copr/certbot: support certificate backup

2022-01-30 18:50:28 +01:00 · 2022-01-30 18:50:28 +01:00 · 9ce266360f
commit 9ce266360f
parent 23adf9ca69
2 changed files with 58 additions and 0 deletions
--- a/inventory/group_vars/copr_back_dev_aws
+++ b/inventory/group_vars/copr_back_dev_aws
@ -32,6 +32,8 @@ letsencrypt:
      domains:
        - copr-be-dev.cloud.fedoraproject.org
      mail: copr-devel@lists.fedorahosted.org
+  backup_to: copr-be.aws.fedoraproject.org
+
  predefined_deploy_script: lighttpd
 # consumed by roles/messaging/base
 messaging:
--- a/roles/copr/certbot/tasks/letsencrypt.yml
+++ b/roles/copr/certbot/tasks/letsencrypt.yml
@ -1,3 +1,14 @@
+---
+- set_fact:
+    le_backup_certbot_files:
+      - cert.pem
+      - chain.pem
+      - combined.pem
+      - fullchain.pem
+      - privkey.pem
+    le_source_path: /etc/letsencrypt/live
+    le_backup_path: /root/letsencrypt-cert-backup
+
 - name: install certbot package
  package: name=certbot state=present

@ -79,3 +90,48 @@
  when:
    - letsencrypt.predefined_deploy_script is defined
    - letsencrypt.predefined_deploy_script == 'lighttpd'
+
+- name: load certificate files into variables
+  slurp:
+    src: "{{ le_source_path }}/{{ item.0.0 }}/{{ item.1 }}"
+  register: certbot_backup_files
+  ignore_errors: true
+  loop: "{{letsencrypt.certificates|dictsort|product(le_backup_certbot_files)|list}}"
+  when:
+    - letsencrypt.backup_to is defined
+
+- name: create the restore directory
+  delegate_to: "{{ letsencrypt.backup_to }}"
+  file:
+    path: "{{ le_backup_path }}"
+    owner: root
+    group: root
+    mode: 0700
+    state: directory
+  when:
+    - letsencrypt.backup_to is defined
+
+- name: create the host restore directories
+  delegate_to: "{{ letsencrypt.backup_to }}"
+  file:
+    owner: root
+    group: root
+    mode: 0700
+    path: "{{ le_backup_path }}/{{ item.0 }}"
+    state: directory
+  loop: "{{ letsencrypt.certificates|dictsort }}"
+  when:
+    - letsencrypt.backup_to is defined
+
+- name: store files
+  delegate_to: "{{ letsencrypt.backup_to }}"
+  copy:
+    dest: "{{ le_backup_path }}/{{ item.item.0.0 }}/{{ item.item.1 }}"
+    owner: root
+    group: root
+    mode: 0600
+    content: "{{ item.content | b64decode }}"
+  when:
+    - item.content is defined
+  loop: "{{ certbot_backup_files.results }}"
+  no_log: true