
Set ssl-cert as group of certificates

Daniele Tricoli 2020-09-21 00:56:29 +02:00
parent 404451907e
commit 3ea0ebff7d
2 changed files with 24 additions and 6 deletions


@ -1,14 +1,18 @@
---
- name: install ssl-cert
apt:
name: ssl-cert
state: present
update_cache: true
cache_valid_time: 3600
- name: ensure /var/lib/dehydrated/certs esists for each domain
file:
path: "/var/lib/dehydrated/certs/{{ item.cname }}"
state: directory
owner: root
group: root
mode: "0700"
recurse: true
become: true
group: ssl-cert
mode: 0750
loop: "{{ domains }}"
# It's fine to use rsa:2048 since this role is used only for testing.
@ -20,5 +24,19 @@
-subj "/CN={{ item.cname }}"
cp /var/lib/dehydrated/certs/{{ item.cname }}/fullchain.pem \
/var/lib/dehydrated/certs/{{ item.cname }}/chain.pem
become: true
loop: "{{ domains }}"
- name: find all *.pem files
find:
path: /var/lib/dehydrated/certs/
file_type: file
recurse: true
register: find_result
- name: fix certificates permissions
file:
path: "{{ item.path }}"
owner: root
group: ssl-cert
mode: 0640
with_items: "{{ find_result.files }}"
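Review bot: The new `find all *.pem files` task sets no `patterns`, so with `file_type: file` and `recurse: true` it returns every regular file under /var/lib/dehydrated/certs/, and the `fix certificates permissions` task then sets all of them to owner root, group ssl-cert, mode 0640. If the private keys written by the openssl step sit in the same per-domain directories (the key path is not visible in this hunk), they become readable by every member of ssl-cert. That matches the usual ssl-cert group convention, but it should be a stated choice: add `patterns: "*.pem"` so the task does what its name says, and a comment such as `# key files are intentionally group-readable by ssl-cert`. The new `mode: 0750` and `mode: 0640` are also unquoted, while the neighbouring line uses `mode: "0700"`; writing `mode: "0750"` and `mode: "0640"` avoids relying on the YAML parser's octal handling.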


@ -15,7 +15,7 @@
- {role: ../roles/nftables}
- {role: ../roles/ssh}
- {role: ../roles/fail2ban}
- {role: ../roles/snake_oil_dehydrated}
- {role: ../roles/snake_oil_dehydrated, become: true}
- {role: ../roles/mailserver}
- {role: ../roles/weechat}
# Uncomment to test wikijs role: it's commented since the tarball that we