From: Bernhard Tittelbach Date: Sun, 9 Nov 2025 10:06:00 +0000 (+0100) Subject: vex2: r3redirects bugfix X-Git-Url: https://git.realraum.at/?a=commitdiff_plain;h=d0efed00e29ce6c0c4d2e24d43defd0a5994482c;p=noc.git vex2: r3redirects bugfix --- diff --git a/ansible/roles/web/r3redirects/tasks/nginx.yml b/ansible/roles/web/r3redirects/tasks/nginx.yml index cc5c060..0708778 100644 --- a/ansible/roles/web/r3redirects/tasks/nginx.yml +++ b/ansible/roles/web/r3redirects/tasks/nginx.yml @@ -25,11 +25,16 @@ - name: check if acme certs already exists stat: - path: /var/lib/acme/live/{{ r3rsrv.name }} + path: "/var/lib/acme/live/{{ item }}" + with_items: "{{ r3rsrv.urls }}" register: nginx_acme_cert -- name: link nonexistent hostname to self-signed interim cert - when: not nginx_acme_cert.stat.exists +- name: set acmecert_missing_hostnames variable + set_fact: + acmecert_missing_hostnames: "{{ nginx_acme_cert.results | acme_cert_nonexistent(r3rsrv.urls) }}" + +- name: link nonexistent hostnames to self-signed interim cert + when: acmecert_missing_hostnames | length > 0 block: - name: get id of existing selfsigned interim certificate command: cat /var/lib/acme/.selfsigned-interim-cert @@ -44,13 +49,14 @@ - name: link to snakeoil cert for nonexistent hostnames file: src: "../certs/{{ selfsigned_interim_cert_id }}" - dest: "/var/lib/acme/live/{{ r3rsrv.name }}" + dest: "/var/lib/acme/live/{{ item }}" state: link + with_items: "{{ acmecert_missing_hostnames }}" -- name: enable nginx vhost config +- name: enable vhost config using acme cert file: - src: ../sites-available/{{ r3rsrv.name }} - dest: /etc/nginx/sites-enabled/{{ r3rsrv.name }} + src: "../sites-available/{{ r3rsrv.name }}" + dest: "/etc/nginx/sites-enabled/{{ r3rsrv.name }}" state: link notify: reload nginx @@ -61,5 +67,5 @@ import_role: name: acmetool/cert vars: - acmetool_cert_name: "{{ r3rsrv.name }}" - + acmetool_cert_name: "{{ r3rsrv.urls[0] }}" + acmetool_cert_hostnames: "{{ r3rsrv.urls }}" 
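Review bot: The new `set_fact` task depends on a filter named `acme_cert_nonexistent` that appears nowhere in this diff; if it is a new filter plugin it has to be committed with the role (for example under its `filter_plugins/` directory), otherwise the task aborts with an unknown-filter error on every host before any cert handling runs, so it is worth confirming the plugin is already in the repository. The `stat` loop also turns each element of `r3rsrv.urls` into a directory name under `/var/lib/acme/live/`, so the list must hold bare hostnames despite its name; a comment above the task such as `# r3rsrv.urls: bare hostnames, used as acme live/ entries and as the acmetool cert name` would make that contract explicit. `loop:` is the current Ansible idiom where the hunk uses `with_items:`.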
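Review bot: The `link to snakeoil cert` task now creates an interim-cert symlink for every missing hostname, but the only live/ entry the rest of this commit reads is `r3rsrv.urls[0]` (the templates' `ssl_certificate` lines and `acmetool_cert_name` in the last hunk), so as far as this diff shows the links for the remaining hostnames are never consumed by nginx. If they exist so that acmetool or a later task finds a placeholder for each hostname, that intent should be stated on the task, e.g. `# one placeholder per hostname so no live/ entry is ever missing`; if not, the loop could be narrowed to the first hostname. The `block:` this task belongs to, together with its `when:` guard, starts in the previous hunk and is outside this one.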
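Review bot: `r3rsrv.urls[0]` raises an undefined or list-index error for any r3rsrv entry whose `urls` is missing or empty, and the same expression now drives every vhost template in this commit, so a malformed entry fails late with a message that does not name the culprit. A precondition at the top of the file fails early and clearly: `- name: require at least one hostname` / `assert:` / `that: r3rsrv.urls | length > 0`. The `acmetool/cert` role is not part of this diff, so whether it actually consumes `acmetool_cert_hostnames` cannot be checked here and the variable name should be verified against that role's defaults. The task that owns this `import_role` begins before the hunk.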
diff --git a/ansible/roles/web/r3redirects/templates/r3.at.j2 b/ansible/roles/web/r3redirects/templates/r3.at.j2 index 7bb5b46..b768010 100644 --- a/ansible/roles/web/r3redirects/templates/r3.at.j2 +++ b/ansible/roles/web/r3redirects/templates/r3.at.j2 @@ -6,8 +6,8 @@ server { include snippets/acmetool.conf; include snippets/ssl.conf; - ssl_certificate /var/lib/acme/live/{{ r3rsrv.name }}/fullchain; - ssl_certificate_key /var/lib/acme/live/{{ r3rsrv.name }}/privkey; + ssl_certificate /var/lib/acme/live/{{ r3rsrv.urls[0] }}/fullchain; + ssl_certificate_key /var/lib/acme/live/{{ r3rsrv.urls[0] }}/privkey; include snippets/hsts.conf; include snippets/security-headers.conf; diff --git a/ansible/roles/web/r3redirects/templates/sensors.realraum.at.j2 b/ansible/roles/web/r3redirects/templates/sensors.realraum.at.j2 index 8fe195d..aaced74 100644 --- a/ansible/roles/web/r3redirects/templates/sensors.realraum.at.j2 +++ b/ansible/roles/web/r3redirects/templates/sensors.realraum.at.j2 @@ -6,8 +6,8 @@ server { include snippets/acmetool.conf; include snippets/ssl.conf; - ssl_certificate /var/lib/acme/live/{{ r3rsrv.name }}/fullchain; - ssl_certificate_key /var/lib/acme/live/{{ r3rsrv.name }}/privkey; + ssl_certificate /var/lib/acme/live/{{ r3rsrv.urls[0] }}/fullchain; + ssl_certificate_key /var/lib/acme/live/{{ r3rsrv.urls[0] }}/privkey; include snippets/hsts.conf; include snippets/security-headers.conf; diff --git a/ansible/roles/web/r3redirects/templates/w.r3.at.j2 b/ansible/roles/web/r3redirects/templates/w.r3.at.j2 index b89bab8..974e7f8 100644 --- a/ansible/roles/web/r3redirects/templates/w.r3.at.j2 +++ b/ansible/roles/web/r3redirects/templates/w.r3.at.j2 
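Review bot: The certificate directory in the `ssl_certificate` and `ssl_certificate_key` directives is now derived from `r3rsrv.urls[0]`, and nothing in the template records that this must equal the `acmetool_cert_name` set in `tasks/nginx.yml`; if the two drift apart nginx points at a live/ entry that is never issued and the TLS vhost fails to start. A Jinja comment above the two directives, `{# cert dir = r3rsrv.urls[0]; must match acmetool_cert_name in tasks/nginx.yml #}`, documents the coupling. The same two lines change identically in sensors.realraum.at.j2, w.r3.at.j2, wiki.realraum.at.j2 and www.realraum.at.j2. The `server` block's `server_name` lies outside the hunk, so whether the vhost answers for all of `r3rsrv.urls` cannot be seen from here.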
@@ -6,8 +6,8 @@ server { include snippets/acmetool.conf; include snippets/ssl.conf; - ssl_certificate /var/lib/acme/live/{{ r3rsrv.name }}/fullchain; - ssl_certificate_key /var/lib/acme/live/{{ r3rsrv.name }}/privkey; + ssl_certificate /var/lib/acme/live/{{ r3rsrv.urls[0] }}/fullchain; + ssl_certificate_key /var/lib/acme/live/{{ r3rsrv.urls[0] }}/privkey; include snippets/hsts.conf; include snippets/security-headers.conf; diff --git a/ansible/roles/web/r3redirects/templates/wiki.realraum.at.j2 b/ansible/roles/web/r3redirects/templates/wiki.realraum.at.j2 index b89bab8..974e7f8 100644 --- a/ansible/roles/web/r3redirects/templates/wiki.realraum.at.j2 +++ b/ansible/roles/web/r3redirects/templates/wiki.realraum.at.j2 @@ -6,8 +6,8 @@ server { include snippets/acmetool.conf; include snippets/ssl.conf; - ssl_certificate /var/lib/acme/live/{{ r3rsrv.name }}/fullchain; - ssl_certificate_key /var/lib/acme/live/{{ r3rsrv.name }}/privkey; + ssl_certificate /var/lib/acme/live/{{ r3rsrv.urls[0] }}/fullchain; + ssl_certificate_key /var/lib/acme/live/{{ r3rsrv.urls[0] }}/privkey; include snippets/hsts.conf; include snippets/security-headers.conf; diff --git a/ansible/roles/web/r3redirects/templates/www.realraum.at.j2 b/ansible/roles/web/r3redirects/templates/www.realraum.at.j2 index ed236f9..a3309e5 100644 --- a/ansible/roles/web/r3redirects/templates/www.realraum.at.j2 +++ b/ansible/roles/web/r3redirects/templates/www.realraum.at.j2 @@ -10,8 +10,8 @@ server { include snippets/acmetool.conf; include snippets/ssl.conf; - ssl_certificate /var/lib/acme/live/{{ r3rsrv.name }}/fullchain; - ssl_certificate_key /var/lib/acme/live/{{ r3rsrv.name }}/privkey; + ssl_certificate /var/lib/acme/live/{{ r3rsrv.urls[0] }}/fullchain; + ssl_certificate_key /var/lib/acme/live/{{ r3rsrv.urls[0] }}/privkey; include snippets/hsts.conf; include snippets/security-headers.conf;