Merge branch 'main' into DO1JLR-patch-1
defec1fbb8
7 changed files with 55 additions and 2 deletions
|
@ -53,7 +53,9 @@ This file is configuring the acmetool behaviour like certificate type, challange
|
|||
|
||||
Good to know
|
||||
--------------
|
||||
If you are using debian buster, you are probably interested in a more up to date version of acmetool. Have a look at the [do1jlr.acmetool_fix](https://galaxy.ansible.com/do1jlr/acmetool_fix) role, that will install a specific version of acmetool on debian based systems.
|
||||
+ If you are using debian buster, you are probably interested in a more up to date version of acmetool. Have a look at the [do1jlr.acmetool_fix](https://galaxy.ansible.com/do1jlr/acmetool_fix) role, that will install a specific version of acmetool on debian based systems.
|
||||
+ To add a domain manually to acmetool run ``acmetool want example.com``
|
||||
+ To remove a domain manually from acmetool, ``acmetool unwant example.com``
|
||||
|
||||
Testing
|
||||
---------
|
||||
|
|
|
@ -5,5 +5,8 @@ acme_notification_email: 'root@example.org'
|
|||
acme_reload_services: []
|
||||
acme_restart_services: []
|
||||
|
||||
# configure acmetool systemd service
|
||||
acme_systemd_start_after: 'apache2.service nginx.service'
|
||||
|
||||
# should we do a version check? (recomended)
|
||||
submodules_versioncheck: false
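Review bot: The comment above the new `acme_systemd_start_after` default only says "configure acmetool systemd service" and does not tell a user what shape the value must have; the template hunk places it verbatim on the `After=` line of acmetool.service, so it has to be a space-separated list of unit names. Replace the comment with `# space-separated unit names placed on the After= line of acmetool.service (templates/acmetool.service.j2)`. It is also worth stating that `After=` only orders startup and does not pull the listed units in, so a host without nginx or apache2 is unaffected by the default.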
|
||||
|
|
7
handlers/main.yml
Normal file
7
handlers/main.yml
Normal file
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
- name: systemctl restart acmetool
|
||||
become: true
|
||||
ansible.builtin.systemd:
|
||||
name: 'acmetool.service'
|
||||
state: 'restarted'
|
||||
enabled: true
|
|
@ -6,6 +6,9 @@
|
|||
- name: install acmetool
|
||||
ansible.builtin.include_tasks: install.yml
|
||||
|
||||
- name: configure systemd
|
||||
ansible.builtin.include_tasks: systemd.yml
|
||||
|
||||
- name: configure acmetool
|
||||
ansible.builtin.include_tasks: configure.yml
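Review bot: Including systemd.yml before configure.yml means the `state: 'started'` task in tasks/systemd.yml runs `acmetool --batch reconcile` before configure.yml has done its work; if configure.yml writes the acmetool configuration, as its name suggests, the first reconcile on a fresh host runs against whatever configuration already exists, or fails outright. Consider moving `ansible.builtin.include_tasks: systemd.yml` after the configure include, or have systemd.yml only install the unit and leave the first start to the `systemctl restart acmetool` handler. The surrounding task list may continue outside the hunk.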
|
||||
|
||||
|
|
17
tasks/systemd.yml
Normal file
17
tasks/systemd.yml
Normal file
|
@ -0,0 +1,17 @@
|
|||
---
|
||||
- name: deploy systemd service file
|
||||
become: true
|
||||
ansible.builtin.template:
|
||||
src: 'templates/acmetool.service.j2'
|
||||
dest: '/lib/systemd/system/acmetool.service'
|
||||
owner: 'root'
|
||||
group: 'root'
|
||||
mode: '0644'
|
||||
notify: systemctl restart acmetool
|
||||
|
||||
- name: force systemd to reread configs and start acmetool
|
||||
ansible.builtin.systemd:
|
||||
daemon_reload: true
|
||||
name: 'acmetool.service'
|
||||
state: 'started'
|
||||
enabled: true
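Review bot: The second task, `force systemd to reread configs and start acmetool`, has no `become: true`, unlike the template task above it and the handler in handlers/main.yml, so unless the whole play already runs as root the daemon-reload, start and enable of a system-scope unit will fail with a permission error. Add `become: true` to that task. A smaller point: the template task notifies `systemctl restart acmetool` and the following task immediately starts the service, so whenever the unit file changes the oneshot reconcile runs twice in one play (here, and again when the handler flushes); if the immediate task exists only to reload systemd, `daemon_reload: true` plus `enabled: true` without `state` avoids the duplicate run.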
|
21
templates/acmetool.service.j2
Normal file
21
templates/acmetool.service.j2
Normal file
|
@ -0,0 +1,21 @@
|
|||
[Unit]
|
||||
Description=Reconcile Let's Encrypt certificates
|
||||
Documentation=man:acmetool(8)
|
||||
After=nss-lookup.target
|
||||
After={{ acme_systemd_start_after }}
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/bin/acmetool --batch reconcile
|
||||
TimeoutStartSec=5min
|
||||
CapabilityBoundingSet=CAP_CHOWN CAP_NET_BIND_SERVICE
|
||||
NoNewPrivileges=yes
|
||||
PrivateTmp=yes
|
||||
PrivateDevices=yes
|
||||
ProtectSystem=strict
|
||||
ReadWritePaths=/var/lib/acme /run/acme /etc/nginx
|
||||
ProtectHome=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectControlGroups=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
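Review bot: The unit has no `[Install]` section, yet tasks/systemd.yml and handlers/main.yml both set `enabled: true` on acmetool.service; `systemctl enable` on a unit with no `WantedBy=`/`RequiredBy=` has nothing to hook and reports that the unit has no installation config, so the enable is either a no-op or, depending on how the Ansible systemd module treats a `static` unit, an error. Either append `[Install]` and `WantedBy=multi-user.target` to the template or drop `enabled: true` from the tasks, and note that as a `Type=oneshot` service with no timer in this commit, enabling it only gives one reconcile at boot, so periodic renewal still depends on a timer or cron entry that is not visible here. Separately, `After={{ acme_systemd_start_after }}` is rendered unquoted and unvalidated, so a value containing a newline would add further directives to the unit; an `ansible.builtin.assert` in systemd.yml that the value contains only unit-name characters and spaces would keep the template honest. The hardening block also hard-codes `/etc/nginx` in `ReadWritePaths=` while the default `After=` and the reload/restart lists mention apache2 as well, so under `ProtectSystem=strict` any hook that writes elsewhere will hit a read-only filesystem; consider making that path list a role variable.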
|
|
@ -33,5 +33,5 @@ acmetool__restart_hook:
|
|||
- 'files'
|
||||
|
||||
# versionscheck
|
||||
playbook_version_number: 27 # should be a integer
|
||||
playbook_version_number: 28 # should be a integer
|
||||
playbook_version_path: 'do1jlr.role-acmetool.version'
|
||||
|
|