Release 10.1.0 #113
|
@ -39,6 +39,7 @@ The **patch** part changes incrementally at each release.
|
|||
* elasticsearch: configure cluster with seed hosts and initial masters
|
||||
* evoacme: upstream release 20.06.1
|
||||
* evoacme: read values from environment before defaults file
|
||||
* evoacme: update for new certbot role
|
||||
* haproxy: deport SSL tuning to Mozilla SSL generator
|
||||
* haproxy: chroot and socket path are configurable
|
||||
* haproxy: adapt backports installed package list to distibution
|
||||
|
|
|
@ -1,61 +0,0 @@
|
|||
---
|
||||
- name: Create acme group
|
||||
group:
|
||||
name: acme
|
||||
state: present
|
||||
|
||||
- name: Create acme user
|
||||
user:
|
||||
name: acme
|
||||
group: acme
|
||||
state: present
|
||||
createhome: no
|
||||
home: "{{ evoacme_acme_dir }}"
|
||||
shell: /bin/false
|
||||
system: yes
|
||||
|
||||
- name: Fix crt dir's right
|
||||
file:
|
||||
path: "{{ evoacme_crt_dir }}"
|
||||
mode: "0755"
|
||||
owner: acme
|
||||
group: acme
|
||||
state: directory
|
||||
|
||||
- name: "Fix hooks directory permissions"
|
||||
file:
|
||||
path: "{{ evoacme_hooks_dir }}"
|
||||
mode: "0700"
|
||||
owner: acme
|
||||
group: acme
|
||||
state: directory
|
||||
|
||||
- name: Fix log dir's right
|
||||
file:
|
||||
path: "{{ evoacme_log_dir }}"
|
||||
mode: "0755"
|
||||
owner: acme
|
||||
group: acme
|
||||
state: directory
|
||||
|
||||
- name: Fix challenge dir's right
|
||||
file:
|
||||
path: "{{ evoacme_acme_dir }}"
|
||||
mode: "0755"
|
||||
owner: acme
|
||||
group: acme
|
||||
state: directory
|
||||
|
||||
- name: Is /etc/aliases present?
|
||||
stat:
|
||||
path: /etc/aliases
|
||||
register: etc_aliases
|
||||
|
||||
- name: Set acme aliases
|
||||
lineinfile:
|
||||
state: present
|
||||
dest: /etc/aliases
|
||||
line: 'acme: root'
|
||||
regexp: 'acme:'
|
||||
when: etc_aliases.stat.exists
|
||||
notify: "newaliases"
|
|
@ -1,25 +0,0 @@
|
|||
- name: Create conf dirs
|
||||
file:
|
||||
path: "/etc/apache2/{{ item }}"
|
||||
state: directory
|
||||
with_items:
|
||||
- 'conf-available'
|
||||
- 'conf-enabled'
|
||||
|
||||
- name: Copy acme challenge conf
|
||||
template:
|
||||
src: templates/apache.conf.j2
|
||||
dest: /etc/apache2/conf-available/letsencrypt.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
notify: reload apache2
|
||||
|
||||
- name: Enable acme challenge conf
|
||||
file:
|
||||
src: /etc/apache2/conf-available/letsencrypt.conf
|
||||
dest: /etc/apache2/conf-enabled/letsencrypt.conf
|
||||
state: link
|
||||
owner: root
|
||||
group: root
|
||||
notify: reload apache2
|
|
@ -1,45 +1,20 @@
|
|||
---
|
||||
|
||||
- name: Use backports for jessie
|
||||
block:
|
||||
- name: install jessie-backports
|
||||
include_role:
|
||||
name: evolix/apt
|
||||
tasks_from: backports.yml
|
||||
|
||||
- name: Add exceptions for certbot dependencies
|
||||
copy:
|
||||
src: backports-certbot
|
||||
dest: /etc/apt/preferences.d/z-backports-certbot
|
||||
notify: apt update
|
||||
|
||||
- meta: flush_handlers
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- name: Install certbot with apt
|
||||
apt:
|
||||
name: certbot
|
||||
state: latest
|
||||
- include_role:
|
||||
name: evolix/certbot
|
||||
|
||||
- include_role:
|
||||
name: evolix/remount-usr
|
||||
|
||||
- name: Remove certbot symlink for apt install
|
||||
file:
|
||||
path: /usr/local/bin/certbot
|
||||
state: absent
|
||||
|
||||
- name: Disable /etc/cron.d/certbot
|
||||
command: mv /etc/cron.d/certbot /etc/cron.d/certbot.disabled
|
||||
command: mv -f /etc/cron.d/certbot /etc/cron.d/certbot.disabled
|
||||
args:
|
||||
removes: /etc/cron.d/certbot
|
||||
creates: /etc/cron.d/certbot.disabled
|
||||
|
||||
- name: Disable /etc/cron.daily/certbot
|
||||
command: mv /etc/cron.daily/certbot /etc/cron.daily/certbot.disabled
|
||||
command: mv -f /etc/cron.daily/certbot /etc/cron.daily/certbot.disabled
|
||||
args:
|
||||
removes: /etc/cron.daily/certbot
|
||||
creates: /etc/cron.daily/certbot.disabled
|
||||
|
||||
- name: Install evoacme custom cron
|
||||
copy:
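Review bot: In the "Disable /etc/cron.d/certbot" and "Disable /etc/cron.daily/certbot" tasks, `creates: /etc/cron.d/certbot.disabled` (and its cron.daily counterpart) makes the new `mv -f` unreachable in exactly the case `-f` exists for: once the `.disabled` file is present the task is skipped, so when a certbot package upgrade recreates `/etc/cron.d/certbot` the distribution cron silently runs again alongside the evoacme one. Dropping the `creates:` line and keeping only `removes:` lets the task re-run whenever the source file reappears and overwrite the stale `.disabled` copy. Whether `creates:` is new or context cannot be told from this rendering, but it is in the resulting file either way.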
|
||||
|
|
|
@ -1,5 +1,10 @@
|
|||
---
|
||||
|
||||
- name: "Create {{ hook_name }} hook directory"
|
||||
file:
|
||||
dest: "{{ evoacme_hooks_dir }}"
|
||||
state: directory
|
||||
|
||||
- name: "Search for {{ hook_name }} hook"
|
||||
command: "find {{ evoacme_hooks_dir }} -type f \\( -name '{{ hook_name }}' -o -name '{{ hook_name }}.*' \\)"
|
||||
check_mode: no
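Review bot: The "Create {{ hook_name }} hook directory" task (apparently the added part of this hunk; the rendering does not show sides) creates `{{ evoacme_hooks_dir }}` with `file:` but sets no `mode`, `owner` or `group`, so on a host where the directory does not exist yet it gets the umask default instead of the root-only `0700` that this release applies elsewhere in `permissions.yml`. Since this directory holds scripts executed during renewal, the task should state the same values explicitly: `mode: "0700"`, `owner: root`, `group: root`. `dest:` is accepted here but `path:` is the canonical `file` module argument for a directory and would match the other tasks.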
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
|
||||
- include: certbot.yml
|
||||
|
||||
- include: acme.yml
|
||||
- include: permissions.yml
|
||||
|
||||
- include: evoacme_hook.yml
|
||||
vars:
|
||||
|
@ -22,21 +22,3 @@
|
|||
- include: conf.yml
|
||||
|
||||
- include: scripts.yml
|
||||
|
||||
- name: Determine Apache presence
|
||||
stat:
|
||||
path: /etc/apache2/apache2.conf
|
||||
check_mode: no
|
||||
register: sta
|
||||
|
||||
- name: Determine Nginx presence
|
||||
stat:
|
||||
path: /etc/nginx/nginx.conf
|
||||
check_mode: no
|
||||
register: stn
|
||||
|
||||
- include: apache.yml
|
||||
when: sta.stat.isreg is defined and sta.stat.isreg
|
||||
|
||||
- include: nginx.yml
|
||||
when: stn.stat.isreg is defined and stn.stat.isreg
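Review bot: Replacing `- include: acme.yml` with `- include: permissions.yml` in the first hunk, and dropping the Apache/Nginx detection and includes in the second, leaves hosts deployed with the previous release with unmanaged leftovers: the `acme` user and group (home in `{{ evoacme_acme_dir }}`, shell `/bin/false`), its `acme: root` entry in `/etc/aliases`, and the `letsencrypt.conf` snippets linked into `conf-enabled`/`snippets`. If the new certbot role now owns the web-server snippets that is fine, but the orphaned `acme` service account should either be removed by a migration task or be called out in the changelog so operators know it no longer has a purpose. The new line also keeps the deprecated `include` action; `import_tasks: permissions.yml` is the current form, though it matches the surrounding lines, so a file-wide change would be the consistent fix.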
|
||||
|
|
|
@ -1,35 +0,0 @@
|
|||
---
|
||||
|
||||
- name: move acme challenge conf if missplaced
|
||||
command: mv /etc/nginx/letsencrypt.conf /etc/nginx/snippets/letsencrypt.conf
|
||||
args:
|
||||
removes: /etc/nginx/letsencrypt.conf
|
||||
creates: /etc/nginx/snippets/letsencrypt.conf
|
||||
|
||||
- name: Copy acme challenge conf
|
||||
template:
|
||||
src: templates/nginx.conf.j2
|
||||
dest: /etc/nginx/snippets/letsencrypt.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
|
||||
- name: look for old path
|
||||
command: grep -r /etc/nginx/letsencrypt.conf /etc/nginx
|
||||
changed_when: False
|
||||
failed_when: False
|
||||
check_mode: no
|
||||
register: grep_letsencrypt_old_path
|
||||
|
||||
- name: Keep a symlink for vhosts with old path
|
||||
file:
|
||||
src: /etc/nginx/snippets/letsencrypt.conf
|
||||
dest: /etc/nginx/letsencrypt.conf
|
||||
state: link
|
||||
when: grep_letsencrypt_old_path.rc == 0
|
||||
|
||||
- name: Remove symlink if no vhost with old path
|
||||
file:
|
||||
dest: /etc/nginx/letsencrypt.conf
|
||||
state: absent
|
||||
when: grep_letsencrypt_old_path.rc == 1
|
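--- a/evoacme/tasks/permissions.yml
+++ b/evoacme/tasks/permissions.yml
@@ -0,0 +1,33 @@
+---
+
+- name: Fix crt directory permissions
+  file:
+    path: "{{ evoacme_crt_dir }}"
+    mode: "0755"
+    owner: root
+    group: root
+    state: directory
+
+- name: "Fix hooks directory permissions"
+  file:
+    path: "{{ evoacme_hooks_dir }}"
+    mode: "0700"
+    owner: root
+    group: root
+    state: directory
+
+- name: Fix log directory permissions
+  file:
+    path: "{{ evoacme_log_dir }}"
+    mode: "0755"
+    owner: root
+    group: root
+    state: directory
+
+- name: Fix challenge directory permissions
+  file:
+    path: "{{ evoacme_acme_dir }}"
+    mode: "0755"
+    owner: root
+    group: root
+    state: directory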
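Review bot: Each `file: state: directory` task here changes the owner and group of the directory itself only, not of its contents, so on hosts deployed with the previous release — where these same directories belonged to the `acme` user, as the acme.yml removed in this commit shows — files already inside them keep `acme` ownership. For `{{ evoacme_hooks_dir }}` that leaves hook scripts owned by a non-root account inside a root-only `0700` directory; if the hooks run with root privileges during renewal (inferred, not shown here), that is a privilege boundary problem rather than a cosmetic mismatch. A follow-up task that fixes ownership of existing hook files (for example a `find` registered into a `file` task with `owner: root` and `group: root`, leaving modes alone), or a documented manual step, would close it; adding `recurse: yes` to these tasks is not a substitute because it would also apply `mode: "0755"` to every file.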