From fbf79137632d9e4b9a914ac25c1d412a9d92bac6 Mon Sep 17 00:00:00 2001
From: VC
Date: Thu, 10 Apr 2025 11:56:09 +0200
Subject: [PATCH 1/3] =?UTF-8?q?=F0=9F=9A=91:=20authorize=20letsencrypt=20f?=
 =?UTF-8?q?or=20giteu.be?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 roles/nsd/templates/zones/giteu.be.zone.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/nsd/templates/zones/giteu.be.zone.j2 b/roles/nsd/templates/zones/giteu.be.zone.j2
index cb84312..4e5248a 100644
--- a/roles/nsd/templates/zones/giteu.be.zone.j2
+++ b/roles/nsd/templates/zones/giteu.be.zone.j2
@@ -13,7 +13,7 @@ $TTL 86400
 {% endfor %}
 $ORIGIN {{ item.name }}.
-@ IN CAA 0 issue ";"
+@ IN CAA 0 issue "letsencrypt.org"
 @ IN MX 0 .
 @ IN TXT "v=spf1 -all"
 @ IN TXT "spf2.0/mfrom -all"
-- 
2.39.5
From 72326fab41e57dd487afcb8147586b3250e67bb0 Mon Sep 17 00:00:00 2001
From: VC
Date: Thu, 10 Apr 2025 11:56:46 +0200
Subject: [PATCH 2/3] =?UTF-8?q?=E2=9C=A8:=20automate=20acme.sh=20certifica?=
 =?UTF-8?q?te=20issue?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 inventory/host_vars/jabber.yml | 1 +
 inventory/host_vars/ks3370405.yml | 1 +
 inventory/host_vars/mail.yml | 2 ++
 inventory/host_vars/web1.yml | 2 ++
 inventory/host_vars/web2.yml | 2 ++
 roles/nginx/tasks/acme.yml | 27 +++++++++++++++++++++++++++
 roles/nginx/tasks/main.yml | 9 +++++++++
 7 files changed, 44 insertions(+)
 create mode 100644 roles/nginx/tasks/acme.yml
diff --git a/inventory/host_vars/jabber.yml b/inventory/host_vars/jabber.yml
index 71dc45c..9cad1aa 100644
--- a/inventory/host_vars/jabber.yml
+++ b/inventory/host_vars/jabber.yml
@@ -1,6 +1,7 @@
 ---
 web_hostname:
 - host: libertus.eu
+ acme_reload_cmd: "systemctl restart prosody.service"
 - host: upload.libertus.eu
 - host: xmpp.libertus.eu
diff --git a/inventory/host_vars/ks3370405.yml b/inventory/host_vars/ks3370405.yml
index 7206014..c5ec593 100644
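Review bot: The new CAA record on the `+@ IN CAA` line authorizes letsencrypt.org for any validation method and any ACME account, although PATCH 2 of this series issues only via webroot (http-01); the RFC 8657 parameters narrow that, e.g. `@ IN CAA 0 issue "letsencrypt.org; validationmethods=http-01"`, and an `accounturi=` parameter would further pin issuance to the acme.sh account in use. There is also no `iodef` record, so a CA that rejects a request has nowhere to report it; `@ IN CAA 0 iodef "mailto:<SECURITY-CONTACT-PLACEHOLDER>"` would close that gap. Because the template is rendered per `item.name`, any other zone produced from it inherits the same policy, so this is worth stating in a comment at the top of the template.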
--- a/inventory/host_vars/ks3370405.yml
+++ b/inventory/host_vars/ks3370405.yml
@@ -2,6 +2,7 @@
 web_hostname:
 - host: mail-relay.mateu.be
+ acme_reload_cmd: "systemctl restart postfix.service"
 allowed_smtp_ips: "{{ [global_public_ip_address] + ['80.67.179.200'] }}"
diff --git a/inventory/host_vars/mail.yml b/inventory/host_vars/mail.yml
index d0cb333..817fdc1 100644
--- a/inventory/host_vars/mail.yml
+++ b/inventory/host_vars/mail.yml
@@ -1,4 +1,6 @@
 ---
 web_hostname:
 - host: imap.libertus.eu
+ acme_reload_cmd: "systemctl restart dovecot.service"
 - host: smtp.libertus.eu
+ acme_reload_cmd: "systemctl restart postfix.service"
diff --git a/inventory/host_vars/web1.yml b/inventory/host_vars/web1.yml
index 1ef4aa3..e8f0c91 100644
--- a/inventory/host_vars/web1.yml
+++ b/inventory/host_vars/web1.yml
@@ -14,7 +14,9 @@ web_hostname:
 - host: mail.libertus.eu
 type: roundcube
 - host: perso.nintendojo.fr
+ acme_unmanaged: true
 - host: perso.libertus.eu
+ acme_unmanaged: true
 - host: r.mateu.be
 - host: ff.libertus.eu
 type: firefly3
diff --git a/inventory/host_vars/web2.yml b/inventory/host_vars/web2.yml
index 63b273d..99bd9f1 100644
--- a/inventory/host_vars/web2.yml
+++ b/inventory/host_vars/web2.yml
@@ -3,10 +3,12 @@ php_modules: ['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'xml', 'bcmath', 'cu
 web_hostname:
 - host: nintendojo.fr
+ acme_unmanaged: true
 - host: www.nintendojo.fr
 - host: forum.nintendojo.fr
 type: phpbb
 - host: nintendojofr.com
+ acme_unmanaged: true
 - host: www.nintendojofr.com
 type: retrodojo
 - host: forum.nintendojofr.com
diff --git a/roles/nginx/tasks/acme.yml b/roles/nginx/tasks/acme.yml
new file mode 100644
index 0000000..fb52ba8
--- /dev/null
+++ b/roles/nginx/tasks/acme.yml
@@ -0,0 +1,27 @@
+---
+
+- name: Issue certificate
+ ansible.builtin.command:
+ cmd: "/etc/x509/acme.sh --issue --domain {{ host.host }} --webroot {{ nginx_letsencrypt_dir }} --reloadcmd \"{{ acme_reload_cmd | default('systemctl reload nginx.service') }}\""
+ creates: "/etc/x509/{{ host.host }}*"
+ environment:
+ LE_WORKING_DIR: "/etc/x509"
+
+- name: Check if ecc dir
+ ansible.builtin.stat:
+ path: "/etc/x509/{{ host.host }}_ecc"
+ register: _nginx_x509_ecc_dir
+
+- name: Move dir if exists
+ block:
+ - name: Copy ecc dir
+ ansible.builtin.copy:
+ remote_src: true
+ src: "/etc/x509/{{ host.host }}_ecc/"
+ dest: "/etc/x509/{{ host.host }}"
+
+ - name: Remove ecc dir
+ ansible.builtin.file:
+ path: "/etc/x509/{{ host.host }}_ecc/"
+ state: absent
+ when: _nginx_x509_ecc_dir.stat.exists
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index e94d40c..c794f1f 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -41,5 +41,14 @@ mode: 'u+rwx,g+rs,o-rwx'
 state: directory
+- name: Flush handlers
+ ansible.builtin.meta: flush_handlers
+
+- name: Include acme auto cert
+ ansible.builtin.include_tasks: acme.yml
+ loop: "{{ web_hostname | rejectattr('acme_unmanaged', 'defined') }}"
+ loop_control:
+ loop_var: "host"
+
 - name: Include vhosts
 ansible.builtin.include_tasks: vhosts.yml
-- 
2.39.5
From f4fcaca041f620bca1f2892959258fd42d0b7aca Mon Sep 17 00:00:00 2001
From: VC
Date: Thu, 10 Apr 2025 13:31:11 +0200
Subject: [PATCH 3/3] =?UTF-8?q?=F0=9F=9A=A8:=20lint=20properly=20acme.yml?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 roles/nginx/tasks/acme.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/roles/nginx/tasks/acme.yml b/roles/nginx/tasks/acme.yml
index fb52ba8..f61449b 100644
--- a/roles/nginx/tasks/acme.yml
+++ b/roles/nginx/tasks/acme.yml
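Review bot: The `--reloadcmd` in the "Issue certificate" task reads the bare variable `acme_reload_cmd`, but the same series sets that key inside each `web_hostname` list entry (jabber.yml, ks3370405.yml, mail.yml) and the task is looped with `loop_var: host`, so the per-host value is never seen and every host falls back to `systemctl reload nginx.service`; acme.sh persists that reload command for renewals, so prosody, dovecot and postfix would keep serving an expired certificate after the first renewal. The template should read the loop item: `--reloadcmd \"{{ host.acme_reload_cmd | default('systemctl reload nginx.service') }}\"`. The "Move dir if exists" block then renames acme.sh's `_ecc` directory, which is also where acme.sh keeps the renewal configuration; whether `acme.sh --cron` still locates the certificate after the move is not shown here and is worth verifying once with `--renew` before relying on unattended renewal. Finally, `creates: "/etc/x509/{{ host.host }}*"` is a prefix glob, so a directory for any longer hostname sharing that prefix would also skip issuance — a short comment stating that the glob is meant to match both the `<host>` and `<host>_ecc` directories would make the intent explicit.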
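Review bot: The "Include acme auto cert" task runs `acme.yml` before `vhosts.yml`, so on a freshly provisioned host the webroot issuance happens before the vhost that would serve `{{ nginx_letsencrypt_dir }}` on port 80 exists; if vhosts.yml is what exposes that webroot (not visible here), the first run fails http-01 and a second run is needed. Separately, `rejectattr('acme_unmanaged', 'defined')` tests presence rather than value, so an inventory entry with `acme_unmanaged: false` is also excluded; either document that with `# acme_unmanaged present with any value opts the host out of issuance` above the loop, or test the value instead of its presence. The preceding `flush_handlers` is reasonable but its purpose is not stated; `# flush so the directory changes above are live before acme.sh runs` would tell the next reader why it sits there.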
@@ -13,15 +13,16 @@
 register: _nginx_x509_ecc_dir
 - name: Move dir if exists
+ when: _nginx_x509_ecc_dir.stat.exists
 block:
 - name: Copy ecc dir
 ansible.builtin.copy:
 remote_src: true
 src: "/etc/x509/{{ host.host }}_ecc/"
 dest: "/etc/x509/{{ host.host }}"
+ mode: "{{ _nginx_x509_ecc_dir.stat.mode }}"
 - name: Remove ecc dir
 ansible.builtin.file:
 path: "/etc/x509/{{ host.host }}_ecc/"
 state: absent
- when: _nginx_x509_ecc_dir.stat.exists
-- 
2.39.5
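Review bot: The added `mode: "{{ _nginx_x509_ecc_dir.stat.mode }}"` takes the permission bits of the `_ecc` *directory* and applies them to every file the copy task writes under `/etc/x509/{{ host.host }}`, including the private key, so a typical directory mode such as 0755 would leave the key world-readable. `mode: preserve` keeps each source file's own bits, which is what the lint fix presumably wanted; if the key must be tightened further, a follow-up `ansible.builtin.file` with `mode: "0600"` on the key file is the explicit form. The rest of the block is unchanged from PATCH 2 and the file continues past the hunk.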