evoacme: add squid whitelist for ocsp server

2017-05-16 10:30:17 +02:00 · 2017-05-16 10:30:17 +02:00 · f068684a76
parent 708860770a
commit f068684a76
2 changed files with 27 additions and 0 deletions
--- a/evoacme/handlers/main.yml
+++ b/evoacme/handlers/main.yml
@ -13,3 +13,8 @@
 - name: apt update
  apt:
    update_cache: yes
+
+- name: reload squid3
+  service:
+    name: squid3
+    state: reloaded
--- a/evoacme/tasks/certbot.yml
+++ b/evoacme/tasks/certbot.yml
@ -53,3 +53,25 @@
    src: certbot.cron
    dest: /etc/cron.daily/certbot
    mode: "0755"
+
+- name: Is Squid installed?
+  command: "command -v squid3"
+  failed_when: false
+  changed_when: false
+  check_mode: no
+  register: is_squid3_installed
+
+- name: Find squid3 config whitelist
+  shell: find /etc/squid3/whitelist-custom.conf /etc/squid3/whitelist.conf 2> /dev/null
+  failed_when: false
+  changed_when: false
+  check_mode: no
+  register: squid3_whitelist_files
+
+- name: Let's Encrypt OCSP server is authorized by squid
+  lineinfile:
+    dest: "{{ squid3_whitelist_files.stdout_lines | first }}"
+    line: "http://ocsp.int-x3.letsencrypt.org/.*"
+    state: present
+  notify: reload squid3
+  when: is_squid3_installed.rc == 0 and squid3_whitelist_files.stdout != ""