From e44a6126c8c9f59aecb2bc832d5b0b8b43c327a1 Mon Sep 17 00:00:00 2001 From: Salt Date: Thu, 20 Feb 2020 04:19:03 -0600 Subject: [PATCH] Have the https role do all the config changing Hopefully this should cut down on erroneous changes --- roles/https/tasks/main.yml | 78 +++++++++++++++--------- roles/https/templates/apache2-vhost.conf | 14 +++++ 2 files changed, 63 insertions(+), 29 deletions(-) create mode 100644 roles/https/templates/apache2-vhost.conf diff --git a/roles/https/tasks/main.yml b/roles/https/tasks/main.yml index b2041c1..a82b7da 100644 --- a/roles/https/tasks/main.yml +++ b/roles/https/tasks/main.yml 
@@ -43,35 +43,55 @@ dest: "/etc/pki/cert/crt/{{ website_url }}.crt" fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt" register: com_challenge - - name: Fulfill challenge + - name: Create or renew certificate block: - - name: Reload Apache - service: - name: apache2 - state: reloaded - - name: Create well-known directory - file: - path: "{{ website_webroot }}/.well-known/acme-challenge" - mode: "0755" - recurse: yes - state: directory - - name: Copy challenge files - copy: - dest: "{{ website_webroot }}/{{ com_challenge['challenge_data'][website_url]['http-01']['resource'] }}" - content: "{{ com_challenge['challenge_data'][website_url]['http-01']['resource_value'] }}" - - name: Create certificate - acme_certificate: - acme_directory: "{{ acme_directory }}" - acme_version: 2 - account_key: /etc/pki/cert/private/account.key - csr: "/etc/pki/cert/csr/{{ website_url }}.csr" - dest: "/etc/pki/cert/crt/{{ website_url }}.crt" - fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt" - chain_dest: "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt" - data: "{{ com_challenge }}" - - name: Clean up - file: - path: "{{ website_webroot }}/.well-known" - state: absent + - name: Back up website config + command: "/usr/bin/mv /etc/apache2/sites-enabled/{{ website_url }}.conf /etc/apache2/sites-disabled/{{ website_url }}.conf" + args: + creates: "/etc/apache2/sites-disabled/{{ website_url }}.conf" + - name: Create temporary config + template: + src: apache2-vhost.conf + dest: "/etc/apache2/sites-enabled/{{ website_url }}.conf" + - name: Reload Apache + service: + name: apache2 + state: reloaded + - name: Create well-known directory + file: + path: "{{ acme_webroot }}/.well-known/acme-challenge" + mode: "0755" + recurse: yes + state: directory + - name: Copy challenge files + copy: + dest: "{{ acme_webroot }}/{{ com_challenge['challenge_data'][website_url]['http-01']['resource'] }}" + content: "{{ 
com_challenge['challenge_data'][website_url]['http-01']['resource_value'] }}" + - name: Create certificate + acme_certificate: + acme_directory: "{{ acme_directory }}" + acme_version: 2 + account_key: /etc/pki/cert/private/account.key + csr: "/etc/pki/cert/csr/{{ website_url }}.csr" + dest: "/etc/pki/cert/crt/{{ website_url }}.crt" + fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt" + chain_dest: "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt" + data: "{{ com_challenge }}" + - name: Remove webroot + file: + path: "{{ acme_webroot }}/.well-known" + state: absent + - name: Remove temporary config + file: + path: "/etc/apache2/sites-enabled/{{ website_url }}.conf" + state: absent + - name: Restore original config + command: "/usr/bin/mv /etc/apache2/sites-disabled/{{ website_url }}.conf /etc/apache2/sites-enabled/{{ website_url }}.conf" + args: + creates: "/etc/apache2/sites-enabled/{{ website_url }}.conf" + - name: Reload Apache + service: + name: apache2 + state: reloaded when: com_challenge is changed become: yes diff --git a/roles/https/templates/apache2-vhost.conf b/roles/https/templates/apache2-vhost.conf new file mode 100644 index 0000000..2851394 --- /dev/null +++ b/roles/https/templates/apache2-vhost.conf @@ -0,0 +1,14 @@ +# TEMPORARY configuration for {{ website_url }} +# If this file doesn't disappear quickly, there's a HUGE PROBLEM +# vim:ft=apache: + +# Website configuration + + ServerName {{ website_url }} + DocumentRoot {{ acme_webroot }} + + Require all granted + AllowOverride All + Options MultiViews FollowSymlinks + +
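Review bot: The cleanup tasks at the end of the `block:` (Remove webroot, Remove temporary config, Restore original config, Reload Apache) only run if every earlier task succeeds, so a failure in `acme_certificate` or the copy step leaves the original vhost parked in `sites-disabled` and the temporary `apache2-vhost.conf` serving `acme_webroot` over plain HTTP indefinitely, which is exactly what the template's own comment warns about. Moving those four tasks under an `always:` section of the same block makes the restore run on failure too, and also avoids the follow-on problem where a stale backup left by an aborted run satisfies `creates:` on the next run and the live config is overwritten by the template. The `mv` in "Back up website config" also presumes `/etc/apache2/sites-disabled/` already exists; if the role does not create it elsewhere (not visible in this hunk), a `file: state: directory` task before the block, or a `creates`-less check, would stop the first run from failing with the live config untouched. The enclosing play and the preceding `acme_certificate` challenge task start outside the hunk.
```yaml
  block:
    # … unchanged: Back up website config … Create certificate …
  always:
    # Cleanup runs whether or not the block succeeded, so the temporary
    # plain-HTTP vhost and its webroot never outlive the play.
    - name: Remove webroot
      # … unchanged: file state absent …
    - name: Remove temporary config
      # … unchanged: file state absent …
    - name: Restore original config
      # … unchanged: mv from sites-disabled …
    - name: Reload Apache
      # … unchanged: service reloaded …
  when: com_challenge is changed
  become: yes
```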
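Review bot: The directory stanza in the temporary vhost grants `AllowOverride All` and `Options MultiViews FollowSymlinks` on the whole of `{{ acme_webroot }}`, which is broader than serving static files from `.well-known/acme-challenge` requires; since the playbook only writes plain text challenge files there, `AllowOverride None` and `Options None` are sufficient and keep a stray `.htaccess` or symlink under the webroot from changing what this unauthenticated HTTP vhost serves. Scoping the directory block to `{{ acme_webroot }}/.well-known/acme-challenge` rather than the webroot itself would narrow exposure further. The container lines of the stanza appear empty in this rendering, presumably the `<VirtualHost>`/`<Directory>` tags lost to markup, so this reads the indented lines as the directory block.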