source: darkpeak-services/roles/tls/tasks/configure-tls-cert.yml @ 10c10fd5

Last change on this file since 10c10fd5 was 10c10fd5, checked in by Mat Booth <mat.booth@…>, 3 years ago

Fix a mistake in previous commit ae8976b

# If a service requires read access to a cert, the system user that
# the service runs as should be a member of the "ssl-cert" group.

# Certbot is installed from stretch-backports further down, so the
# backports suite has to be registered first. The mirror is addressed
# over plain HTTP: apt's signature check still covers what is
# installed, but the transfer itself is neither private nor
# transport-authenticated.
- name: Add stretch-backports
  apt_repository:
    repo: "deb http://mirror.bytemark.co.uk/debian stretch-backports main"

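# The ssl-cert package supplies the "ssl-cert" group that the private
# directories, key and symlinks below are group-owned by.
- name: Install ssl-cert package
  apt:
    name: ssl-cert
    state: present
    update_cache: true  # canonical boolean; "yes" is a YAML 1.1-only spelling
    cache_valid_time: 10800   # 3 hours
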
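# default_release pins the package to the backports suite added above;
# nothing in this file runs certbot, it is only made available here.
- name: Install CertBot from backports
  apt:
    name: certbot
    default_release: stretch-backports
    state: present
    update_cache: true  # canonical boolean; "yes" is a YAML 1.1-only spelling
    cache_valid_time: 10800   # 3 hours
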
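# Web root owned by root but group www-data so the web server can read
# it; world-readable, which is expected for challenge content.
- name: Create certbot www directory
  file:
    path: /usr/share/certbot
    owner: root
    group: www-data
    state: directory
    # Quoted so the mode survives as the string "0755" regardless of
    # whether the YAML parser treats a leading zero as octal or decimal.
    mode: "0755"
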
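# 0710: only root can list these directories; members of ssl-cert may
# traverse them to reach files they are explicitly granted access to,
# everyone else is denied.
- name: Ensure private directories for TLS certs have correct permissions
  file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: ssl-cert
    # Quoted so the mode is passed as a string and parsed as octal by
    # Ansible, not re-typed by the YAML loader.
    mode: "0710"
  with_items:
    - "/etc/ssl/private"
    - "/etc/letsencrypt/archive/{{ domain }}"
    - "/etc/letsencrypt/live/{{ domain }}"
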
# Records whether a certificate is already present so that the
# placeholder copy below only runs when nothing is there yet and
# never overwrites a certificate that is already installed.
- name: Check for already installed certificate
  stat:
    path: "/etc/letsencrypt/live/{{ domain }}/fullchain.pem"
  register: tls_cert

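# Placeholder certificate so dependent services can start before a
# real certificate exists. Guarded by the stat above so an existing
# fullchain.pem is left untouched.
# NOTE(review): src is keyed on domain_name while dest is keyed on
# domain — confirm both variables are defined and intended to differ.
- name: Install self-signed TLS certificate
  copy:
    src: "../../tls/files/ssl/{{ domain_name }}.pem"
    dest: "/etc/letsencrypt/live/{{ domain }}/fullchain.pem"
    owner: root
    group: ssl-cert
    # Quoted so the mode is passed to Ansible as the string "0640".
    mode: "0640"
  when: not tls_cert.stat.exists
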
# Same pattern as the certificate check: only install the placeholder
# key when no private key is present yet.
- name: Check for already installed key
  stat:
    path: "/etc/letsencrypt/live/{{ domain }}/privkey.pem"
  register: tls_key

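# The private key is shipped from the role's files/ directory, i.e. it
# lives in the repository alongside the playbooks. Anyone with read
# access to the repository holds the key; prefer keeping it out of VCS
# (vault, a secret store, or generating it on the host). Be aware that
# copy can echo file contents in --diff output.
# NOTE(review): src uses domain_name, dest uses domain — confirm this
# is intentional.
- name: Install self-signed TLS certificate key
  copy:
    src: "../../tls/files/ssl/{{ domain_name }}.key"
    dest: "/etc/letsencrypt/live/{{ domain }}/privkey.pem"
    owner: root
    group: ssl-cert
    # Group-readable so ssl-cert members (the services) can load the
    # key; quoted so the mode reaches Ansible as the string "0640".
    mode: "0640"
  when: not tls_key.stat.exists
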
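# Stable paths under /etc/ssl/private that services can be configured
# with, pointing at whatever is currently in the letsencrypt live dir.
# force replaces any existing file at dest with the link.
- name: Install symlinks to TLS certificate and key
  file:
    src: "/etc/letsencrypt/live/{{ item.src }}"
    dest: "/etc/ssl/private/{{ item.dest }}"
    owner: root
    group: ssl-cert
    state: link
    force: true  # canonical boolean; "yes" is a YAML 1.1-only spelling
  with_items:
    - { src: "{{ domain }}/fullchain.pem", dest: "{{ domain }}.pem" }
    - { src: "{{ domain }}/privkey.pem",   dest: "{{ domain }}.key" }
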