cert-perms: set www-data access per playbook

[fredericmoulins]

Set wwww-data access to the certificates using the cert-perms role in each playbook needing it.

Use import_role to call the cert-perms role.

[arodier]

I will check this tomorrow, it is a big one ;-)

[fredericmoulins]

it is a big one ;-)

Yes, it is :)

In the certificate role, the task removed set the ACL for www-data on all the certificate directories. It is not setting the default ACL, so it works on Stretch because the certificates files created by certbot are world readable. I don't know if nginx can read the certificates in Buster as they should'nt be world readable anymore.

About the changes:

• remove the task in the certificate role;
• use the cert-perms role for the user www-data with the same logic as for dovecot, ldap and postfix roles for their users;
• use import_role as it does the same in one task (it is static; don't see the need for dynamic include);
• use the certificate type declared as var in the playbook, originally for the certificate role, and gather the roles in a single list in the playbooks if needed (eg mta-sts);
• there is an exception for website-simple, the www and root domains are somewhat hard-coded.

I hope I did not miss any.

[arodier]

I will launch the CI on this, let's see if it breaks anything. It worked on my side.