Merge pull request #12 from roles-ansible/systemd
Manage systemd by acmetool
5ffcd85bb6
6 changed files with 52 additions and 1 deletions
|
@ -5,5 +5,8 @@ acme_notification_email: 'root@example.org'
|
||||||
acme_reload_services: []
|
acme_reload_services: []
|
||||||
acme_restart_services: []
|
acme_restart_services: []
|
||||||
|
|
||||||
|
# configure acmetool systemd service
|
||||||
|
acme_systemd_start_after: 'apache2.service nginx.service'
|
||||||
|
|
||||||
# should we do a version check? (recomended)
|
# should we do a version check? (recomended)
|
||||||
submodules_versioncheck: false
|
submodules_versioncheck: false
|
||||||
|
|
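Review bot: `acme_systemd_start_after` is a free-form space-separated string while the neighbouring `acme_reload_services` and `acme_restart_services` are lists, so a user who follows the role's own convention and sets it to a list will get that list's Jinja rendering (`['a', 'b']`) written into the unit file. A list default, `acme_systemd_start_after: ['apache2.service', 'nginx.service']`, joined where it is templated (`After={{ acme_systemd_start_after | join(' ') }}`), keeps the file consistent and cannot produce a malformed `After=` line. The comment above the variable only says "configure acmetool systemd service"; it would help to state what the value is used for, e.g. `# units the acmetool reconcile service is ordered after (After= orders, it does not start them)`. The file header of this section is not shown in this rendering.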
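--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: systemctl restart acmetool
+  become: true
+  ansible.builtin.systemd:
+    name: 'acmetool.service'
+    state: 'restarted'
+    enabled: true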
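Review bot: The handler restarts the unit without `daemon_reload: true`, so a restart after a changed unit file only sees the new file because the separate task in tasks/systemd.yml happens to reload earlier in the same play; add `daemon_reload: true` next to `name:` so the handler is correct on its own. Because the unit is `Type=oneshot`, `state: 'restarted'` re-runs `acmetool --batch reconcile` immediately on every change to the unit file, which is only desirable if an extra reconcile (and the ACME requests it may make) is acceptable; if it is not, a daemon-reload alone is enough, since a oneshot unit has nothing to keep running. `enabled: true` here duplicates the enable in tasks/systemd.yml and can be dropped from the handler.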
|
@ -6,6 +6,9 @@
|
||||||
- name: install acmetool
|
- name: install acmetool
|
||||||
ansible.builtin.include_tasks: install.yml
|
ansible.builtin.include_tasks: install.yml
|
||||||
|
|
||||||
|
- name: configure systemd
|
||||||
|
ansible.builtin.include_tasks: systemd.yml
|
||||||
|
|
||||||
- name: configure acmetool
|
- name: configure acmetool
|
||||||
ansible.builtin.include_tasks: configure.yml
|
ansible.builtin.include_tasks: configure.yml
|
||||||
|
|
||||||
|
|
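Review bot: The new `configure systemd` include runs before `configure acmetool`, and systemd.yml in this commit starts `acmetool.service` with `state: 'started'`, so a oneshot `acmetool --batch reconcile` can fire against whatever configuration exists at that moment; if configure.yml is what writes the acmetool state and hook configuration (not visible here), the first run happens before it. Placing `- name: configure systemd` / `ansible.builtin.include_tasks: systemd.yml` below the `configure.yml` include keeps the install → configure → start order; alternatively keep only the unit deployment here and start the service from a later task. The rest of tasks/main.yml is outside this hunk.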
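--- /dev/null
+++ b/tasks/systemd.yml
@@ -0,0 +1,17 @@
+---
+- name: deploy systemd service file
+  become: true
+  ansible.builtin.template:
+    src: 'templates/acmetool.service.j2'
+    dest: '/lib/systemd/system/acmetool.service'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: systemctl restart acmetool
+
+- name: force systemd to reread configs and start acmetool
+  ansible.builtin.systemd:
+    daemon_reload: true
+    name: 'acmetool.service'
+    state: 'started'
+    enabled: true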
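Review bot: The second task, `force systemd to reread configs and start acmetool`, has no `become: true` although the template task above it and the handler in handlers/main.yml both have it; daemon-reload, start and enable of a system unit need root, so with an unprivileged connection user this task fails. Add `become: true` directly under the task name. The destination `/lib/systemd/system/acmetool.service` is the package-owned unit directory; a unit placed at `/etc/systemd/system/acmetool.service` takes precedence and is not overwritten if a later acmetool package upgrade ships its own unit. Note also that nothing in this commit deploys a timer and the templated unit has no `[Install]` section, so `state: 'started'` runs one reconcile during the play and the next run depends on the distribution package already providing a timer or cron entry, which this role does not check.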
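--- /dev/null
+++ b/templates/acmetool.service.j2
@@ -0,0 +1,21 @@
+[Unit]
+Description=Reconcile Let's Encrypt certificates
+Documentation=man:acmetool(8)
+After=nss-lookup.target
+After={{ acme_systemd_start_after }}
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/acmetool --batch reconcile
+TimeoutStartSec=5min
+CapabilityBoundingSet=CAP_CHOWN CAP_NET_BIND_SERVICE
+NoNewPrivileges=yes
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=strict
+ReadWritePaths=/var/lib/acme /run/acme /etc/nginx
+ProtectHome=yes
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+RestrictRealtime=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6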
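Review bot: The unit has no `[Install]` section (the hunk is the whole file), yet tasks/systemd.yml and the handler set `enabled: true` on it; `systemctl enable` has nothing to hook such a unit into, so either add `[Install]` with `WantedBy=multi-user.target` or drop `enabled` and schedule the oneshot with a timer. `ReadWritePaths=/var/lib/acme /run/acme /etc/nginx` hard-codes an nginx path while the ordering dependencies are templated from `acme_systemd_start_after` (whose default also names apache2); under `ProtectSystem=strict` any hook writing outside these paths fails with a read-only error, so the writable paths are better templated from a variable with a matching default. The hardening set is a good baseline; `ProtectKernelModules=yes`, `RestrictNamespaces=yes` and `LockPersonality=yes` are low-risk additions for a batch reconcile run, and `RestrictSUIDSGID=yes` is worth adding given `CAP_CHOWN` stays in the bounding set. `After={{ acme_systemd_start_after }}` renders an empty variable as a bare `After=`, which systemd treats as a reset, so that case is harmless.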
|
@ -33,5 +33,5 @@ acmetool__restart_hook:
|
||||||
- 'files'
|
- 'files'
|
||||||
|
|
||||||
# versionscheck
|
# versionscheck
|
||||||
playbook_version_number: 27 # should be a integer
|
playbook_version_number: 28 # should be a integer
|
||||||
playbook_version_path: 'do1jlr.role-acmetool.version'
|
playbook_version_path: 'do1jlr.role-acmetool.version'
|
||||||
|
|