From d4d46bd7a27efa0c3521b2cf6c15c65e04b30338 Mon Sep 17 00:00:00 2001
From: Matt Birkholz
Date: Mon, 22 Dec 2025 08:55:09 -0700
Subject: [PATCH] Re-work tasks installing server certificates.

Postfix does not seem to need to reload an updated certificate file. And a =/etc/server.crt= file installed by the institute should not clobber.
---
 README.org | 38 +++++++++++++++++++-----------------
 roles_t/core/tasks/main.yml | 16 ++++++++-------
 roles_t/front/tasks/main.yml | 15 +++++++-------
 3 files changed, 37 insertions(+), 32 deletions(-)

diff --git a/README.org b/README.org
index 1cbd6ff..b4e49bf 100644
--- a/README.org
+++ b/README.org
@@ -1522,9 +1522,8 @@ recipient" replies. The [[*Account Management][Account Management]] chapter des
 ** Install Server Certificate
 
 The servers on Front use the same certificate (and key) to
-authenticate themselves to institute clients. They share the
-=/etc/server.crt= and =/etc/server.key= files, the latter only
-readable by ~root~.
+authenticate to institute clients. They share the =/etc/server.crt=
+and =/etc/server.key= files, the latter only readable by ~root~.
 
 #+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/front/tasks/main.yml=]]
 #+BEGIN_SRC conf :tangle roles_t/front/tasks/main.yml
@@ -1532,17 +1531,18 @@ readable by ~root~.
 - name: Install server certificate/key.
   become: yes
   copy:
-    src: ../Secret/CA/pki/{{ item.path }}.{{ item.typ }}
-    dest: /etc/server.{{ item.typ }}
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
     mode: "{{ item.mode }}"
     force: no
   loop:
-    - { path: "issued/{{ domain_name }}", typ: crt,
-        mode: "u=r,g=r,o=r" }
-    - { path: "private/{{ domain_name }}", typ: key,
-        mode: "u=r,g=,o=" }
+    - src: "../Secret/CA/pki/issued/{{ domain_name }}.crt"
+      dest: "/etc/server.crt"
+      mode: "u=r,g=r,o=r"
+    - src: "../Secret/CA/pki/private/{{ domain_name }}.key"
+      dest: "/etc/server.key"
+      mode: "u=r,g=,o="
   notify:
-    - Restart Postfix.
     - Restart Dovecot.
 #+END_SRC
 
@@ -2962,7 +2962,7 @@ describes the ~members~ and ~usernames~ variables.
 ** Install Server Certificate
 
 The servers on Core use the same certificate (and key) to authenticate
-themselves to institute clients. They share the =/etc/server.crt= and
+to institute clients. They share the =/etc/server.crt= and
 =/etc/server.key= files, the latter only readable by ~root~.
 
 #+CAPTION: [[file:roles_t/core/tasks/main.yml][=roles_t/core/tasks/main.yml=]]
@@ -2971,16 +2971,18 @@ themselves to institute clients. They share the =/etc/server.crt= and
 - name: Install server certificate/key.
   become: yes
   copy:
-    src: ../Secret/CA/pki/{{ item.path }}.{{ item.typ }}
-    dest: /etc/server.{{ item.typ }}
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
     mode: "{{ item.mode }}"
+    force: no
   loop:
-    - { path: "issued/core.{{ domain_priv }}", typ: crt,
-        mode: "u=r,g=r,o=r" }
-    - { path: "private/core.{{ domain_priv }}", typ: key,
-        mode: "u=r,g=,o=" }
+    - src: "../Secret/CA/pki/issued/core.{{ domain_priv }}.crt"
+      dest: "/etc/server.crt"
+      mode: "u=r,g=r,o=r"
+    - src: "../Secret/CA/pki/private/core.{{ domain_priv }}.key"
+      dest: "/etc/server.key"
+      mode: "u=r,g=,o="
   notify:
-    - Restart Postfix.
     - Restart Dovecot.
 #+END_SRC
 
diff --git a/roles_t/core/tasks/main.yml b/roles_t/core/tasks/main.yml
index 1adde76..94e9114 100644
--- a/roles_t/core/tasks/main.yml
+++ b/roles_t/core/tasks/main.yml
@@ -283,16 +283,18 @@
 - name: Install server certificate/key.
   become: yes
   copy:
-    src: ../Secret/CA/pki/{{ item.path }}.{{ item.typ }}
-    dest: /etc/server.{{ item.typ }}
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
     mode: "{{ item.mode }}"
+    force: no
   loop:
-    - { path: "issued/core.{{ domain_priv }}", typ: crt,
-        mode: "u=r,g=r,o=r" }
-    - { path: "private/core.{{ domain_priv }}", typ: key,
-        mode: "u=r,g=,o=" }
+    - src: "../Secret/CA/pki/issued/core.{{ domain_priv }}.crt"
+      dest: "/etc/server.crt"
+      mode: "u=r,g=r,o=r"
+    - src: "../Secret/CA/pki/private/core.{{ domain_priv }}.key"
+      dest: "/etc/server.key"
+      mode: "u=r,g=,o="
   notify:
-    - Restart Postfix.
     - Restart Dovecot.
 
 - name: Install Chrony.
diff --git a/roles_t/front/tasks/main.yml b/roles_t/front/tasks/main.yml
index 1256286..afa0415 100644
--- a/roles_t/front/tasks/main.yml
+++ b/roles_t/front/tasks/main.yml
@@ -91,17 +91,18 @@
 - name: Install server certificate/key.
   become: yes
   copy:
-    src: ../Secret/CA/pki/{{ item.path }}.{{ item.typ }}
-    dest: /etc/server.{{ item.typ }}
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
     mode: "{{ item.mode }}"
     force: no
   loop:
-    - { path: "issued/{{ domain_name }}", typ: crt,
-        mode: "u=r,g=r,o=r" }
-    - { path: "private/{{ domain_name }}", typ: key,
-        mode: "u=r,g=,o=" }
+    - src: "../Secret/CA/pki/issued/{{ domain_name }}.crt"
+      dest: "/etc/server.crt"
+      mode: "u=r,g=r,o=r"
+    - src: "../Secret/CA/pki/private/{{ domain_name }}.key"
+      dest: "/etc/server.key"
+      mode: "u=r,g=,o="
   notify:
-    - Restart Postfix.
     - Restart Dovecot.
 
 - name: Install Postfix.
-- 
2.47.3
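Review bot: With the added `force: no` in the `roles_t/core/tasks/main.yml` hunk, an `/etc/server.crt` or `/etc/server.key` that already exists on the host is never replaced, so a renewed or rotated certificate and key under `../Secret/CA/pki` will not be deployed and the `Restart Dovecot.` handler will not fire; the same holds for the `roles_t/front/tasks/main.yml` hunk, where `force: no` was already in place. That is the commit's stated "should not clobber" intent, but it turns certificate renewal into a manual step (remove both files, re-run the play) that nothing in the task records, so it is worth stating on the option itself, e.g. `force: no  # never overwrite an operator-installed cert/key; renewals require removing both files first`. Dropping `Restart Postfix.` is presumably fine because Postfix's smtpd processes load the certificate when they are spawned, but that is inferred from the commit message rather than visible in these hunks.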