From e55b37b54e34425329396da3244201c7acc2ab24 Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Tue, 21 Jan 2025 16:00:57 +0100
Subject: [PATCH] Refactored nginx-cert-deploy-to-docker in preparation for nginx

---
 group_vars/all | 2 +-
 roles/docker-mailu/handlers/main.yml | 7 ----
 roles/docker-mailu/tasks/main.yml | 37 +++----------------
 .../deploy-letsencrypt-mailu.service.j2 | 7 ----
 .../templates/deploy-letsencrypt-mailu.sh.j2 | 4 --
 .../templates/docker-compose.yml.j2 | 2 +-
 .../files/nginx-docker-cert-deploy.sh | 24 ++++++++++++
 .../handlers/main.yml | 7 ++++
 .../meta/main.yml | 0
 roles/nginx-docker-cert-deploy/tasks/main.yml | 30 +++++++++++++++
 .../nginx-docker-cert-deploy.service.j2 | 7 ++++
 roles/nginx-docker-cert-deploy/vars/main.yml | 2 +
 12 files changed, 77 insertions(+), 52 deletions(-)
 delete mode 100644 roles/docker-mailu/handlers/main.yml
 delete mode 100644 roles/docker-mailu/templates/deploy-letsencrypt-mailu.service.j2
 delete mode 100644 roles/docker-mailu/templates/deploy-letsencrypt-mailu.sh.j2
 create mode 100644 roles/nginx-docker-cert-deploy/files/nginx-docker-cert-deploy.sh
 create mode 100644 roles/nginx-docker-cert-deploy/handlers/main.yml
 rename roles/{docker-mailu => nginx-docker-cert-deploy}/meta/main.yml (100%)
 create mode 100644 roles/nginx-docker-cert-deploy/tasks/main.yml
 create mode 100644 roles/nginx-docker-cert-deploy/templates/nginx-docker-cert-deploy.service.j2
 create mode 100644 roles/nginx-docker-cert-deploy/vars/main.yml

diff --git a/group_vars/all b/group_vars/all
index 2d4299e5..f3721ad9 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -65,7 +65,7 @@ on_calendar_backup_remote_to_local: "*-*-* 21:30:00"
 ## Schedule for Maintenance Tasks
 on_calendar_heal_docker: "*-*-* {{ hours_server_awake }}:30:00" # Heal unhealthy docker instances once per hour
 on_calendar_renew_lets_encrypt_certificates: "*-*-* 12,00:30:00" # Renew Mailu certificates twice per day
-on_calendar_deploy_mailu_certificates: "*-*-* 13,01:30:00" # Deploy Mailu certificates twice per day
+on_calendar_deploy_certificates: "*-*-* 13,01:30:00" # Deploy letsencrypt certificates twice per day to docker containers
 on_calendar_msi_keyboard_color: "*-*-* *:*:00" # Change the keyboard color every minute
 on_calendar_cleanup_failed_docker: "*-*-* 12:00:00" # Clean up failed docker backups every noon
 on_calendar_btrfs_auto_balancer: "Sat *-*-01..07 00:00:00" # Execute btrfs auto balancer every first Saturday of a month
diff --git a/roles/docker-mailu/handlers/main.yml b/roles/docker-mailu/handlers/main.yml
deleted file mode 100644
index fa1e3264..00000000
--- a/roles/docker-mailu/handlers/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- name: "restart deploy-letsencrypt-mailu.cymais.service"
-  systemd:
-    name: deploy-letsencrypt-mailu.cymais.service
-    state: restarted
-    enabled: yes
-    daemon_reload: yes
\ No newline at end of file
diff --git a/roles/docker-mailu/tasks/main.yml b/roles/docker-mailu/tasks/main.yml
index 6944c23d..d89c6e66 100644
--- a/roles/docker-mailu/tasks/main.yml
+++ b/roles/docker-mailu/tasks/main.yml
@@ -7,15 +7,9 @@
   vars:
     nginx_docker_reverse_proxy_extra_configuration: "client_max_body_size 31M;"
 
-- name: "create {{path_docker_compose_instances}}mailu"
+- name: "create {{docker_compose_instance_directory}}"
   file:
-    path: "{{path_docker_compose_instances}}mailu"
-    state: directory
-    mode: 0755
-
-- name: "create {{path_administrator_scripts}}mailu"
-  file:
-    path: "{{path_administrator_scripts}}mailu"
+    path: "{{docker_compose_instance_directory}}"
     state: directory
     mode: 0755
 
@@ -25,11 +19,9 @@
     state: directory
     mode: 0755
 
-- name: "create /etc/mailu/certs"
-  file:
-    path: "/etc/mailu/certs"
-    state: directory
-    mode: 0755
+- name: "Include the nginx-docker-cert-deploy role"
+  include_role:
+    name: nginx-docker-cert-deploy
 
 - name: add docker-compose.yml
   template:
@@ -43,25 +35,6 @@
     dest: "{{docker_compose_instance_directory}}mailu.env"
   notify: docker compose project setup
 
-- name: add deploy-letsencrypt-mailu.sh
-  template:
-    src: "deploy-letsencrypt-mailu.sh.j2"
-    dest: "{{path_administrator_scripts}}mailu/deploy-letsencrypt-mailu.sh"
-
-- name: configure deploy-letsencrypt-mailu.cymais.service
-  template:
-    src: "deploy-letsencrypt-mailu.service.j2"
-    dest: "/etc/systemd/system/deploy-letsencrypt-mailu.cymais.service"
-  notify: restart deploy-letsencrypt-mailu.cymais.service
-
-- name: "include role for systemd-timer for {{service_name}}"
-  include_role:
-    name: systemd-timer
-  vars:
-    on_calendar: "{{on_calendar_deploy_mailu_certificates}}"
-    service_name: "deploy-letsencrypt-mailu"
-    persistent: "true"
-
 - name: flush docker service
   meta: flush_handlers
   when: mode_setup |bool
diff --git a/roles/docker-mailu/templates/deploy-letsencrypt-mailu.service.j2 b/roles/docker-mailu/templates/deploy-letsencrypt-mailu.service.j2
deleted file mode 100644
index c5fc533f..00000000
--- a/roles/docker-mailu/templates/deploy-letsencrypt-mailu.service.j2
+++ /dev/null
@@ -1,7 +0,0 @@
-[Unit]
-Description=Let's Encrypt Mailu Deploy
-OnFailure=systemd-notifier.cymais@%n.service
-
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/bash {{path_administrator_scripts}}mailu/deploy-letsencrypt-mailu.sh
diff --git a/roles/docker-mailu/templates/deploy-letsencrypt-mailu.sh.j2 b/roles/docker-mailu/templates/deploy-letsencrypt-mailu.sh.j2
deleted file mode 100644
index 3a30c805..00000000
--- a/roles/docker-mailu/templates/deploy-letsencrypt-mailu.sh.j2
+++ /dev/null
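Review bot: The `include_role: nginx-docker-cert-deploy` replaces the `deploy-letsencrypt-mailu` service, script and systemd-timer tasks removed in the -43,25 hunk below, but nothing retires those on hosts provisioned by the previous version: `/etc/systemd/system/deploy-letsencrypt-mailu.cymais.service`, the timer the systemd-timer role created for it and `{{path_administrator_scripts}}mailu/deploy-letsencrypt-mailu.sh` presumably stay installed and enabled, so the old timer keeps copying the key into `/etc/mailu/certs`, which the compose file no longer mounts. A short cleanup task pair (`systemd:` with `state: stopped` and `enabled: false` for the old service and timer, then `file:` with `state: absent` for the unit files and script) would complete the migration. The included role also relies on `domain`, `docker_compose_project_name`, `docker_compose_instance_directory` and `path_administrator_scripts` being in scope from this role; passing them under `vars:` on the include would make that contract explicit.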
@@ -1,4 +0,0 @@
-#!/bin/sh
-cp /etc/letsencrypt/live/{{domain}}/privkey.pem /etc/mailu/certs/key.pem || exit 1
-cp /etc/letsencrypt/live/{{domain}}/fullchain.pem /etc/mailu/certs/cert.pem || exit 1
-cd {{docker_compose_instance_directory}} && docker compose exec front nginx -s reload || exit 1
diff --git a/roles/docker-mailu/templates/docker-compose.yml.j2 b/roles/docker-mailu/templates/docker-compose.yml.j2
index 49af64ff..6cc0e76a 100644
--- a/roles/docker-mailu/templates/docker-compose.yml.j2
+++ b/roles/docker-mailu/templates/docker-compose.yml.j2
@@ -32,7 +32,7 @@ services:
       - "{{ ip4_address }}:4190:4190"
     volumes:
       - "/etc/mailu/overrides/nginx:/overrides:ro"
-      - "/etc/mailu/certs:/certs"
+      - "{{docker_compose_instance_directory}}/certs/:/certs"
 {% include 'templates/docker/container/depends-on-also-database.yml.j2' %}
     resolver:
       condition: service_started
diff --git a/roles/nginx-docker-cert-deploy/files/nginx-docker-cert-deploy.sh b/roles/nginx-docker-cert-deploy/files/nginx-docker-cert-deploy.sh
new file mode 100644
index 00000000..38fc9dc4
--- /dev/null
+++ b/roles/nginx-docker-cert-deploy/files/nginx-docker-cert-deploy.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+# Check if the necessary parameters are provided
+if [ "$#" -ne 2 ]; then
+echo "Usage: $0 "
+exit 1
+fi
+
+# Assign parameters
+domain="$1"
+docker_compose_instance_directory="$2"
+
+# Copy certificates
+cp "/etc/letsencrypt/live/$domain/privkey.pem" "$docker_compose_instance_directory/certs/key.pem" || exit 1
+cp "/etc/letsencrypt/live/$domain/fullchain.pem" $docker_compose_instance_directory/certs/cert.pem || exit 1
+
+# Reload Nginx in all containers within the Docker Compose setup
+cd "$docker_compose_instance_directory" || exit 1
+docker compose ps --services | while read -r service; do
+docker compose exec "$service" nginx -s reload && exit 0
+done
+
+# Restart all docker containers if no nginx reload is possible
+docker compose restart || exit 1
\ No newline at end of file
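Review bot: The new `certs` bind mount is read-write while the neighbouring `/etc/mailu/overrides/nginx` mount is `:ro`; if Mailu's `front` only reads `/certs` under the configured TLS flavor, `- "{{docker_compose_instance_directory}}/certs/:/certs:ro"` keeps a compromised container from replacing the private key or chain on the host. The path is also assembled with an explicit `/` here, whereas the same role's task file concatenates `{{docker_compose_instance_directory}}mailu.env` without one, so the rendered path most likely contains `//`; harmless, but settling on one convention for the variable's trailing slash avoids the ambiguity. The enclosing `front` service definition starts and ends outside the hunk.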
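Review bot: The `exit 0` inside `docker compose ps --services | while read -r service; do … done` only leaves the subshell that the pipe puts the loop in, so after a successful `nginx -s reload` the script still falls through to the unconditional `docker compose restart` and restarts every container on each timer run. Iterating with `for service in $(docker compose ps --services)` keeps the loop in the main shell so the exit actually ends the script. The second `cp` leaves `$docker_compose_instance_directory/certs/cert.pem` unquoted while the first quotes its destination, and because the target sits in a directory created with mode 0755 an explicit `chmod 600` on `key.pem` pins the private key's permissions whether or not the file already existed. The usage message `echo "Usage: $0 "` names no arguments as shown (possibly lost in rendering); if so, `<domain> <docker_compose_instance_directory>` should follow `$0`.
```shell
# … unchanged: argument check and variable assignment …
cp "/etc/letsencrypt/live/$domain/privkey.pem" "$docker_compose_instance_directory/certs/key.pem" || exit 1
cp "/etc/letsencrypt/live/$domain/fullchain.pem" "$docker_compose_instance_directory/certs/cert.pem" || exit 1
# Keep the private key unreadable to other users regardless of whether key.pem pre-existed
chmod 600 "$docker_compose_instance_directory/certs/key.pem" || exit 1

cd "$docker_compose_instance_directory" || exit 1
# A for loop runs in the main shell, so 'exit 0' ends the script rather than a pipe's subshell
for service in $(docker compose ps --services); do
  if docker compose exec "$service" nginx -s reload; then
    exit 0
  fi
done
# … unchanged: fallback 'docker compose restart' …
```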
diff --git a/roles/nginx-docker-cert-deploy/handlers/main.yml b/roles/nginx-docker-cert-deploy/handlers/main.yml
new file mode 100644
index 00000000..4056f057
--- /dev/null
+++ b/roles/nginx-docker-cert-deploy/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: "restart nginx-docker-cert-deploy.cymais.service"
+  systemd:
+    name: nginx-docker-cert-deploy.{{domain}}.cymais.service
+    state: restarted
+    enabled: yes
+    daemon_reload: yes
\ No newline at end of file
diff --git a/roles/docker-mailu/meta/main.yml b/roles/nginx-docker-cert-deploy/meta/main.yml
similarity index 100%
rename from roles/docker-mailu/meta/main.yml
rename to roles/nginx-docker-cert-deploy/meta/main.yml
diff --git a/roles/nginx-docker-cert-deploy/tasks/main.yml b/roles/nginx-docker-cert-deploy/tasks/main.yml
new file mode 100644
index 00000000..b104de04
--- /dev/null
+++ b/roles/nginx-docker-cert-deploy/tasks/main.yml
@@ -0,0 +1,30 @@
+- name: add nginx-docker-cert-deploy.sh
+  copy:
+    src: "nginx-docker-cert-deploy.sh"
+    dest: "{{nginx_docker_cert_deploy_script}}"
+  when: run_once_nginx_docker_cert_deploy is not defined
+
+- name: run the nginx_docker_cert_deploy tasks once
+  set_fact:
+    run_once_backup_directory_validator: true
+  when: run_once_nginx_docker_cert_deploy is not defined
+
+- name: "create {{cert_mount_directory}}"
+  file:
+    path: "{{cert_mount_directory}}"
+    state: directory
+    mode: 0755
+
+- name: configure nginx-docker-cert-deploy.cymais.service
+  template:
+    src: "nginx-docker-cert-deploy.service.j2"
+    dest: "/etc/systemd/system/nginx-docker-cert-deploy.{{docker_compose_project_name}}.cymais.service"
+  notify: restart nginx-docker-cert-deploy.cymais.service
+
+- name: "include role for systemd-timer for {{service_name}}"
+  include_role:
+    name: systemd-timer
+  vars:
+    on_calendar: "{{on_calendar_deploy_certificates}}"
+    service_name: "nginx-docker-cert-deploy.{{docker_compose_project_name}}"
+    persistent: "true"
\ No newline at end of file
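Review bot: The handler restarts `nginx-docker-cert-deploy.{{domain}}.cymais.service`, but the unit that `roles/nginx-docker-cert-deploy/tasks/main.yml` installs is `/etc/systemd/system/nginx-docker-cert-deploy.{{docker_compose_project_name}}.cymais.service`; unless `domain` and `docker_compose_project_name` always hold the same value the handler targets a unit that does not exist, the notify fails, and the first certificate deployment at setup time never runs. Use the same key in both places, `name: nginx-docker-cert-deploy.{{docker_compose_project_name}}.cymais.service`. The unit template ships no `[Install]` section, so `enabled: yes` likely has no effect on this oneshot; the timer from the systemd-timer role is what needs enabling, and `yes` would be `true` in canonical YAML.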
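Review bot: The run-once guard never engages: the `set_fact` task sets `run_once_backup_directory_validator: true`, apparently copied from another role, while both `when:` clauses test `run_once_nginx_docker_cert_deploy is not defined`, so the copy repeats on every include of the role; the fact should read `run_once_nginx_docker_cert_deploy: true`. The `copy` of the script to `{{nginx_docker_cert_deploy_script}}` sets no `mode:` or `owner:`, so a file that the oneshot unit presumably runs as root gets whatever the umask yields; pinning `owner: root` and `mode: 0755` records that only root may edit what root executes. Nothing in this role ensures the parent directory of that path exists, so the copy relies on another role having created `{{path_administrator_scripts}}`; a comment naming that dependency would help.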
diff --git a/roles/nginx-docker-cert-deploy/templates/nginx-docker-cert-deploy.service.j2 b/roles/nginx-docker-cert-deploy/templates/nginx-docker-cert-deploy.service.j2
new file mode 100644
index 00000000..eb0378b7
--- /dev/null
+++ b/roles/nginx-docker-cert-deploy/templates/nginx-docker-cert-deploy.service.j2
@@ -0,0 +1,7 @@
+[Unit]
+Description=Let's Encrypt deploy to {{docker_compose_instance_directory}}
+OnFailure=systemd-notifier.cymais@%n.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/bash {{path_administrator_scripts}}/nginx-docker-cert-deploy.sh {{domain}} {{docker_compose_instance_directory}}
diff --git a/roles/nginx-docker-cert-deploy/vars/main.yml b/roles/nginx-docker-cert-deploy/vars/main.yml
new file mode 100644
index 00000000..9a4e5225
--- /dev/null
+++ b/roles/nginx-docker-cert-deploy/vars/main.yml
@@ -0,0 +1,2 @@
+cert_mount_directory: "{{docker_compose_instance_directory}}/certs/"
+nginx_docker_cert_deploy_script: "{{path_administrator_scripts}}nginx-docker-cert-deploy.sh"
\ No newline at end of file
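Review bot: `ExecStart` rebuilds the script path as `{{path_administrator_scripts}}/nginx-docker-cert-deploy.sh`, while `roles/nginx-docker-cert-deploy/vars/main.yml` defines the installed location as `nginx_docker_cert_deploy_script: "{{path_administrator_scripts}}nginx-docker-cert-deploy.sh"` without the slash; the two resolve to the same file only as long as the variable happens to end in `/`, so the unit should use `ExecStart=/usr/bin/bash {{nginx_docker_cert_deploy_script}} {{domain}} {{docker_compose_instance_directory}}`. For the same reason `cert_mount_directory` in the vars hunk below, `{{docker_compose_instance_directory}}/certs/`, probably renders with `//`, given that the mailu tasks concatenate `{{docker_compose_instance_directory}}mailu.env` with no separator. The script is also written for `#!/bin/sh` but launched through `/usr/bin/bash`, which is harmless but worth aligning with the shebang.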