From 3cb5135ceeebf5cf2685dddf02c12a0f1bf8ce7f Mon Sep 17 00:00:00 2001
From: f
Date: Sat, 7 Dec 2024 13:21:10 -0300
Subject: [PATCH] fix: issue a single certificate per site
---
 ansible/roles/distributed_press/tasks/main.yml | 6 +++++-
 ansible/roles/distributed_press/templates/nginx-static.j2 | 4 ++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/ansible/roles/distributed_press/tasks/main.yml b/ansible/roles/distributed_press/tasks/main.yml
index 381a68f8..16808c7c 100644
--- a/ansible/roles/distributed_press/tasks/main.yml
+++ b/ansible/roles/distributed_press/tasks/main.yml
@@ -206,7 +206,11 @@
 name: nginx
 - name: "Register certbot certificate"
- shell: "certbot --nginx --non-interactive -d {{distributed_press_domain}} {{ distributed_press_served_sites | map('regex_replace', '^', '-d ') | join(' ') }} {% if (social_inbox_enabled) %} -d {{ social_inbox_domain }} {% endif %}--expand --agree-tos --no-eff-email --email {{distributed_press_letsencrypt_email}}"
+ shell: "certbot --nginx --non-interactive -d {{distributed_press_domain}} {% if (social_inbox_enabled) %} -d {{ social_inbox_domain }} {% endif %}--expand --agree-tos --no-eff-email --email {{distributed_press_letsencrypt_email}}"
+
+- name: "Register certbot certificate for each site"
+ shell: "certbot --nginx --non-interactive -d {{item}} --expand --agree-tos --no-eff-email --email {{distributed_press_letsencrypt_email}}"
+ loop: "{{distributed_press_served_sites}}"
 - name: "Copy over default site config"
 template:
diff --git a/ansible/roles/distributed_press/templates/nginx-static.j2 b/ansible/roles/distributed_press/templates/nginx-static.j2
index 89ed386e..58afdfe9 100644
--- a/ansible/roles/distributed_press/templates/nginx-static.j2
+++ b/ansible/roles/distributed_press/templates/nginx-static.j2
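Review bot: The new per-site task interpolates `{{item}}` straight into a `shell:` string, so any entry of `distributed_press_served_sites` that contains shell metacharacters (a space, `;`, `$(`) is interpreted by the shell instead of being passed to certbot as a domain, and the same applies to the variables in the rewritten "Register certbot certificate" line. Neither command needs a shell, so switch to `command:` and quote the interpolations, e.g. `command: "certbot --nginx --non-interactive -d {{ item | quote }} --expand --agree-tos --no-eff-email --email {{ distributed_press_letsencrypt_email | quote }}"`. The loop also has no idempotence guard, so every play run re-invokes certbot for every site; adding `creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"` (the path the nginx template now expects) avoids needless ACME requests and the issuer's rate limits, while leaving renewal to certbot's own timer. Certbot names the lineage after the first `-d` domain and may suffix it when a same-named lineage already exists, in which case the template's `/etc/letsencrypt/live/{{item}}/` path would not exist, so passing `--cert-name {{ item | quote }}` pins the name the template relies on. The task list continues outside the hunk on both sides.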
@@ -36,8 +36,8 @@ server {
 listen [::]:443 ssl; # managed by Certbot
 listen 443 ssl; # managed by Certbot
- ssl_certificate /etc/letsencrypt/live/{{distributed_press_cert_name}}/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/{{distributed_press_cert_name}}/privkey.pem; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/{{item}}/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/{{item}}/privkey.pem; # managed by Certbot
 include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
 ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
 }
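Review bot: The rewritten `ssl_certificate` and `ssl_certificate_key` lines hard-code the lineage directory as `/etc/letsencrypt/live/{{item}}/`, but nothing in the issuing task pins the lineage name to `item`, and a mismatch makes nginx fail its configuration test and refuse to reload for every site, not just the one affected; the task that renders this template should pair with a handler that runs `nginx -t` before reloading, and the certbot invocation should pass `--cert-name` so the directory is guaranteed to match. The template now depends on the loop variable `item`, which exists only when the template task runs under `loop:` (and is renamed if the task sets `loop_var`), so a header comment such as `{# rendered once per entry of distributed_press_served_sites; item is the site's domain and must equal the certbot lineage name #}` would make that contract visible to the next editor. These two lines keep the `# managed by Certbot` label although they are now rendered by Ansible and could later be rewritten by `certbot --nginx`, which is worth noting in the same header comment. The enclosing `server {` block starts outside the hunk.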