
Merge pull request #12 from roles-ansible/systemd

Manage the acmetool systemd service
This commit is contained in:
L3D 2021-09-30 14:45:19 +02:00 committed by GitHub
commit 5ffcd85bb6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 52 additions and 1 deletions


@ -5,5 +5,8 @@ acme_notification_email: 'root@example.org'
acme_reload_services: [] acme_reload_services: []
acme_restart_services: [] acme_restart_services: []
# configure acmetool systemd service
acme_systemd_start_after: 'apache2.service nginx.service'
# should we do a version check? (recomended) # should we do a version check? (recomended)
submodules_versioncheck: false submodules_versioncheck: false
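Review bot: The new `acme_systemd_start_after` default is substituted verbatim into the `After=` line of templates/acmetool.service.j2, and nothing in defaults/main.yml says so; a reader cannot tell whether it takes a YAML list or a string. A comment above it would settle that: `# space-separated systemd unit names, written verbatim into After= of acmetool.service`. The default names apache2 and nginx, while the unit template grants write access only under /etc/nginx; if that asymmetry is intentional, the same comment is the place to say it. The file name of this section is not visible in the rendered page, so the variable's home is inferred from the hunk context.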

handlers/main.yml Normal file

@ -0,0 +1,7 @@
---
- name: systemctl restart acmetool
become: true
ansible.builtin.systemd:
name: 'acmetool.service'
state: 'restarted'
enabled: true
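Review bot: The handler is notified only by the template task that rewrites the unit file, yet it does not pass `daemon_reload: true`; it works today because the task that follows the template in tasks/systemd.yml reloads the daemon before handlers fire, which is an ordering dependency a handler should not rely on. Add `daemon_reload: true` under `ansible.builtin.systemd:` here. Separately, `enabled: true` here and again in tasks/systemd.yml has nothing to act on: templates/acmetool.service.j2 as added in this commit has no `[Install]` section (the hunk's 21 lines are `[Unit]` and `[Service]` plus one blank), so `systemctl enable` either warns or fails depending on the systemd and ansible versions. Either add `[Install]` with `WantedBy=multi-user.target` to the template or drop `enabled: true` from both tasks; for a oneshot unit with no timer, enabling changes nothing anyway.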


@ -6,6 +6,9 @@
- name: install acmetool - name: install acmetool
ansible.builtin.include_tasks: install.yml ansible.builtin.include_tasks: install.yml
- name: configure systemd
ansible.builtin.include_tasks: systemd.yml
- name: configure acmetool - name: configure acmetool
ansible.builtin.include_tasks: configure.yml ansible.builtin.include_tasks: configure.yml
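Review bot: Including systemd.yml before configure.yml means the `state: 'started'` task in tasks/systemd.yml runs `acmetool --batch reconcile` before configure.yml has executed, so on a fresh host the first reconcile runs against whatever configuration happens to exist at that moment. Swapping the two includes, or keeping this include and moving the start into the handler, would let the first reconcile see the finished configuration. Whether configure.yml writes anything reconcile depends on is not visible in this diff, so this is a probable rather than certain ordering bug.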

tasks/systemd.yml Normal file

@ -0,0 +1,17 @@
---
- name: deploy systemd service file
become: true
ansible.builtin.template:
src: 'templates/acmetool.service.j2'
dest: '/lib/systemd/system/acmetool.service'
owner: 'root'
group: 'root'
mode: '0644'
notify: systemctl restart acmetool
- name: force systemd to reread configs and start acmetool
ansible.builtin.systemd:
daemon_reload: true
name: 'acmetool.service'
state: 'started'
enabled: true
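Review bot: The second task ("force systemd to reread configs and start acmetool") has no `become: true`, unlike the template task above it; unless the play itself escalates, `daemon_reload` and starting a system unit will fail for an unprivileged connection user. Add `become: true` to that task so the file is consistent with itself. Separately, `dest: '/lib/systemd/system/acmetool.service'` writes into the directory that distribution packages own; `/etc/systemd/system/` is the conventional location for locally provided units and avoids a clash with, or being overwritten by, a packaged acmetool.service.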


@ -0,0 +1,21 @@
[Unit]
Description=Reconcile Let's Encrypt certificates
Documentation=man:acmetool(8)
After=nss-lookup.target
After={{ acme_systemd_start_after }}
[Service]
Type=oneshot
ExecStart=/usr/bin/acmetool --batch reconcile
TimeoutStartSec=5min
CapabilityBoundingSet=CAP_CHOWN CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ReadWritePaths=/var/lib/acme /run/acme /etc/nginx
ProtectHome=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
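Review bot: `ReadWritePaths=/var/lib/acme /run/acme /etc/nginx` is the only writable allowlist under `ProtectSystem=strict`, yet it is hard-coded while the neighbouring `After=` is templated from `acme_systemd_start_after`, whose default also names apache2. A hook that writes anywhere else fails with a read-only filesystem error that is hard to trace back to this line; templating the list from a role variable with the same defaults would keep the two in step. Whatever the choice, a comment above the line would help the next maintainer: `# writable allowlist under ProtectSystem=strict; must include every path the acme hooks write to`. The unit runs as root with no `User=`, so the `CapabilityBoundingSet`, `NoNewPrivileges` and `Protect*` lines are the whole sandbox; that is worth one comment at the top of `[Service]` as well. The hunk header reports 21 lines but 20 are shown, so the missing line is presumably the blank between sections.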


@ -33,5 +33,5 @@ acmetool__restart_hook:
- 'files' - 'files'
# versionscheck # versionscheck
playbook_version_number: 27 # should be a integer playbook_version_number: 28 # should be a integer
playbook_version_path: 'do1jlr.role-acmetool.version' playbook_version_path: 'do1jlr.role-acmetool.version'