commit 739f5a0c9afeb6bc7e051eedd583b53fb7542da4
parent d99bae9191bf746749304c63e3c56e91c3b4a57d
Author: Leah (ctucx) <leah@ctu.cx>
Date: Thu, 18 Mar 2021 23:16:00 +0100
parent d99bae9191bf746749304c63e3c56e91c3b4a57d
Author: Leah (ctucx) <leah@ctu.cx>
Date: Thu, 18 Mar 2021 23:16:00 +0100
roles/acme-redirect: set correct permissions on cert-renewal
3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/roles/acme-redirect/tasks/configure.yml b/roles/acme-redirect/tasks/configure.yml
@@ -1,15 +1,21 @@
 ---
+- name: "Create file: /usr/local/bin/acme-redirect-fixpermissions"
+  copy:
+    content: "#!/bin/sh\n/bin/chown -R acme-redirect:acme-redirect /var/lib/acme-redirect/live\n/bin/chown -R acme-redirect:acme-redirect /var/lib/acme-redirect/certs"
+    dest: /usr/local/bin/acme-redirect-fixpermissions
+    mode: 0755
+
 - name: "[Alpine] create sudoers file for acme-redirect"
   copy:
-    content: "acme-redirect ALL=NOPASSWD:/sbin/rc-service\n"
+    content: "acme-redirect ALL=NOPASSWD:/sbin/rc-service,/usr/local/bin/acme-redirect-fixpermissions\n"
     dest: /etc/sudoers.d/acme-redirect
   when:
     - ansible_distribution == "Alpine"
 
 - name: "[Archlinux] create sudoers file for acme-redirect"
   copy:
-    content: "acme-redirect ALL=NOPASSWD:/usr/bin/systemctl\n"
+    content: "acme-redirect ALL=NOPASSWD:/usr/bin/systemctl,/usr/local/bin/acme-redirect-fixpermissions\n"
     dest: /etc/sudoers.d/acme-redirect
   when:
     - ansible_distribution == "Archlinux"
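Review bot: The new helper at /usr/local/bin/acme-redirect-fixpermissions is granted passwordless root through both sudoers files, so the script's integrity is the entire privilege boundary, yet the copy task sets only `mode: 0755` and leaves owner and group to whatever account Ansible happens to run as; pin them with `owner: root` and `group: root` so the acme-redirect user can never modify a file it is allowed to execute as root. The mode should also be quoted (`mode: "0755"`): unquoted `0755` is a YAML 1.1 octal literal that Ansible accepts only because of the leading zero, and yamllint flags it. Since the two sudoers copy tasks are being edited anyway, adding `validate: /usr/sbin/visudo -cf %s` and `mode: "0440"` to each would stop a malformed entry from breaking sudo for the whole host. The script body has no `set -e`, so a failing first chown does not prevent the second from running; harmless here, but worth a comment on the task.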
diff --git a/roles/acme-redirect/tasks/remove.yml b/roles/acme-redirect/tasks/remove.yml
@@ -47,6 +47,7 @@
     - /etc/acme-redirect.d
     - /var/lib/acme-redirect
     - /etc/acme-redirect.conf
+    - /usr/local/bin/acme-redirect-fixpermissions
 
 - name: "[nftables] Delete rule for: acme-redirect"
   file:
diff --git a/roles/acme-redirect/templates/acme-redirect.conf.j2 b/roles/acme-redirect/templates/acme-redirect.conf.j2
@@ -13,7 +13,7 @@ dns_names = [
 {% endif %}
 ]
 exec = [
-    "chown -R acme-redirect:acme-redirect /var/lib/acme-redirect/live/{{ item.key }}",
+    "sudo /usr/local/bin/acme-redirect-fixpermissions",
 {% if item.value.renewTasks is defined %}
 {% for task in item.value.renewTasks %}
     "{{ task }}",
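Review bot: Replacing the per-certificate chown with `sudo /usr/local/bin/acme-redirect-fixpermissions` widens the post-renewal fix from `/var/lib/acme-redirect/live/{{ item.key }}` to a recursive chown of the whole `live` and `certs` trees, and since this block appears to be rendered once per certificate (the `item.key` loop variable), the entire tree is re-owned on every entry's renewal. That is functionally harmless but easy to lose track of, so a template comment such as `{# fixpermissions re-owns all of live/ and certs/, not just this certificate #}` would preserve the intent. The entry also depends on `sudo` being installed and on PATH for the account acme-redirect runs as, which nothing in this diff shows the role ensuring; confirm that the role or its dependencies install sudo on both Alpine and Archlinux. The enclosing `exec = [` list continues past the end of the hunk.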