michaelschiemer/deployment/ansible/playbooks/fix-traefik-acme-permissions.yml
Michael Schiemer 36ef2a1e2c
fix: Gitea Traefik routing and connection pool optimization
- Remove middleware reference from Gitea Traefik labels (caused routing issues)
- Optimize Gitea connection pool settings (MAX_IDLE_CONNS=30, authentication_timeout=180s)
- Add explicit service reference in Traefik labels
- Fix intermittent 504 timeouts by improving PostgreSQL connection handling

Fixes Gitea unreachability via git.michaelschiemer.de
2025-11-09 14:46:15 +01:00


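---
# Fix Traefik ACME JSON Permissions
#
# Checks and corrects ownership/permissions of Traefik's acme.json. That file
# holds the ACME account key and the private keys of every issued certificate,
# so anything wider than 0600 exposes the TLS key material to every local user
# (Traefik also refuses to use the file when its mode is wider than 0600 --
# confirm against the deployed Traefik version's logs if in doubt).
#
# The play deliberately runs WITHOUT privilege escalation (become: false).
# chown/chmod therefore only succeed when acme.json is already owned by the
# SSH user. If the Traefik container created the file as root, run the play
# with `--become` (or fix ownership out of band) -- the file task will fail
# loudly rather than silently leave the key store readable.
#
# Callers may override `traefik_stack_path` and `traefik_container_name`;
# the defaults below reproduce the paths/names the play originally hard-coded.
- name: Fix Traefik ACME JSON Permissions
  hosts: production
  gather_facts: true
  become: false
  vars:
    acme_stack_dir: "{{ traefik_stack_path | default('/home/deploy/deployment/stacks/traefik') }}"
    acme_json_path: "{{ acme_stack_dir }}/acme.json"
    # Owner/group the key store is pinned to: the connecting Ansible user.
    acme_owner: "{{ ansible_user | default('deploy') }}"
    # Name of the running Traefik container as seen by `docker inspect`;
    # must match the compose service's container_name.
    acme_container_name: "{{ traefik_container_name | default('traefik') }}"
  tasks:
    - name: Check if Traefik stack directory exists
      ansible.builtin.stat:
        path: "{{ acme_stack_dir }}"
      register: traefik_stack_exists

    - name: Fail if Traefik stack directory does not exist
      ansible.builtin.fail:
        msg: "Traefik stack directory not found at {{ acme_stack_dir }}"
      when: not traefik_stack_exists.stat.exists

    - name: Check if acme.json exists
      ansible.builtin.stat:
        path: "{{ acme_json_path }}"
      register: acme_json_exists

    # `state: file` never creates a file (Ansible aborts with "is absent,
    # cannot continue"), so the original task could not do what its name
    # says. `touch` creates the file and applies mode/owner in the same task,
    # so an empty key store is not left behind with the user's default umask.
    - name: Create acme.json if it doesn't exist
      ansible.builtin.file:
        path: "{{ acme_json_path }}"
        state: touch
        mode: '0600'
        owner: "{{ acme_owner }}"
        group: "{{ acme_owner }}"
      when: not acme_json_exists.stat.exists

    - name: Get current acme.json permissions
      ansible.builtin.stat:
        path: "{{ acme_json_path }}"
      register: acme_json_stat

    # Only metadata is printed -- never the file contents (private keys).
    # stat returns the mode as a string such as "0600"; the regex strips the
    # leading "0"/"0o" so the output reads as the familiar three-digit chmod.
    - name: Display current acme.json permissions
      ansible.builtin.debug:
        msg: |
          ================================================================================
          Aktuelle acme.json Berechtigungen:
          ================================================================================
          Path: {{ acme_json_stat.stat.path }}
          Owner: {{ acme_json_stat.stat.pw_name }} (UID: {{ acme_json_stat.stat.uid }})
          Group: {{ acme_json_stat.stat.gr_name }} (GID: {{ acme_json_stat.stat.gid }})
          Mode: {{ acme_json_stat.stat.mode | string | regex_replace('^0o?', '') }}
          Size: {{ acme_json_stat.stat.size }} bytes
          ================================================================================

    # Owner-only read/write. Fails (does not silently skip) when the SSH user
    # may not chown/chmod the file -- see the header comment about become.
    - name: Fix acme.json permissions (chmod 600)
      ansible.builtin.file:
        path: "{{ acme_json_path }}"
        mode: '0600'
        owner: "{{ acme_owner }}"
        group: "{{ acme_owner }}"
      register: acme_json_permissions_fixed

    - name: Verify acme.json permissions after fix
      ansible.builtin.stat:
        path: "{{ acme_json_path }}"
      register: acme_json_stat_after

    - name: Display fixed acme.json permissions
      ansible.builtin.debug:
        msg: |
          ================================================================================
          Korrigierte acme.json Berechtigungen:
          ================================================================================
          Path: {{ acme_json_stat_after.stat.path }}
          Owner: {{ acme_json_stat_after.stat.pw_name }} (UID: {{ acme_json_stat_after.stat.uid }})
          Group: {{ acme_json_stat_after.stat.gr_name }} (GID: {{ acme_json_stat_after.stat.gid }})
          Mode: {{ acme_json_stat_after.stat.mode | string | regex_replace('^0o?', '') }}
          Size: {{ acme_json_stat_after.stat.size }} bytes
          ================================================================================
          ✅ acme.json hat jetzt chmod 600 (nur Owner kann lesen/schreiben)
          ================================================================================

    # Diagnostic only: `test -w` runs as the container's default user, so it
    # reports whether the uid Traefik runs as can write the 0600 file (after
    # the chown above, a non-root Traefik uid that differs from acme_owner
    # will report NOT_WRITABLE -- that is a configuration mismatch to resolve,
    # not a reason to widen the mode). The stack directory is passed via
    # `chdir` instead of an unquoted `cd` so a path with spaces cannot be
    # split into extra shell words.
    - name: Check Traefik container can write to acme.json
      ansible.builtin.shell: |
        docker compose exec -T traefik sh -c "test -w /acme.json && echo 'WRITABLE' || echo 'NOT_WRITABLE'" 2>&1 || echo "CONTAINER_CHECK_FAILED"
      args:
        chdir: "{{ acme_stack_dir }}"
      register: acme_json_writable_check
      changed_when: false
      failed_when: false

    - name: Display acme.json writable check
      ansible.builtin.debug:
        msg: |
          ================================================================================
          Traefik Container Schreibzugriff auf acme.json:
          ================================================================================
          {% if 'WRITABLE' in acme_json_writable_check.stdout %}
          ✅ Traefik Container kann auf acme.json schreiben
          {% elif 'NOT_WRITABLE' in acme_json_writable_check.stdout %}
          ⚠️ Traefik Container kann NICHT auf acme.json schreiben
          {% else %}
          ⚠️ Konnte Container-Zugriff nicht prüfen: {{ acme_json_writable_check.stdout }}
          {% endif %}
          ================================================================================

    # Shows which host path is bind-mounted at /acme.json so a "NOT_WRITABLE"
    # result can be traced to the actual file on disk. The Go-template braces
    # are escaped so Jinja passes them through to `docker inspect` untouched.
    # Requires jq on the host; the trailing `|| echo` keeps the task from
    # failing when jq is missing or the container is not running.
    - name: Check Docker volume mount for acme.json
      ansible.builtin.shell: |
        docker inspect {{ acme_container_name | quote }} --format '{{ '{{' }}json .Mounts{{ '}}' }}' 2>/dev/null | jq '.[] | select(.Destination=="/acme.json")' || echo "Could not check volume mount"
      register: acme_json_mount
      changed_when: false
      failed_when: false

    - name: Display acme.json volume mount
      ansible.builtin.debug:
        msg: |
          ================================================================================
          Docker Volume Mount für acme.json:
          ================================================================================
          {{ acme_json_mount.stdout }}
          ================================================================================

    - name: Summary
      ansible.builtin.debug:
        msg: |
          ================================================================================
          ZUSAMMENFASSUNG - acme.json Berechtigungen:
          ================================================================================
          ✅ acme.json Berechtigungen auf chmod 600 gesetzt
          ✅ Owner/Group auf {{ acme_owner }} gesetzt
          Wichtig:
          - acme.json muss beschreibbar sein für Traefik Container
          - Port 80/443 müssen vom Host auf Traefik zeigen
          - Traefik muss stabil laufen (keine häufigen Restarts)
          Nächste Schritte:
          - Stelle sicher, dass Traefik stabil läuft
          - Warte 5-10 Minuten auf ACME-Challenge-Abschluss
          - Prüfe Traefik-Logs auf ACME-Fehler
          ================================================================================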