diff options
author | Christian Pointner <equinox@spreadspace.org> | 2023-08-21 00:38:34 +0200 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2023-08-21 00:38:41 +0200 |
commit | 70e61b9184dfa81a39926e66722ed3c1743a91c3 (patch) | |
tree | 90741e004e19bf8cc9bc3137f7e7764cc64e8a77 /roles/apps/mumble/tasks | |
parent | sk-testvm: prepare mumble for new tls cert roles (diff) |
apps/mumble: add new generic certificate renewal support
Diffstat (limited to 'roles/apps/mumble/tasks')
-rw-r--r-- | roles/apps/mumble/tasks/main.yml | 55 |
1 files changed, 25 insertions, 30 deletions
diff --git a/roles/apps/mumble/tasks/main.yml b/roles/apps/mumble/tasks/main.yml index 5cd1f7a9..b59fb5fc 100644 --- a/roles/apps/mumble/tasks/main.yml +++ b/roles/apps/mumble/tasks/main.yml @@ -1,10 +1,4 @@ --- -- name: check if acme_client is set to acmetool - assert: - msg: "this role currently only works with acmetool" - that: - - mumble_tls.certificate_provider == "acmetool" - - name: add group for mumble group: name: mumble @@ -33,31 +27,32 @@ group: mumble mode: 0644 -- name: install acmetool hook script - template: - src: acmetool-reload.sh.j2 - dest: "/etc/acme/hooks/mumble-{{ mumble_instance }}" - mode: 0755 - -- name: install acmetool systemd unit snippet - copy: - dest: "/etc/systemd/system/acmetool.service.d/mumble-{{ mumble_instance }}.conf" - content: | - [Service] - ReadWritePaths={{ mumble_base_path }}/{{ mumble_instance }}/ssl - register: mumble_acmetool_snippet - -- name: reload systemd - when: mumble_acmetool_snippet is changed - systemd: - daemon_reload: yes - -- name: get certificate using acmetool - import_role: - name: x509/acmetool/cert +- name: generate/install/fetc TLS certificate vars: - acmetool_cert_name: "mumble-{{ mumble_instance }}" - acmetool_cert_hostnames: "{{ mumble_hostnames }}" + x509_certificate_name: "mumble-{{ mumble_instance }}" + x509_certificate_hostnames: "{{ mumble_hostnames }}" + x509_certificate_renewal: + install: + - dest: "{{ mumble_base_path }}/{{ mumble_instance }}/ssl/cert.pem" + src: + - fullchain + owner: root + group: mumble + mode: "0644" + - dest: "{{ mumble_base_path }}/{{ mumble_instance }}/ssl/privkey.pem" + src: + - key + owner: root + group: mumble + mode: "0640" + reload: | + pod_id=$(crictl pods -q --state ready --name "^mumble-{{ mumble_instance }}-{{ ansible_nodename }}$") + [ -n "$pod_id" ] || exit 42 + container_id=$(crictl ps -q --name '^mumble$' -p "$pod_id") + [ -n "$container_id" ] || exit 42 + crictl exec "$container_id" kill -USR1 1 + include_role: + name: "x509/{{ mumble_tls.certificate_provider }}/cert" - name: create mumble data directory file: |