Add transfer role from the Certbot container

This role will install logic to transfer the (renewed) certificates
from the Certbot container to a directory easily accessible by a
distribution-installed nginx.

roles/podman_certbot_root_transfer/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+- name: Reload user systemd daemon
+  ansible.builtin.systemd_service:
+    daemon_reload: true
+    scope: user
+  become_method: community.general.machinectl
+  become_user: podman

roles/podman_certbot_root_transfer/tasks/machinectl.yml

@@ -0,0 +1,24 @@
+---
+- name: Install systemd files for certbot certificate renewal
+  ansible.builtin.template:
+    src: "{{ filename }}.j2"
+    dest: ~/.config/systemd/user/{{ filename }}
+    mode: "0640"
+  vars:
+    filename: certbot-move-certificates.service
+  notify: Reload user systemd daemon
+
+- name: Create systemd user override drop-in directory
+  ansible.builtin.file:
+    dest: ~/.config/systemd/user/container-certbot.service.d
+    state: directory
+    mode: "0750"
+
+- name: Install override file to move the generated Certbot certificates
+  ansible.builtin.template:
+    src: "{{ filename }}.j2"
+    dest: ~/.config/systemd/user/container-certbot.service.d/{{ filename }}
+    mode: "0640"
+  vars:
+    filename: certbot-dropin.conf
+  notify: Reload user systemd daemon

roles/podman_certbot_root_transfer/tasks/main.yml

@@ -0,0 +1,32 @@
+---
+- name: Create SCE certbot directories
+  ansible.builtin.file:
+    dest: /etc/sce-certbot
+    state: directory
+    mode: "0750"
+
+- name: Install script to move the TLS certificates to root
+  ansible.builtin.template:
+    src: move-certificate-files-to-root.j2
+    dest: /usr/local/bin/move-certificate-files-to-root
+    mode: "0740"
+
+- name: Install script to extract the certificate files from the Podman volume
+  ansible.builtin.template:
+    src: extract-certificate-files.j2
+    dest: /usr/local/bin/extract-certificate-files
+    mode: "0755"
+
+- name: Allow podman user to execute the move command
+  community.general.sudoers:
+    name: allow-podman-move-certificates
+    user: podman
+    state: present
+    commands:
+      - /usr/local/bin/move-certificate-files-to-root
+    nopassword: true
+
+- name: Configure Certbot service
+  ansible.builtin.import_tasks: machinectl.yml
+  become_method: community.general.machinectl
+  become_user: podman

roles/podman_certbot_root_transfer/templates/certbot-dropin.conf.j2

@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+[Unit]
+OnSuccess=certbot-move-certificates.service

roles/podman_certbot_root_transfer/templates/certbot-move-certificates.service.j2

@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+[Unit]
+Description=Move generated certbot certificates to root path
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/extract-certificate-files

roles/podman_certbot_root_transfer/templates/extract-certificate-files.j2

@@ -0,0 +1,8 @@
+#!/bin/bash
+# {{ ansible_managed }}
+
+MOUNT=$(podman volume inspect certbot-etc --format "{{ '{{' }} .Mountpoint {{ '}}' }}")
+
+mkdir -p certbot-tx
+cp -rL $MOUNT/live/* certbot-tx
+sudo /usr/local/bin/move-certificate-files-to-root $(realpath certbot-tx)

roles/podman_certbot_root_transfer/templates/move-certificate-files-to-root.j2

@@ -0,0 +1,5 @@
+#!/bin/bash
+# {{ ansible_managed }}
+
+# TODO: evaluate proper argument escaping
+cp -r $1/* /etc/sce-certbot