author | Christian Pointner <equinox@spreadspace.org> | 2023-08-22 19:53:49 +0200 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2023-08-22 19:53:49 +0200 |
commit | fc5d0657bfcba53ace230ff2ada64b7fcf9b97a3 (patch) | |
tree | 350a8d401e0113bff7d78aee4d8547cddf06b8f7 /roles/apps/mumble | |
parent | fix docker for debian bookworm+ (diff) | |
parent | some more cleanup for acme specific variables (diff) |
Merge branch 'topic/uacme'
Diffstat (limited to 'roles/apps/mumble')
-rw-r--r-- | roles/apps/mumble/defaults/main.yml | 3 | ||||
-rw-r--r-- | roles/apps/mumble/tasks/main.yml | 49 | ||||
-rw-r--r-- | roles/apps/mumble/templates/acmetool-reload.sh.j2 | 28 |
3 files changed, 28 insertions, 52 deletions
diff --git a/roles/apps/mumble/defaults/main.yml b/roles/apps/mumble/defaults/main.yml
index 627af125..c9cd9db3 100644
--- a/roles/apps/mumble/defaults/main.yml
+++ b/roles/apps/mumble/defaults/main.yml
@@ -14,6 +14,9 @@
 mumble_dhparam_size: 2048
 mumble_timezone: "Europe/Vienna"
+# mumble_tls:
+# certificate_provider: ...
+
 mumble_config_options:
 bonjour: false
 sslCiphers: "ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES256:DHE+AES256:ECDHE+AES128:DHE+AES128:!RSA:!ADH:!AECDH:!MD5"
diff --git a/roles/apps/mumble/tasks/main.yml b/roles/apps/mumble/tasks/main.yml
index 33331dca..5b380725 100644
--- a/roles/apps/mumble/tasks/main.yml
+++ b/roles/apps/mumble/tasks/main.yml
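Review bot: The placeholder comment `# mumble_tls:` / `#   certificate_provider: ...` documents the new variable without saying that it is now mandatory — the task hunk below expands it unconditionally into the role path `x509/{{ mumble_tls.certificate_provider }}/cert`, so an inventory that leaves it out fails at that task with an undefined-variable error. Since this defaults file is the place an operator will look, the comment should state the requirement and the accepted values, e.g. `# mumble_tls.certificate_provider (required): selects the role roles/x509/<provider>/cert` followed by the providers actually present there (presumably acmetool and uacme, given the removed x509/acmetool/cert path and the merged branch name, but that is not visible in this diff).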
@@ -27,31 +27,32 @@
 group: mumble
 mode: 0644
-- name: install acmetool hook script
- template:
- src: acmetool-reload.sh.j2
- dest: "/etc/acme/hooks/mumble-{{ mumble_instance }}"
- mode: 0755
-
-- name: install acmetool systemd unit snippet
- copy:
- dest: "/etc/systemd/system/acmetool.service.d/mumble-{{ mumble_instance }}.conf"
- content: |
- [Service]
- ReadWritePaths={{ mumble_base_path }}/{{ mumble_instance }}/ssl
- register: mumble_acmetool_snippet
-
-- name: reload systemd
- when: mumble_acmetool_snippet is changed
- systemd:
- daemon_reload: yes
-
-- name: get certificate using acmetool
- import_role:
- name: x509/acmetool/cert
+- name: generate/install/fetch TLS certificate
 vars:
- acmetool_cert_name: "mumble-{{ mumble_instance }}"
- acmetool_cert_hostnames: "{{ mumble_hostnames }}"
+ x509_certificate_name: "mumble-{{ mumble_instance }}"
+ x509_certificate_hostnames: "{{ mumble_hostnames }}"
+ x509_certificate_renewal:
+ install:
+ - dest: "{{ mumble_base_path }}/{{ mumble_instance }}/ssl/cert.pem"
+ src:
+ - fullchain
+ owner: root
+ group: mumble
+ mode: "0644"
+ - dest: "{{ mumble_base_path }}/{{ mumble_instance }}/ssl/privkey.pem"
+ src:
+ - key
+ owner: root
+ group: mumble
+ mode: "0640"
+ reload: |
+ pod_id=$(crictl pods -q --state ready --name "^mumble-{{ mumble_instance }}-{{ ansible_nodename }}$")
+ [ -n "$pod_id" ] || exit 42
+ container_id=$(crictl ps -q --name '^mumble$' -p "$pod_id")
+ [ -n "$container_id" ] || exit 42
+ crictl exec "$container_id" kill -USR1 1
+ include_role:
+ name: "x509/{{ mumble_tls.certificate_provider }}/cert"
 - name: create mumble data directory
 file:
diff --git a/roles/apps/mumble/templates/acmetool-reload.sh.j2 b/roles/apps/mumble/templates/acmetool-reload.sh.j2
deleted file mode 100644
index fd9f01ba..00000000
--- a/roles/apps/mumble/templates/acmetool-reload.sh.j2
+++ /dev/null
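Review bot: `include_role: name: "x509/{{ mumble_tls.certificate_provider }}/cert"` dereferences `mumble_tls` with no default and no guard, so a host whose inventory does not set it aborts with a generic undefined-variable error at this task instead of a message naming the new mandatory setting; a preceding `- assert: { that: mumble_tls.certificate_provider is defined, fail_msg: "mumble_tls.certificate_provider must name a role under roles/x509/" }` makes the requirement explicit, and restricting it to the providers that actually exist there (presumably acmetool and uacme) would also keep an arbitrary value out of the role path. The `reload` snippet keeps the acmetool convention of `exit 42` for "nothing to do" when the pod or container is not running; whether the uacme provider's hook wrapper treats 42 the same way or as a failed reload is not visible here and should be confirmed, otherwise a renewal that coincides with a pod restart is reported as an error. The `install` entries (`root:mumble`, key `0640`, chain `0644`) are a sound ownership split. The task list continues outside the hunk on both sides.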
@@ -1,28 +0,0 @@
-#!/bin/sh
-set -e
-EVENT_NAME="$1"
-[ "$EVENT_NAME" = "live-updated" ] || exit 42
-
-MAIN_HOSTNAME="{{ mumble_hostnames[0] }}"
-SSL_D="{{ mumble_base_path }}/{{ mumble_instance }}/ssl"
-
-while read name; do
- certdir="$ACME_STATE_DIR/live/$name"
- if [ -z "$name" -o ! -e "$certdir" ]; then
- continue
- fi
- if [ "$name" != "$MAIN_HOSTNAME" ]; then
- continue
- fi
-
- install -m 0644 -o root -g mumble "$certdir/fullchain" "$SSL_D/cert.pem"
- install -m 0640 -o root -g mumble "$certdir/privkey" "$SSL_D/privkey.pem"
-
- pod_id=$(crictl pods -q --state ready --name "^mumble-{{ mumble_instance }}-{{ ansible_nodename }}$")
- [ -n "$pod_id" ] || exit 42
- container_id=$(crictl ps -q --name '^mumble$' -p "$pod_id")
- [ -n "$container_id" ] || exit 42
- crictl exec "$container_id" kill -USR1 1
-
- break
-done |