From 1c1bc2fe9f8a190f0b0b76a524deb4019e39d410 Mon Sep 17 00:00:00 2001
From: Mathieu Gauthier-Pilote
Date: Thu, 12 Jan 2023 16:27:00 -0500
Subject: [PATCH] Install LE cert. when there is none
---
 webapps/mastodon/tasks/main.yml | 67 ++++++++++++++++-------------
 webapps/mastodon/templates/vhost.j2 | 4 +-
 2 files changed, 39 insertions(+), 32 deletions(-)
diff --git a/webapps/mastodon/tasks/main.yml b/webapps/mastodon/tasks/main.yml
index fed52d83..bcd8f887 100644
--- a/webapps/mastodon/tasks/main.yml
+++ b/webapps/mastodon/tasks/main.yml
@@ -174,37 +174,42 @@ path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem" register: ssl -#- name: Generate certificate only if required (first time) - #block: - #- name: Template vhost without SSL for successfull LE challengce - #template: - #src: "vhost.j2" - #dest: "/etc/nginx/sites-available/{{ service }}" - #- name: Enable temporary nginx vhost for LE - #file: - #src: "/etc/nginx/sites-available/{{ service }}" - #dest: "/etc/nginx/sites-enabled/{{ service }}" - #state: link - #- name: Reload nginx conf - #service: - #name: nginx - #state: reloaded - #- name: Generate certificate with certbot - #shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt -d {{ domains |first }} - #when: ssl.stat.exists == false +- name: Generate certificate only if required (first time) + block: + - name: Template vhost without SSL for successfull LE challengce + template: + src: "vhost.j2" + dest: "/etc/nginx/sites-available/{{ service }}" + - name: Enable temporary nginx vhost for LE + file: + src: "/etc/nginx/sites-available/{{ service }}" + dest: "/etc/nginx/sites-enabled/{{ service }}" + state: link + - name: Reload nginx conf + service: + name: nginx + state: reloaded + - name: Generate certificate with certbot + shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt -d {{ domains |first }} + when: ssl.stat.exists == false -#- name: (Re)template conf file for nginx vhost with SSL - #template: - #src: "vhost.j2" - #dest: "/etc/nginx/sites-available/{{ service }}" +- name: (Re)check if SSL certificate is present and register result + stat: + path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem" + register: ssl -#- name: Enable nginx vhost for mastodon - #file: - #src: "/etc/nginx/sites-available/{{ service }}" - #dest: "/etc/nginx/sites-enabled/{{ service }}" - #state: link +- name: (Re)template conf file for nginx vhost with SSL + template: + src: "vhost.j2" + dest: "/etc/nginx/sites-available/{{ service }}" -#- name: Reload 
nginx conf - #service: - #name: nginx - #state: reloaded +- name: Enable nginx vhost for mastodon + file: + src: "/etc/nginx/sites-available/{{ service }}" + dest: "/etc/nginx/sites-enabled/{{ service }}" + state: link + +- name: Reload nginx conf + service: + name: nginx + state: reloaded diff --git a/webapps/mastodon/templates/vhost.j2 b/webapps/mastodon/templates/vhost.j2 index fc27c041..673cb186 100644 --- a/webapps/mastodon/templates/vhost.j2 +++ b/webapps/mastodon/templates/vhost.j2 @@ -19,8 +19,10 @@ server { listen [::]:443 ssl http2; server_name {{ domains |first }}; - include /etc/nginx/ssl/{{ service }}.conf; include /etc/nginx/snippets/letsencrypt.conf; + ssl_certificate /etc/letsencrypt/live/{{ domains |first }}/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/{{ domains |first }}/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/{{ domains |first }}/chain.pem; # OCSP stapling ssl_stapling on;
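Review bot: The certbot task (`shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt -d {{ domains |first }}`) goes through a shell with the templated domain unquoted, and the only thing stopping it from running again is the block-level `when: ssl.stat.exists == false`; the task itself neither guards against re-execution nor records whether it changed anything. The command uses no shell features, so `command:` with `creates:` is the usual form and makes the task idempotent on its own: `command: certbot certonly --non-interactive --agree-tos --webroot --webroot-path /var/lib/letsencrypt -d "{{ domains | first }}"` plus `args: creates: "/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem"`. Without `--non-interactive` certbot presumably tries to prompt (and aborts, there being no TTY under Ansible) on a host whose ACME account is not registered yet, so an `--email`/`--register-unsafely-without-email` choice probably belongs here too — to be confirmed against how other roles in this repository invoke certbot. Only `domains | first` is requested, so any further entries in `domains` get no certificate; if that is intended, a comment saying so next to the task would help, and `when: not ssl.stat.exists` reads more naturally than the `== false` comparison.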
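Review bot: The `ssl_certificate`, `ssl_certificate_key` and `ssl_trusted_certificate` lines added to the 443 block point at files that exist only after the certbot task in tasks/main.yml has run, and nginx refuses to load a configuration whose `ssl_certificate` file cannot be opened (so the `state: reloaded` task would fail), which means the first-run "vhost without SSL" render only works if this whole server block is skipped while `ssl.stat.exists` is false. The start of the block is outside the hunk (the first visible line is already `listen [::]:443 ssl http2;`), so a `{% if ssl.stat.exists %}` … `{% endif %}` guard may already surround it; if it does not, it is needed, and if it does, a comment such as `{# 443 block is rendered only once the LE certificate exists; tasks/main.yml re-runs the stat after certbot #}` beside the guard would make the two-pass templating in main.yml understandable from this file alone.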