Diffstat (limited to 'roles/apps')
-rw-r--r--roles/apps/bluespice/tasks/main.yml3
-rw-r--r--roles/apps/collabora/code/tasks/main.yml12
-rw-r--r--roles/apps/collabora/code/tasks/nginx-vhost.yml17
-rw-r--r--roles/apps/collabora/code/templates/nginx-vhost.conf.j2153
-rw-r--r--roles/apps/coturn/defaults/main.yml5
-rw-r--r--roles/apps/coturn/tasks/main.yml59
-rw-r--r--roles/apps/coturn/templates/acmetool-reload.sh.j228
-rw-r--r--roles/apps/coturn/templates/nginx-vhost.conf.j227
-rw-r--r--roles/apps/etherpad-lite/tasks/main.yml13
-rw-r--r--roles/apps/etherpad-lite/tasks/nginx-vhost.yml16
-rw-r--r--roles/apps/etherpad-lite/templates/nginx-vhost.conf.j288
-rw-r--r--roles/apps/jitsi/meet/tasks/main.yml3
-rw-r--r--roles/apps/keycloak/tasks/main.yml3
-rw-r--r--roles/apps/mumble/defaults/main.yml3
-rw-r--r--roles/apps/mumble/tasks/main.yml49
-rw-r--r--roles/apps/mumble/templates/acmetool-reload.sh.j228
-rw-r--r--roles/apps/nextcloud/tasks/main.yml3
-rw-r--r--roles/apps/onlyoffice/tasks/main.yml3
-rw-r--r--roles/apps/pigallery2/tasks/main.yml3
-rw-r--r--roles/apps/wikijs/tasks/main.yml3
20 files changed, 215 insertions, 304 deletions
diff --git a/roles/apps/bluespice/tasks/main.yml b/roles/apps/bluespice/tasks/main.yml
index 899d1e1d..49ef2418 100644
--- a/roles/apps/bluespice/tasks/main.yml
+++ b/roles/apps/bluespice/tasks/main.yml
@@ -49,7 +49,8 @@
nginx_vhost:
name: "bluespice-{{ item.key }}"
template: generic
- acme: true
+ tls:
+ certificate_provider: "{{ acme_client }}"
hostnames:
- "{{ item.value.hostname }}"
locations:
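Review bot: The new `tls.certificate_provider` is hard-wired to the global `acme_client` here, whereas the coturn and mumble roles in the same commit read the provider from a per-role `coturn_tls` / `mumble_tls` variable, so an operator cannot choose a different provider for a single app vhost without editing the role. `acme_client` is not defined anywhere in this diff, so presumably it comes from inventory or a group default; a comment such as `# acme_client: default certificate provider, presumably set in inventory` next to the first use would document that dependency. The same hard-coded `acme_client` appears in the jitsi-meet, keycloak, nextcloud, onlyoffice, pigallery2 and wikijs hunks and in the new collabora and etherpad-lite nginx-vhost.yml files. The enclosing task starts before this hunk.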
diff --git a/roles/apps/collabora/code/tasks/main.yml b/roles/apps/collabora/code/tasks/main.yml
index db28bb65..84efec5c 100644
--- a/roles/apps/collabora/code/tasks/main.yml
+++ b/roles/apps/collabora/code/tasks/main.yml
@@ -45,16 +45,8 @@
include_role:
name: kubernetes/standalone/pod
-- name: configure nginx vhost
+- name: install nginx vhost config
loop: "{{ collabora_code_instances | dict2items }}"
loop_control:
label: "{{ item.key }}"
- vars:
- nginx_vhost:
- name: "collabora-code-{{ item.key }}"
- content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}"
- acme: true
- hostnames:
- - "{{ item.value.hostname }}"
- include_role:
- name: nginx/vhost
+ include_tasks: nginx-vhost.yml
diff --git a/roles/apps/collabora/code/tasks/nginx-vhost.yml b/roles/apps/collabora/code/tasks/nginx-vhost.yml
new file mode 100644
index 00000000..afd8f1e0
--- /dev/null
+++ b/roles/apps/collabora/code/tasks/nginx-vhost.yml
@@ -0,0 +1,17 @@
+---
+- name: render nginx-vhost custom config
+ set_fact:
+ collabora_code_nginx_vhost_custom: "{{ lookup('template', 'nginx-vhost.conf.j2') }}"
+
+- name: configure nginx vhost
+ vars:
+ nginx_vhost:
+ name: "collabora-code-{{ item.key }}"
+ template: generic
+ tls:
+ certificate_provider: "{{ acme_client }}"
+ hostnames:
+ - "{{ item.value.hostname }}"
+ custom: "{{ collabora_code_nginx_vhost_custom }}"
+ include_role:
+ name: nginx/vhost
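Review bot: The reason for rendering the template into `collabora_code_nginx_vhost_custom` with `set_fact` before `include_role`, instead of putting the lookup straight into `nginx_vhost.custom` as the old `content:` did, is not stated; presumably the lookup has to run while this role's `templates/` directory is the search path and `item` is in scope, because `include_role` vars are evaluated lazily inside nginx/vhost. A one-line comment above the first task, e.g. `# render here so the template resolves relative to this role, not nginx/vhost`, would keep the next maintainer from folding it back into the vars block. Note that `set_fact` leaves the rendered nginx config as a persistent host fact that is overwritten on every loop iteration, so it must not be read outside this file. The same applies to etherpad-lite's new nginx-vhost.yml.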
diff --git a/roles/apps/collabora/code/templates/nginx-vhost.conf.j2 b/roles/apps/collabora/code/templates/nginx-vhost.conf.j2
index d56d77a0..67502e20 100644
--- a/roles/apps/collabora/code/templates/nginx-vhost.conf.j2
+++ b/roles/apps/collabora/code/templates/nginx-vhost.conf.j2
@@ -1,124 +1,99 @@
-server {
- listen 80;
- listen [::]:80;
- server_name {{ item.value.hostname }};
+client_max_body_size 128M;
- include snippets/acmetool.conf;
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name {{ item.value.hostname }};
-
- include snippets/acmetool.conf;
- include snippets/tls.conf;
- ssl_certificate /var/lib/acme/live/{{ item.value.hostname }}/fullchain;
- ssl_certificate_key /var/lib/acme/live/{{ item.value.hostname }}/privkey;
- include snippets/hsts.conf;
-
-
- client_max_body_size 128M;
-
- # static files
+# static files
{% if item.value.version | collabora_code_loolvcool %}
- location ^~ /loleaflet {
+location ^~ /loleaflet {
{% else %}
- location ^~ /browser {
+location ^~ /browser {
{% endif %}
- include snippets/proxy-nobuff.conf;
- include snippets/proxy-forward-headers.conf;
+ include snippets/proxy-nobuff.conf;
+ include snippets/proxy-forward-headers.conf;
- proxy_set_header Host $http_host;
- proxy_pass http://127.0.0.1:{{ item.value.port }};
+ proxy_set_header Host $http_host;
+ proxy_pass http://127.0.0.1:{{ item.value.port }};
- proxy_redirect http://$host/ https://$host/;
- proxy_redirect http://$host:9980/ https://$host/;
- }
+ proxy_redirect http://$host/ https://$host/;
+ proxy_redirect http://$host:9980/ https://$host/;
+}
- # WOPI discovery URL
- location ^~ /hosting/discovery {
- include snippets/proxy-nobuff.conf;
- include snippets/proxy-forward-headers.conf;
+# WOPI discovery URL
+location ^~ /hosting/discovery {
+ include snippets/proxy-nobuff.conf;
+ include snippets/proxy-forward-headers.conf;
- proxy_set_header Host $http_host;
- proxy_pass http://127.0.0.1:{{ item.value.port }};
+ proxy_set_header Host $http_host;
+ proxy_pass http://127.0.0.1:{{ item.value.port }};
- proxy_redirect http://$host/ https://$host/;
- proxy_redirect http://$host:9980/ https://$host/;
- }
+ proxy_redirect http://$host/ https://$host/;
+ proxy_redirect http://$host:9980/ https://$host/;
+}
- # Capabilities
- location ^~ /hosting/capabilities {
- include snippets/proxy-nobuff.conf;
- include snippets/proxy-forward-headers.conf;
+# Capabilities
+location ^~ /hosting/capabilities {
+ include snippets/proxy-nobuff.conf;
+ include snippets/proxy-forward-headers.conf;
- proxy_set_header Host $http_host;
- proxy_pass http://127.0.0.1:{{ item.value.port }};
+ proxy_set_header Host $http_host;
+ proxy_pass http://127.0.0.1:{{ item.value.port }};
- proxy_redirect http://$host/ https://$host/;
- proxy_redirect http://$host:9980/ https://$host/;
- }
+ proxy_redirect http://$host/ https://$host/;
+ proxy_redirect http://$host:9980/ https://$host/;
+}
- # main websocket
+# main websocket
{% if item.value.version | collabora_code_loolvcool %}
- location ~ ^/lool/(.*)/ws$ {
+location ~ ^/lool/(.*)/ws$ {
{% else %}
- location ~ ^/cool/(.*)/ws$ {
+location ~ ^/cool/(.*)/ws$ {
{% endif %}
- include snippets/proxy-nobuff.conf;
- include snippets/proxy-forward-headers.conf;
+ include snippets/proxy-nobuff.conf;
+ include snippets/proxy-forward-headers.conf;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
- proxy_read_timeout 36000s;
+ proxy_read_timeout 36000s;
- proxy_set_header Host $http_host;
- proxy_pass http://127.0.0.1:{{ item.value.port }};
+ proxy_set_header Host $http_host;
+ proxy_pass http://127.0.0.1:{{ item.value.port }};
- proxy_redirect http://$host/ https://$host/;
- proxy_redirect http://$host:9980/ https://$host/;
- }
+ proxy_redirect http://$host/ https://$host/;
+ proxy_redirect http://$host:9980/ https://$host/;
+}
- # download, presentation and image upload
+# download, presentation and image upload
{% if item.value.version | collabora_code_loolvcool %}
- location ~ ^/lool {
+location ~ ^/lool {
{% else %}
- location ~ ^/(c|l)ool {
+location ~ ^/(c|l)ool {
{% endif %}
- include snippets/proxy-nobuff.conf;
- include snippets/proxy-forward-headers.conf;
+ include snippets/proxy-nobuff.conf;
+ include snippets/proxy-forward-headers.conf;
- proxy_set_header Host $http_host;
- proxy_pass http://127.0.0.1:{{ item.value.port }};
+ proxy_set_header Host $http_host;
+ proxy_pass http://127.0.0.1:{{ item.value.port }};
- proxy_redirect http://$host/ https://$host/;
- proxy_redirect http://$host:9980/ https://$host/;
- }
+ proxy_redirect http://$host/ https://$host/;
+ proxy_redirect http://$host:9980/ https://$host/;
+}
- # Admin Console websocket
+# Admin Console websocket
{% if item.value.version | collabora_code_loolvcool %}
- location ^~ /lool/adminws {
+location ^~ /lool/adminws {
{% else %}
- location ^~ /cool/adminws {
+location ^~ /cool/adminws {
{% endif %}
- include snippets/proxy-nobuff.conf;
- include snippets/proxy-forward-headers.conf;
+ include snippets/proxy-nobuff.conf;
+ include snippets/proxy-forward-headers.conf;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
- proxy_read_timeout 36000s;
+ proxy_read_timeout 36000s;
- proxy_set_header Host $http_host;
- proxy_pass http://127.0.0.1:{{ item.value.port }};
+ proxy_set_header Host $http_host;
+ proxy_pass http://127.0.0.1:{{ item.value.port }};
- proxy_redirect http://$host/ https://$host/;
- proxy_redirect http://$host:9980/ https://$host/;
- }
+ proxy_redirect http://$host/ https://$host/;
+ proxy_redirect http://$host:9980/ https://$host/;
}
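Review bot: With the two `server {}` blocks removed, the `include snippets/tls.conf`, `include snippets/hsts.conf` and the port-80 to https redirect this template used to carry are now expected to come from the `generic` vhost template, which is outside this diff; confirm it emits HSTS and the redirect for vhosts that use `custom`, otherwise this change silently weakens the Collabora endpoint. `client_max_body_size 128M;` on the first line of the new file is a server-level directive, so the generic template must splice `custom` inside the 443 server block rather than at http level. The `/cool/adminws` and `/lool/adminws` Admin Console websocket locations are still proxied to every client with no `allow`/`deny`; that is not new to this commit, but the move to a shared template is a good moment to decide whether they belong in a public vhost or should be restricted. The etherpad-lite template hunk has the same dependency on the generic template.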
diff --git a/roles/apps/coturn/defaults/main.yml b/roles/apps/coturn/defaults/main.yml
index 842e7f05..760a6499 100644
--- a/roles/apps/coturn/defaults/main.yml
+++ b/roles/apps/coturn/defaults/main.yml
@@ -3,7 +3,7 @@ coturn_uid: 930
coturn_gid: 930
coturn_base_path: /srv/coturn
-# coturn_version: 4.5.2-r2
+# coturn_version: 4.6.2-r4
# coturn_realm: example.com
# coturn_hostnames:
# - stun.example.com
@@ -17,6 +17,9 @@ coturn_threads: 0
coturn_dhparam_size: 2048
+# coturn_tls:
+# certificate_provider: ...
+
coturn_listening_port: 3478
coturn_tls_listening_port: 5349
diff --git a/roles/apps/coturn/tasks/main.yml b/roles/apps/coturn/tasks/main.yml
index 42ccd2b3..4e5adbd5 100644
--- a/roles/apps/coturn/tasks/main.yml
+++ b/roles/apps/coturn/tasks/main.yml
@@ -39,43 +39,52 @@
group: coturn
mode: 0644
-- name: install acmetool hook script
- template:
- src: acmetool-reload.sh.j2
- dest: "/etc/acme/hooks/coturn-{{ coturn_realm }}"
- mode: 0755
-
-- name: install acmetool systemd unit snippet
- copy:
- dest: "/etc/systemd/system/acmetool.service.d/coturn-{{ coturn_realm }}.conf"
- content: |
- [Service]
- ReadWritePaths={{ coturn_base_path }}/{{ coturn_realm }}/config/ssl
- register: coturn_acmetool_snippet
-
-- name: reload systemd
- when: coturn_acmetool_snippet is changed
- systemd:
- daemon_reload: yes
+- name: compute certificate renewal config
+ set_fact:
+ coturn_certificate_renewal:
+ install:
+ - dest: "{{ coturn_base_path }}/{{ coturn_realm }}/config/ssl/cert.pem"
+ src:
+ - fullchain
+ owner: root
+ group: coturn
+ mode: "0644"
+ - dest: "{{ coturn_base_path }}/{{ coturn_realm }}/config/ssl/privkey.pem"
+ src:
+ - key
+ owner: root
+ group: coturn
+ mode: "0640"
+ reload: |
+ pod_id=$(crictl pods -q --state ready --name "^coturn-{{ coturn_realm }}-{{ ansible_nodename }}$")
+ [ -n "$pod_id" ] || exit 42
+ container_id=$(crictl ps -q --name '^coturn$' -p "$pod_id")
+ [ -n "$container_id" ] || exit 42
+ crictl stop "$container_id"
- name: configure nginx vhost
when: coturn_install_nginx_vhost
vars:
nginx_vhost:
name: "coturn-{{ coturn_realm }}"
- content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}"
- acme: true
+ template: generic
+ tls: "{{ coturn_tls }}"
hostnames: "{{ coturn_hostnames }}"
+ locations:
+ '/':
+ return: "404"
+ x509_certificate_renewal: "{{ coturn_certificate_renewal }}"
include_role:
name: nginx/vhost
-- name: get certificate using acmetool
+- name: generate/install/fetch TLS certificate
when: not coturn_install_nginx_vhost
- import_role:
- name: x509/acmetool/cert
vars:
- acmetool_cert_name: "coturn-{{ coturn_realm }}"
- acmetool_cert_hostnames: "{{ coturn_hostnames }}"
+ x509_certificate_name: "coturn-{{ coturn_realm }}"
+ x509_certificate_hostnames: "{{ coturn_hostnames }}"
+ x509_certificate_renewal: "{{ coturn_certificate_renewal }}"
+ include_role:
+ name: "x509/{{ coturn_tls.certificate_provider }}/cert"
- name: install pod manifest
vars:
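Review bot: `coturn_tls.certificate_provider` is dereferenced unconditionally in the `include_role` name and in `tls: "{{ coturn_tls }}"`, but `coturn_tls` has no default — defaults/main.yml only gains a commented-out `# coturn_tls:` stanza — so a host that worked with the old `acme: true` now fails with an undefined-variable error unless the inventory is updated first. Either give it the provider the app roles use, `coturn_tls: {certificate_provider: "{{ acme_client }}"}`, or add an `assert` that `coturn_tls.certificate_provider is defined` with a readable `fail_msg` ahead of these tasks; the mumble hunk has the identical gap with `mumble_tls`. The `reload` script keeps `exit 42` from the old acmetool hook, where 42 meant "not applicable to this hook"; confirm the new x509 renewal runner treats 42 as a no-op rather than a failure, and add `# exit 42: pod not running on this node, nothing to reload` so the magic number is explained. Installing `privkey.pem` as root:coturn with mode `"0640"` is the right least-privilege choice and the quoted mode avoids the YAML octal trap.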
diff --git a/roles/apps/coturn/templates/acmetool-reload.sh.j2 b/roles/apps/coturn/templates/acmetool-reload.sh.j2
deleted file mode 100644
index 08530583..00000000
--- a/roles/apps/coturn/templates/acmetool-reload.sh.j2
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/sh
-set -e
-EVENT_NAME="$1"
-[ "$EVENT_NAME" = "live-updated" ] || exit 42
-
-MAIN_HOSTNAME="{{ coturn_hostnames[0] }}"
-SSL_D="{{ coturn_base_path }}/{{ coturn_realm }}/config/ssl"
-
-while read name; do
- certdir="$ACME_STATE_DIR/live/$name"
- if [ -z "$name" -o ! -e "$certdir" ]; then
- continue
- fi
- if [ "$name" != "$MAIN_HOSTNAME" ]; then
- continue
- fi
-
- install -m 0644 -o root -g coturn "$certdir/fullchain" "$SSL_D/cert.pem"
- install -m 0640 -o root -g coturn "$certdir/privkey" "$SSL_D/privkey.pem"
-
- pod_id=$(crictl pods -q --state ready --name "^coturn-{{ coturn_realm }}-{{ ansible_nodename }}$")
- [ -n "$pod_id" ] || exit 42
- container_id=$(crictl ps -q --name '^coturn$' -p "$pod_id")
- [ -n "$container_id" ] || exit 42
- crictl stop "$container_id"
-
- break
-done
diff --git a/roles/apps/coturn/templates/nginx-vhost.conf.j2 b/roles/apps/coturn/templates/nginx-vhost.conf.j2
deleted file mode 100644
index 0639fbe1..00000000
--- a/roles/apps/coturn/templates/nginx-vhost.conf.j2
+++ /dev/null
@@ -1,27 +0,0 @@
-server {
- listen 80;
- listen [::]:80;
- server_name {{ coturn_hostnames | join(' ') }};
-
- include snippets/acmetool.conf;
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name {{ coturn_hostnames | join(' ') }};
-
- include snippets/acmetool.conf;
- include snippets/tls.conf;
- ssl_certificate /var/lib/acme/live/{{ coturn_hostnames[0] }}/fullchain;
- ssl_certificate_key /var/lib/acme/live/{{ coturn_hostnames[0] }}/privkey;
- include snippets/hsts.conf;
-
- location / {
- return 404;
- }
-}
diff --git a/roles/apps/etherpad-lite/tasks/main.yml b/roles/apps/etherpad-lite/tasks/main.yml
index 072a6c09..a3b167a8 100644
--- a/roles/apps/etherpad-lite/tasks/main.yml
+++ b/roles/apps/etherpad-lite/tasks/main.yml
@@ -108,13 +108,8 @@
include_role:
name: kubernetes/standalone/pod
-- name: configure nginx vhost
+- name: install nginx vhost config
loop: "{{ etherpad_lite_instances | dict2items }}"
- vars:
- nginx_vhost:
- name: "etherpad-lite-{{ item.key }}"
- content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}"
- acme: true
- hostnames: "{{ item.value.hostnames }}"
- include_role:
- name: nginx/vhost
+ loop_control:
+ label: "{{ item.key }}"
+ include_tasks: nginx-vhost.yml
diff --git a/roles/apps/etherpad-lite/tasks/nginx-vhost.yml b/roles/apps/etherpad-lite/tasks/nginx-vhost.yml
new file mode 100644
index 00000000..91c8b54d
--- /dev/null
+++ b/roles/apps/etherpad-lite/tasks/nginx-vhost.yml
@@ -0,0 +1,16 @@
+---
+- name: render nginx-vhost custom config
+ set_fact:
+ etherpad_lite_nginx_vhost_custom: "{{ lookup('template', 'nginx-vhost.conf.j2') }}"
+
+- name: configure nginx vhost
+ vars:
+ nginx_vhost:
+ name: "etherpad-lite-{{ item.key }}"
+ template: generic
+ tls:
+ certificate_provider: "{{ acme_client }}"
+ hostnames: "{{ item.value.hostnames }}"
+ custom: "{{ etherpad_lite_nginx_vhost_custom }}"
+ include_role:
+ name: nginx/vhost
diff --git a/roles/apps/etherpad-lite/templates/nginx-vhost.conf.j2 b/roles/apps/etherpad-lite/templates/nginx-vhost.conf.j2
index b59701fc..209a81c0 100644
--- a/roles/apps/etherpad-lite/templates/nginx-vhost.conf.j2
+++ b/roles/apps/etherpad-lite/templates/nginx-vhost.conf.j2
@@ -1,57 +1,33 @@
-server {
- listen 80;
- listen [::]:80;
- server_name {{ item.value.hostnames | join(' ') }};
-
- include snippets/acmetool.conf;
-
- location / {
- return 301 https://$host$request_uri;
- }
-}
-
-server {
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name {{ item.value.hostnames | join(' ') }};
-
- include snippets/acmetool.conf;
- include snippets/tls.conf;
- ssl_certificate /var/lib/acme/live/{{ item.value.hostnames[0] }}/fullchain;
- ssl_certificate_key /var/lib/acme/live/{{ item.value.hostnames[0] }}/privkey;
- include snippets/hsts.conf;
-
- location / {
- rewrite ^/$ / break;
- rewrite ^/locales/(.*) /locales/$1 break;
- rewrite ^/locales.json /locales.json break;
- rewrite ^/admin(.*) /admin$1 break;
- rewrite ^/p/(.*) /p/$1 break;
- rewrite ^/static/(.*) /static/$1 break;
- rewrite ^/pluginfw/(.*) /pluginfw/$1 break;
- rewrite ^/javascripts/(.*) /javascripts/$1 break;
- rewrite ^/socket.io/(.*) /socket.io/$1 break;
- rewrite ^/ep/(.*) /ep/$1 break;
- rewrite ^/minified/(.*) /minified/$1 break;
- rewrite ^/api/(.*) /api/$1 break;
- rewrite ^/ro/(.*) /ro/$1 break;
- rewrite ^/error/(.*) /error/$1 break;
- rewrite ^/jserror(.*) /jserror$1 break;
- rewrite ^/redirect(.*) /redirect$1 break;
- rewrite /favicon.ico /favicon.ico break;
- rewrite /robots.txt /robots.txt break;
- rewrite /(.*) /p/$1;
-
- include snippets/proxy-nobuff.conf;
-
- proxy_set_header Host $host;
- include snippets/proxy-forward-headers.conf;
- proxy_pass_header Server;
-
- # for websockets
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
-
- proxy_pass http://127.0.0.1:{{ item.value.port }};
- }
+location / {
+ rewrite ^/$ / break;
+ rewrite ^/locales/(.*) /locales/$1 break;
+ rewrite ^/locales.json /locales.json break;
+ rewrite ^/admin(.*) /admin$1 break;
+ rewrite ^/p/(.*) /p/$1 break;
+ rewrite ^/static/(.*) /static/$1 break;
+ rewrite ^/pluginfw/(.*) /pluginfw/$1 break;
+ rewrite ^/javascripts/(.*) /javascripts/$1 break;
+ rewrite ^/socket.io/(.*) /socket.io/$1 break;
+ rewrite ^/ep/(.*) /ep/$1 break;
+ rewrite ^/minified/(.*) /minified/$1 break;
+ rewrite ^/api/(.*) /api/$1 break;
+ rewrite ^/ro/(.*) /ro/$1 break;
+ rewrite ^/error/(.*) /error/$1 break;
+ rewrite ^/jserror(.*) /jserror$1 break;
+ rewrite ^/redirect(.*) /redirect$1 break;
+ rewrite /favicon.ico /favicon.ico break;
+ rewrite /robots.txt /robots.txt break;
+ rewrite /(.*) /p/$1;
+
+ include snippets/proxy-nobuff.conf;
+
+ proxy_set_header Host $host;
+ include snippets/proxy-forward-headers.conf;
+ proxy_pass_header Server;
+
+ # for websockets
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ proxy_pass http://127.0.0.1:{{ item.value.port }};
}
diff --git a/roles/apps/jitsi/meet/tasks/main.yml b/roles/apps/jitsi/meet/tasks/main.yml
index eff8232b..1d55fc78 100644
--- a/roles/apps/jitsi/meet/tasks/main.yml
+++ b/roles/apps/jitsi/meet/tasks/main.yml
@@ -151,7 +151,8 @@
nginx_vhost:
name: "jitsi-meet-{{ jitsi_meet_inst_name }}"
template: generic
- acme: true
+ tls:
+ certificate_provider: "{{ acme_client }}"
hostnames:
- "{{ jitsi_meet_hostname }}"
locations: "{{ nginx_vhost_locations_base | combine(nginx_vhost_locations_streamui) }}"
diff --git a/roles/apps/keycloak/tasks/main.yml b/roles/apps/keycloak/tasks/main.yml
index 68806458..c3e93666 100644
--- a/roles/apps/keycloak/tasks/main.yml
+++ b/roles/apps/keycloak/tasks/main.yml
@@ -96,7 +96,8 @@
nginx_vhost:
name: "keycloak-{{ item.key }}"
template: generic
- acme: true
+ tls:
+ certificate_provider: "{{ acme_client }}"
hostnames:
- "{{ item.value.hostname }}"
locations:
diff --git a/roles/apps/mumble/defaults/main.yml b/roles/apps/mumble/defaults/main.yml
index 627af125..c9cd9db3 100644
--- a/roles/apps/mumble/defaults/main.yml
+++ b/roles/apps/mumble/defaults/main.yml
@@ -14,6 +14,9 @@ mumble_dhparam_size: 2048
mumble_timezone: "Europe/Vienna"
+# mumble_tls:
+# certificate_provider: ...
+
mumble_config_options:
bonjour: false
sslCiphers: "ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES256:DHE+AES256:ECDHE+AES128:DHE+AES128:!RSA:!ADH:!AECDH:!MD5"
diff --git a/roles/apps/mumble/tasks/main.yml b/roles/apps/mumble/tasks/main.yml
index 33331dca..5b380725 100644
--- a/roles/apps/mumble/tasks/main.yml
+++ b/roles/apps/mumble/tasks/main.yml
@@ -27,31 +27,32 @@
group: mumble
mode: 0644
-- name: install acmetool hook script
- template:
- src: acmetool-reload.sh.j2
- dest: "/etc/acme/hooks/mumble-{{ mumble_instance }}"
- mode: 0755
-
-- name: install acmetool systemd unit snippet
- copy:
- dest: "/etc/systemd/system/acmetool.service.d/mumble-{{ mumble_instance }}.conf"
- content: |
- [Service]
- ReadWritePaths={{ mumble_base_path }}/{{ mumble_instance }}/ssl
- register: mumble_acmetool_snippet
-
-- name: reload systemd
- when: mumble_acmetool_snippet is changed
- systemd:
- daemon_reload: yes
-
-- name: get certificate using acmetool
- import_role:
- name: x509/acmetool/cert
+- name: generate/install/fetch TLS certificate
vars:
- acmetool_cert_name: "mumble-{{ mumble_instance }}"
- acmetool_cert_hostnames: "{{ mumble_hostnames }}"
+ x509_certificate_name: "mumble-{{ mumble_instance }}"
+ x509_certificate_hostnames: "{{ mumble_hostnames }}"
+ x509_certificate_renewal:
+ install:
+ - dest: "{{ mumble_base_path }}/{{ mumble_instance }}/ssl/cert.pem"
+ src:
+ - fullchain
+ owner: root
+ group: mumble
+ mode: "0644"
+ - dest: "{{ mumble_base_path }}/{{ mumble_instance }}/ssl/privkey.pem"
+ src:
+ - key
+ owner: root
+ group: mumble
+ mode: "0640"
+ reload: |
+ pod_id=$(crictl pods -q --state ready --name "^mumble-{{ mumble_instance }}-{{ ansible_nodename }}$")
+ [ -n "$pod_id" ] || exit 42
+ container_id=$(crictl ps -q --name '^mumble$' -p "$pod_id")
+ [ -n "$container_id" ] || exit 42
+ crictl exec "$container_id" kill -USR1 1
+ include_role:
+ name: "x509/{{ mumble_tls.certificate_provider }}/cert"
- name: create mumble data directory
file:
diff --git a/roles/apps/mumble/templates/acmetool-reload.sh.j2 b/roles/apps/mumble/templates/acmetool-reload.sh.j2
deleted file mode 100644
index fd9f01ba..00000000
--- a/roles/apps/mumble/templates/acmetool-reload.sh.j2
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/sh
-set -e
-EVENT_NAME="$1"
-[ "$EVENT_NAME" = "live-updated" ] || exit 42
-
-MAIN_HOSTNAME="{{ mumble_hostnames[0] }}"
-SSL_D="{{ mumble_base_path }}/{{ mumble_instance }}/ssl"
-
-while read name; do
- certdir="$ACME_STATE_DIR/live/$name"
- if [ -z "$name" -o ! -e "$certdir" ]; then
- continue
- fi
- if [ "$name" != "$MAIN_HOSTNAME" ]; then
- continue
- fi
-
- install -m 0644 -o root -g mumble "$certdir/fullchain" "$SSL_D/cert.pem"
- install -m 0640 -o root -g mumble "$certdir/privkey" "$SSL_D/privkey.pem"
-
- pod_id=$(crictl pods -q --state ready --name "^mumble-{{ mumble_instance }}-{{ ansible_nodename }}$")
- [ -n "$pod_id" ] || exit 42
- container_id=$(crictl ps -q --name '^mumble$' -p "$pod_id")
- [ -n "$container_id" ] || exit 42
- crictl exec "$container_id" kill -USR1 1
-
- break
-done
diff --git a/roles/apps/nextcloud/tasks/main.yml b/roles/apps/nextcloud/tasks/main.yml
index 29ab9c39..c9a9061c 100644
--- a/roles/apps/nextcloud/tasks/main.yml
+++ b/roles/apps/nextcloud/tasks/main.yml
@@ -160,7 +160,8 @@
nginx_vhost:
name: "nextcloud-{{ item.key }}"
template: generic
- acme: true
+ tls:
+ certificate_provider: "{{ acme_client }}"
hostnames: "{{ item.value.hostnames }}"
locations:
'/':
diff --git a/roles/apps/onlyoffice/tasks/main.yml b/roles/apps/onlyoffice/tasks/main.yml
index 957d8afe..960e811b 100644
--- a/roles/apps/onlyoffice/tasks/main.yml
+++ b/roles/apps/onlyoffice/tasks/main.yml
@@ -140,7 +140,8 @@
nginx_vhost:
name: "onlyoffice-{{ item.key }}"
template: generic
- acme: true
+ tls:
+ certificate_provider: "{{ acme_client }}"
hostnames:
- "{{ item.value.hostname }}"
locations:
diff --git a/roles/apps/pigallery2/tasks/main.yml b/roles/apps/pigallery2/tasks/main.yml
index b8b0166d..2a758da1 100644
--- a/roles/apps/pigallery2/tasks/main.yml
+++ b/roles/apps/pigallery2/tasks/main.yml
@@ -67,7 +67,8 @@
nginx_vhost:
name: "pigallery2-{{ item.key }}"
template: generic
- acme: true
+ tls:
+ certificate_provider: "{{ acme_client }}"
hostnames:
- "{{ item.value.hostname }}"
locations:
diff --git a/roles/apps/wikijs/tasks/main.yml b/roles/apps/wikijs/tasks/main.yml
index e2b03d24..10b0aa54 100644
--- a/roles/apps/wikijs/tasks/main.yml
+++ b/roles/apps/wikijs/tasks/main.yml
@@ -73,7 +73,8 @@
nginx_vhost:
name: "wikijs-{{ item.key }}"
template: generic
- acme: true
+ tls:
+ certificate_provider: "{{ acme_client }}"
hostnames:
- "{{ item.value.hostname }}"
locations: