From 69e2aa435be758a6ace5d0731c199ac38a0ac42b Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Sun, 14 Jul 2024 13:53:57 +0200
Subject: [PATCH] fix: add back tls cert handling
---
 defaults/main.yml | 4 ++++
 handlers/main.yml | 8 ++++++++
 tasks/main.yml | 3 +++
 tasks/tls.yml | 36 ++++++++++++++++++++++++++++++++++++
 4 files changed, 51 insertions(+)
 create mode 100644 handlers/main.yml
 create mode 100644 tasks/tls.yml
diff --git a/defaults/main.yml b/defaults/main.yml
index 3b7c5ad..1140775 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -2,6 +2,10 @@
 pve_nodes:
 - node1
+pve_tls_enabled: False
+pve_tls_cert_source: mycert.pem
+pve_tls_key_source: mykey.pem
+
 pve_pamd_motd_enabled: True
 pve_disk_mount: []
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..5f63af6
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+- name: Restart pveproxy
+ service:
+ state: restarted
+ name: pveproxy
+ listen: __pveproxy_restart
+ become: True
+ become_user: root
diff --git a/tasks/main.yml b/tasks/main.yml
index 04c4de2..e7ee1b9 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -2,3 +2,6 @@
 - ansible.builtin.import_tasks: pve.yml
 - ansible.builtin.import_tasks: pam.yml
 - ansible.builtin.import_tasks: auth.yml
+- ansible.builtin.import_tasks: tls.yml
+ when: pve_tls_enabled | bool
+ tags: tls_renewal
diff --git a/tasks/tls.yml b/tasks/tls.yml
new file mode 100644
index 0000000..fc1bb7d
--- /dev/null
+++ b/tasks/tls.yml
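Review bot: `pve_tls_cert_source` and `pve_tls_key_source` default to placeholder filenames (`mycert.pem`, `mykey.pem`), so a user who flips `pve_tls_enabled` on without overriding both gets a failure from the copy task in tasks/tls.yml about a missing source file rather than a clear message about the role's contract. A comment above the three keys would make the expectation explicit, e.g. `# Paths of the certificate and private key to deploy; a relative path is resolved like any copy-module src (role or playbook files/ directory). Both must be overridden when pve_tls_enabled is true.` If the project would rather fail early, an `ansible.builtin.assert` on the two variables at the top of tasks/tls.yml gives a better error than the copy failure.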
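Review bot: The new handler uses the short module name `service:` while the task list in tasks/main.yml in this same patch uses fully qualified `ansible.builtin.import_tasks`; for consistency and to avoid collection resolution picking up a differently named `service` module, write `ansible.builtin.service:`. The `become: True` / `become_user: root` pair follows the capitalised booleans already used in defaults/main.yml, so I would leave that alone unless the role moves to lowercase `true`/`false` everywhere at once.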
@@ -0,0 +1,36 @@
+---
+- block:
+ - name: Create pki folder structure
+ file:
+ path: "{{ item }}"
+ state: directory
+ recurse: True
+ loop:
+ - /etc/pki/tls/certs
+ - /etc/pki/tls/private
+
+ - name: Copy certs and private key
+ copy:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ mode: "{{ item.mode }}"
+ loop:
+ - src: "{{ pve_tls_cert_source }}"
+ dest: "/etc/pki/tls/certs/pveproxy-ssl.pem"
+ mode: "0750"
+ - src: "{{ pve_tls_key_source }}"
+ dest: "/etc/pki/tls/private/pveproxy-ssl.key"
+ mode: "0600"
+ loop_control:
+ label: "{{ item.dest }}"
+ register: __pve_tls_copy
+
+ - name: Copy cert/key to pve filesystem
+ command: "/bin/cp -rf {{ item[0].dest }} /etc/pve/nodes/{{ item[1] }}/{{ item[0].dest | basename }}"
+ changed_when: item[0].changed
+ loop: "{{ __pve_tls_copy.results | product(pve_nodes) | list }}"
+ loop_control:
+ label: "/etc/pve/nodes/{{ item[1] }}/{{ item[0].dest | basename }}"
+ notify: __pveproxy_restart
+ become: True
+ become_user: root
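Review bot: The certificate entry in the `Copy certs and private key` loop installs `pveproxy-ssl.pem` with `mode: "0750"`, which puts an execute bit on a PEM file for no reason; a public certificate is conventionally `"0644"` (or `"0640"` if it should not be world-readable), while the `"0600"` on the key is right. In the same task list, `Create pki folder structure` sets no `mode`, so `/etc/pki/tls/private` is created with the umask default instead of `0700`, and `recurse: True` does nothing there without an owner or mode to apply — a per-directory mode in the loop fixes both, as below. The `Copy cert/key to pve filesystem` task shells out to `/bin/cp -rf` and copies to every entry of `pve_nodes` from each host; if this is deliberate because `/etc/pve` (which appears to be the pmxcfs cluster filesystem) does not accept the atomic rename that `ansible.builtin.copy` performs, a comment saying so would keep the next reviewer from swapping it for `copy` with `remote_src: true`. Note also that the `mode` on the staged key does not carry into `/etc/pve`, whose permissions are, as far as I can tell, enforced by pmxcfs itself.

```yaml
- block:
    - name: Create pki folder structure
      file:
        path: "{{ item.path }}"
        state: directory
        mode: "{{ item.mode }}"
      loop:
        - path: /etc/pki/tls/certs
          mode: "0755"
        - path: /etc/pki/tls/private
          mode: "0700"
    # … unchanged: "Copy certs and private key" task header, key entry, loop_control, register …
        - src: "{{ pve_tls_cert_source }}"
          dest: "/etc/pki/tls/certs/pveproxy-ssl.pem"
          mode: "0644"
    # … unchanged: "Copy cert/key to pve filesystem" task, become …
```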