From be3c610bd47f16cd67d9378cbff9202bb6d9f1ba Mon Sep 17 00:00:00 2001
From: Tobias Reisinger
Date: Sun, 13 Oct 2024 16:33:09 +0200
Subject: [PATCH] Improve lego service to be more dynamic
---
 modules/infrastructure/variables.tf | 1 +
 modules/services/variables.tf | 1 +
 roles/backup/files/hooks/mailcow | 2 +-
 .../files/{node002 => hooks}/auth.serguzim.me | 0
 .../files/{node002 => hooks}/db.serguzim.me | 0
 roles/lego/files/lego.sh | 13 +++++++---
 roles/lego/files/node002/msrg.cc | 18 -------------
 roles/lego/tasks/hooks.yml | 14 ++++++++++
 roles/lego/tasks/lego.d.yml | 16 ------------
 roles/lego/tasks/main.yml | 13 ++++++++--
 roles/lego/tasks/systemd.yml | 26 +++++++++++++++----
 roles/lego/vars/main.yml | 3 ++-
 services.auto.tfvars | 2 ++
 variables.tf | 1 +
 14 files changed, 64 insertions(+), 46 deletions(-)
 rename roles/lego/files/{node002 => hooks}/auth.serguzim.me (100%)
 rename roles/lego/files/{node002 => hooks}/db.serguzim.me (100%)
 delete mode 100755 roles/lego/files/node002/msrg.cc
 create mode 100644 roles/lego/tasks/hooks.yml
 delete mode 100644 roles/lego/tasks/lego.d.yml
diff --git a/modules/infrastructure/variables.tf b/modules/infrastructure/variables.tf
index 8e95bde..f6707be 100644
--- a/modules/infrastructure/variables.tf
+++ b/modules/infrastructure/variables.tf
@@ -25,6 +25,7 @@ variable "services" {
 type = string
 })))
 ports = optional(list(string))
+ certificates = optional(list(string))
 auth = bool
 auth_cert = optional(string)
 auth_redirects = optional(list(string))
diff --git a/modules/services/variables.tf b/modules/services/variables.tf
index 8cee45d..1829584 100644
--- a/modules/services/variables.tf
+++ b/modules/services/variables.tf
@@ -16,6 +16,7 @@ variable "services" {
 type = string
 })))
 ports = optional(list(string))
+ certificates = optional(list(string))
 auth = bool
 auth_cert = optional(string)
 auth_redirects = optional(list(string))
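Review bot: The new `certificates` attribute is an unconstrained `optional(list(string))` here and in the identical hunks for modules/services/variables.tf and the root variables.tf, yet each entry later becomes a systemd instance name (`lego@<name>.timer` in roles/lego/tasks/systemd.yml) and a positional argument to `./lego.sh` in roles/lego/tasks/main.yml, so an entry with whitespace, an empty string or shell-significant characters would only surface as a confusing Ansible or systemd failure at apply time. Since `variable "services"` already carries a typed schema, a `validation` block on the root variable that rejects entries not matching a hostname-style pattern, e.g. `can(regex("^[A-Za-z0-9.*-]+$", d))` evaluated over every `coalesce(s.certificates, [])` (adjust the pattern if wildcard names are intended), would fail fast at `terraform plan` instead. The enclosing `variable "services"` block starts before this hunk.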
diff --git a/roles/backup/files/hooks/mailcow b/roles/backup/files/hooks/mailcow
index 5d7426f..4cdd3c2 100755
--- a/roles/backup/files/hooks/mailcow
+++ b/roles/backup/files/hooks/mailcow
@@ -2,4 +2,4 @@ export MAILCOW_BACKUP_LOCATION="$1"
-/opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup all
+/opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup all --delete-days 1
diff --git a/roles/lego/files/node002/auth.serguzim.me b/roles/lego/files/hooks/auth.serguzim.me
similarity index 100%
rename from roles/lego/files/node002/auth.serguzim.me
rename to roles/lego/files/hooks/auth.serguzim.me
diff --git a/roles/lego/files/node002/db.serguzim.me b/roles/lego/files/hooks/db.serguzim.me
similarity index 100%
rename from roles/lego/files/node002/db.serguzim.me
rename to roles/lego/files/hooks/db.serguzim.me
diff --git a/roles/lego/files/lego.sh b/roles/lego/files/lego.sh
index 98c7060..bcddfe6 100755
--- a/roles/lego/files/lego.sh
+++ b/roles/lego/files/lego.sh
@@ -5,15 +5,22 @@ set -a
 set +a
 domain="$1"
-action="${2:-renew}"
+action="run"
+
+exisiting_domains=$(docker compose run --rm app list -n)
+
+if echo "$exisiting_domains" | grep -q "$domain";
+then
+ action="renew"
+fi
 docker compose run --rm app \
 --domains "$domain" \
 "$action" \
 "--$action-hook" "/config/hook.sh"
-if [ "$?" = "33" ] && [ -x "./lego.d/$domain" ];
+if [ "$?" = "33" ] && [ -x "./hooks/$domain" ];
 then
 echo "Running hook for $domain"
- "./lego.d/$domain"
+ "./hooks/$domain"
 fi
diff --git a/roles/lego/files/node002/msrg.cc b/roles/lego/files/node002/msrg.cc
deleted file mode 100755
index 7797db0..0000000
--- a/roles/lego/files/node002/msrg.cc
+++ /dev/null
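Review bot: `--delete-days 1` makes the mailcow helper prune local backup sets older than a day on every run, so from now on the only copies older than that are whatever the caller of this hook ships off-host from `$MAILCOW_BACKUP_LOCATION`; if that transfer fails quietly for one cycle, the previous local set is gone before anyone notices. Worth confirming that the consumer of this hook checks the upstream copy before the next run, or keeping a slightly longer local window. The hook's first line is outside the hunk.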
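Review bot: `grep -q "$domain"` on the `list -n` output is a substring and regex match, so a new name contained in an existing one (`serguzim.me` next to `auth.serguzim.me`), or one whose dots happen to match other characters, is classified as already issued and gets `renew` instead of `run`, which never obtains the certificate; assuming `list -n` prints one name per line, `grep -qxF -- "$domain"` matches whole lines literally. The variable `exisiting_domains` is misspelled. Separately, if the closing `fi` is the last line of the script, its exit status is that of the trailing `if`, which is 0 whenever the hook does not run, so a failed `docker compose run` is invisible to the Ansible task that calls this script; capturing `rc=$?` right after the compose call and ending with `exit "$rc"` would surface it. The `set -a` environment loading begins before the hunk.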
@@ -1,18 +0,0 @@
-#!/usr/bin/env sh
-
-domain="msrg.cc"
-
-tmpdir=$(mktemp -d)
-trap 'rm -rf $tmpdir' EXIT
-
-cp "$CERTIFICATES_PATH/$domain.crt" "$tmpdir/fullchain.pem"
-cp "$CERTIFICATES_PATH/$domain.key" "$tmpdir/privkey.pem"
-
-curl \ -F submit="submit" \ -F token="$WIUWIU_TOKEN" \ -F "cert=@$tmpdir/fullchain.pem" \ -F "key=@$tmpdir/privkey.pem" \ https://cert-upload.wiuwiu.de/
-
-# vim: ft=sh
diff --git a/roles/lego/tasks/hooks.yml b/roles/lego/tasks/hooks.yml
new file mode 100644
index 0000000..5aa0eb9
--- /dev/null
+++ b/roles/lego/tasks/hooks.yml
@@ -0,0 +1,14 @@
+---
+- name: Set hooks path
+ ansible.builtin.set_fact:
+ hooks_path: "{{ (service_path, 'hooks') | path_join }}"
+- name: Create hooks directory
+ ansible.builtin.file:
+ path: "{{ hooks_path }}"
+ state: directory
+ mode: "0755"
+- name: Copy the additional hooks
+ ansible.builtin.copy:
+ src: hooks/
+ dest: "{{ hooks_path }}"
+ mode: "0755"
diff --git a/roles/lego/tasks/lego.d.yml b/roles/lego/tasks/lego.d.yml
deleted file mode 100644
index 04acb4b..0000000
--- a/roles/lego/tasks/lego.d.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-- name: Set lego.d path
- ansible.builtin.set_fact:
- lego_d_path: "{{ (service_path, 'lego.d') | path_join }}"
-- name: Create lego.d directory
- ansible.builtin.file:
- path: "{{ lego_d_path }}"
- state: directory
- mode: "0755"
-- name: Copy the additional lego scripts
- ansible.builtin.copy:
- src: "{{ item }}"
- dest: "{{ lego_d_path }}"
- mode: "0755"
- with_fileglob:
- - "{{ ansible_facts.hostname }}/*"
diff --git a/roles/lego/tasks/main.yml b/roles/lego/tasks/main.yml
index 3dc6de1..6bdbb49 100644
--- a/roles/lego/tasks/main.yml
+++ b/roles/lego/tasks/main.yml
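Review bot: The `Copy the additional hooks` task sets `mode: "0755"` but no `owner:`/`group:` and no `become:`, while the scripts it installs are executed as root (`become: true` on the `./lego.sh` task in roles/lego/tasks/main.yml); unless the block that imports this file already escalates, which is not visible here, root runs scripts owned and writable by the Ansible login user, a boundary worth closing with `owner: root` and `group: root` on both the directory and the copy (run under `become: true`). Also, copying the whole `hooks/` directory installs every host's hook on every host and never removes one for a domain dropped from `certificates`, unlike the systemd task that disables stale timers; a follow-up `ansible.builtin.file` with `state: absent` over hooks not in `lego_host_certificates` would keep the two in step.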
@@ -20,8 +20,8 @@
 - name: Import tasks specific to the config directory
 ansible.builtin.import_tasks: config.yml
- - name: Import tasks specific to lego.d
- ansible.builtin.import_tasks: lego.d.yml
+ - name: Import tasks specific to hooks
+ ansible.builtin.import_tasks: hooks.yml
 - name: Import tasks specific to systemd
 ansible.builtin.import_tasks: systemd.yml
@@ -33,3 +33,12 @@
 - name: Import tasks create a service.env file
 ansible.builtin.import_tasks: tasks/steps/template-service-env.yml
+
+ - name: Run certificate-script for domains
+ ansible.builtin.command:
+ cmd: "./lego.sh {{ item }}"
+ chdir: "{{ service_path }}"
+ become: true
+ loop: "{{ lego_host_certificates }}"
+ register: cmd_result
+ changed_when: cmd_result.stderr | regex_search('Server responded with a certificate.')
diff --git a/roles/lego/tasks/systemd.yml b/roles/lego/tasks/systemd.yml
index dec3732..725f980 100644
--- a/roles/lego/tasks/systemd.yml
+++ b/roles/lego/tasks/systemd.yml
@@ -11,14 +11,30 @@
 dest: /etc/systemd/system/lego@.timer
 mode: "0644"
 become: true
+
+- name: Get all lego timers
+ ansible.builtin.shell:
+ cmd: "systemctl list-timers 'lego@*' --all --output=json | jq -r '.[].unit'"
+ register: systemd_timers_result
+ changed_when: false
+
+- name: Generate systemd timer names
+ ansible.builtin.set_fact:
+ lego_systemd_timers: "{{ lego_host_certificates | list_prefix_suffix('lego@', '.timer') }}"
+
+- name: Disable unused system timers
+ ansible.builtin.systemd_service:
+ name: "{{ item }}"
+ state: stopped
+ enabled: false
+ loop: "{{ systemd_timers_result.stdout_lines | difference(lego_systemd_timers) }}"
+ become: true
+
 - name: Enable the system timers
 ansible.builtin.systemd_service:
- name: lego@{{ item }}.timer
+ name: "{{ item }}"
 state: started
 enabled: true
 daemon_reload: true
- loop:
- - msrg.cc
- - db.serguzim.me
- - auth.serguzim.me
+ loop: "{{ lego_systemd_timers }}"
 become: true
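Review bot: The `changed_when` on the new `Run certificate-script for domains` task uses `regex_search('Server responded with a certificate.')`, where the unescaped trailing `.` matches any character; the check is for a literal phrase, so `changed_when: "'Server responded with a certificate.' in cmd_result.stderr"` is exact and easier to read. There is also no `failed_when`, so the task reports failure only when `./lego.sh` itself exits non-zero, and whether that covers a failed `docker compose run` depends on the script propagating the compose status rather than ending on its trailing `if`. The task sits inside a block whose header is outside the hunk.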
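Review bot: The `Get all lego timers` pipeline runs without `pipefail`, so if `systemctl list-timers` fails (for instance if `--output=json` is not supported by the installed systemd) `jq` still exits 0 on empty input, `stdout_lines` is empty and `Disable unused system timers` silently does nothing, whereas a missing `jq` fails the play with rc 127. Set `executable: /bin/bash` on the shell module and prefix the command with `set -o pipefail;`, and consider deriving the timer list from `ansible.builtin.service_facts` or `systemctl list-units 'lego@*.timer' --all --plain --no-legend` to drop the `jq` dependency. A short comment above the `difference(...)` loop stating that it intentionally stops only timers, not the `lego@*.service` instances, would save the next reader from wondering.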
diff --git a/roles/lego/vars/main.yml b/roles/lego/vars/main.yml
index 3ceec71..3b4b26e 100644
--- a/roles/lego/vars/main.yml
+++ b/roles/lego/vars/main.yml
@@ -1,4 +1,6 @@
 ---
+lego_host_certificates: "{{ all_services | my_service_attributes(inventory_hostname, 'certificates') }}"
+
 lego_svc:
 name: lego
@@ -10,7 +12,6 @@ lego_env:
 LEGO_PATH: /data
 CERTIFICATES_PATH: "{{ certificates_path }}"
- WIUWIU_TOKEN: "{{ vault_wiuwiu_token }}"
 lego_compose:
 watchtower: false
diff --git a/services.auto.tfvars b/services.auto.tfvars
index 6e58d1c..66a2c46 100644
--- a/services.auto.tfvars
+++ b/services.auto.tfvars
@@ -26,6 +26,7 @@ services = {
 url = "/-/health/live/"
 group = "4-services"
 }
+ certificates = ["auth.serguzim.me"]
 auth = false
 database = true
 s3 = false
@@ -325,6 +326,7 @@ services = {
 "[CONNECTED] == true"
 ]
 }
+ certificates = ["db.serguzim.me"]
 auth = false
 database = false
 s3 = false
diff --git a/variables.tf b/variables.tf
index 12fd053..735eb9e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -147,6 +147,7 @@ variable "services" {
 conditions = optional(list(string))
 }))
 ports = optional(list(string))
+ certificates = optional(list(string))
 auth = bool
 auth_cert = optional(string)
 auth_redirects = optional(list(string))
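Review bot: Removing `WIUWIU_TOKEN` from `lego_env` leaves `vault_wiuwiu_token` defined but unused, since its only consumer visible in this patch (roles/lego/files/node002/msrg.cc) is deleted; an orphaned credential tends to outlive its purpose, so the vault entry should go in the same change and, because the token was presented to an external upload endpoint, be invalidated on that side too. The new `lego_host_certificates` expression also relies on `my_service_attributes` returning a list for hosts with no `certificates` entry, which is not visible here; appending `| default([])` would make the empty case explicit for the `loop:` in roles/lego/tasks/main.yml and the `difference` filter in roles/lego/tasks/systemd.yml. The `lego_env` mapping begins before the second hunk.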