From ea7c30606b3c6c899ca2d162976d9b77383ccfc9 Mon Sep 17 00:00:00 2001
From: Rottler Tamas
Date: Wed, 23 Apr 2025 11:18:14 +0200
Subject: [PATCH] first commit
---
certdistrib.yml.example | 11 +++++++++
tasks/main.yml | 53 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 64 insertions(+)
create mode 100644 certdistrib.yml.example
create mode 100644 tasks/main.yml
diff --git a/certdistrib.yml.example b/certdistrib.yml.example
new file mode 100644
index 0000000..5178fdc
--- /dev/null
+++ b/certdistrib.yml.example
@@ -0,0 +1,11 @@
+---
+- name: certdistrib
+ hosts: certdistrib
+ become: yes
+ roles:
+ - role: certdistrib
+ vars:
+ dns_dehydratedpath: hws-ns1:/etc/dehydrated/certs
+ local_certpath: /opt/certdistrib/certs
+
+# vim: set tabstop=2 shiftwidth=2 expandtab smarttab:
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..8070e9b
--- /dev/null
+++ b/tasks/main.yml
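Review bot: The example playbook never defines the `certdistrib` list that every task in `tasks/main.yml` loops over (`loop: "{{ certdistrib }}"`), so running it as written stops on an undefined variable; add a placeholder entry under `vars:` such as `certdistrib: ["<cert-name-placeholder>"]` and show the optional `certdistrib_reload` hook the same way. `become: yes` is a YAML 1.1 truthy value that yamllint flags and YAML 1.2 parsers read as a string; write `become: true`. `dns_dehydratedpath` is an rsync remote spec, so the controller presumably needs non-interactive SSH access to that host for the `copy certificates` task; a one-line comment above `dns_dehydratedpath` stating that prerequisite would save a failed first run.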
@@ -0,0 +1,53 @@
+---
+- name: "copy certificates from dns master's dehydrated"
+ command: "rsync -a --info=NAME {{ dns_dehydratedpath }}/ {{ local_certpath }}"
+ delegate_to: localhost
+ run_once: yes
+ register: dns_rsync
+ changed_when: "dns_rsync.stdout != ''"
+
+- name: "create cert directory"
+ file:
+ path: "/etc/ssl/{{ item }}"
+ state: directory
+ loop: "{{ certdistrib }}"
+
+- name: "copy fullchain"
+ copy:
+ src: "{{ local_certpath }}/{{ item }}/fullchain.pem"
+ dest: "/etc/ssl/{{ item }}/fullchain.pem"
+ loop: "{{ certdistrib }}"
+ register: copy_cert
+
+- name: "copy key"
+ copy:
+ src: "{{ local_certpath }}/{{ item }}/privkey.pem"
+ dest: "/etc/ssl/{{ item }}/privkey.pem"
+ loop: "{{ certdistrib }}"
+ register: copy_key
+
+- name: "create privfull"
+ copy:
+ content: "{{ lookup('file', local_certpath +'/'+ item +'/privkey.pem') }}\n{{ lookup('file', local_certpath +'/'+ item +'/fullchain.pem') }}\n"
+ dest: "/etc/ssl/{{ item }}/privfull.pem"
+ loop: "{{ certdistrib }}"
+ register: create_privfull
+
+- name: reload services
+ shell: "if systemctl is-active {{ item }}; then systemctl reload {{ item }}; fi"
+ changed_when: no
+ loop:
+ - apache2
+ - httpd
+ - nginx
+ - haproxy
+ when: "copy_cert.changed or copy_key.changed or create_privfull.changed"
+
+- name: extra reload command
+ shell: "{{ certdistrib_reload }}"
+ when:
+ - "copy_cert.changed or copy_key.changed or create_privfull.changed"
+ - certdistrib_reload is defined
+
+
+# vim: set tabstop=2 shiftwidth=2 expandtab smarttab:
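Review bot: The `copy key` and `create privfull` tasks write private key material to `/etc/ssl/{{ item }}/` with no `mode`, `owner` or `group`, so the files get the target's default umask-derived permissions and are likely readable by every local user; add `mode: "0600"` (or `"0640"` plus the consuming service's `group`) to both tasks and a matching `mode: "0750"` to the `create cert directory` task. `create privfull` also passes the key through `content:`, which means it shows up in verbose task output and in `--diff` runs; set `no_log: true` on that task and on `copy key`. `run_once: yes` and `changed_when: no` are YAML 1.1 truthy values; write `true`/`false` so yamllint and YAML 1.2 parsers agree. The `when:` conditions on `reload services` and `extra reload command` depend on the aggregated top-level `.changed` of a loop-registered result rather than `.results`, which works but is easy to misread; a short comment such as `# .changed is true if any loop item changed` above the first `when:` would make the intent explicit.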