Have the https role do all the config changing

Hopefully this should cut down on erroneous changes
2020-02-20 04:19:03 -06:00 · 2020-02-20 04:19:03 -06:00 · e44a6126c8
commit e44a6126c8
parent d41b4ebbdf
2 changed files with 63 additions and 29 deletions
--- a/roles/https/tasks/main.yml
+++ b/roles/https/tasks/main.yml
@ -43,35 +43,55 @@
        dest: "/etc/pki/cert/crt/{{ website_url }}.crt"
        fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
      register: com_challenge
-    - name: Fulfill challenge
+    - name: Create or renew certificate
      block:
-      - name: Reload Apache
-        service:
-          name: apache2
-          state: reloaded
-      - name: Create well-known directory
-        file:
-          path: "{{ website_webroot }}/.well-known/acme-challenge"
-          mode: "0755"
-          recurse: yes
-          state: directory
-      - name: Copy challenge files
-        copy:
-          dest: "{{ website_webroot }}/{{ com_challenge['challenge_data'][website_url]['http-01']['resource'] }}"
-          content: "{{ com_challenge['challenge_data'][website_url]['http-01']['resource_value'] }}"
-      - name: Create certificate
-        acme_certificate:
-          acme_directory: "{{ acme_directory }}"
-          acme_version: 2
-          account_key: /etc/pki/cert/private/account.key
-          csr: "/etc/pki/cert/csr/{{ website_url }}.csr"
-          dest: "/etc/pki/cert/crt/{{ website_url }}.crt"
-          fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
-          chain_dest: "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt"
-          data: "{{ com_challenge }}"
-      - name: Clean up
-        file:
-          path: "{{ website_webroot }}/.well-known"
-          state: absent
+        - name: Back up website config
+          command: "/usr/bin/mv /etc/apache2/sites-enabled/{{ website_url }}.conf /etc/apache2/sites-disabled/{{ website_url }}.conf"
+          args:
+            creates: "/etc/apache2/sites-disabled/{{ website_url }}.conf"
+        - name: Create temporary config
+          template:
+            src: apache2-vhost.conf
+            dest: "/etc/apache2/sites-enabled/{{ website_url }}.conf"
+        - name: Reload Apache
+          service:
+            name: apache2
+            state: reloaded
+        - name: Create well-known directory
+          file:
+            path: "{{ acme_webroot }}/.well-known/acme-challenge"
+            mode: "0755"
+            recurse: yes
+            state: directory
+        - name: Copy challenge files
+          copy:
+            dest: "{{ acme_webroot }}/{{ com_challenge['challenge_data'][website_url]['http-01']['resource'] }}"
+            content: "{{ com_challenge['challenge_data'][website_url]['http-01']['resource_value'] }}"
+        - name: Create certificate
+          acme_certificate:
+            acme_directory: "{{ acme_directory }}"
+            acme_version: 2
+            account_key: /etc/pki/cert/private/account.key
+            csr: "/etc/pki/cert/csr/{{ website_url }}.csr"
+            dest: "/etc/pki/cert/crt/{{ website_url }}.crt"
+            fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
+            chain_dest: "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt"
+            data: "{{ com_challenge }}"
+        - name: Remove webroot
+          file:
+            path: "{{ acme_webroot }}/.well-known"
+            state: absent
+        - name: Remove temporary config
+          file:
+            path: "/etc/apache2/sites-enabled/{{ website_url }}.conf"
+            state: absent
+        - name: Restore original config
+          command: "/usr/bin/mv /etc/apache2/sites-disabled/{{ website_url }}.conf /etc/apache2/sites-enabled/{{ website_url }}.conf"
+          args:
+            creates: "/etc/apache2/sites-enabled/{{ website_url }}.conf"
+        - name: Reload Apache
+          service:
+            name: apache2
+            state: reloaded
      when: com_challenge is changed
  become: yes
--- a/roles/https/templates/apache2-vhost.conf
+++ b/roles/https/templates/apache2-vhost.conf
@ -0,0 +1,14 @@
+# TEMPORARY configuration for {{ website_url }}
+# If this file doesn't disappear quickly, there's a HUGE PROBLEM
+# vim:ft=apache:
+
+# Website configuration
+<VirtualHost *:80>
+	ServerName {{ website_url }}
+	DocumentRoot {{ acme_webroot }}
+	<Directory "{{ acme_webroot }}">
+		Require all granted
+		AllowOverride All
+		Options MultiViews FollowSymlinks
+	</Directory>
+</VirtualHost>