From cbd61fa6bad1f25cd17667852679aff8d62b1704 Mon Sep 17 00:00:00 2001
From: Damien Dart
Date: Tue, 3 Sep 2024 21:36:36 +0100
Subject: [PATCH] Add lego-installing role.
---
 playbook-provision.yml | 1 +
 roles/lego/defaults/main.yml | 21 +++++++++++++++++++++
 roles/lego/meta/main.yml | 7 +++++++
 roles/lego/tasks/main.yml | 32 ++++++++++++++++++++++++++++++++
 4 files changed, 61 insertions(+)
 create mode 100644 roles/lego/defaults/main.yml
 create mode 100644 roles/lego/meta/main.yml
 create mode 100644 roles/lego/tasks/main.yml
diff --git a/playbook-provision.yml b/playbook-provision.yml
index 6e7c2ee..033532a 100644
--- a/playbook-provision.yml
+++ b/playbook-provision.yml
@@ -55,6 +55,7 @@
 - 'base'
 - 'certbot'
 - 'imagemagick'
+ - 'lego'
 - 'livepatch'
 - 'monitoring'
 - 'webserver'
diff --git a/roles/lego/defaults/main.yml b/roles/lego/defaults/main.yml
new file mode 100644
index 0000000..44e0bae
--- /dev/null
+++ b/roles/lego/defaults/main.yml
@@ -0,0 +1,21 @@
+# This file was written by Damien Dart, . This is
+# free and unencumbered software released into the public domain. For
+# more information, please refer to the accompanying "UNLICENCE" file.
+
+---
+# A string containing a checksum used to verify the integrity of the
+# lego binary archive "lego_4.18.0_linux_amd64.tar.gz". See
+# for archives and checksums.
+lego__lego_archive_checksum: 'sha256:6f42e9ac93cd604951c0cf94a7c4a26ac98251741523ce67eea86ad72c77e6e5'
+
+# A string containing the version of lego to install.
+lego__lego_version: '4.18.0'
+
+
+# The following variables will have host-specific and/or sensitive
+# values and must be defined elsewhere (in an inventory, playbook, at
+# runtime, etc).
+
+# A string containing the directory where downloaded files are stored to
+# prevent unnecessary downloading when tasks are rerun.
+lego__download_cache_directory: '{{ undef() }}'
diff --git a/roles/lego/meta/main.yml b/roles/lego/meta/main.yml
new file mode 100644
index 0000000..bdbb708
--- /dev/null
+++ b/roles/lego/meta/main.yml
@@ -0,0 +1,7 @@
+# This file was written by Damien Dart, . This is
+# free and unencumbered software released into the public domain. For
+# more information, please refer to the accompanying "UNLICENCE" file.
+
+---
+dependencies:
+ - role: 'webserver'
diff --git a/roles/lego/tasks/main.yml b/roles/lego/tasks/main.yml
new file mode 100644
index 0000000..af1b720
--- /dev/null
+++ b/roles/lego/tasks/main.yml
@@ -0,0 +1,32 @@
+# This file was written by Damien Dart, . This is
+# free and unencumbered software released into the public domain. For
+# more information, please refer to the accompanying "UNLICENCE" file.
+
+---
+- name: 'Ensure download cache directory exists'
+ ansible.builtin.file:
+ path: '{{ lego__download_cache_directory }}'
+ group: 'root'
+ mode: '0777'
+ owner: 'root'
+ state: 'directory'
+
+- name: 'Ensure the lego binary archive is downloaded'
+ ansible.builtin.get_url:
+ checksum: '{{ lego__lego_archive_checksum }}'
+ dest: '{{ lego__download_cache_directory }}/lego_v{{ lego__lego_version }}_linux_amd64.tar.gz'
+ group: 'root'
+ mode: 0755
+ owner: 'root'
+ url: 'https://github.com/go-acme/lego/releases/download/v{{ lego__lego_version }}/lego_v{{ lego__lego_version }}_linux_amd64.tar.gz'
+
+- name: 'Ensure the lego binary is installed'
+ ansible.builtin.unarchive:
+ dest: '/usr/local/bin'
+ include:
+ - 'lego'
+ group: 'root'
+ mode: 0755
+ owner: 'root'
+ remote_src: true
+ src: '{{ lego__download_cache_directory }}/lego_v{{ lego__lego_version }}_linux_amd64.tar.gz'
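Review bot: The cache directory in the first task of roles/lego/tasks/main.yml is root-owned but created with `mode: '0777'`, so any local account can rename or replace entries in it, and the third task then unpacks `lego` from that directory into `/usr/local/bin` as root. `get_url` checks `lego__lego_archive_checksum` when it runs, but nothing re-verifies the file between that task and `unarchive`, so the pinned checksum does not protect what is actually extracted while the directory stays writable by others. Unless another role needs unprivileged writes to this cache (not visible in this patch), create it with `mode: '0755'`. The two later `mode: 0755` values are unquoted while the first task quotes its mode; write them as strings for consistency, and the downloaded archive needs no execute bit, so `mode: '0644'` is enough there.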