0200
Subject: [PATCH] Add role "add_cert" to be used instead of add_cert_{dns_01,http_01}

---
 inventory/group_vars/mailservers | 6 ++--
 playbook_mailserver.yml | 17 +-------
 roles/add_cert/README.md | 6 ++++
 roles/add_cert/tasks/main.yml | 30 ++++++++++++++++
 roles/add_cert_dns_01/tasks/main.yml | 8 ++---
 roles/add_cert_http_01/tasks/main.yml | 8 ++---
 roles/forgejo/tasks/main.yml | 30 +++-------------
 roles/mailserver_postfix/templates/main.cf.j2 | 4 +--
 roles/tunuifranken/tasks/main.yml | 36 +++++--------------
 9 files changed, 63 insertions(+), 82 deletions(-)
 create mode 100644 roles/add_cert/README.md
 create mode 100644 roles/add_cert/tasks/main.yml

diff --git a/inventory/group_vars/mailservers b/inventory/group_vars/mailservers
index 1ff365a..590c68c 100644
--- a/inventory/group_vars/mailservers
+++ b/inventory/group_vars/mailservers
@@ -1,6 +1,6 @@
 ---
 virtual_domain: tunuifranken.info
-letsencrypt_email: "dns@{{ virtual_domain }}"
-letsencrypt_domain: "{{ ansible_hostname }}.{{ virtual_domain }}"
-letsencrypt_post_hook: systemctl restart postfix dovecot
+add_cert_email: "dns@{{ virtual_domain }}"
+add_cert_domain: "{{ ansible_hostname }}.{{ virtual_domain }}"
+add_cert_post_hook: systemctl restart postfix dovecot
diff --git a/playbook_mailserver.yml b/playbook_mailserver.yml
index 29add71..2bbf057 100644
--- a/playbook_mailserver.yml
+++ b/playbook_mailserver.yml
@@ -5,25 +5,10 @@
 - name: Install mail server
 gather_facts: true
 hosts: mailserver,mailserver-test
- pre_tasks:
- - name: Get local public IP
- tags: cert
- ansible.builtin.uri:
- url: https://ipinfo.io/ip
- return_content: true
- register: local_public_ip
- - name: Get public IP of "{{ letsencrypt_domain }}"
- tags: cert
- ansible.builtin.set_fact:
- target_public_ip: "{{ lookup('community.general.dig', letsencrypt_domain, '@1.1.1.1') }}"
 roles:
 - role: common_handlers
 tags: always
- - role: add_cert_http_01
- when: local_public_ip == target_public_ip
- tags: cert
- - role: add_cert_dns_01
- when: local_public_ip != target_public_ip
+ - role: add_cert
 tags: cert
 - role: mailserver_database
 tags: database
diff --git a/roles/add_cert/README.md b/roles/add_cert/README.md
new file mode 100644
index 0000000..dd62cce
--- /dev/null
+++ b/roles/add_cert/README.md
@@ -0,0 +1,6 @@
+# Add certificate
+
+Deploys a Let's Encrypt certificate with `certbot`, using a DNS-01 or a HTTP-01 challenge.
+
+To choose between the two, this role checks the current public IP address of the host, and compares it to the IP address that the host publicly resolves to.
+It then calls sub-roles `add_cert_dns_01` or `add_cert_http_01` accordingly.
diff --git a/roles/add_cert/tasks/main.yml b/roles/add_cert/tasks/main.yml
new file mode 100644
index 0000000..02d6f67
--- /dev/null
+++ b/roles/add_cert/tasks/main.yml
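Review bot: `tags: cert` on `- role: add_cert` no longer reaches the certbot tasks themselves: add_cert (next hunk, roles/add_cert/tasks/main.yml) pulls in add_cert_http_01 / add_cert_dns_01 with `ansible.builtin.include_role`, and tags on a dynamic include apply to the include task only, so a run with `--tags cert` would execute the IP lookups and then skip every task of the chosen sub-role, whereas the removed static `- role: add_cert_http_01` / `- role: add_cert_dns_01` entries did inherit the tag. If that reading of the tag-inheritance rules is right, the smallest fix is in add_cert's two deploy tasks: `ansible.builtin.import_role:` instead of `ansible.builtin.include_role:`, which is static, inherits the tag, and still honours the task-level `when:` (the condition is applied to every imported task). The alternative is to keep the dynamic include and forward the tag with `apply: {tags: [cert]}`, at the cost of hard-coding the playbook's tag name inside the role.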
@@ -0,0 +1,30 @@
+---
+
+- name: Make sure needed vars are defined
+ ansible.builtin.fail:
+ msg: "{{ item }} is undefined"
+ loop:
+ - "{{ add_cert_domain }}"
+ - "{{ add_cert_email }}"
+ - "{{ add_cert_post_hook }}"
+ when: item is undefined
+
+- name: Get local public IP
+ ansible.builtin.uri:
+ url: https://ipinfo.io/ip
+ return_content: true
+ register: local_public_ip
+
+- name: Get public IP of "{{ add_cert_domain }}"
+ ansible.builtin.set_fact:
+ target_public_ip: "{{ lookup('community.general.dig', add_cert_domain, '@1.1.1.1') }}"
+
+- name: Deploy letsencrypt certificate (HTTP-01)
+ when: local_public_ip == target_public_ip
+ ansible.builtin.include_role:
+ name: add_cert_http_01
+
+- name: Deploy letsencrypt certificate (DNS-01)
+ when: local_public_ip != target_public_ip
+ ansible.builtin.include_role:
+ name: add_cert_dns_01
diff --git a/roles/add_cert_dns_01/tasks/main.yml b/roles/add_cert_dns_01/tasks/main.yml
index 3bffe15..d6ff0a1 100644
--- a/roles/add_cert_dns_01/tasks/main.yml
+++ b/roles/add_cert_dns_01/tasks/main.yml
@@ -37,12 +37,12 @@
 - --rsa-key-size
 - 4096
 - -d
- - "{{ letsencrypt_domain }}"
+ - "{{ add_cert_domain }}"
 - -m
- - "{{ letsencrypt_email }}"
+ - "{{ add_cert_email }}"
 - --agree-tos
 - --post-hook
- - "{{ letsencrypt_post_hook }}"
+ - "{{ add_cert_post_hook }}"
 
 - name: Set letsencrypt dns-01 challenge argv (staging)
 when: ansible_hostname.endswith('-test')
@@ -53,7 +53,7 @@
 become: true
 ansible.builtin.command:
 argv: "{{ letsencrypt_dns_01_challenge_argv }}"
- creates: "/etc/letsencrypt/live/{{ letsencrypt_domain }}"
+ creates: "/etc/letsencrypt/live/{{ add_cert_domain }}"
 
 - name: Create directory for certbot.service override
 become: true
diff --git a/roles/add_cert_http_01/tasks/main.yml b/roles/add_cert_http_01/tasks/main.yml
index dee5e8d..6629ecd 100644
--- a/roles/add_cert_http_01/tasks/main.yml
+++ b/roles/add_cert_http_01/tasks/main.yml
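Review bot: The "Make sure needed vars are defined" task at the top of roles/add_cert/tasks/main.yml cannot do its job as written: the loop items are the rendered values `"{{ add_cert_domain }}"` etc., so a missing variable aborts templating of the loop itself with a generic undefined-variable error before `when: item is undefined` is ever evaluated, and when all three are set `item` holds the value, never an undefined name, so the message would print the value rather than the variable. Replacing it with `ansible.builtin.assert` over `add_cert_domain is defined` (and the other two) gives the intended failure and message. Separately, `register: local_public_ip` stores the whole uri result (a mapping with `content`, `status`, …), so `local_public_ip == target_public_ip` in the two `when:` conditions compares a mapping with a string and never holds: the HTTP-01 branch is unreachable and DNS-01 is always chosen, which is carried over from the removed pre_tasks rather than introduced here. Comparing the response body, `local_public_ip.content | trim`, as in the rewrite below, makes the selection work. Note that the decision rests on an unauthenticated third-party lookup (ipinfo.io) and a plain DNS answer; a wrong answer only selects the other challenge, so the failure mode is a failed certbot run rather than a mis-issued certificate, which is acceptable but worth a comment.
```yaml
- name: Make sure needed vars are defined
  ansible.builtin.assert:
    that:
      - add_cert_domain is defined
      - add_cert_email is defined
      - add_cert_post_hook is defined
    fail_msg: add_cert_domain, add_cert_email and add_cert_post_hook must all be defined

# … unchanged: "Get local public IP" (uri, register: local_public_ip) and "Get public IP of …" (set_fact target_public_ip) …

- name: Deploy letsencrypt certificate (HTTP-01)
  when: local_public_ip.content | trim == target_public_ip
  ansible.builtin.include_role:
    name: add_cert_http_01

- name: Deploy letsencrypt certificate (DNS-01)
  when: local_public_ip.content | trim != target_public_ip
  ansible.builtin.include_role:
    name: add_cert_dns_01
```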
@@ -65,12 +65,12 @@
 - --webroot-path
 - /var/www/acme
 - -d
- - "{{ letsencrypt_domain }}"
+ - "{{ add_cert_domain }}"
 - -m
- - "{{ letsencrypt_email }}"
+ - "{{ add_cert_email }}"
 - --agree-tos
 - --post-hook
- - "{{ letsencrypt_post_hook }}"
+ - "{{ add_cert_post_hook }}"
 
 - name: Set letsencrypt http-01 challenge argv (staging)
 when: ansible_hostname.endswith('-test')
@@ -81,4 +81,4 @@
 become: true
 ansible.builtin.command:
 argv: "{{ letsencrypt_http_01_challenge_argv }}"
- creates: "/etc/letsencrypt/live/{{ letsencrypt_domain }}"
+ creates: "/etc/letsencrypt/live/{{ add_cert_domain }}"
diff --git a/roles/forgejo/tasks/main.yml b/roles/forgejo/tasks/main.yml
index 13cf772..4840c8e 100644
--- a/roles/forgejo/tasks/main.yml
+++ b/roles/forgejo/tasks/main.yml
@@ -1,32 +1,12 @@
 ---
 
-- name: Get local public IP
- ansible.builtin.uri:
- url: https://ipinfo.io/ip
- return_content: true
- register: local_public_ip
-
-- name: Get public IP of "{{ forgejo_domain }}"
- ansible.builtin.set_fact:
- target_public_ip: "{{ lookup('community.general.dig', forgejo_domain, '@1.1.1.1') }}"
-
-- name: Deploy letsencrypt certificate (HTTP-01)
- when: local_public_ip == target_public_ip
+- name: Deploy letsencrypt certificate
 ansible.builtin.include_role:
- name: add_cert_http_01
+ name: add_cert
 vars:
- letsencrypt_domain: "{{ forgejo_domain }}"
- letsencrypt_email: "{{ forgejo_server_admin }}"
- letsencrypt_post_hook: systemctl restart apache2
-
-- name: Deploy letsencrypt certificate (DNS-01)
- when: local_public_ip != target_public_ip
- ansible.builtin.include_role:
- name: add_cert_dns_01
- vars:
- letsencrypt_domain: "{{ forgejo_domain }}"
- letsencrypt_email: "{{ forgejo_server_admin }}"
- letsencrypt_post_hook: systemctl restart apache2
+ add_cert_domain: "{{ forgejo_domain }}"
+ add_cert_email: "{{ forgejo_server_admin }}"
+ add_cert_post_hook: systemctl restart apache2
 
 - name: Include apache2 tasks
 ansible.builtin.include_tasks: apache2.yml
diff --git a/roles/mailserver_postfix/templates/main.cf.j2 b/roles/mailserver_postfix/templates/main.cf.j2
index f24b5ea..483ec98 100644
--- a/roles/mailserver_postfix/templates/main.cf.j2
+++ b/roles/mailserver_postfix/templates/main.cf.j2
@@ -32,8 +32,8 @@ smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
 smtpd_sasl_auth_enable = yes
-smtpd_tls_cert_file = /etc/letsencrypt/live/{{ letsencrypt_domain }}/fullchain.pem
-smtpd_tls_key_file = /etc/letsencrypt/live/{{ letsencrypt_domain }}/privkey.pem
+smtpd_tls_cert_file = /etc/letsencrypt/live/{{ add_cert_domain }}/fullchain.pem
+smtpd_tls_key_file = /etc/letsencrypt/live/{{ add_cert_domain }}/privkey.pem
 smtpd_tls_security_level = may
 smtpd_tls_auth_only = yes
diff --git a/roles/tunuifranken/tasks/main.yml b/roles/tunuifranken/tasks/main.yml
index 74bf408..c5f4145 100644
--- a/roles/tunuifranken/tasks/main.yml
+++ b/roles/tunuifranken/tasks/main.yml
@@ -1,5 +1,13 @@
 ---
 
+- name: Deploy letsencrypt certificate
+ ansible.builtin.include_role:
+ name: add_cert
+ vars:
+ add_cert_domain: "{{ tunuifranken_domain }}"
+ add_cert_email: "{{ tunuifranken_server_admin }}"
+ add_cert_post_hook: systemctl restart apache2
+
 - name: Install needed packages
 become: true
 ansible.builtin.apt:
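Review bot: "Deploy letsencrypt certificate" now runs before "Install needed packages" in roles/tunuifranken/tasks/main.yml, whereas the removed block (next hunk) ran the same certificate steps after the apt task. On a fresh host the HTTP-01 path needs something serving /var/www/acme on port 80 at the moment certbot runs (see the `--webroot-path` argument in the add_cert_http_01 hunk); whether that is provided by a package in the list below or by later apache tasks cannot be seen here, as the package list is cut off by the hunk. If it is, the first run on a new host would fail and the task should stay after the apt task; if the ordering is deliberate, a comment above the task such as `# Certificate first: add_cert does not depend on the packages installed below` would make that explicit for the next reader.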
@@ -8,34 +16,6 @@
 - acl # for become_user: forgejo
 state: present
 
-- name: Get local public IP
- ansible.builtin.uri:
- url: https://ipinfo.io/ip
- return_content: true
- register: local_public_ip
-
-- name: Get public IP of "{{ tunuifranken_domain }}"
- ansible.builtin.set_fact:
- target_public_ip: "{{ lookup('community.general.dig', tunuifranken_domain, '@1.1.1.1') }}"
-
-- name: Deploy letsencrypt certificate (HTTP-01)
- when: local_public_ip == target_public_ip
- ansible.builtin.include_role:
- name: add_cert_http_01
- vars:
- letsencrypt_domain: "{{ tunuifranken_domain }}"
- letsencrypt_email: "{{ tunuifranken_server_admin }}"
- letsencrypt_post_hook: systemctl restart apache2
-
-- name: Deploy letsencrypt certificate (DNS-01)
- when: local_public_ip != target_public_ip
- ansible.builtin.include_role:
- name: add_cert_dns_01
- vars:
- letsencrypt_domain: "{{ tunuifranken_domain }}"
- letsencrypt_email: "{{ tunuifranken_server_admin }}"
- letsencrypt_post_hook: systemctl restart apache2
-
 - name: Create tunuifranken group
 become: true
 ansible.builtin.group: