jpp/ansible-roles
1
0
Fork 0
mirror of https://git.lapiole.org/dani/ansible-roles.git synced 2025-04-04 12:23:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update to 2022-03-18 15:00

Browse Source
This commit is contained in:
Daniel Berteaud 2022-03-18 15:00:07 +01:00
parent 74ba55223d
commit 897e3c74b4
8 changed files with 50 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
roles/coturn/tasks/main.yml
View File

@ -43,7 +43,7 @@
vars:
- cert_path: /etc/coturn/ssl/cert.pem
- cert_key_path: /etc/coturn/ssl/key.pem
- cert_user: coturn
- cert_key_user: coturn
tags: turn
- name: Deploy dehydrated hook

2
roles/includes/create_selfsigned_cert.yml
View File

@ -21,4 +21,4 @@
creates: "{{ cert_path }}"
- name: Restrict permissions of the private key
file: path={{ cert_key_path }} owner={{ cert_user | default(omit) }} group={{ cert_group | default(omit) }} mode={{ cert_mode | default('600') }}
file: path={{ cert_key_path }} owner={{ cert_key_user | default(omit) }} group={{ cert_key_group | default(omit) }} mode={{ cert_key_mode | default('600') }}

3
roles/letsencrypt/templates/domains.txt.j2
View File

@ -49,3 +49,6 @@
{% endif %}
{% endfor %}
{% endif %}
{% if pg_letsencrypt_cert is defined and pg_letsencrypt_cert is string and pg_letsencrypt_cert not in letsencrypt_certs | default([]) | map(attribute='common_name') %}
{{ pg_letsencrypt_cert }}
{% endif %}

2
roles/nginx/tasks/ssl.yml
View File

@ -3,7 +3,7 @@
vars:
- cert_path: /etc/nginx/ssl/cert.pem
- cert_key_path: /etc/nginx/ssl/key.pem
- cert_user: nginx
- cert_key_user: nginx
tags: web
- name: Create DH param

7
roles/postgresql_server/defaults/main.yml
View File

@ -35,6 +35,9 @@ pg_base_conf:
lc_monetary: fr_FR.UTF-8
lc_numeric: fr_FR.UTF-8
lc_time: fr_FR.UTF-8
ssl_cert_file: /var/lib/pgsql/ssl/server.crt
ssl_key_file: /var/lib/pgsql/ssl/server.key
ssl: "{{ pg_letsencrypt_cert is defined | ternary('on', 'off') }}"
pg_extra_conf: {}
pg_conf: "{{ pg_base_conf | combine(pg_extra_conf, recursive=True) }}"
@ -74,4 +77,6 @@ pg_privs: []
# Databases and roles to remove
pg_databases_to_remove: []
pg_roles_to_remove: []
...
# If defined, a Let's Encrypt cert will be obtained and used
# pg_letsencrypt_cert: postgres.example.org

17
roles/postgresql_server/tasks/main.yml
View File

@ -14,6 +14,23 @@
name: "{{ pg_packages }}"
tags: pg
- name: Create ssl directory
file: path=/var/lib/pgsql/ssl state=directory owner=postgres group=postgres mode=700
tags: pg
- name: Create default self-signed cert
import_tasks: ../includes/create_selfsigned_cert.yml
vars:
- cert_path: /var/lib/pgsql/ssl/server.crt
- cert_key_path: /var/lib/pgsql/ssl/server.key
- cert_key_group: postgres
- cert_key_mode: 0640
tags: pg
- name: Install dehydrated hook
template: src=dehydrated_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/postgresql mode=755
tags: pg
- name: Check if PG_VERSION exists
stat: path=/var/lib/pgsql/{{ (pg_version != 'default') | ternary(pg_version | string + '/','') }}data/PG_VERSION
register: pg_version_file

20
roles/postgresql_server/templates/dehydrated_hook.j2 Normal file
View File

@ -0,0 +1,20 @@
#!/bin/sh
{% if pg_letsencrypt_cert is defined %}
if [ $1 == "{{ pg_letsencrypt_cert }}" ]; then
cp /var/lib/dehydrated/certificates/certs/{{ pg_letsencrypt_cert }}/fullchain.pem /var/lib/pgsql/ssl/server.crt
cp /var/lib/dehydrated/certificates/certs/{{ pg_letsencrypt_cert }}/privkey.pem /var/lib/pgsql/ssl/server.key
chown root:postgres /var/lib/pgsql/ssl/server.key
chown root:root /var/lib/pgsql/ssl/server.crt
chmod 640 /var/lib/pgsql/ssl/server.key
chmod 644 /var/lib/pgsql/ssl/server.crt
systemctl reload postgresql{{ (pg_version != 'default') | ternary('-' + pg_version | string,'') }}
fi
{% else %}
# No Let's Encrypt cert configured, nothing to do
exit 0
{% endif %}

2
roles/rabbitmq_server/tasks/conf.yml
View File

@ -12,7 +12,7 @@
vars:
- cert_path: /etc/rabbitmq/ssl/cert.pem
- cert_key_path: /etc/rabbitmq/ssl/key.pem
- cert_user: rabbitmq
- cert_key_user: rabbitmq
tags: rabbitmq
- name: Check if the cert chain exists