From 2ed64846a5fc6c086a1c555b0efb8eb2fe4ed71e Mon Sep 17 00:00:00 2001
From: fhiss
Date: Oct 22 2022 18:38:57 +0000
Subject: [PATCH 1/2] Add Buypass
---
diff --git a/roles/copr/certbot/tasks/buypass.yml b/roles/copr/certbot/tasks/buypass.yml
new file mode 100644
index 0000000..5aad8a1
--- /dev/null
+++ b/roles/copr/certbot/tasks/buypass.yml
@@ -0,0 +1,150 @@
+---
+- set_fact:
+ bp_source_path: /etc/letsencrypt
+ # https://pagure.io/copr/copr/issue/2250
+ bp_backup_path: /srv/certbot-certs
+ tags:
+ - certbot
+
+- name: install certbot package
+ package: name=certbot state=present
+ tags:
+ - certbot
+
+- name: install certbot config
+ template: src=certbot.j2 dest=/etc/sysconfig/certbot
+ mode=0644
+ tags:
+ - certbot
+
+- name: install certbot deploy script
+ template: src={{ buypass.predefined_deploy_script }}
+ dest=/usr/libexec/auto-certbot-deploy
+ mode=0755
+ when: buypass.predefined_deploy_script is defined
+ tags:
+ - certbot
+
+- name: check whether we need to initialize buypass first
+ stat: path="/etc/letsencrypt/live/{{ item.key }}"
+ register: bp_stat_checks
+ with_dict: "{{ buypass.certificates }}"
+ tags:
+ - certbot
+
+- name: check if we already have the backup
+ delegate_to: localhost
+ stat:
+ path: "{{ bp_backup_path }}/{{ (buypass.certificates|dictsort)[0][0] }}"
+ register: bp_stat_backup_dir
+ tags:
+ - certbot
+
+- name: restore the certificates from backup (backed up on batcave)
+ synchronize:
+ src: "{{ bp_backup_path }}/{{ (buypass.certificates|dictsort)[0][0] }}/"
+ dest: "{{ bp_source_path }}"
+ mode: push
+ tags:
+ - certbot
+ when:
+ - not bp_stat_checks.results[0].stat.exists
+ - bp_stat_backup_dir.stat.exists
+ register: some_cert_restored
+
+- name: initialize certbot configuration
+ shell: |
+ certbot certonly --standalone \
+ -w {{ item.item.value.challenge_dir }} \
+ -d {{ item.item.value.domains | join(' -d ') }} \
+ --cert-name {{ item.item.key }} \
+ -m {{ item.item.value.mail }} \
+ --agree-tos \
+ -n >> /tmp/call
+ when:
+ - not item.stat.exists
+ - not some_cert_restored.changed
+ with_items: "{{ bp_stat_checks.results }}"
+ tags:
+ - certbot
+
+- name: configure certbot to use webroot next time
+ ini_file: dest="/etc/letsencrypt/renewal/{{ item.item.key }}.conf"
+ section=renewalparams
+ option=authenticator
+ value=webroot
+ with_items: "{{ bp_stat_checks.results }}"
+ tags:
+ - certbot
+
+- name: configure certbot to use webroot next time
+ ini_file: dest="/etc/letsencrypt/renewal/{{ item.item.key }}.conf"
+ section=renewalparams
+ option=webroot_path
+ value="{{ item.item.value.challenge_dir }}"
+ with_items: "{{ bp_stat_checks.results }}"
+ tags:
+ - certbot
+
+- name: post init script
+ shell: |
+ /usr/libexec/auto-certbot-deploy \
+ --init {{ item.item.key }}
+ when:
+ - buypass.predefined_deploy_script is defined
+ - not item.stat.exists
+ with_items: "{{ bp_stat_checks.results }}"
+ tags:
+ - certbot
+
+- name: Automatize cert renewal
+ service:
+ name: certbot-renew.timer
+ state: started
+ enabled: yes
+ tags:
+ - certbot
+
+# When we do 'systemctl restart', lighttpd is initially started as "root"
+# process (when the config is loaded) and later it does setuid(lighttpd).
+# So "restart" is just fine. Though we also do 'killall -HUP lighttpd' in
+# several occasions and then 'lighttpd' user needs to have the access. See the
+# following issues:
+# https://pagure.io/copr/copr/issue/2001 Resolves:
+# https://pagure.io/fedora-infrastructure/issue/10391
+- name: allow lighttpd to step into certbots directories
+ acl:
+ path: "{{ item }}"
+ entity: lighttpd
+ etype: user
+ permissions: --x
+ state: present
+ with_items:
+ - /etc/letsencrypt/archive
+ - /etc/letsencrypt/live
+ when:
+ - buypass.predefined_deploy_script is defined
+ - buypass.predefined_deploy_script == 'lighttpd'
+ tags:
+ - certbot
+
+- name: prepare the certbot backup directory on batcave
+ delegate_to: localhost
+ file:
+ path: "{{ bp_backup_path }}"
+ # nobody, except for root, can step into this directory (on batcave)
+ mode: 0700
+ owner: root
+ group: root
+ state: directory
+ tags:
+ certbot
+
+- name: backup the buypass certs to batcave directory
+ synchronize:
+ src: "{{ bp_source_path }}/"
+ dest: "{{ bp_backup_path }}/{{ item.key }}"
+ mode: pull
+ with_dict: "{{ buypass.certificates }}"
+ tags:
+ - certbot
\ No newline at end of file
From 15697c3e11739c193b5321bffaf6371ca09c4688 Mon Sep 17 00:00:00 2001
From: fhiss
Date: Oct 22 2022 18:54:27 +0000
Subject: [PATCH 2/2] Update 'roles/copr/certbot/tasks/buypass.yml'
---
diff --git a/roles/copr/certbot/tasks/buypass.yml b/roles/copr/certbot/tasks/buypass.yml
index 5aad8a1..58835ff 100644
--- a/roles/copr/certbot/tasks/buypass.yml
+++ b/roles/copr/certbot/tasks/buypass.yml
@@ -147,4 +147,4 @@
 mode: pull
 with_dict: "{{ buypass.certificates }}"
 tags:
- - certbot
\ No newline at end of file
+ - certbot
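Review bot: The "initialize certbot configuration" task appends certbot's output to the fixed path `/tmp/call`, a predictable name in a world-writable directory written by whatever user runs the play (presumably root, since the same task writes under /etc/letsencrypt); nothing in this file reads it back, so it looks like a debug leftover and should be dropped (`-n` alone, letting the task's `register`/stdout carry the output) or, if a persistent log is wanted, pointed at a root-owned location under /var/log. The same task interpolates inventory-derived values straight into a `shell:` command line, so quoting them is cheap insurance: `-w {{ item.item.value.challenge_dir | quote }} \` and `-m {{ item.item.value.mail | quote }} \`. Separately, `--standalone` is passed together with `-w`; certbot only consults the webroot path for the webroot authenticator, so either the `-w` is dead on the first run or the intent is webroot from the start — worth a one-line comment stating which, since the follow-up ini_file tasks already switch renewals to webroot. The backup task pulls all of `/etc/letsencrypt/` (including private keys under archive/) to the controller for every entry in `buypass.certificates`; the destination directory is 0700 root, which is fine, but a comment noting that private keys land on batcave and that the `file` task needs root there would help the next reader.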