From f24d85bf402e22719a8bd189f6ca0de4f257bc18 Mon Sep 17 00:00:00 2001
From: Chris Croome <chris@webarchitects.co.uk>
Date: Wed, 1 Jan 2025 17:25:02 +0000
Subject: [PATCH] default to copying cert for exim4
---
 README.md | 4 ++--
 defaults/main.yml | 33 ++++++++++++++++-----------------
 tasks/checks.yml | 46 ++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 64 insertions(+), 19 deletions(-)
diff --git a/README.md b/README.md
index 2d9a1ce..7c72b69 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# Webarchitects Apache Ansible Role
+# Webarchitect Apache Ansible Role
 [](https://git.coop/webarch/apache/-/commits/master)
@@ -6,7 +6,7 @@ This repo contains an Ansible role for installing and configuring Apache on Debi
 If you use this role please use a tagged release, see [the release notes](https://git.coop/webarch/apache/-/releases).
-By default this role uses [mod_md](https://github.com/icing/mod_md/) for HTTPS certifiates, in addition the cert and key matching the `inventory_hostname` can be copied for use by other applications, such as Exim, using the `apache_md_cert_copy` list of dictionaries.
+By default this role uses [mod_md](https://github.com/icing/mod_md/) for HTTPS certifiates, in addition the cert and key matching the `inventory_hostname` are be copied for use by other applications, specifically Exim, see the `apache_md_cert_copy` list of dictionaries.
 ## Role variables
diff --git a/defaults/main.yml b/defaults/main.yml
index b568efb..5d43a4a 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -184,23 +184,22 @@ apache_mods_disabled: []
 # - usertrack
 # - vhost_alias
 # - xml2enc
-apache_md_cert_copy: []
-# Following is an example for copying the mod_md key pair for Exim4
-# apache_md_cert_copy:
-# - name: exim4
-# privkey:
-# src: "/etc/apache2/md/domains/{{ inventory_hostname }}/privkey.pem"
-# dest: /etc/exim4/exim.key
-# owner: Debian-exim
-# group: ssl-cert
-# mode: "0640"
-# pubcert:
-# src: "/etc/apache2/md/domains/{{ inventory_hostname }}/pubcert.pem"
-# dest: /etc/exim4/exim.crt
-# owner: Debian-exim
-# group: ssl-cert
-# mode: "0640"
-# special_time: daily
+apache_md_cert_copy:
+ # Copy the mod_md key pair for Exim4
+ - name: exim4
+ privkey:
+ src: "/etc/apache2/md/domains/{{ inventory_hostname }}/privkey.pem"
+ dest: /etc/exim4/exim.key
+ owner: Debian-exim
+ group: ssl-cert
+ mode: "0640"
+ pubcert:
+ src: "/etc/apache2/md/domains/{{ inventory_hostname }}/pubcert.pem"
+ dest: /etc/exim4/exim.crt
+ owner: Debian-exim
+ group: ssl-cert
+ mode: "0640"
+ special_time: daily
 # See this issue https://github.com/icing/mod_md/issues/260
 apache_md_private_keys:
 - rsa3072
diff --git a/tasks/checks.yml b/tasks/checks.yml
index ee51b24..eadb37c 100644
--- a/tasks/checks.yml
+++ b/tasks/checks.yml
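Review bot: `apache_md_cert_copy` now defaults to copying the mod_md private key and certificate into /etc/exim4 on every host, and the comment that replaces the old example no longer tells a user how to switch this off. Combined with the `tasks/checks.yml` hunk in this patch, which asserts that every listed service is present and running, hosts that apply the role without an exim4.service will fail at that assert unless they override the default. Suggest extending the comment: `# Copy the mod_md key pair for Exim4 by default; set apache_md_cert_copy: [] on hosts that do not run Exim`. The key copy is created with `group: ssl-cert` and `mode: "0640"`, so every member of ssl-cert can read the Apache private key; that widening is worth a sentence in README next to the new default.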
@@ -85,6 +85,52 @@
 - apache_md_version is defined
 - apache_md_version != "default"
+ - name: Gather service facts
+ ansible.builtin.service_facts:
+
+ - name: Debug the services
+ ansible.builtin.debug:
+ var: ansible_facts.services.keys()
+ verbosity: "{% if ansible_check_mode | bool or ansible_diff_mode | bool %}1{% else %}2{% endif %}"
+
+ - name: Debug the services that certs are to be copied for
+ ansible.builtin.debug:
+ var: apache_md_cert_copy_service.name
+ verbosity: "{% if ansible_check_mode | bool or ansible_diff_mode | bool %}1{% else %}2{% endif %}"
+ loop: "{{ apache_md_cert_copy }}"
+ loop_control:
+ loop_var: apache_md_cert_copy_service
+ label: "{{ apache_md_cert_copy_service.name }}"
+ when: apache_md_cert_copy != []
+
+ - name: Debug the JMESPath query for services that certs are to be copied for
+ ansible.builtin.debug:
+ var: apache_md_cert_copy_service_jpq
+ verbosity: "{% if ansible_check_mode | bool or ansible_diff_mode | bool %}1{% else %}2{% endif %}"
+ vars:
+ apache_md_cert_copy_service_jpq: '["{{ apache_md_cert_copy_service.name }}.service"]|[0]'
+ loop: "{{ apache_md_cert_copy }}"
+ loop_control:
+ loop_var: apache_md_cert_copy_service
+ label: "{{ apache_md_cert_copy_service.name }}"
+ when: apache_md_cert_copy != []
+
+ - name: Check that the services that certs are to be copied for are running
+ ansible.builtin.assert:
+ that:
+ - apache_md_cert_copy_service_name in ansible_facts.services.keys()
+ - (ansible_facts.services | community.general.json_query(apache_md_cert_copy_service_jpq)).state == "running"
+ quiet: "{% if ansible_verbosity == 0 %}true{% else %}false{% endif %}"
+ fail_msg: "The {{ apache_md_cert_copy_service_name }} service need to be running if certs are to be copied for it."
+ vars:
+ apache_md_cert_copy_service_name: "{{ apache_md_cert_copy_service.name }}.service"
+ apache_md_cert_copy_service_jpq: '["{{ apache_md_cert_copy_service.name }}.service"]|[0]'
+ loop: "{{ apache_md_cert_copy }}"
+ loop_control:
+ loop_var: apache_md_cert_copy_service
+ label: "{{ apache_md_cert_copy_service.name }}"
+ when: apache_md_cert_copy != []
+
 - name: Check that at least one module is in apache_mods_enabled and that either mpm_event or mpm_prefork is enabled
 ansible.builtin.assert:
 that:
-- GitLab
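Review bot: The second assertion in `Check that the services that certs are to be copied for are running` reaches a plain dictionary entry through `community.general.json_query` with a JMESPath string templated from the loop variable, which needs the community.general collection and the jmespath library on the controller, and a service name containing a double quote would break the query. The same check can use the `apache_md_cert_copy_service_name` var already defined on the task: `- ansible_facts.services[apache_md_cert_copy_service_name].state == "running"`, after which the `apache_md_cert_copy_service_jpq` var and the debug task for it can go. The `fail_msg` reads `service need to be running`; `needs` is intended. Both assertions assume systemd-style `<name>.service` keys in `ansible_facts.services`; if the role were applied to a host without systemd the first assertion would fail for a service that is running, so a short comment stating the systemd assumption would help.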