From 016cb84bdb37d56d811348a6e6e9a23177af9ffc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20Fra=C3=9F?=
Date: Mon, 20 Nov 2023 16:34:59 +0100
Subject: [PATCH] [fix] role:tlscert_acme_netcup

---
 .../tlscert_acme_netcup/defaults/main.json | 1 +
 .../roles/tlscert_acme_netcup/tasks/main.json | 50 +++++++++++++++----
 2 files changed, 42 insertions(+), 9 deletions(-)

diff --git a/ansible/roles/tlscert_acme_netcup/defaults/main.json b/ansible/roles/tlscert_acme_netcup/defaults/main.json
index 3364a26..4518788 100644
--- a/ansible/roles/tlscert_acme_netcup/defaults/main.json
+++ b/ansible/roles/tlscert_acme_netcup/defaults/main.json
@@ -1,5 +1,6 @@
 {
 "var_tlscert_acme_netcup_acme_account_email": "REPLACE_ME",
+ "var_tlscert_acme_netcup_letsencrypt_account_key_path": "/etc/letsencrypt/key",
 "var_tlscert_acme_netcup_netcup_customer_id": "REPLACE_ME",
 "var_tlscert_acme_netcup_netcup_api_password": "REPLACE_ME",
 "var_tlscert_acme_netcup_netcup_api_key": "REPLACE_ME",
diff --git a/ansible/roles/tlscert_acme_netcup/tasks/main.json b/ansible/roles/tlscert_acme_netcup/tasks/main.json
index 0a2f60e..ba89d7d 100644
--- a/ansible/roles/tlscert_acme_netcup/tasks/main.json
+++ b/ansible/roles/tlscert_acme_netcup/tasks/main.json
@@ -4,13 +4,12 @@
 "become": true,
 "ansible.builtin.apt": {
 "pkg": [
- "openssl",
- "certbot"
+ "openssl"
 ]
 }
 },
 {
- "name": "csr | setup private key directory",
+ "name": "setup directories | keys",
 "become": true,
 "ansible.builtin.file": {
 "state": "directory",
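Review bot: The `ansible.builtin.file` task renamed to `setup directories | keys` still sets no `mode`, so the private-key directory is created with the remote umask (normally 0755) and, if it already exists with wider permissions, they are never tightened; add `"mode": "0700"` next to `"state": "directory",`. The directory's `path` line and the end of this task fall outside the hunk, so I cannot confirm the target path from here, but the old task name `csr | setup private key directory` indicates it is where the domain private key generated later in this file is written. Dropping `certbot` from the package list looks consistent with the role now driving ACME through `community.crypto` instead of certbot.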
@@ -18,20 +17,44 @@
 }
 },
 {
- "name": "csr | generate private key",
+ "name": "setup directories | certs",
 "become": true,
- "community.crypto.openssl_privatekey": {
- "path": "{{var_tlscert_acme_netcup_ssl_directory}}/private/{{var_tlscert_acme_netcup_domain_path}}.{{var_tlscert_acme_netcup_domain_base}}.pem"
+ "ansible.builtin.file": {
+ "state": "directory",
+ "path": "{{var_tlscert_acme_netcup_ssl_directory}}/certs"
 }
 },
 {
- "name": "csr | setup csr directory",
+ "name": "setup directories | csr",
 "become": true,
 "ansible.builtin.file": {
 "state": "directory",
 "path": "{{var_tlscert_acme_netcup_ssl_directory}}/csr"
 }
 },
+ {
+ "name": "setup directories | fullchains",
+ "become": true,
+ "ansible.builtin.file": {
+ "state": "directory",
+ "path": "{{var_tlscert_acme_netcup_ssl_directory}}/fullchains"
+ }
+ },
+ {
+ "name": "setup directories | Let's Encrypt account key",
+ "become": true,
+ "ansible.builtin.file": {
+ "state": "directory",
+ "path": "{{var_tlscert_acme_netcup_letsencrypt_account_key_path | dirname}}"
+ }
+ },
+ {
+ "name": "csr | generate private key",
+ "become": true,
+ "community.crypto.openssl_privatekey": {
+ "path": "{{var_tlscert_acme_netcup_ssl_directory}}/private/{{var_tlscert_acme_netcup_domain_path}}.{{var_tlscert_acme_netcup_domain_base}}.pem"
+ }
+ },
 {
 "name": "csr | execute",
 "become": true,
@@ -41,6 +64,13 @@
 "path": "{{var_tlscert_acme_netcup_ssl_directory}}/csr/{{var_tlscert_acme_netcup_domain_path}}.{{var_tlscert_acme_netcup_domain_base}}.pem"
 }
 },
+ {
+ "name": "acme | generate account key",
+ "become": true,
+ "ansible.builtin.shell": {
+ "cmd": "test -f {{var_tlscert_acme_netcup_letsencrypt_account_key_path}} || openssl genrsa 4096 > {{var_tlscert_acme_netcup_letsencrypt_account_key_path}}"
+ }
+ },
 {
 "name": "acme | init",
 "become": true,
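Review bot: The new `setup directories | Let's Encrypt account key` task creates the parent directory of the ACME account key (`/etc/letsencrypt` with the shipped default) without a `mode`, so it inherits the remote umask — typically 0755 — and `ansible.builtin.file` with `state: directory` never tightens an existing directory unless `mode` is given; add `"mode": "0700"` after `"state": "directory",` in that task. The `certs`, `csr` and `fullchains` directories hold public material and can stay at the default. The relocated `csr | generate private key` task leaves the domain key's permissions to `community.crypto.openssl_privatekey`, which as far as I know defaults to 0600; stating `"mode": "0600"` there would make the intent explicit and survive a module default change.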
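Review bot: The new `acme | generate account key` task writes the ACME account private key through a shell redirect, so the file is created under the remote umask — 0644 on most hosts — and any local user can read the key that authorises issuance and revocation for this ACME account. The `test -f … ||` guard additionally means a partially written file (the redirect creates the path before `openssl genrsa` finishes, so a failed run leaves an empty or truncated key) is never regenerated, and the bare `shell` task without `creates` reports `changed` on every run. The role already generates the domain key with `community.crypto.openssl_privatekey` a few tasks earlier in this file; using the same module here is idempotent, lets you pin the permissions with an explicit `mode`, and removes the shell interpolation of the path variable. Rewritten task below; if the shell form must stay, the minimal alternative is `"creates"` set to the key path plus `umask 077 &&` in front of `openssl genrsa`.

```json
{
  "name": "acme | generate account key",
  "become": true,
  "community.crypto.openssl_privatekey": {
    "path": "{{var_tlscert_acme_netcup_letsencrypt_account_key_path}}",
    "size": 4096,
    "mode": "0600"
  }
},
```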
@@ -48,7 +78,7 @@
 "acme_version": 2,
 "acme_directory": "https://acme-v02.api.letsencrypt.org/directory",
 "account_email": "{{var_tlscert_acme_netcup_acme_account_email}}",
- "account_key_src": "{{var_tlscert_acme_netcup_ssl_directory}}/private/{{var_tlscert_acme_netcup_domain_path}}.{{var_tlscert_acme_netcup_domain_base}}.pem",
+ "account_key_src": "{{var_tlscert_acme_netcup_letsencrypt_account_key_path}}",
 "terms_agreed": true,
 "csr": "{{var_tlscert_acme_netcup_ssl_directory}}/csr/{{var_tlscert_acme_netcup_domain_path}}.{{var_tlscert_acme_netcup_domain_base}}.pem",
 "challenge": "dns-01",
@@ -59,6 +89,7 @@
 },
 {
 "name": "dns challenge | execute",
+ "when": "'challenge_data' in temp_acme_data",
 "community.general.netcup_dns": {
 "customer_id": "{{var_tlscert_acme_netcup_netcup_customer_id}}",
 "api_password": "{{var_tlscert_acme_netcup_netcup_api_password}}",
@@ -71,6 +102,7 @@
 },
 {
 "name": "dns challenge | wait",
+ "when": "'challenge_data' in temp_acme_data",
 "ansible.builtin.pause": {
 "seconds": 60
 }
@@ -82,7 +114,7 @@
 "acme_version": 2,
 "acme_directory": "https://acme-v02.api.letsencrypt.org/directory",
 "account_email": "{{var_tlscert_acme_netcup_acme_account_email}}",
- "account_key_src": "{{var_tlscert_acme_netcup_ssl_directory}}/private/{{var_tlscert_acme_netcup_domain_path}}.{{var_tlscert_acme_netcup_domain_base}}.pem",
+ "account_key_src": "{{var_tlscert_acme_netcup_letsencrypt_account_key_path}}",
 "terms_agreed": true,
 "csr": "{{var_tlscert_acme_netcup_ssl_directory}}/csr/{{var_tlscert_acme_netcup_domain_path}}.{{var_tlscert_acme_netcup_domain_base}}.pem",
 "challenge": "dns-01",
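Review bot: The `dns challenge | execute` task passes the Netcup API password and API key to `community.general.netcup_dns` without `"no_log": true`; the module's argument spec may already mask those two parameters, but task arguments (including any per-item loop values) are otherwise printed verbatim on failure and at higher verbosity, so adding `"no_log": true` beside the new `"when"` line is a cheap safeguard. The new condition `'challenge_data' in temp_acme_data` depends on a variable registered by the `acme | init` task outside this hunk and correctly skips the DNS step when the ACME module has nothing to validate. If the role has no later task removing the `_acme-challenge` TXT record once validation succeeds, stale records will accumulate in the zone — the remainder of the task list is not visible in this diff.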
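Review bot: The `dns challenge | wait` task still relies on a fixed `"seconds": 60` pause, now merely guarded by the new `when`; if Netcup's authoritative servers take longer than that to serve the TXT record the subsequent `acme_certificate` validation fails, and when they are faster the run waits needlessly. A more robust shape is to poll until the record is visible — for example an `ansible.builtin.command` running `dig +short TXT` against the challenge name with `until`/`retries`/`delay`, or `community.dns.wait_for_txt` if adding that collection is acceptable — and keep a short pause only as a fallback. The pause task and the second `acme_certificate` call that follows are only partially visible in this hunk.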