#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
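# Issue (or renew) a certificate for `website_url` through ACME HTTP-01.
#
# Inputs expected from the caller:
#   website_url     - hostname used for the CN, the key/CSR/cert file names
#                     and the Apache site name ({{ website_url }}.conf)
#   acme.directory  - ACME directory URL
#   acme.webroot    - DocumentRoot served by the temporary vhost
#
# The challenge is served by temporarily replacing the site's enabled vhost
# with a template; the swap is undone in an `always:` section so a failure
# while talking to the CA does not leave the site disabled or the temporary
# (challenge-serving) vhost in place.
- name: "Register certificate for {{ website_url }}"
  block:
    - name: Debug info
      debug:
        msg: "Installing cert for {{ website_url }}"
    - name: Install SSL-required packages
      apt:
        name:
          - python3-openssl
          # community.crypto prefers the `cryptography` backend; pyOpenSSL is
          # kept for older installs that still select it.
          - python3-cryptography
        state: present
    # root-owned, group www-data, no world access: certificates below are
    # handed to Apache through the group; the private/ subtree stays root-only
    # readable by file mode.
    - name: Set up PKI filesystem hierarchy
      file:
        path: "{{ item.dir }}"
        mode: "{{ item.mode }}"
        owner: root
        group: www-data
        state: directory
      loop:
        - { dir: "/etc/pki", mode: "0750" }
        - { dir: "/etc/pki/cert", mode: "0750" }
        - { dir: "/etc/pki/cert/crt", mode: "0750" }
        - { dir: "/etc/pki/cert/csr", mode: "0750" }
        - { dir: "/etc/pki/cert/private", mode: "0750" }
    # The account key authenticates us to the CA; nothing but root (and the
    # acme_certificate tasks below) ever needs it.
    - name: Create ACME account key
      openssl_privatekey:
        path: "/etc/pki/cert/private/account.key"
        owner: root
        group: root
        mode: "0600"
    # Server key: readable by root and the www-data group, never executable
    # (the previous 0750 carried a meaningless execute bit and no group).
    # Apache loads keys in its root master process, so "0600" is an even
    # tighter option if no www-data process needs direct access.
    - name: Create certificate key
      openssl_privatekey:
        path: "/etc/pki/cert/private/{{ website_url }}.key"
        owner: root
        group: www-data
        mode: "0640"
    - name: Create CSR
      openssl_csr:
        path: "/etc/pki/cert/csr/{{ website_url }}.csr"
        common_name: "{{ website_url }}"
        privatekey_path: "/etc/pki/cert/private/{{ website_url }}.key"
        email_address: "rehashedsalt@cock.li"
    # First pass: register/agree terms and obtain the HTTP-01 challenge.
    # `dest` is given so the module can decide that a still-valid certificate
    # needs no renewal (then `com_challenge` is not changed and the block
    # below is skipped). `validate_certs` is left at its default (true): the
    # CA's TLS identity is what makes the challenge exchange trustworthy.
    - name: Create challenge for CSR
      acme_certificate:
        acme_directory: "{{ acme.directory }}"
        acme_version: 2
        terms_agreed: true
        account_email: "rehashedsalt@cock.li"
        account_key: "/etc/pki/cert/private/account.key"
        csr: "/etc/pki/cert/csr/{{ website_url }}.csr"
        dest: "/etc/pki/cert/crt/{{ website_url }}.crt"
        fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
        challenge: http-01
      register: com_challenge
    - name: Create or renew certificate
      block:
        - name: Fulfill challenge
          block:
            # Registered so the cleanup only re-enables a site it disabled.
            - name: Disable website
              command:
                cmd: "a2dissite {{ website_url }}.conf"
                removes: "/etc/apache2/sites-enabled/{{ website_url }}.conf"
              register: site_disabled
            # Registered so the cleanup only removes a file it wrote, never
            # the site's real sites-enabled entry.
            - name: Create temporary config
              template:
                src: apache2-vhost.conf
                dest: "/etc/apache2/sites-enabled/{{ website_url }}.conf"
                mode: "0644"
              register: temp_config
            - name: Reload Apache
              service:
                name: apache2
                state: reloaded
            - name: Create well-known directory
              file:
                path: "{{ acme.webroot }}/.well-known/acme-challenge"
                mode: "0755"
                recurse: true
                state: directory
            # `resource` is the CA-supplied relative path
            # (.well-known/acme-challenge/<token>) and `resource_value` the
            # key authorization; the file must be world-readable for Apache.
            - name: Copy challenge files
              copy:
                dest: "{{ acme.webroot }}/{{ com_challenge['challenge_data'][website_url]['http-01']['resource'] }}"
                content: "{{ com_challenge['challenge_data'][website_url]['http-01']['resource_value'] }}"
                mode: "0644"
          when: com_challenge['challenge_data']|length > 0
        # Second pass: let the CA validate and fetch the issued certificate.
        - name: Create certificate
          acme_certificate:
            acme_directory: "{{ acme.directory }}"
            acme_version: 2
            account_key: "/etc/pki/cert/private/account.key"
            csr: "/etc/pki/cert/csr/{{ website_url }}.csr"
            dest: "/etc/pki/cert/crt/{{ website_url }}.crt"
            fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
            chain_dest: "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt"
            data: "{{ com_challenge }}"
        - name: Assign appropriate permissions to certificate
          file:
            path: "{{ item }}"
            owner: root
            group: www-data
            mode: "0640"
          loop:
            - "/etc/pki/cert/crt/{{ website_url }}.crt"
            - "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
            - "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt"
      # Runs whether or not the CA exchange succeeded, so the temporary vhost
      # never outlives this play and the original site is always re-enabled.
      always:
        - name: Clean up fulfillment
          block:
            - name: Remove webroot
              file:
                path: "{{ acme.webroot }}/.well-known/acme-challenge"
                state: absent
            - name: Remove temporary config
              file:
                path: "/etc/apache2/sites-enabled/{{ website_url }}.conf"
                state: absent
              when: temp_config is defined and temp_config is changed
            - name: Restore original config
              command:
                cmd: "a2ensite {{ website_url }}.conf"
                creates: "/etc/apache2/sites-enabled/{{ website_url }}.conf"
              when: site_disabled is defined and site_disabled is changed
          when: com_challenge['challenge_data']|length > 0
        - name: Reload Apache
          service:
            name: apache2
            state: reloaded
      when: com_challenge is changed
  become: true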