From 2437728f94f4aae12b9fbf7a6f62e5df85b59213 Mon Sep 17 00:00:00 2001
From: Salt
Date: Wed, 5 Feb 2020 21:06:44 -0600
Subject: [PATCH] Maybe set up PKI fully? Probably not
---
 roles/nextcloud/tasks/main.yml | 32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)
diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml
index 0c45feb..fa29675 100644
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
@@ -45,34 +45,46 @@
 loop:
 - { dir: "/etc/pki", mode: "0600" }
 - { dir: "/etc/pki/cert", mode: "0600" }
+ - { dir: "/etc/pki/cert/crt", mode: "0600" }
 - { dir: "/etc/pki/cert/csr", mode: "0600" }
- - { dir: "/etc/pki/cert/fullchain", mode: "0600" }
 - { dir: "/etc/pki/cert/private", mode: "0600" }
 - { dir: "/etc/pki/cert/challenge/{{ website_url }}", mode: "0600" }
 - name: Create ACME account key
 openssl_privatekey:
 path: "/etc/pki/cert/private/account.key"
 size: 4096
- - name: Register ACME account
- acme_account:
- account_key: "/etc/pki/cert/private/account.key"
- acme_directory: "{{ acme_directory }}"
- acme_version: "{{ acme_version }}"
- terms_agreed: yes
+ - name: Create certificate key
+ openssl_privatekey:
+ path: "/etc/pki/cert/private/{{ website_url }}.key"
+ size: 4096
 - name: Create CSR
 openssl_csr:
 path: "/etc/pki/cert/csr/{{ website_url }}.csr"
 common_name: "{{ website_url }}"
 privatekey_path: /etc/pki/cert/private/account.key
 email_address: "rehashedsalt@cock.li"
- - name: Register LE cert
+ - name: Create challenge for CSR
 acme_certificate:
 acme_directory: "https://acme-staging-v02.api.letsencrypt.org/directory"
 acme_version: 2
 terms_agreed: yes
 account_email: "rehashedsalt@cock.li"
+ account_key: "/etc/pki/cert/private/account.key"
+ csr: "/etc/pki/cert/csr/{{ website_url }}.csr"
+ dest: "/etc/pki/cert/crt/{{ website_url }}.crt"
+ fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
+ register: com_challenge
+ - name: Fulfill challenge
+ copy:
+ dest: "/var/www/html/{{ com_challenge['challenge_data'][website_url]['http-01']['resource'] }}"
+ content: "{{ com_challenge['challenge_data'][website_url]['http-01']['resource_value'] }}"
+ when: com_challenge is changed
+ - name: Create certificate
+ acme_certificate:
 account_key: /etc/pki/cert/private/account.key
 csr: "/etc/pki/cert/csr/{{ website_url }}.csr"
- dest: "/etc/pki/cert/{{ website_url }}.crt"
- fullchain_dest: "/etc/pki/cert/fullchain/{{ website_url }}.crt"
+ dest: "/etc/pki/cert/crt/{{ website_url }}.crt"
+ fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
+ chain_dest: "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt"
+ data: "{{ com_challenge }}"
 become: true
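Review bot: The CSR is still signed with the ACME account key — `privatekey_path: /etc/pki/cert/private/account.key` in the `Create CSR` task — while the new `Create certificate key` task generates `/etc/pki/cert/private/{{ website_url }}.key` that nothing in the hunk references. Let's Encrypt rejects a CSR whose public key matches the account key, and even with a CA that allowed it the TLS private key the webserver loads would double as the credential authorising every future ACME request for the account; point the CSR at the new key instead: `privatekey_path: "/etc/pki/cert/private/{{ website_url }}.key"`. Separately, the final `Create certificate` task sets no `acme_directory`, `acme_version`, `terms_agreed` or `account_email`, so it falls back to the module defaults (historically the ACME v1 staging endpoint) rather than the v2 staging directory the challenge in `com_challenge` was obtained from — repeat those keys there, or restore the `acme_directory`/`acme_version` variables this commit removed and use them in both tasks. Note also that the hard-coded `acme-staging-v02` directory never yields a browser-trusted certificate, so keeping it behind a variable is what lets this be switched to production without another edit; the `http-01` file written under `/var/www/html` is also never cleaned up after issuance.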