evoacme: update for new certbot role
* certbot is installed by the certbot role * Apache/Nginx configuration is delegated to the certbot role * No more "acme" user, everything is done with "root".
This commit is contained in:
parent
8ab79d5ece
commit
bf0676cbf8
|
@ -39,6 +39,7 @@ The **patch** part changes incrementally at each release.
|
||||||
* elasticsearch: configure cluster with seed hosts and initial masters
|
* elasticsearch: configure cluster with seed hosts and initial masters
|
||||||
* evoacme: upstream release 20.06.1
|
* evoacme: upstream release 20.06.1
|
||||||
* evoacme: read values from environment before defaults file
|
* evoacme: read values from environment before defaults file
|
||||||
|
* evoacme: update for new certbot role
|
||||||
* haproxy: deport SSL tuning to Mozilla SSL generator
|
* haproxy: deport SSL tuning to Mozilla SSL generator
|
||||||
* haproxy: chroot and socket path are configurable
|
* haproxy: chroot and socket path are configurable
|
||||||
* haproxy: adapt backports installed package list to distibution
|
* haproxy: adapt backports installed package list to distibution
|
||||||
|
|
|
@ -1,61 +0,0 @@
|
||||||
---
|
|
||||||
- name: Create acme group
|
|
||||||
group:
|
|
||||||
name: acme
|
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: Create acme user
|
|
||||||
user:
|
|
||||||
name: acme
|
|
||||||
group: acme
|
|
||||||
state: present
|
|
||||||
createhome: no
|
|
||||||
home: "{{ evoacme_acme_dir }}"
|
|
||||||
shell: /bin/false
|
|
||||||
system: yes
|
|
||||||
|
|
||||||
- name: Fix crt dir's right
|
|
||||||
file:
|
|
||||||
path: "{{ evoacme_crt_dir }}"
|
|
||||||
mode: "0755"
|
|
||||||
owner: acme
|
|
||||||
group: acme
|
|
||||||
state: directory
|
|
||||||
|
|
||||||
- name: "Fix hooks directory permissions"
|
|
||||||
file:
|
|
||||||
path: "{{ evoacme_hooks_dir }}"
|
|
||||||
mode: "0700"
|
|
||||||
owner: acme
|
|
||||||
group: acme
|
|
||||||
state: directory
|
|
||||||
|
|
||||||
- name: Fix log dir's right
|
|
||||||
file:
|
|
||||||
path: "{{ evoacme_log_dir }}"
|
|
||||||
mode: "0755"
|
|
||||||
owner: acme
|
|
||||||
group: acme
|
|
||||||
state: directory
|
|
||||||
|
|
||||||
- name: Fix challenge dir's right
|
|
||||||
file:
|
|
||||||
path: "{{ evoacme_acme_dir }}"
|
|
||||||
mode: "0755"
|
|
||||||
owner: acme
|
|
||||||
group: acme
|
|
||||||
state: directory
|
|
||||||
|
|
||||||
- name: Is /etc/aliases present?
|
|
||||||
stat:
|
|
||||||
path: /etc/aliases
|
|
||||||
register: etc_aliases
|
|
||||||
|
|
||||||
- name: Set acme aliases
|
|
||||||
lineinfile:
|
|
||||||
state: present
|
|
||||||
dest: /etc/aliases
|
|
||||||
line: 'acme: root'
|
|
||||||
regexp: 'acme:'
|
|
||||||
when: etc_aliases.stat.exists
|
|
||||||
notify: "newaliases"
|
|
|
@ -1,25 +0,0 @@
|
||||||
- name: Create conf dirs
|
|
||||||
file:
|
|
||||||
path: "/etc/apache2/{{ item }}"
|
|
||||||
state: directory
|
|
||||||
with_items:
|
|
||||||
- 'conf-available'
|
|
||||||
- 'conf-enabled'
|
|
||||||
|
|
||||||
- name: Copy acme challenge conf
|
|
||||||
template:
|
|
||||||
src: templates/apache.conf.j2
|
|
||||||
dest: /etc/apache2/conf-available/letsencrypt.conf
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: "0644"
|
|
||||||
notify: reload apache2
|
|
||||||
|
|
||||||
- name: Enable acme challenge conf
|
|
||||||
file:
|
|
||||||
src: /etc/apache2/conf-available/letsencrypt.conf
|
|
||||||
dest: /etc/apache2/conf-enabled/letsencrypt.conf
|
|
||||||
state: link
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
notify: reload apache2
|
|
|
@ -1,45 +1,20 @@
|
||||||
---
|
---
|
||||||
|
- include_role:
|
||||||
- name: Use backports for jessie
|
name: evolix/certbot
|
||||||
block:
|
|
||||||
- name: install jessie-backports
|
|
||||||
include_role:
|
|
||||||
name: evolix/apt
|
|
||||||
tasks_from: backports.yml
|
|
||||||
|
|
||||||
- name: Add exceptions for certbot dependencies
|
|
||||||
copy:
|
|
||||||
src: backports-certbot
|
|
||||||
dest: /etc/apt/preferences.d/z-backports-certbot
|
|
||||||
notify: apt update
|
|
||||||
|
|
||||||
- meta: flush_handlers
|
|
||||||
when: ansible_distribution_release == "jessie"
|
|
||||||
|
|
||||||
- name: Install certbot with apt
|
|
||||||
apt:
|
|
||||||
name: certbot
|
|
||||||
state: latest
|
|
||||||
|
|
||||||
- include_role:
|
- include_role:
|
||||||
name: evolix/remount-usr
|
name: evolix/remount-usr
|
||||||
|
|
||||||
- name: Remove certbot symlink for apt install
|
|
||||||
file:
|
|
||||||
path: /usr/local/bin/certbot
|
|
||||||
state: absent
|
|
||||||
|
|
||||||
- name: Disable /etc/cron.d/certbot
|
- name: Disable /etc/cron.d/certbot
|
||||||
command: mv /etc/cron.d/certbot /etc/cron.d/certbot.disabled
|
command: mv -f /etc/cron.d/certbot /etc/cron.d/certbot.disabled
|
||||||
args:
|
args:
|
||||||
removes: /etc/cron.d/certbot
|
removes: /etc/cron.d/certbot
|
||||||
creates: /etc/cron.d/certbot.disabled
|
|
||||||
|
|
||||||
- name: Disable /etc/cron.daily/certbot
|
- name: Disable /etc/cron.daily/certbot
|
||||||
command: mv /etc/cron.daily/certbot /etc/cron.daily/certbot.disabled
|
command: mv -f /etc/cron.daily/certbot /etc/cron.daily/certbot.disabled
|
||||||
args:
|
args:
|
||||||
removes: /etc/cron.daily/certbot
|
removes: /etc/cron.daily/certbot
|
||||||
creates: /etc/cron.daily/certbot.disabled
|
|
||||||
|
|
||||||
- name: Install evoacme custom cron
|
- name: Install evoacme custom cron
|
||||||
copy:
|
copy:
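Review bot: The two cron-disabling tasks (`Disable /etc/cron.d/certbot` and `Disable /etc/cron.daily/certbot`) drop their `creates:` guard and switch to `mv -f`, so a re-run after the certbot package restores its cron file will silently overwrite the earlier `.disabled` copy instead of failing; that looks intended but is not explained anywhere. A comment above the first of them, such as `# The certbot package presumably ships its own renewal cron jobs; move them aside so only the evoacme cron installed below triggers renewals (mv -f overwrites a stale .disabled copy on re-run)`, records the reason. The two `include_role` tasks at the top of the file carry no `name:`, unlike every other task here; `- name: Install certbot via the certbot role` and `- name: Remount /usr read-write` keep play output readable. The `Install evoacme custom cron` task continues outside the hunk.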
|
||||||
|
|
|
@ -1,5 +1,10 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
- name: "Create {{ hook_name }} hook directory"
|
||||||
|
file:
|
||||||
|
dest: "{{ evoacme_hooks_dir }}"
|
||||||
|
state: directory
|
||||||
|
|
||||||
- name: "Search for {{ hook_name }} hook"
|
- name: "Search for {{ hook_name }} hook"
|
||||||
command: "find {{ evoacme_hooks_dir }} -type f \\( -name '{{ hook_name }}' -o -name '{{ hook_name }}.*' \\)"
|
command: "find {{ evoacme_hooks_dir }} -type f \\( -name '{{ hook_name }}' -o -name '{{ hook_name }}.*' \\)"
|
||||||
check_mode: no
|
check_mode: no
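Review bot: The new `Create {{ hook_name }} hook directory` task creates `{{ evoacme_hooks_dir }}` with no `mode`, `owner` or `group`, so on a host where the directory does not yet exist it is created with the umask-derived default (typically 0755) rather than the root-owned `0700` directory that the `permissions.yml` added in this commit enforces. main.yml currently includes permissions.yml before this file, so the task is a no-op there, but nothing in this file guarantees that order when it is included elsewhere. Adding `mode: "0700"`, `owner: root` and `group: root` to the `file:` task keeps the two files in agreement regardless of include order; using `path:` instead of `dest:` would also match the key used in permissions.yml.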
|
||||||
|
|
|
@ -7,7 +7,7 @@
|
||||||
|
|
||||||
- include: certbot.yml
|
- include: certbot.yml
|
||||||
|
|
||||||
- include: acme.yml
|
- include: permissions.yml
|
||||||
|
|
||||||
- include: evoacme_hook.yml
|
- include: evoacme_hook.yml
|
||||||
vars:
|
vars:
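Review bot: The include order `certbot.yml` → `permissions.yml` → `evoacme_hook.yml` is load-bearing but undocumented: `evoacme_hook.yml` creates the hooks directory without setting its mode, so `permissions.yml` has to run first for the directory to end up `0700` and root-owned. A comment above the new line, `# must run before evoacme_hook.yml, which creates the hooks directory without fixing its mode`, records that dependency for the next maintainer. The `evoacme_hook.yml` include's `vars:` continue outside the hunk.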
|
||||||
|
@ -22,21 +22,3 @@
|
||||||
- include: conf.yml
|
- include: conf.yml
|
||||||
|
|
||||||
- include: scripts.yml
|
- include: scripts.yml
|
||||||
|
|
||||||
- name: Determine Apache presence
|
|
||||||
stat:
|
|
||||||
path: /etc/apache2/apache2.conf
|
|
||||||
check_mode: no
|
|
||||||
register: sta
|
|
||||||
|
|
||||||
- name: Determine Nginx presence
|
|
||||||
stat:
|
|
||||||
path: /etc/nginx/nginx.conf
|
|
||||||
check_mode: no
|
|
||||||
register: stn
|
|
||||||
|
|
||||||
- include: apache.yml
|
|
||||||
when: sta.stat.isreg is defined and sta.stat.isreg
|
|
||||||
|
|
||||||
- include: nginx.yml
|
|
||||||
when: stn.stat.isreg is defined and stn.stat.isreg
|
|
||||||
|
|
|
@ -1,35 +0,0 @@
|
||||||
---
|
|
||||||
|
|
||||||
- name: move acme challenge conf if missplaced
|
|
||||||
command: mv /etc/nginx/letsencrypt.conf /etc/nginx/snippets/letsencrypt.conf
|
|
||||||
args:
|
|
||||||
removes: /etc/nginx/letsencrypt.conf
|
|
||||||
creates: /etc/nginx/snippets/letsencrypt.conf
|
|
||||||
|
|
||||||
- name: Copy acme challenge conf
|
|
||||||
template:
|
|
||||||
src: templates/nginx.conf.j2
|
|
||||||
dest: /etc/nginx/snippets/letsencrypt.conf
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: "0644"
|
|
||||||
|
|
||||||
- name: look for old path
|
|
||||||
command: grep -r /etc/nginx/letsencrypt.conf /etc/nginx
|
|
||||||
changed_when: False
|
|
||||||
failed_when: False
|
|
||||||
check_mode: no
|
|
||||||
register: grep_letsencrypt_old_path
|
|
||||||
|
|
||||||
- name: Keep a symlink for vhosts with old path
|
|
||||||
file:
|
|
||||||
src: /etc/nginx/snippets/letsencrypt.conf
|
|
||||||
dest: /etc/nginx/letsencrypt.conf
|
|
||||||
state: link
|
|
||||||
when: grep_letsencrypt_old_path.rc == 0
|
|
||||||
|
|
||||||
- name: Remove symlink if no vhost with old path
|
|
||||||
file:
|
|
||||||
dest: /etc/nginx/letsencrypt.conf
|
|
||||||
state: absent
|
|
||||||
when: grep_letsencrypt_old_path.rc == 1
|
|
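--- a/evoacme/tasks/permissions.yml
+++ b/evoacme/tasks/permissions.yml
@@ -0,0 +1,33 @@
+---
+
+- name: Fix crt directory permissions
+  file:
+    path: "{{ evoacme_crt_dir }}"
+    mode: "0755"
+    owner: root
+    group: root
+    state: directory
+
+- name: "Fix hooks directory permissions"
+  file:
+    path: "{{ evoacme_hooks_dir }}"
+    mode: "0700"
+    owner: root
+    group: root
+    state: directory
+
+- name: Fix log directory permissions
+  file:
+    path: "{{ evoacme_log_dir }}"
+    mode: "0755"
+    owner: root
+    group: root
+    state: directory
+
+- name: Fix challenge directory permissions
+  file:
+    path: "{{ evoacme_acme_dir }}"
+    mode: "0755"
+    owner: root
+    group: root
+    state: directory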