From 89fd642b7828162f7f19ab33aa6ece1d4e9f3c3c Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Mon, 27 Sep 2021 13:40:17 +0300
Subject: [PATCH] roles/nginx: minor rework of acme.sh tasks
After the inital acme.sh script is downloaded and bootstrapped we can remove it. If a host already has been bootstrapped then there is no need to download it and do it over again.
---
roles/nginx/defaults/main.yml | 4 ++--
roles/nginx/tasks/letsencrypt.yml | 21 ++++++++++++++++++---
2 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index 4d80341..316bb20 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -33,8 +33,8 @@ letsencrypt_root: /etc/ssl
 
 # Location where to save initial acme.sh script. After installation the script
 # will automatically create its home in the /root/.acme.sh directory (including
-# a copy of the script itself).
-letsencrypt_acme_script: /root/acme.sh
+# a copy of the script itself). The initial script is not needed after.
+letsencrypt_acme_script_temp: /root/acme.sh
 letsencrypt_acme_home: /root/.acme.sh
 
 # stable is 1.20.x
diff --git a/roles/nginx/tasks/letsencrypt.yml b/roles/nginx/tasks/letsencrypt.yml
index a724b9e..20a0681 100644
--- a/roles/nginx/tasks/letsencrypt.yml
+++ b/roles/nginx/tasks/letsencrypt.yml
@@ -16,24 +16,39 @@
 - /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh
 - /etc/letsencrypt/renewal-hooks/post/start-nginx.sh
 
+ - name: Check if acme.sh is installed
+ stat:
+ path: "{{ letsencrypt_acme_home }}"
+ register: acme_home
+
 - name: Download acme.sh
 get_url:
 url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
- dest: "{{ letsencrypt_acme_script }}"
+ dest: "{{ letsencrypt_acme_script_temp }}"
 mode: 0700
+ register: acme_download
+ when: not acme_home.stat.exists
 
 # Run the "install" for acme.sh so it creates the .acme.sh dir (currently I
 # have to chdir to the /root directory where the script exists or else it
 # fails. Ansible runs it, but the script can't find itself...).
 - name: Install acme.sh
 ansible.builtin.command:
- cmd: "{{ letsencrypt_acme_script }} --install --no-profile --no-cron"
+ cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron"
 creates: "{{ letsencrypt_acme_home }}/acme.sh"
 chdir: /root
+ register: acme_install
+ when: acme_download is changed
+
+ - name: Remove temporary acme.sh script
+ file:
+ dest: "{{ letsencrypt_acme_script_temp }}"
+ state: absent
+ when: acme_install.rc is defined and acme_install.rc == 0
 
 - name: Set default certificate authority for acme.sh
 ansible.builtin.command:
- cmd: "{{ letsencrypt_acme_script }} --set-default-ca --server letsencrypt"
+ cmd: "{{ letsencrypt_acme_home }}/acme.sh --set-default-ca --server letsencrypt"
 
 - name: Prepare Let's Encrypt well-known directory
 file:
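Review bot: The new `when: acme_download is changed` gate on the "Install acme.sh" task leaves a host unrecoverable if the first install fails: on the next run `/root/acme.sh` already exists, so `get_url` with its default `force: no` reports unchanged, the install is skipped, and `{{ letsencrypt_acme_home }}` is never created even though the download task keeps firing on `not acme_home.stat.exists`. The `creates:` argument already makes the install idempotent, so gate it on the same fact as the download, `when: not acme_home.stat.exists`, and key the cleanup on the task result rather than a bare return code, `when: acme_install is changed` (whether `rc` is defined when `creates:` short-circuits appears to vary by Ansible version, which makes the current `acme_install.rc` check fragile as well). Separately, the script is still fetched from the unpinned `master` branch and executed as root with no `checksum:`, and now that this happens exactly once per host and the temporary copy is deleted afterwards, a tampered download would be installed permanently with little trace; consider pinning the URL to a tagged release and adding `checksum: sha256:<expected digest>` to the `get_url` task so an unexpected file is rejected rather than bootstrapped.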