From ed62f2c98059a605ead1a9b4838c75fbd55ead19 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Tue, 3 Jul 2018 16:59:00 +0300
Subject: Change: let user group Let's Encrypt certs
---
 roles/apache_server/tasks/main.yml | 68 ++++++++++++----------
 .../templates/deploy_static_site_certs | 41 ++++++++-----
 .../apache_server/templates/virtualhost.conf.tmpl | 4 +-
 3 files changed, 65 insertions(+), 48 deletions(-)
diff --git a/roles/apache_server/tasks/main.yml b/roles/apache_server/tasks/main.yml
index 5f9c39f..bd5db50 100644
--- a/roles/apache_server/tasks/main.yml
+++ b/roles/apache_server/tasks/main.yml
@@ -1,29 +1,30 @@
-- name: install apache and related packages - apt: - name: "{{ item }}" - with_items: - - rsync - - apache2 - - name: install certbot apt: name: certbot default_release: stretch-backports when: letsencrypt -- name: "empty list of domains for Let's Encrypt" +- name: "empty default list of domains for Let's Encrypt" + file: + path: "/etc/letsencrypt/static_sites.list" + state: absent + when: letsencrypt + +- name: "empty lists of domains for Let's Encrypt" file: - path: /etc/letsencrypt/static_sites.list + path: "/etc/letsencrypt/{{ item.letsencrypt_cert }}.list" state: absent + with_items: "{{ static_sites }}" + when: letsencrypt and item.letsencrypt_cert is defined -- name: "create list of domains for static sites to get Let's Encrypt certs for" +- name: "create lists of domains for static sites to get Let's Encrypt certs for" shell: | - list="/etc/letsencrypt/static_sites.list" - wellknown="/srv/letsencrypt" + list="/etc/letsencrypt/{{ item.letsencrypt_cert|default('static_sites') }}.list" + wellknown="/srv/letsencrypt/{{ item.domain }}" if [ "{{ item.letsencrypt|default(false) }}" = True ] then echo "{{ item.domain }} {{ item.alias|default('') }}" >> "$list" - mkdir -p "$wellknown/{{ item.domain }}" + mkdir -p "$wellknown" fi with_items: "{{ static_sites }}" when: letsencrypt
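Review bot: `item.letsencrypt_cert` is spliced unescaped into the `path:` of the new `file` task, into the `list=` assignment of the shell task, and the deploy script later derives certbot's `--cert-name` from that file name, so a value containing `/` or `..` would point the `state: absent` removal and the list file outside `/etc/letsencrypt`. Since the purpose of the commit is to let the inventory choose the cert group name, it is worth constraining it before use, e.g. an `assert` task looped over `static_sites` with `that: item.letsencrypt_cert is not defined or item.letsencrypt_cert is match('^[A-Za-z0-9_.-]+$')`. Separately, the removal task only empties lists for names still present in the inventory; a `.list` left behind by a renamed `letsencrypt_cert` would presumably keep being fed to certbot by the script's `*.list` loop, so clearing every `/etc/letsencrypt/*.list` in one step may be simpler and safer.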
@@ -31,16 +32,32 @@
 - name: install script to run certbot template: src: deploy_static_site_certs - dest: /usr/local/sbin/deploy_static_site_certs + dest: /usr/local/sbin/deploy_static_site_certs owner: root group: root - mode: 755 + mode: 0755 when: letsencrypt - name: "get initial certificate from Let's Encrypt" shell: /usr/local/sbin/deploy_static_site_certs when: letsencrypt +- name: install apache and related packages + apt: + name: "{{ item }}" + with_items: + - rsync + - apache2 + +# This may fail if the TLS cert isnt' installed by a previous playbook +# run, since it restarts Apache. +- name: enable apache modules for ssl + apache2_module: + state: present + name: "{{ item }}" + with_items: + - ssl + - name: create dirs for static site contents file: state: directory
@@ -49,7 +66,6 @@
 group: "{{ item.owner }}" mode: 0755 with_items: "{{ static_sites }}" - when: letsencrypt - name: create log dirs for websites file:
@@ -69,6 +85,12 @@
 mode: 0644 with_items: "{{ static_sites }}" +- name: enable apache sites + shell: a2ensite "{{ item.domain }}" + with_items: "{{ static_sites }}" + notify: + - restart apache + - name: "install htpasswd files" copy: content: "{{ item.htpasswd }}"
@@ -78,17 +100,3 @@
 mode: 0644 with_items: "{{ static_sites }}" when: item.htpasswd is defined - -- name: enable apache modules for ssl - apache2_module: - state: present - name: "{{ item }}" - with_items: - - ssl - - rewrite - -- name: enable apache sites - shell: a2ensite "{{ item.domain }}" - with_items: "{{ static_sites }}" - notify: - - restart apache
diff --git a/roles/apache_server/templates/deploy_static_site_certs b/roles/apache_server/templates/deploy_static_site_certs
index b0227e8..440fe23 100644
--- a/roles/apache_server/templates/deploy_static_site_certs
+++ b/roles/apache_server/templates/deploy_static_site_certs
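Review bot: The re-added `enable apache modules for ssl` task lists only `ssl`, whereas the task it replaces (removed in the last hunk of this file) also enabled `rewrite`; if `virtualhost.conf.tmpl` still uses mod_rewrite directives, Apache will refuse to start on a freshly provisioned host. Unless dropping the module is intentional, restore `- rewrite` under `with_items`. The corrected `mode: 0755` for the script relies on YAML 1.1 octal parsing; Ansible reads it as intended, but the portable form is the quoted string `mode: "0755"`, and the new comment has a typo (`isnt'`).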
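Review bot: `shell: a2ensite "{{ item.domain }}"` in the moved `enable apache sites` task reports changed on every run and therefore notifies `restart apache` on every play, a needless service restart; registering the result and setting `changed_when` on its output (a2ensite presumably prints a distinct "already enabled" message) would make it idempotent. No shell features are used, so `command: a2ensite {{ item.domain }}` also avoids passing an inventory-supplied string through `/bin/sh`. The task is moved rather than rewritten here, but it is new on this side of the hunk.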
@@ -3,28 +3,37 @@
 set -eu -domains() -{ - cd /etc/letsencrypt/static_sites - ls -} - opts() { - domains | while read domain alias + cat "$1" | while read domain alias do - echo -w "/srv/letsencrypt/$domain" -d "$domain" + printf "%s" "-w /srv/letsencrypt/$domain -d $domain" if [ -n "$alias" ] then - echo -d "$alias" + printf "%s" " -d $alias" fi + printf "\n" done } -certbot certonly \ - --noninteractive \ - --email "{{ letsencrypt_email }}" \ - --agree-tos \ - --expand \ - --cert-name static_sites \ - --webroot $(opts) + +run_certbot() +{ + local list="$1" + local certname="$2" + certbot certonly \ + --standalone \ + --noninteractive \ + --email "{{ letsencrypt_email }}" \ + --agree-tos \ + --expand \ + --cert-name "$certname" \ + $(opts "$list") +} + + +for list in /etc/letsencrypt/*.list +do + certname="$(basename "$list" .list)" + run_certbot "$list" "$certname" +done
diff --git a/roles/apache_server/templates/virtualhost.conf.tmpl b/roles/apache_server/templates/virtualhost.conf.tmpl
index c3d3b97..8d069ce 100644
--- a/roles/apache_server/templates/virtualhost.conf.tmpl
+++ b/roles/apache_server/templates/virtualhost.conf.tmpl
@@ -57,7 +57,7 @@
 SSLEngine on - SSLCertificateFile "/etc/letsencrypt/live/static_sites/fullchain.pem" - SSLCertificateKeyFile "/etc/letsencrypt/live/static_sites/privkey.pem" + SSLCertificateFile "/etc/letsencrypt/live/{{ item.letsencrypt_cert|default('static_sites') }}/fullchain.pem" + SSLCertificateKeyFile "/etc/letsencrypt/live/{{ item.letsencrypt_cert|default('static_sites') }}/privkey.pem" {% endif %}
--
cgit v1.2.1
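Review bot: `for list in /etc/letsencrypt/*.list` iterates over the literal pattern when no list file exists (the `set -eu` at the top of the hunk does not change unmatched-glob behaviour), so `run_certbot` would be called with `--cert-name '*'` and no `-d` options; guard the loop body with `[ -f "$list" ] || continue`. `run_certbot` now passes `--standalone` while `opts` still emits `-w /srv/letsencrypt/$domain` webroot paths; with the standalone authenticator those paths are presumably ignored, and standalone needs port 80 free, so the initial run works only because Apache is installed later in the play, and later renewals under a running Apache would likely fail unless `--pre-hook`/`--post-hook` stop and start it or `--webroot` is kept. Minor: `read domain alias` should be `read -r domain alias` so backslashes in the list are not interpreted, and `cat "$1" |` can become a `< "$1"` redirection on the `done` line.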
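Review bot: The new `SSLCertificateFile`/`SSLCertificateKeyFile` paths key on `item.letsencrypt_cert` alone, but the list files in `tasks/main.yml` are only populated for items with `letsencrypt` true; a site that sets `letsencrypt_cert` without `letsencrypt` would reference a `live/<name>` directory certbot never creates, and Apache refuses to start when a configured certificate file is missing. The enclosing `{% if %}` begins outside the hunk, so this may already be guarded; if not, a comment such as `# cert directory is created by deploy_static_site_certs from /etc/letsencrypt/<name>.list` above these two lines would at least document the coupling.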