From 4adada983a95bfcc97f00be14977e4e7587c082f Mon Sep 17 00:00:00 2001
From: Pavel Raiskup
Date: Sun, 30 Jan 2022 20:02:33 +0100
Subject: [PATCH] copr/backend: restore letsencrypt cert from backup
---
 roles/copr/backend/tasks/main.yml | 3 --
 roles/copr/certbot/tasks/letsencrypt.yml | 61 +++++++++++++++++++++++-
 2 files changed, 60 insertions(+), 4 deletions(-)
diff --git a/roles/copr/backend/tasks/main.yml b/roles/copr/backend/tasks/main.yml
index b8328a0be9..4c65a41e35 100644
--- a/roles/copr/backend/tasks/main.yml
+++ b/roles/copr/backend/tasks/main.yml
@@ -121,9 +121,6 @@ include_role: name=copr/certbot when: - devel|bool
- # When we have birthday for backend, we use a temporary copr-be-dev-temp
- # hostname for it and we don't want to generate a certificate for that.
- - birthday is not defined
 tags: - config - certbot
diff --git a/roles/copr/certbot/tasks/letsencrypt.yml b/roles/copr/certbot/tasks/letsencrypt.yml
index 3ce3bbce3b..983ae0238c 100644
--- a/roles/copr/certbot/tasks/letsencrypt.yml
+++ b/roles/copr/certbot/tasks/letsencrypt.yml
@@ -37,6 +37,64 @@ tags: - certbot
+- name: load the backed up certificates
+ delegate_to: "{{ letsencrypt.backup_to }}"
+ slurp:
+ src: "{{ le_backup_path }}/{{ item.0.item.key }}/{{ item.1 }}"
+ register: backed_up_certificates
+ loop: "{{ le_stat_checks.results|product(le_backup_certbot_files)|list }}"
+ ignore_errors: true
+ tags:
+ - certbot
+ when:
+ - letsencrypt.backup_to is defined
+ - not item.0.stat.exists
+
+- name: create the host directory
+ file:
+ state: directory
+ path: "{{ le_source_path }}/{{ item.item.0.item.key }}"
+ owner: root
+ group: root
+ # this is readable by anyone, per certbot defaults
+ mode: 0755
+ loop: "{{ backed_up_certificates.results }}"
+ tags:
+ - certbot
+ when:
+ - letsencrypt.backup_to is defined
+ - item.content is defined
+
+- name: create the host live directory
+ file:
+ state: directory
+ path: "{{ le_source_path }}/{{ item.item.0.item.key }}/live"
+ owner: root
+ group: root
+ # this is readable by anyone, per certbot defaults
+ mode: 0755
+ loop: "{{ backed_up_certificates.results }}"
+ tags:
+ - certbot
+ when:
+ - letsencrypt.backup_to is defined
+ - item.content is defined
+
+- name: restore the backed up certificates
+ copy:
+ content: "{{ item.content | b64decode }}"
+ dest: "{{ le_source_path }}/{{ item.item.0.item.key }}/live/{{ item.item.1 }}"
+ owner: root
+ group: root
+ mode: 0644
+ loop: "{{ backed_up_certificates.results }}"
+ tags:
+ - certbot
+ when:
+ - letsencrypt.backup_to is defined
+ - item.content is defined
+ register: some_cert_restored
+
 - name: initialize certbot configuration shell: | certbot certonly --standalone \
@@ -47,7 +105,8 @@ --agree-tos \ -n >> /tmp/call when:
- - not item.stat.exists
+ - not item.stat.exists
+ - not some_cert_restored.changed
 with_items: "{{ le_stat_checks.results }}" tags: - certbot
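Review bot: The "restore the backed up certificates" task writes every file in `le_backup_certbot_files` with `mode: 0644`, so if that list includes `privkey.pem` (presumably it does, or the restored certificate is unusable) the private key ends up world-readable on the backend, whereas certbot's own default for `privkey.pem` is 0600 even though the directories are 0755 as the comment on the `file` tasks says. Use a per-file mode such as `mode: "{{ '0600' if item.item.1 == 'privkey.pem' else '0644' }}"`, and quote the octal modes (`"0755"`, `"0644"`) so YAML does not retype them. The same key material travels through the controller in `backed_up_certificates` and in the `copy` module's `content:` argument, both of which verbose or `--diff` runs print, so `no_log: true` belongs on the slurp task and on the restore task. Because the slurp uses `ignore_errors: true`, a backup that is missing one of the files for a host is also restored silently as a partial set; consider failing the play when only some of a host's files were found.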
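Review bot: The new `- not some_cert_restored.changed` condition is a single play-wide flag, but the task loops over every host in `le_stat_checks.results`: once a backup was restored for any one host, `certbot certonly` is skipped for all of them, including a host that had no backup, which is then left without a certificate. The check should be per host, for example by collecting the restored host names first and testing `item.item.key not in le_restored_hosts`; the attribute path used below is read off the restore task's `item.item.0.item.key` and should be confirmed against the stat task's loop variable. It also keys on `changed`, so a partial restore (the slurp above ignores errors per file) still suppresses the certbot run for that host.
```yaml
- name: collect the hosts whose certificate was restored from backup
  set_fact:
    le_restored_hosts: >-
      {{ some_cert_restored.results | default([])
         | selectattr('changed')
         | map(attribute='item.item.0.item.key') | list }}
  tags:
    - certbot

- name: initialize certbot configuration
  shell: |
    # … unchanged: certbot certonly invocation …
  when:
    - not item.stat.exists
    - item.item.key not in le_restored_hosts
  with_items: "{{ le_stat_checks.results }}"
  # … unchanged: tags …
```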