From 9b71c5754f61a2cacf6a4f8de21f699aa3983a3b Mon Sep 17 00:00:00 2001
From: muppeth
Date: Sat, 2 Mar 2024 00:03:57 +0100
Subject: [PATCH 1/5] improved certificate redistrobution

---
handlers/main.yml | 12 ++++++++++++
tasks/cert.yml | 2 +-
tasks/copy_ssl.yml | 27 +++++++++++++++++++--------
3 files changed, 32 insertions(+), 9 deletions(-)

diff --git a/handlers/main.yml b/handlers/main.yml
index 140d79e..52ddb85 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -9,3 +9,15 @@
 name: nginx
 state: reloaded
+- name: reload prosdy
+ systemd:
+ name: prosody
+ state: reloaded
+
+- name: reload mumble
+ systemd:
+ name: mumble-server
+ state: restarted
+
+
+
diff --git a/tasks/cert.yml b/tasks/cert.yml
index a448cfc..5d22946 100644
--- a/tasks/cert.yml
+++ b/tasks/cert.yml
@@ -1,7 +1,7 @@
 ---
 - name: '[CERT] - Generate or renew certificates'
- command: /usr/bin/certbot certonly --key-type ecdsa --agree-tos --keep-until-expiring --non-interactive --webroot --webroot-path {{ letsencrypt_webroot_path }} -m {{ letsencrypt_email }} --domains {{ item.name }} --cert-name {{ item.name }} {{ '--reuse-key = true' if item.reuse_key is defined else '' }} --preferred-chain "ISRG Root X1" {{ '--force-renewal' if item.force_renewal is defined else '' }}
+ command: /usr/bin/certbot certonly --key-type ecdsa --agree-tos --keep-until-expiring --non-interactive --webroot --webroot-path {{ letsencrypt_webroot_path }} -m {{ letsencrypt_email }} --domains {{ item.name }} --cert-name {{ item.name }} {{ '--reuse-key' if item.reuse_key is defined else '' }} --preferred-chain "ISRG Root X1" {{ '--force-renewal' if item.force_renewal is defined else '' }}
 with_items: "{{ letsencrypt_domains }}"
 notify:
 - reload nginx
diff --git a/tasks/copy_ssl.yml b/tasks/copy_ssl.yml
index 5bedff9..8366b32 100644
--- a/tasks/copy_ssl.yml
+++ b/tasks/copy_ssl.yml
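Review bot: The new handler is named `reload prosdy`, so any task that notifies the correctly spelled `reload prosody` (which is what `reload {{ item.service }}` in tasks/copy_ssl.yml will template for a Prosody host) aborts the play with a missing-handler error; rename it `- name: reload prosody`. The `reload mumble` handler actually performs `state: restarted`, which unlike a reload stops and restarts mumble-server on every certificate push — either name it `restart mumble` so the notify side says what happens, or use `state: reloaded` if the unit supports it. The three trailing blank lines added at the end of the file can be dropped.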
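Review bot: Both optional flags on the new command line are still gated on `is defined`, so an entry with `reuse_key: false` or `force_renewal: false` in `letsencrypt_domains` turns the flag on rather than off, and a `force_renewal` key left in inventory after a one-off renewal keeps forcing a fresh issuance on every run, which can run into Let's Encrypt's issuance rate limits; gate on the value instead: `{{ '--reuse-key' if item.reuse_key | default(false) | bool else '' }}` and the same for `--force-renewal`. Because this is a `command` task it reports changed on every run, so `reload nginx` fires even when certbot decided the certificate was not yet due — consider a `register` plus a `changed_when` keyed on certbot's output so the reload only follows an actual renewal.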
@@ -1,6 +1,6 @@
 ---
-- name: '[COPY SSL] - Fetch SSL Certificates'
+- name: '[COPY SSL] - Fetch Certificates'
 synchronize:
 mode: pull
 src: '/etc/letsencrypt/'
@@ -9,12 +9,23 @@
 notify:
 - reload nginx
-
-- name: '[COPY SSL] - Copy SSL certificates to containers behind proxy'
- synchronize:
- src: '/etc/ansible/ssl/{{ item.name }}/'
- dest: '/etc/letsencrypt/'
+- name: '[COPY CERTS] - Make sure direcotry permissions to cert path is correct'
+ file:
+ path: '/etc/letsencrypt/live'
+ state: 'directory'
+ owner: '{{ item.owner }}'
+ group: '{{ item.group }}'
 when: letsencrypt_copy_certs == 'true'
- with_items: '{{ letsencrypt_copy_cert_from }}'
+ loop: '{{ letsencrypt_copy_cert_from }}'
+
+- name: '[COPY CERTS] - Copy certs archive to webservers'
+ synchronize:
+ src: '/etc/ansible/ssl/{{ item.name }}/live/{{ item.letsencrypt_domains }}'
+ dest: '/etc/letsencrypt/live/{{ item.domain }}'
+ owner: '{{ item.owner }}'
+ group: '{{ item.group }}'
+ when: letsencrypt_copy_certs == 'true'
+ loop: '{{ letsencrypt_copy_cert_from }}'
 notify:
- - reload nginx
+ - reload {{ item.service }}
+
From 659818149dd994cc5a34087c21e21903fcd7868c Mon Sep 17 00:00:00 2001
From: muppeth
Date: Thu, 7 Mar 2024 10:47:35 +0100
Subject: [PATCH 2/5] added virtualenv to apt list

---
tasks/client.yml | 1 +
1 file changed, 1 insertion(+)

diff --git a/tasks/client.yml b/tasks/client.yml
index 32a1472..4b04284 100644
--- a/tasks/client.yml
+++ b/tasks/client.yml
@@ -8,6 +8,7 @@
 - python3-venv
 - libaugeas0
 - ca-certificates
+ - virtualenv
 - name: '[CERTBOT] - Create app dir'
 file:
From 26793093a05fcea9796ba9881f9654efea54655d Mon Sep 17 00:00:00 2001
From: muppeth
Date: Fri, 8 Mar 2024 23:10:23 +0100
Subject: [PATCH 3/5] cert distribution task fix

---
tasks/copy_ssl.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tasks/copy_ssl.yml b/tasks/copy_ssl.yml
index 8366b32..b3238e7 100644
--- a/tasks/copy_ssl.yml
+++ b/tasks/copy_ssl.yml
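Review bot: `when: letsencrypt_copy_certs == 'true'` on both new tasks compares against the literal string `'true'`, so an inventory that sets the variable as a YAML boolean (`letsencrypt_copy_certs: true`) silently skips the whole distribution step; use `when: letsencrypt_copy_certs | bool`. In the `synchronize` task, `owner` and `group` are that module's boolean preserve-ownership switches, not account names, so passing `'{{ item.owner }}'` fails argument validation (or is mis-coerced) instead of changing ownership — ownership belongs in the `file` task, which here points every loop item at the shared `/etc/letsencrypt/live`, so the last item's owner wins for all domains. `reload {{ item.service }}` must match a handler name exactly, including the `reload prosdy` spelling added in handlers/main.yml, so the inventory value and the handler need to agree.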
@@ -20,7 +20,7 @@
 - name: '[COPY CERTS] - Copy certs archive to webservers'
 synchronize:
- src: '/etc/ansible/ssl/{{ item.name }}/live/{{ item.letsencrypt_domains }}'
+ src: '/etc/ansible/ssl/{{ item.server }}/live/{{ item.domain }}'
 dest: '/etc/letsencrypt/live/{{ item.domain }}'
 owner: '{{ item.owner }}'
 group: '{{ item.group }}'
From 6b11e05f633ab32f2abe1995a2995a12d4e78dd8 Mon Sep 17 00:00:00 2001
From: muppeth
Date: Fri, 8 Mar 2024 23:44:06 +0100
Subject: [PATCH 4/5] improved copy_ssl task

---
tasks/copy_ssl.yml | 19 ++++++++-----------
1 file changed, 8 insertions(+), 11 deletions(-)

diff --git a/tasks/copy_ssl.yml b/tasks/copy_ssl.yml
index b3238e7..62848e9 100644
--- a/tasks/copy_ssl.yml
+++ b/tasks/copy_ssl.yml
@@ -9,23 +9,20 @@
 notify:
 - reload nginx
-- name: '[COPY CERTS] - Make sure direcotry permissions to cert path is correct'
- file:
- path: '/etc/letsencrypt/live'
- state: 'directory'
- owner: '{{ item.owner }}'
- group: '{{ item.group }}'
- when: letsencrypt_copy_certs == 'true'
- loop: '{{ letsencrypt_copy_cert_from }}'
-
 - name: '[COPY CERTS] - Copy certs archive to webservers'
 synchronize:
 src: '/etc/ansible/ssl/{{ item.server }}/live/{{ item.domain }}'
 dest: '/etc/letsencrypt/live/{{ item.domain }}'
- owner: '{{ item.owner }}'
- group: '{{ item.group }}'
 when: letsencrypt_copy_certs == 'true'
 loop: '{{ letsencrypt_copy_cert_from }}'
 notify:
 - reload {{ item.service }}
+- name: '[COPY CERTS] - Make sure direcotry permissions to cert path is correct'
+ file:
+ path: '/etc/letsencrypt/live/{{ item.domain }}'
+ state: 'directory'
+ owner: '{{ item.owner }}'
+ group: '{{ item.group }}'
+ when: letsencrypt_copy_certs == 'true'
+ loop: '{{ letsencrypt_copy_cert_from }}'
From 9c585c643afc3e161bfccfe2d1f1b73e4d8f660d Mon Sep 17 00:00:00 2001
From: muppeth
Date: Sat, 9 Mar 2024 00:59:40 +0100
Subject: [PATCH 5/5] last fix

---
tasks/copy_ssl.yml | 31 +++++++++++++++++++++----------
1 file changed, 21 insertions(+), 10 deletions(-)
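Review bot: The loop item schema changes here from `name`/`letsencrypt_domains` to `server`/`domain` (with `owner`, `group` and, outside this hunk, `service` also read from the same item), and nothing in the file records what an entry of `letsencrypt_copy_cert_from` must contain; add a comment above the task such as `# letsencrypt_copy_cert_from items: server (host the certs were pulled from), domain (certbot --cert-name), owner, group, service (handler suffix for "reload <service>")`. Note also that rsync treats a `src` without a trailing slash as the directory itself, so with `dest: '/etc/letsencrypt/live/{{ item.domain }}'` the files are likely to land in `live/<domain>/<domain>/` — either append a slash to `src` or point `dest` at `/etc/letsencrypt/live/`. The task's `when`, `loop` and `notify` lines lie outside this hunk.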
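Review bot: The ownership task now runs after the `synchronize`, but with `state: directory` and no `recurse` only `/etc/letsencrypt/live/{{ item.domain }}` itself is chowned; the files rsync placed inside it, `privkey.pem` included, keep the owner preserved from the controller copy, so the service named in `item.service` may be unable to read its own key after the reload. Either add `recurse: true` or chown the individual files, and set an explicit mode rather than inheriting whatever the controller copy carried, e.g. `mode: 'u=rwX,g=rX,o='` together with `recurse: true`, so a world-readable key cannot propagate unnoticed. The `- reload nginx` context at the top of the hunk belongs to the fetch task, which starts before this hunk.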
diff --git a/tasks/copy_ssl.yml b/tasks/copy_ssl.yml
index 62848e9..488040e 100644
--- a/tasks/copy_ssl.yml
+++ b/tasks/copy_ssl.yml
@@ -3,21 +3,13 @@
 - name: '[COPY SSL] - Fetch Certificates'
 synchronize:
 mode: pull
- src: '/etc/letsencrypt/'
+ src: '/etc/letsencrypt/live'
 dest: '/etc/ansible/ssl/{{ inventory_hostname }}'
+ copy_links: 'true'
 when: install_letsencrypt == 'true'
 notify:
 - reload nginx
-- name: '[COPY CERTS] - Copy certs archive to webservers'
- synchronize:
- src: '/etc/ansible/ssl/{{ item.server }}/live/{{ item.domain }}'
- dest: '/etc/letsencrypt/live/{{ item.domain }}'
- when: letsencrypt_copy_certs == 'true'
- loop: '{{ letsencrypt_copy_cert_from }}'
- notify:
- - reload {{ item.service }}
-
 - name: '[COPY CERTS] - Make sure direcotry permissions to cert path is correct'
 file:
 path: '/etc/letsencrypt/live/{{ item.domain }}'
@@ -26,3 +18,22 @@
 group: '{{ item.group }}'
 when: letsencrypt_copy_certs == 'true'
 loop: '{{ letsencrypt_copy_cert_from }}'
+
+- name: '[COPY CERTS] - Copy certs archive to webservers'
+ synchronize:
+ src: '/etc/ansible/ssl/{{ item.server }}/live/{{ item.domain }}'
+ dest: '/etc/letsencrypt/live/'
+ copy_links: 'true'
+ when: letsencrypt_copy_certs == 'true'
+ loop: '{{ letsencrypt_copy_cert_from }}'
+ notify:
+ - reload {{ item.service }}
+
+- name: '[COPY CERTS] - Make sure direcotry permissions to cert path is correct'
+ file:
+ dest: '/etc/letsencrypt/live/{{ item.domain }}'
+ owner: '{{ item.owner }}'
+ group: '{{ item.group }}'
+ recurse: 'yes'
+ when: letsencrypt_copy_certs == 'true'
+ loop: '{{ letsencrypt_copy_cert_from }}'
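Review bot: With `src: '/etc/letsencrypt/live'` and `copy_links: 'true'` the pull now dereferences certbot's symlinks and lands plaintext private keys for every host under `/etc/ansible/ssl/<host>/live/` on the controller, and nothing in this task constrains that directory; create it beforehand with a `file` task as root-owned `mode: '0700'` and keep `/etc/ansible/ssl` out of any repository checkout. The `notify: - reload nginx` on a `mode: pull` task is misplaced — copying files to the controller changes nothing about the host's nginx, and the certbot task in tasks/cert.yml already notifies that handler on renewal — so drop it. Write the boolean as `copy_links: true` rather than the quoted string.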
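Review bot: The file now carries two tasks with the identical name `[COPY CERTS] - Make sure direcotry permissions to cert path is correct`, and the second one (with `recurse: 'yes'`) subsumes the first, which only pre-creates a directory rsync creates anyway; keep a single task, fix the typo (`directory`), and write the boolean as `recurse: true`. The recursive chown hands ownership of `privkey.pem` to the service account but never sets a mode, so the key keeps whatever permissions the controller copy had; add `mode: 'u=rwX,g=rX,o='` alongside `recurse: true` so the directory stays traversable only by owner and group and the key is never world-readable. `reload {{ item.service }}` still has to match a handler name exactly, so `service: prosody` will not find the `reload prosdy` handler in handlers/main.yml unless that spelling is fixed too.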