From 5e3c8066f9672afaf6b4490803a7565a26888f8b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Mon, 20 Apr 2020 19:10:15 +0200
Subject: [PATCH] Add the missing certbot command to generate the LDAP TLS cert

This had been done manually on barnard. This will not be executed on barnard again since the cert exists
---
 site-cookbooks/kosmos-dirsrv/resources/instance.rb | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/site-cookbooks/kosmos-dirsrv/resources/instance.rb b/site-cookbooks/kosmos-dirsrv/resources/instance.rb
index 97cd492..0ef689b 100644
--- a/site-cookbooks/kosmos-dirsrv/resources/instance.rb
+++ b/site-cookbooks/kosmos-dirsrv/resources/instance.rb
@@ -129,9 +129,21 @@ nsslapd-allow-anonymous-access: off
 source 'nginx_conf_empty.erb'
 owner node["nginx"]["user"]
 mode 0640
+ notifies :reload, 'service[nginx]', :delayed
 end
 nginx_certbot_site new_resource.hostname do
+ notifies :run, "letsencrypt cert for #{domain}", :delayed
+ end
+
+ # Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
+ # has been generated before. The renew cron will take care of renewing
+ execute "letsencrypt cert for #{domain}" do
+ command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/dirsrv -d #{domain} -n"
+ only_if do
+ ::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{domain}_certbot") &&
+ !::File.exist?("/etc/letsencrypt/live/#{domain}/fullchain.pem")
+ end
 notifies :run, "execute[add tls config]", :immediately
 end
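Review bot: The new notification inside `nginx_certbot_site`, `notifies :run, "letsencrypt cert for #{domain}", :delayed`, names the target without its resource type, whereas every other `notifies` in this hunk uses the `type[name]` form (`'service[nginx]'`, `"execute[add tls config]"`); Chef resolves notification targets from that `type[name]` string, so as written this is likely to fail target resolution at converge instead of triggering the new `execute`, meaning the cert would never be requested on a fresh host. Change it to `notifies :run, "execute[letsencrypt cert for #{domain}]", :delayed`. The guard comment above the `execute` opens a parenthesis it never closes; `# has been generated before). The renew cron will take care of renewing` reads cleanly. The enclosing action block that defines `domain` and `root_directory` starts and ends outside the hunk, so whether those values are validated before being interpolated into the `command` string cannot be judged from here.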