From ed62f2c98059a605ead1a9b4838c75fbd55ead19 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Tue, 3 Jul 2018 16:59:00 +0300
Subject: Change: let user group Let's Encrypt certs
---
roles/apache_server/tasks/main.yml | 68 +++++++++++++++++++++-----------------
1 file changed, 38 insertions(+), 30 deletions(-)
(limited to 'roles/apache_server/tasks/main.yml')
diff --git a/roles/apache_server/tasks/main.yml b/roles/apache_server/tasks/main.yml
index 5f9c39f..bd5db50 100644
--- a/roles/apache_server/tasks/main.yml
+++ b/roles/apache_server/tasks/main.yml
@@ -1,29 +1,30 @@ -- name: install apache and related packages - apt: - name: "{{ item }}" - with_items: - - rsync - - apache2 - - name: install certbot apt: name: certbot default_release: stretch-backports when: letsencrypt -- name: "empty list of domains for Let's Encrypt" +- name: "empty default list of domains for Let's Encrypt" + file: + path: "/etc/letsencrypt/static_sites.list" + state: absent + when: letsencrypt + +- name: "empty lists of domains for Let's Encrypt" file: - path: /etc/letsencrypt/static_sites.list + path: "/etc/letsencrypt/{{ item.letsencrypt_cert }}.list" state: absent + with_items: "{{ static_sites }}" + when: letsencrypt and item.letsencrypt_cert is defined -- name: "create list of domains for static sites to get Let's Encrypt certs for" +- name: "create lists of domains for static sites to get Let's Encrypt certs for" shell: | - list="/etc/letsencrypt/static_sites.list" - wellknown="/srv/letsencrypt" + list="/etc/letsencrypt/{{ item.letsencrypt_cert|default('static_sites') }}.list" + wellknown="/srv/letsencrypt/{{ item.domain }}" if [ "{{ item.letsencrypt|default(false) }}" = True ] then echo "{{ item.domain }} {{ item.alias|default('') }}" >> "$list" - mkdir -p "$wellknown/{{ item.domain }}" + mkdir -p "$wellknown" fi with_items: "{{ static_sites }}" when: letsencrypt
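Review bot: The new `list=` and `wellknown=` lines in the `create lists of domains` task, and the `echo` that follows them, interpolate `item.letsencrypt_cert`, `item.domain` and `item.alias` straight into a shell script with no shell quoting, so an inventory value containing a space, a quote, `$` or a path separator changes the command rather than the data. Let Ansible's `quote` filter supply the quoting: `list={{ ('/etc/letsencrypt/' ~ item.letsencrypt_cert | default('static_sites') ~ '.list') | quote }}`, `wellknown={{ ('/srv/letsencrypt/' ~ item.domain) | quote }}` and `echo {{ (item.domain ~ ' ' ~ item.alias | default('')) | quote }} >> "$list"`. The task also has no `changed_when`, so it reports changed on every run even when the list files come out identical. Note too that `empty lists of domains` only deletes `.list` files for items that currently define `letsencrypt_cert`, so renaming a cert in the inventory leaves the old list file behind; whether the deploy script picks that up I can't tell from here.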
@@ -31,16 +32,32 @@ - name: install script to run certbot template: src: deploy_static_site_certs - dest: /usr/local/sbin/deploy_static_site_certs + dest: /usr/local/sbin/deploy_static_site_certs owner: root group: root - mode: 755 + mode: 0755 when: letsencrypt - name: "get initial certificate from Let's Encrypt" shell: /usr/local/sbin/deploy_static_site_certs when: letsencrypt +- name: install apache and related packages + apt: + name: "{{ item }}" + with_items: + - rsync + - apache2 + +# This may fail if the TLS cert isnt' installed by a previous playbook +# run, since it restarts Apache. +- name: enable apache modules for ssl + apache2_module: + state: present + name: "{{ item }}" + with_items: + - ssl + - name: create dirs for static site contents file: state: directory
@@ -49,7 +66,6 @@ group: "{{ item.owner }}" mode: 0755 with_items: "{{ static_sites }}" - when: letsencrypt - name: create log dirs for websites file:
@@ -69,6 +85,12 @@ mode: 0644 with_items: "{{ static_sites }}" +- name: enable apache sites + shell: a2ensite "{{ item.domain }}" + with_items: "{{ static_sites }}" + notify: + - restart apache + - name: "install htpasswd files" copy: content: "{{ item.htpasswd }}"
@@ -78,17 +100,3 @@ mode: 0644 with_items: "{{ static_sites }}" when: item.htpasswd is defined - -- name: enable apache modules for ssl - apache2_module: - state: present - name: "{{ item }}" - with_items: - - ssl - - rewrite - -- name: enable apache sites - shell: a2ensite "{{ item.domain }}" - with_items: "{{ static_sites }}" - notify: - - restart apache
-- cgit v1.2.1
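Review bot: The relocated `enable apache modules for ssl` task enables only `ssl`, while the block it replaces at the end of the file (deleted in the last hunk) also enabled `rewrite`; if dropping `rewrite` is intended it deserves a line in the commit message, otherwise add `- rewrite` back under `with_items`. The `mode: 0755` correction is right but still relies on YAML 1.1 octal parsing; `mode: "0755"` is the form Ansible documents, and the same applies to the `mode: 0644`/`mode: 0755` context lines in the later hunks. The new comment attributes a possible failure to the task restarting Apache, which as far as I know `apache2_module` does not do by itself — it runs `a2enmod` and checks the result — so I'd reword it to describe the failure you actually observed rather than a restart, and fix `isnt'` to `isn't` while there.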
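Review bot: `enable apache sites` (third hunk) runs `a2ensite` through `shell` on every play and unconditionally notifies `restart apache`, so Apache is restarted on each run even when nothing changed, and `item.domain` is again interpolated without shell quoting. Use `command` with the `quote` filter and make the task idempotent with `creates`: `command: a2ensite {{ item.domain | quote }}` followed by `args:` and `creates: "/etc/apache2/sites-enabled/{{ item.domain }}.conf"` — assuming the site file installed earlier in this role is named after `item.domain`, which I can't see from here, so adjust the path to match. With `creates` in place the handler fires only when a site is actually enabled.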