
Merge branch 'main' into DO1JLR-patch-1

This commit is contained in:
L3D 2021-09-30 20:58:42 +02:00 committed by GitHub
commit defec1fbb8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 55 additions and 2 deletions


@ -53,7 +53,9 @@ This file is configuring the acmetool behaviour like certificate type, challange
Good to know
--------------
If you are using debian buster, you are probably interested in a more up to date version of acmetool. Have a look at the [do1jlr.acmetool_fix](https://galaxy.ansible.com/do1jlr/acmetool_fix) role, that will install a specific version of acmetool on debian based systems.
+ If you are using debian buster, you are probably interested in a more up to date version of acmetool. Have a look at the [do1jlr.acmetool_fix](https://galaxy.ansible.com/do1jlr/acmetool_fix) role, that will install a specific version of acmetool on debian based systems.
+ To add a domain manually to acmetool run ``acmetool want example.com``
+ To remove a domain manually from acmetool, ``acmetool unwant example.com``
Testing
---------


@ -5,5 +5,8 @@ acme_notification_email: 'root@example.org'
acme_reload_services: []
acme_restart_services: []
# configure acmetool systemd service
acme_systemd_start_after: 'apache2.service nginx.service'
# should we do a version check? (recomended)
submodules_versioncheck: false

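--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: systemctl restart acmetool
+  become: true
+  ansible.builtin.systemd:
+    name: 'acmetool.service'
+    state: 'restarted'
+    enabled: true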
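Review bot: The handler restarts `acmetool.service` without `daemon_reload: true`, so a changed unit file is only picked up because the separate task in tasks/systemd.yml runs `daemon_reload: true` earlier in the same play; if that task is reordered or skipped, the handler restarts the stale unit definition. Adding `daemon_reload: true` under `ansible.builtin.systemd:` makes the handler self-contained. Note also that the unit is `Type=oneshot`, so every restart here runs a full `acmetool --batch reconcile`, which the `state: 'started'` task in tasks/systemd.yml may already have triggered in the same play.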


@ -6,6 +6,9 @@
- name: install acmetool
ansible.builtin.include_tasks: install.yml
- name: configure systemd
ansible.builtin.include_tasks: systemd.yml
- name: configure acmetool
ansible.builtin.include_tasks: configure.yml
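Review bot: `systemd.yml` is included before `configure.yml`, and its second task starts the oneshot unit with `state: 'started'`, so on a fresh host the first `acmetool --batch reconcile` runs before configure.yml has written the acmetool configuration (what configure.yml deploys is not visible here). If reconcile depends on that configuration, include systemd.yml after configure.yml, or restrict the systemd task to `daemon_reload` and `enabled` and leave the start to the handler. The enclosing task list continues outside the hunk.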

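--- a/tasks/systemd.yml
+++ b/tasks/systemd.yml
@@ -0,0 +1,17 @@
+---
+- name: deploy systemd service file
+  become: true
+  ansible.builtin.template:
+    src: 'templates/acmetool.service.j2'
+    dest: '/lib/systemd/system/acmetool.service'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: systemctl restart acmetool
+- name: force systemd to reread configs and start acmetool
+  ansible.builtin.systemd:
+    daemon_reload: true
+    name: 'acmetool.service'
+    state: 'started'
+    enabled: true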
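Review bot: The second task (`force systemd to reread configs and start acmetool`) has no `become: true`, while the template task above it does; when the play runs as an unprivileged remote user, `daemon_reload`, start and enable of a system unit will fail. Add `become: true` directly under that task's `name:` line. Separately, the unit is written to `/lib/systemd/system/acmetool.service`, the package-managed location; if a distribution package of acmetool ships its own unit there, the two overwrite each other on upgrades, whereas `/etc/systemd/system/` is the admin-owned path and takes precedence over `/lib`.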


@ -0,0 +1,21 @@
[Unit]
Description=Reconcile Let's Encrypt certificates
Documentation=man:acmetool(8)
After=nss-lookup.target
After={{ acme_systemd_start_after }}
[Service]
Type=oneshot
ExecStart=/usr/bin/acmetool --batch reconcile
TimeoutStartSec=5min
CapabilityBoundingSet=CAP_CHOWN CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ReadWritePaths=/var/lib/acme /run/acme /etc/nginx
ProtectHome=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
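Review bot: The unit has no `[Install]` section, yet tasks/systemd.yml and the handler both set `enabled: true`; systemd reports such a unit as `static` and `systemctl enable` on it fails with "unit files have no installation config", and how ansible.builtin.systemd treats that varies by version, so `enabled: true` is at best a no-op. Unless the one line the rendered hunk does not show is that section, add `[Install]` followed by `WantedBy=multi-user.target` at the end of the file. Also worth confirming: with `ProtectSystem=strict` the writable set is only `/var/lib/acme /run/acme /etc/nginx`, while the default `acme_systemd_start_after` also lists apache2.service, so a reload hook that writes under an Apache path would be denied inside this sandbox.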


@ -33,5 +33,5 @@ acmetool__restart_hook:
- 'files'
# versionscheck
playbook_version_number: 27 # should be a integer
playbook_version_number: 28 # should be a integer
playbook_version_path: 'do1jlr.role-acmetool.version'