From f068684a76411a3d69ad1ec1f432ef6c0a3ef1ff Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Tue, 16 May 2017 10:30:17 +0200
Subject: [PATCH] evoacme: add squid whitelist for ocsp server
---
 evoacme/handlers/main.yml | 5 +++++
 evoacme/tasks/certbot.yml | 22 ++++++++++++++++++++++
 2 files changed, 27 insertions(+)
diff --git a/evoacme/handlers/main.yml b/evoacme/handlers/main.yml
index 03538de9..c619715c 100644
--- a/evoacme/handlers/main.yml
+++ b/evoacme/handlers/main.yml
@@ -13,3 +13,8 @@
 - name: apt update
   apt:
     update_cache: yes
+
+- name: reload squid3
+  service:
+    name: squid3
+    state: reloaded
diff --git a/evoacme/tasks/certbot.yml b/evoacme/tasks/certbot.yml
index 6b978604..5fb29c3c 100644
--- a/evoacme/tasks/certbot.yml
+++ b/evoacme/tasks/certbot.yml
@@ -53,3 +53,25 @@
     src: certbot.cron
     dest: /etc/cron.daily/certbot
     mode: "0755"
+
+- name: Is Squid installed?
+  command: "command -v squid3"
+  failed_when: false
+  changed_when: false
+  check_mode: no
+  register: is_squid3_installed
+
+- name: Find squid3 config whitelist
+  shell: find /etc/squid3/whitelist-custom.conf /etc/squid3/whitelist.conf 2> /dev/null
+  failed_when: false
+  changed_when: false
+  check_mode: no
+  register: squid3_whitelist_files
+
+- name: Let's Encrypt OCSP server is authorized by squid
+  lineinfile:
+    dest: "{{ squid3_whitelist_files.stdout_lines | first }}"
+    line: "http://ocsp.int-x3.letsencrypt.org/.*"
+    state: present
+    notify: reload squid3
+  when: is_squid3_installed.rc == 0 and squid3_whitelist_files.stdout != ""
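Review bot: The whitelist entry written by the "Let's Encrypt OCSP server is authorized by squid" task is an unanchored pattern with unescaped dots, so if the whitelist file is loaded as a `url_regex` ACL it also matches any URL that merely contains that substring and any host where a `.` is replaced by another character, which widens the proxy allowance well beyond the OCSP responder. Anchoring and escaping, `line: '^http://ocsp\.int-x3\.letsencrypt\.org/'`, keeps it to the intended host; whether the file is read as `url_regex` or `dstdomain` is not visible in this hunk, so confirm against the squid config that includes it. The responder name is tied to the X3 intermediate, so when the issuing chain changes this entry silently stops covering OCSP fetches through the proxy; a role variable such as `evoacme_ocsp_url` (name constructed) used in both the `line` value and a comment would make rotation a one-line change. Because `lineinfile` is used with `state: present` and no `regexp`, a later edit of the line adds a second entry instead of replacing the stale one. The enclosing task list starts before this hunk.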