Diffstat (limited to 'roles')
-rw-r--r-- | roles/apps/coturn/defaults/main.yml | 3 | ||||
-rw-r--r-- | roles/apps/coturn/tasks/main.yml | 61 | ||||
-rw-r--r-- | roles/apps/coturn/templates/acmetool-reload.sh.j2 | 28 | ||||
-rw-r--r-- | roles/apps/mumble/tasks/main.yml | 2 |
4 files changed, 34 insertions, 60 deletions
diff --git a/roles/apps/coturn/defaults/main.yml b/roles/apps/coturn/defaults/main.yml
index 842e7f05..709d3d07 100644
--- a/roles/apps/coturn/defaults/main.yml
+++ b/roles/apps/coturn/defaults/main.yml
@@ -17,6 +17,9 @@ coturn_threads: 0
 coturn_dhparam_size: 2048
 
+# coturn_tls:
+#   certificate_provider: ...
+
 coturn_listening_port: 3478
 coturn_tls_listening_port: 5349
 
diff --git a/roles/apps/coturn/tasks/main.yml b/roles/apps/coturn/tasks/main.yml
index ed0c06ab..4e5adbd5 100644
--- a/roles/apps/coturn/tasks/main.yml
+++ b/roles/apps/coturn/tasks/main.yml
@@ -1,10 +1,4 @@
 ---
-- name: check if acme_client is set to acmetool
-  assert:
-    msg: "this role currently only works with acmetool"
-    that:
-    - acme_client == "acmetool"
-
 - name: add group for coturn
   group:
     name: coturn
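Review bot: The `assert` on `acme_client` is removed in the `@@ -1,10 +1,4 @@` hunk of tasks/main.yml without any replacement, yet the new code depends on `coturn_tls.certificate_provider` being set — defaults/main.yml only adds it as a commented-out example, and the `@@ -70,22 +68,23 @@` hunk builds a role path from it (`include_role: name: "x509/{{ coturn_tls.certificate_provider }}/cert"`). With the variable undefined the play fails late with a generic "undefined variable" or "role not found" error instead of the clear message the old assert gave. An up-front check at the top of tasks/main.yml restores that; the provider value is also used verbatim in a path, so pinning it to a plain role name keeps the `include_role` lookup predictable. I cannot see from this diff which providers have an `x509/<provider>/cert` role, so the message below is deliberately generic.
```yaml
- name: check that a certificate provider is configured
  assert:
    msg: "coturn_tls.certificate_provider must name a provider with a x509/<provider>/cert role"
    that:
      - coturn_tls is defined
      - coturn_tls.certificate_provider is defined
      - coturn_tls.certificate_provider is match("^[a-z0-9_-]+$")
```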
@@ -45,24 +39,28 @@
     group: coturn
     mode: 0644
 
-- name: install acmetool hook script
-  template:
-    src: acmetool-reload.sh.j2
-    dest: "/etc/acme/hooks/coturn-{{ coturn_realm }}"
-    mode: 0755
-
-- name: install acmetool systemd unit snippet
-  copy:
-    dest: "/etc/systemd/system/acmetool.service.d/coturn-{{ coturn_realm }}.conf"
-    content: |
-      [Service]
-      ReadWritePaths={{ coturn_base_path }}/{{ coturn_realm }}/config/ssl
-  register: coturn_acmetool_snippet
-
-- name: reload systemd
-  when: coturn_acmetool_snippet is changed
-  systemd:
-    daemon_reload: yes
+- name: compute certificate renewal config
+  set_fact:
+    coturn_certificate_renewal:
+      install:
+        - dest: "{{ coturn_base_path }}/{{ coturn_realm }}/config/ssl/cert.pem"
+          src:
+            - fullchain
+          owner: root
+          group: coturn
+          mode: "0644"
+        - dest: "{{ coturn_base_path }}/{{ coturn_realm }}/config/ssl/privkey.pem"
+          src:
+            - key
+          owner: root
+          group: coturn
+          mode: "0640"
+      reload: |
+        pod_id=$(crictl pods -q --state ready --name "^coturn-{{ coturn_realm }}-{{ ansible_nodename }}$")
+        [ -n "$pod_id" ] || exit 42
+        container_id=$(crictl ps -q --name '^coturn$' -p "$pod_id")
+        [ -n "$container_id" ] || exit 42
+        crictl stop "$container_id"
 
 - name: configure nginx vhost
   when: coturn_install_nginx_vhost
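Review bot: The `exit 42` in the new `reload` script is undocumented, so a reader cannot tell whether "no ready coturn pod on this node" is an error or an expected no-op; the deleted acmetool hook used the same status for its skip path, but that context is gone with this commit. A comment above `reload: |` would fix it, e.g. `# reload: stop the running coturn container so it comes back with the new cert; exit 42 = no coturn pod/container on this node (presumably treated as "nothing to do" by the renewal role — confirm)`. Whether the consumer of `x509_certificate_renewal` treats 42 specially, and whether something restarts the stopped container, is not visible in this diff. Note the new `mode: "0644"` / `"0640"` entries are correctly quoted, unlike the context line `mode: 0644` above them, which is untouched history.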
@@ -70,22 +68,23 @@
     nginx_vhost:
       name: "coturn-{{ coturn_realm }}"
       template: generic
-      tls:
-        certificate_provider: acmetool
+      tls: "{{ coturn_tls }}"
       hostnames: "{{ coturn_hostnames }}"
       locations:
         '/':
           return: "404"
+    x509_certificate_renewal: "{{ coturn_certificate_renewal }}"
   include_role:
     name: nginx/vhost
 
-- name: get certificate using acmetool
+- name: generate/install/fetch TLS certificate
   when: not coturn_install_nginx_vhost
-  import_role:
-    name: x509/acmetool/cert
   vars:
-    acmetool_cert_name: "coturn-{{ coturn_realm }}"
-    acmetool_cert_hostnames: "{{ coturn_hostnames }}"
+    x509_certificate_name: "coturn-{{ coturn_realm }}"
+    x509_certificate_hostnames: "{{ coturn_hostnames }}"
+    x509_certificate_renewal: "{{ coturn_certificate_renewal }}"
+  include_role:
+    name: "x509/{{ coturn_tls.certificate_provider }}/cert"
 
 - name: install pod manifest
   vars:
diff --git a/roles/apps/coturn/templates/acmetool-reload.sh.j2 b/roles/apps/coturn/templates/acmetool-reload.sh.j2
deleted file mode 100644
index 08530583..00000000
--- a/roles/apps/coturn/templates/acmetool-reload.sh.j2
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/sh
-set -e
-EVENT_NAME="$1"
-[ "$EVENT_NAME" = "live-updated" ] || exit 42
-
-MAIN_HOSTNAME="{{ coturn_hostnames[0] }}"
-SSL_D="{{ coturn_base_path }}/{{ coturn_realm }}/config/ssl"
-
-while read name; do
-  certdir="$ACME_STATE_DIR/live/$name"
-  if [ -z "$name" -o ! -e "$certdir" ]; then
-    continue
-  fi
-  if [ "$name" != "$MAIN_HOSTNAME" ]; then
-    continue
-  fi
-
-  install -m 0644 -o root -g coturn "$certdir/fullchain" "$SSL_D/cert.pem"
-  install -m 0640 -o root -g coturn "$certdir/privkey" "$SSL_D/privkey.pem"
-
-  pod_id=$(crictl pods -q --state ready --name "^coturn-{{ coturn_realm }}-{{ ansible_nodename }}$")
-  [ -n "$pod_id" ] || exit 42
-  container_id=$(crictl ps -q --name '^coturn$' -p "$pod_id")
-  [ -n "$container_id" ] || exit 42
-  crictl stop "$container_id"
-
-  break
-done
diff --git a/roles/apps/mumble/tasks/main.yml b/roles/apps/mumble/tasks/main.yml
index b59fb5fc..5b380725 100644
--- a/roles/apps/mumble/tasks/main.yml
+++ b/roles/apps/mumble/tasks/main.yml
@@ -27,7 +27,7 @@
     group: mumble
     mode: 0644
 
-- name: generate/install/fetc TLS certificate
+- name: generate/install/fetch TLS certificate
   vars:
     x509_certificate_name: "mumble-{{ mumble_instance }}"
     x509_certificate_hostnames: "{{ mumble_hostnames }}"