From 4a68510bac93a8d824e8634dc01ef25d21faddce Mon Sep 17 00:00:00 2001
From: Matthew Fennell
Date: Sun, 7 Jan 2024 14:08:57 +0000
Subject: Ensure certificates are installed

This commit ensures certificates are installed, via Lets Encrypt.
---
files/on_renew.sh | 6 ++++++
playbook.yaml | 16 ++++++++++++++++
2 files changed, 22 insertions(+)
create mode 100755 files/on_renew.sh
diff --git a/files/on_renew.sh b/files/on_renew.sh
new file mode 100755
index 0000000..7f710ae
--- /dev/null
+++ b/files/on_renew.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+# SPDX-FileCopyrightText: 2024 Matthew Fennell
+#
+# SPDX-License-Identifier: AGPL-3.0-only
+
+/usr/bin/prosodyctl --root cert import /etc/letsencrypt/live
diff --git a/playbook.yaml b/playbook.yaml
index da17227..3a151f7 100644
--- a/playbook.yaml
+++ b/playbook.yaml
@@ -26,6 +26,22 @@
 - WWW
 - XMPP
 become: true
+ - name: Ensure certbot on-renew hook is installed
+ ansible.builtin.copy:
+ src: "{{ playbook_dir }}/files/on_renew.sh"
+ dest: /etc/letsencrypt/renewal-hooks/deploy/prosody.sh
+ owner: root
+ group: root
+ mode: "0755"
+ become: true
+ - name: Ensure certificates are installed
+ ansible.builtin.command: >-
+ certbot --non-interactive --agree-tos --post-hook "/bin/true"
+ --email {{ certbot_email }} --no-eff-email --apache
+ --domains {{ virtual_host }}
+ become: true
+ register: certbot
+ changed_when: "'Running post-hook command' in certbot.stdout"
 - name: Ensure top-level prosody configuration is installed
 ansible.builtin.copy:
 src: "{{ playbook_dir }}/files/prosody.cfg.lua"
-- cgit v1.2.3
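Review bot: Nothing in the new `files/on_renew.sh` says that certbot runs it as a deploy hook or why `--root` is passed, even though this is the step that copies Let's Encrypt private-key material into Prosody's certificate store. A header comment above the command would help the next maintainer, for example `# Deploy hook: certbot runs this after a successful renewal; --root lets prosodyctl run as root so it can read the keys under /etc/letsencrypt/live.` The explanation of `--root` is my reading of prosodyctl's behaviour and should be confirmed against the installed Prosody version.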
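Review bot: In the `Ensure certificates are installed` task, `{{ certbot_email }}` and `{{ virtual_host }}` are templated unquoted into a folded command string, so `ansible.builtin.command` word-splits the rendered text and a value containing whitespace turns into extra certbot arguments. Passing the command as an `argv` list keeps each variable a single argument and removes the need for the quoted `"/bin/true"`. Separately, `changed_when` keys on the literal text `Running post-hook command` in stdout; whether certbot prints that line, and on which stream, appears to depend on its version, so it is worth confirming on the target host. Certbot's documentation also describes the `renewal-hooks/deploy` directory as running for the `renew` subcommand, so the first issuance here may not invoke the new hook, and nothing visible in this hunk imports the fresh certificate into Prosody.

```yaml
- name: Ensure certificates are installed
  ansible.builtin.command:
    argv:
      - certbot
      - --non-interactive
      - --agree-tos
      - --post-hook
      - /bin/true
      - --email
      - "{{ certbot_email }}"
      - --no-eff-email
      - --apache
      - --domains
      - "{{ virtual_host }}"
  # … unchanged: become, register, changed_when …
```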