-rw-r--r--roles/apps/coturn/tasks/main.yml20
-rw-r--r--roles/apps/coturn/templates/acmetool-reload.sh.j219
-rwxr-xr-xroles/apps/nextcloud/templates/nextcloud-occ.j22
3 files changed, 30 insertions, 11 deletions
diff --git a/roles/apps/coturn/tasks/main.yml b/roles/apps/coturn/tasks/main.yml
index 29a87d6f..132e4847 100644
--- a/roles/apps/coturn/tasks/main.yml
+++ b/roles/apps/coturn/tasks/main.yml
@@ -27,16 +27,17 @@
file:
path: "{{ coturn_base_path }}/{{ coturn_realm }}/config/ssl"
state: directory
- owner: coturn
+ owner: root
group: coturn
- mode: 0700
+ mode: 0750
- name: generate Diffie-Hellman parameters
openssl_dhparam:
path: "{{ coturn_base_path }}/{{ coturn_realm }}/config/ssl/dhparams.pem"
size: "{{ coturn_dhparam_size }}"
- owner: coturn
+ owner: root
group: coturn
+ mode: 0644
- name: install acmetool hook script
template:
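Review bot: The new `mode: 0750` and `mode: 0644` values are unquoted leading-zero octals; Ansible's YAML 1.1 loader reads them as octal, but a YAML 1.2 tool (linters, editors, other parsers of this role) reads `0750` as decimal 750, so writing them as `mode: "0750"` and `mode: "0644"` removes the ambiguity and matches the Ansible documentation. The ownership flip to root with group coturn on the ssl directory and dhparams is the security-relevant part of the hunk and deserves a why-comment, e.g. `# root-owned, group-readable: the coturn container can read key material but not replace it` above the `file:` task, since a reader otherwise sees only an ownership change. The file task on this hunk's first lines starts before the hunk header.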
@@ -44,6 +45,19 @@
dest: "/etc/acme/hooks/coturn-{{ coturn_realm }}"
mode: 0755
+- name: install acmetool systemd unit snippet
+ copy:
+ dest: "/etc/systemd/system/acmetool.service.d/coturn-{{ coturn_realm }}.conf"
+ content: |
+ [Service]
+ ReadWritePaths={{ coturn_base_path }}/{{ coturn_realm }}/config/ssl
+ register: coturn_acmetool_snippet
+
+- name: reload systemd
+ when: coturn_acmetool_snippet is changed
+ systemd:
+ daemon_reload: yes
+
- name: configure nginx vhost
vars:
nginx_vhost:
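Review bot: The `copy` task writing `/etc/systemd/system/acmetool.service.d/coturn-{{ coturn_realm }}.conf` does not create the parent `acmetool.service.d` directory, and `copy` will fail on a host where no earlier task has created it; I cannot see from this hunk whether the acmetool role does, so a `file: state: directory` task ahead of it is the safe form. `daemon_reload: yes` should be the canonical boolean `true` (yamllint `truthy`). A short comment on the snippet, e.g. `# acmetool runs with a restricted filesystem; grant it write access to the realm's ssl dir for the hook`, would explain why a drop-in with `ReadWritePaths=` is needed, assuming that is indeed the reason. The `configure nginx vhost` task continues past the hunk.
```yaml
- name: create acmetool systemd drop-in directory
  file:
    path: /etc/systemd/system/acmetool.service.d
    state: directory
    mode: "0755"

- name: install acmetool systemd unit snippet
  # … unchanged: copy task and register …

- name: reload systemd
  when: coturn_acmetool_snippet is changed
  systemd:
    daemon_reload: true
```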
diff --git a/roles/apps/coturn/templates/acmetool-reload.sh.j2 b/roles/apps/coturn/templates/acmetool-reload.sh.j2
index 70e0b686..1eff1ad3 100644
--- a/roles/apps/coturn/templates/acmetool-reload.sh.j2
+++ b/roles/apps/coturn/templates/acmetool-reload.sh.j2
@@ -5,8 +5,6 @@ EVENT_NAME="$1"
MAIN_HOSTNAME="{{ coturn_hostnames[0] }}"
SSL_D="{{ coturn_base_path }}/{{ coturn_realm }}/config/ssl"
-USER="coturn"
-GROUP="coturn"
while read name; do
certdir="$ACME_STATE_DIR/live/$name"
@@ -17,10 +15,17 @@ while read name; do
continue
fi
- cp "$certdir/fullchain" "$SSL_D/cert.pem"
- cp "$certdir/privkey" "$SSL_D/privkey.pem"
- chown "$USER:$GROUP" "$SSL_D/cert.pem" "$SSL_D/privkey.pem"
- break
+ install -m 0644 -o root -g coturn "$certdir/fullchain" "$SSL_D/cert.pem"
+ install -m 0640 -o root -g coturn "$certdir/privkey" "$SSL_D/privkey.pem"
+
+{% if kubernetes_cri_socket is defined %}
+ export CONTAINER_RUNTIME_ENDPOINT="{{ kubernetes_cri_socket }}"
+{% endif %}
+ pod_id=$(crictl pods -q --state ready --name "^coturn-{{ coturn_realm }}-{{ ansible_nodename }}$")
+ [ -n "$pod_id" ] || exit 42
+ container_id=$(crictl ps -q --name '^coturn$' -p "$pod_id")
+ [ -n "$container_id" ] || exit 42
+ crictl stop "$container_id"
- ## TODO: trigger restart of coturn!!!
+ break
done
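Review bot: The pod and container lookups (`crictl pods …`, `crictl ps …`) run only after the certificate and key have already been installed two lines earlier, so when the pod is not ready the hook exits 42 with a fresh certificate on disk but the old one still loaded in coturn, and nothing is logged about it. At minimum report the condition before exiting, e.g. `[ -n "$pod_id" ] || { echo "coturn pod for {{ coturn_realm }} not ready; certificate installed but not reloaded" >&2; exit 42; }` and the same for `$container_id`; alternatively do the lookup before the `install` calls so the files and the running service change together. A one-line comment above `crictl stop` stating the assumption it relies on, e.g. `# stopping the container relies on the kubelet restart policy to recreate it with the new cert`, would help, as would noting that 42 is presumably acmetool's "not applicable" status rather than an error. The `while read name` loop this hunk lives in begins outside the hunk.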
diff --git a/roles/apps/nextcloud/templates/nextcloud-occ.j2 b/roles/apps/nextcloud/templates/nextcloud-occ.j2
index a79c5335..571aecc4 100755
--- a/roles/apps/nextcloud/templates/nextcloud-occ.j2
+++ b/roles/apps/nextcloud/templates/nextcloud-occ.j2
@@ -13,7 +13,7 @@ set -eu
export CONTAINER_RUNTIME_ENDPOINT="{{ kubernetes_cri_socket }}"
{% endif %}
-pod_id=$(crictl pods -q --state ready --name "$INST_NAME-{{ ansible_nodename }}")
+pod_id=$(crictl pods -q --state ready --name "^nextcloud-$INST_NAME-{{ ansible_nodename }}$")
if [ -z "$pod_id" ]; then echo "Pod not found"; exit 1; fi
container_id=$(crictl ps -q --name '^nextcloud$' -p "$pod_id")
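Review bot: The anchored `^nextcloud-$INST_NAME-{{ ansible_nodename }}$` pattern is an improvement over the unanchored substring match, but `$INST_NAME` is still interpolated into a regex unescaped, so an instance name containing `.` or other metacharacters would match more loosely than intended; if instance names are constrained elsewhere in the role (I cannot tell from this hunk) that is acceptable but worth stating. A comment such as `# crictl --name is a regex; pod names are nextcloud-<instance>-<node>` above the lookup would document both the naming scheme and why the anchors matter.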