Changeset - eff5e9720cff
x - 17 months ago 2023-12-14 19:58:30
xbr@c3l.lu
fix: become when root perms are necessary
4 files changed with 10 insertions and 0 deletions:
0 comments (0 inline, 0 general)
web/tasks/base_website_setup.yml
 
---
 
- name: Install nginx
 
  ansible.builtin.apt:
 
    name: nginx
 
    state: present
 
  become: true
 
- name: Copy snippets
 
  ansible.builtin.copy:
 
    src: "{{ server_config_dir }}/server_config/nginx/snippets/"
 
    dest: "/etc/nginx/snippets/"
 
    owner: root
 
    group: root
 
    mode: "0644"
 
  become: true
 
- name: Change default config
 
  ansible.builtin.copy:
 
    src: "{{ server_config_dir }}/server_config/nginx/configs/default"
 
    dest: "/etc/nginx/sites-available/default"
 
    owner: root
 
    group: root
 
    mode: "0644"
 
  become: true
 
- name: Enable + Restart nginx
 
  ansible.builtin.service:
 
    name: nginx
 
    state: reloaded
 
    enabled: true
 
  become: true
 
- name: Make sure acme.sh is installed
 
  ansible.builtin.include_tasks:
 
    file: "{{ ansible_repo_dir }}/web/tasks/install_acme_sh.yml"
 
- name: Issue certificate for domains
 
  ansible.builtin.include_tasks:
 
    file: "{{ ansible_repo_dir }}/web/tasks/issue_cert.yml"
 
- name: Set up nginx config
 
  ansible.builtin.include_tasks:
 
    file: "{{ ansible_repo_dir }}/web/tasks/set_up_nginx_config.yml"
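Review bot: The `state: reloaded` in "Enable + Restart nginx" runs before the three `include_tasks` that install and enable the per-site config, so the site enabled by set_up_nginx_config.yml is only picked up if something later reloads nginx — from these files that appears to be acme.sh's `--reloadcmd`, which is an implicit dependency rather than a stated one. Moving the service task after the includes, or adding a second reload at the end of this file, makes the ordering explicit. The snippets and default config copied from `server_config_dir` are also handed to nginx without a syntax check; a task `ansible.builtin.command: nginx -t` with `become: true` and `changed_when: false` placed before the reload fails the play instead of leaving nginx on a rejected config. issue_cert.yml documents `domain_name`, `all_domain_names` and `reload_command` as required inputs and none are passed here via `vars:`, so they presumably come from host or group vars — a one-line comment above that include stating where they are defined would spare the next reader the search.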
web/tasks/install_acme_sh.yml
 
---
 
# This just installs acme.sh for freifunk
 
- name: Check if acme.sh config files exists
 
  ansible.builtin.stat:
 
    path: "/root/.acme.sh"
 
    get_checksum: false
 
  become: true
 
  register: acme_config
 
- name: Download acme.sh
 
  ansible.builtin.get_url:
 
    url: "https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh"
 
    dest: "/opt/downloaded_acme.sh"
 
    force: true
 
    mode: '755'
 
    owner: root
 
    group: root
 
  become: true
 
  become_method: sudo
 
  register: download_acme
 
  when: acme_config.stat.exists == false
 
- name: Install acme.sh
 
  ansible.builtin.command:
 
    cmd: "/bin/bash /opt/downloaded_acme.sh --install --nocron -m freifunk@c3l.lu"
 
  become: true
 
  become_method: sudo
 
  when: download_acme.changed && acme_config.stat.exists == false
 
- name: Update acme.sh if not newly installed
 
  ansible.builtin.command:
 
    cmd: "/bin/bash /root/.acme.sh/acme.sh --upgrade"
 
  become: true
 
  when: acme_config.stat.exists
 
- name: Add cronjob for acme.sh
 
  ansible.builtin.cron:
 
    name: "reissue certs if necessary"
 
    user: root
 
    job: "/root/.acme.sh/acme.sh --cron --home \"/root/.acme.sh/\" > /dev/null"
 
    state: "present"
 
    minute: "0"
 
    hour: "0"
 
    day: "*"
 
    month: "*"
 
    weekday: "*"
 
  become: true
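Review bot: `when: download_acme.changed && acme_config.stat.exists == false` on the "Install acme.sh" task is not valid Jinja2 — `&&` is not an operator there, so the condition fails to template whenever the task is evaluated; it should read `when: download_acme.changed and not acme_config.stat.exists`, and the Download task's `== false` can become `not acme_config.stat.exists` to match. The download fetches `master` of acme.sh with `force: true` and no `checksum:`, then runs the result as root; pinning a release tag in the URL and setting `checksum: "sha256:<expected-digest>"` on `get_url` turns an unexpected upstream change into a failed task rather than unverified code executed under `become: true`. `become_method: sudo` on the Download and Install tasks restates the default and is absent from the other tasks in this file, so it can be dropped for consistency.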
web/tasks/issue_cert.yml
 
---
 
# Inputs:
 
# - domain_name (e.g. freifunk.lu)
 
# - all_domain_names (e.g. -d freifunk.lu -d www.freifunk.lu)
 
# - reload_command (e.g. systemctl reload nginx)
 
- name: Make sure bogus certificate + group exists
 
  ansible.builtin.apt:
 
    name: ssl-cert
 
    state: present
 
  become: true
 
- name: Check if certificate already exists
 
  ansible.builtin.stat:
 
    path: "/root/.acme.sh/{{ domain_name }}_ecc"
 
  become: true
 
  register: acme_cert_dir
 
- name: Pre-copy cert files
 
  ansible.builtin.copy:
 
    src: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
 
    dest: "/etc/ssl/certs/ssl-{{ item }}-{{ domain_name }}.pem"
 
    mode: '644'
 
    owner: 'root'
 
    group: 'root'
 
  become: true
 
  loop:
 
    - cert
 
    - ca
 
    - fullchain
 
  when: not acme_cert_dir.exists
 
- name: Pre-copy key file
 
  ansible.builtin.copy:
 
    src: "/etc/ssl/private/ssl-cert-snakeoil.key"
 
    dest: "/etc/ssl/private/ssl-cert-{{ domain_name }}.pem"
 
    mode: '640'
 
    owner: 'root'
 
    group: 'ssl-cert'
 
  become: true
 
  when: not acme_cert_dir.exists
 
- name: Issue certificate
 
  ansible.builtin.command:
 
    cmd: "/root/.acme.sh/acme.sh --issue --keylength ec-384
 
      -w /var/www/acme_root/ {{ all_domain_names }}"
 
  become: true
 
  when: not acme_cert_dir.exists
 
  register: cert_issued
 
  changed_when: cert_issued.rc == 0
 
- name: Deploy certs and keys
 
  ansible.builtin.command:
 
    cmd: "/root/.acme.sh/acme.sh --install-cert --ecc
 
      -d {{ domain_name }}
 
      --cert-file \"/etc/ssl/certs/ssl-cert-{{ domain_name }}.pem\"
 
      --key-file \"/etc/ssl/private/ssl-cert-{{ domain_name }}.pem\"
 
      --ca-file \"/etc/ssl/certs/ssl-ca-{{ domain_name }}.pem\"
 
      --fullchain-file \"/etc/ssl/certs/ssl-fullchain-{{ domain_name }}.pem\"
 
      --reloadcmd \"{{ reload_command }}\""
 
  become: true
 
  register: cert_deployed
 
  changed_when: cert_deployed.rc == 0
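Review bot: The three `when: not acme_cert_dir.exists` conditions (Pre-copy cert files, Pre-copy key file, Issue certificate) reference an attribute `ansible.builtin.stat` does not set — the result lives under `acme_cert_dir.stat.exists`, which is exactly how install_acme_sh.yml reads it — so each should be `when: not acme_cert_dir.stat.exists`. The two pre-copy tasks use `ansible.builtin.copy` with `src: "/etc/ssl/certs/ssl-cert-snakeoil.pem"` and `src: "/etc/ssl/private/ssl-cert-snakeoil.key"` but no `remote_src: true`, so the snakeoil files are looked up on the controller rather than on the host where `ssl-cert` was just installed; add `remote_src: true` to both. "Deploy certs and keys" runs `--install-cert` with `{{ reload_command }}` on every play and `changed_when: cert_deployed.rc == 0` reports it as changed each time, which is worth a comment if intentional. Because `all_domain_names` and `reload_command` are spliced straight into a root command line, the Inputs header should state that they must come only from play-controlled variables, never from inventory facts or user-supplied data.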
web/tasks/set_up_nginx_config.yml
 
---
 
# Sets up nginx for the specific config file
 
- name: Install nginx config
 
  ansible.builtin.copy:
 
    src: "{{ server_config_dir }}/server_config/nginx/configs/{{ web_conf_file }}"
 
    dest: "/etc/nginx/sites-available/"
 
    owner: root
 
    group: root
 
    mode: "0644"
 
  become: true
 
- name: Enable new config site
 
  ansible.builtin.file:
 
    src: "/etc/nginx/sites-available/{{ web_conf_file }}"
 
    dest: "/etc/nginx/sites-enabled/{{ web_conf_file }}"
 
    owner: root
 
    group: root
 
    state: link
 
  become: true
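Review bot: "Enable new config site" creates the symlink in `sites-enabled`, but nothing in this file reloads nginx afterwards and the reload in base_website_setup.yml runs before this file is included, so the new site is only served once something else happens to reload nginx. Appending a validation step and a reload after the symlink makes the file self-contained and keeps a broken `{{ web_conf_file }}` from being picked up by a later unrelated reload. `owner`/`group` on the `file` task with `state: link` apply to the link itself, which is harmless but has no effect on the target file's permissions.
```yaml
# … unchanged: Install nginx config, Enable new config site …
- name: Validate nginx configuration
  ansible.builtin.command:
    cmd: nginx -t
  become: true
  changed_when: false

- name: Reload nginx
  ansible.builtin.service:
    name: nginx
    state: reloaded
  become: true
```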
0 comments (0 inline, 0 general)