author | Matthew Fennell <matthew@fennell.dev> | 2024-01-07 14:08:57 +0000 |
---|---|---|
committer | Matthew Fennell <matthew@fennell.dev> | 2024-01-07 14:08:57 +0000 |
commit | 4a68510bac93a8d824e8634dc01ef25d21faddce (patch) | |
tree | 55a6fd1861736451da2e52b1ca20d6e8e6583d78 | |
parent | 664d581eb277c4be8d257906b6455bcba7860093 (diff) |
Ensure certificates are installed
This commit ensures certificates are installed, via Let's Encrypt.
-rwxr-xr-x | files/on_renew.sh | 6 | ||||
-rw-r--r-- | playbook.yaml | 16 |
2 files changed, 22 insertions, 0 deletions
diff --git a/files/on_renew.sh b/files/on_renew.sh
new file mode 100755
index 0000000..7f710ae
--- /dev/null
+++ b/files/on_renew.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+# SPDX-FileCopyrightText: 2024 Matthew Fennell <matthew@fennell.dev>
+#
+# SPDX-License-Identifier: AGPL-3.0-only
+
+/usr/bin/prosodyctl --root cert import /etc/letsencrypt/live
diff --git a/playbook.yaml b/playbook.yaml
index da17227..3a151f7 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -26,6 +26,22 @@
 - WWW
 - XMPP
 become: true
+ - name: Ensure certbot on-renew hook is installed
+ ansible.builtin.copy:
+ src: "{{ playbook_dir }}/files/on_renew.sh"
+ dest: /etc/letsencrypt/renewal-hooks/deploy/prosody.sh
+ owner: root
+ group: root
+ mode: "0755"
+ become: true
+ - name: Ensure certificates are installed
+ ansible.builtin.command: >-
+ certbot --non-interactive --agree-tos --post-hook "/bin/true"
+ --email {{ certbot_email }} --no-eff-email --apache
+ --domains {{ virtual_host }}
+ become: true
+ register: certbot
+ changed_when: "'Running post-hook command' in certbot.stdout"
 - name: Ensure top-level prosody configuration is installed
 ansible.builtin.copy:
 src: "{{ playbook_dir }}/files/prosody.cfg.lua" |
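Review bot: on_renew.sh carries only the licence headers and nothing that says what invokes it or why prosodyctl is run with `--root`; a short header would help, for example `# Certbot deploy hook: imports certificates from /etc/letsencrypt/live into Prosody.`, plus a line noting that it runs as root because the key files under that directory are presumably readable by root only. As far as I know certbot runs the scripts in renewal-hooks/deploy only for `certbot renew`, so it is worth confirming that the first issuance done by the playbook also reaches Prosody through some step outside this diff. If it does not, Prosody would keep serving without the new certificate until the first renewal.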
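Review bot: In the `Ensure certificates are installed` task, `{{ certbot_email }}` and `{{ virtual_host }}` are templated into a free-form command string, and the command module splits the rendered string into arguments, so a value containing whitespace would reach certbot as extra options. Passing the command as an `argv` list keeps each value a single argument and removes the need for the quoted `"/bin/true"`. Separately, `changed_when` depends on the literal text `Running post-hook command` appearing on stdout; whether certbot prints that line, and on which stream, may vary with its version and verbosity, so confirm it on the target release or also check `certbot.stderr`. The task list continues outside the hunk.

```yaml
- name: Ensure certificates are installed
  ansible.builtin.command:
    argv:
      - certbot
      - --non-interactive
      - --agree-tos
      - --post-hook
      - /bin/true
      - --email
      - "{{ certbot_email }}"
      - --no-eff-email
      - --apache
      - --domains
      - "{{ virtual_host }}"
  # … unchanged: become, register, changed_when …
```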