From b53d6b41c3c1f2fb45e17385337e16cc24df2b5b Mon Sep 17 00:00:00 2001
From: Morgan McMillian
Date: Thu, 8 Dec 2022 22:42:39 -0800
Subject: [PATCH] added inventory and setup playbook

---
 Makefile    |  8 ++++++-
 ansible.cfg |  4 ++++
 hosts.yml   |  6 ++++++
 install.yml |  2 +-
 setup.yml   | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 uacme.nginx |  4 ++++
 6 files changed, 84 insertions(+), 2 deletions(-)
 create mode 100644 ansible.cfg
 create mode 100644 hosts.yml
 create mode 100644 setup.yml
 create mode 100644 uacme.nginx

diff --git a/Makefile b/Makefile
index e9e7aab..506d997 100644
--- a/Makefile
+++ b/Makefile
@@ -23,4 +23,10 @@ $(source):
 clean:
 	rm $(RPM) $(source)
 
-.PHONY: clean
+install:
+	ansible-playbook install.yml
+
+setup:
+	ansible-playbook setup.yml
+
+.PHONY: clean install setup
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..7cdf4e7
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,4 @@
+[defaults]
+nocows = 1
+inventory = hosts.yml
+vault_password_file = ~/.vault-password
diff --git a/hosts.yml b/hosts.yml
new file mode 100644
index 0000000..aa2da35
--- /dev/null
+++ b/hosts.yml
@@ -0,0 +1,6 @@
+all:
+  hosts:
+    vetinari.dreamfall.space:
+      ansible_become_password: "{{ lookup('community.general.keyring', 'ansible_vetinari thrrgilag') }}"
+    detritus.dreamfall.space:
+      ansible_become_password: "{{ lookup('community.general.keyring', 'ansible_detritus thrrgilag') }}"
diff --git a/install.yml b/install.yml
index c5d130d..cb513c7 100644
--- a/install.yml
+++ b/install.yml
@@ -1,6 +1,6 @@
 ---
 - name: Install uacme rpm package
-  hosts: linodes
+  hosts: all
   vars:
     rpm_location: /home/thrrgilag/rpmbuild/RPMS/x86_64
     rpm_file: uacme-1.7.3-1.x86_64.rpm
diff --git a/setup.yml b/setup.yml
new file mode 100644
index 0000000..16610ca
--- /dev/null
+++ b/setup.yml
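Review bot: Both host entries in hosts.yml resolve `ansible_become_password` through the `community.general.keyring` lookup, so every run depends on the `community.general` collection and the controller-side `keyring` library being present, and a missing keyring entry surfaces as a templating error rather than a clear message; setup.yml in this same commit also needs that collection for `community.general.sefcontext`. Declaring the dependency in a `collections/requirements.yml` (`collections: [{name: community.general}]`) and adding an inventory comment such as `# requires keyring entries: service ansible_vetinari / ansible_detritus, user thrrgilag` would make the setup reproducible on another controller. Keeping the sudo password out of the repository this way is the right direction; the two lookups differ only in the service name, so a per-host `ansible_keyring_service` variable with one templated `ansible_become_password` under `all: vars:` would remove the duplication, though that is a matter of taste.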
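Review bot: Changing install.yml to `hosts: all` means any host added to hosts.yml later is targeted by `make install` as well as `make setup`; if the rpm should only go to a subset, keeping a named group in the new inventory (`all: children: linodes: hosts: …`) and targeting `hosts: linodes` preserves the previous scoping. As it stands the inventory has exactly the two hosts that the play is meant for, so this is a question of intent rather than a defect. The play body continues outside the hunk.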
@@ -0,0 +1,62 @@
+---
+- name: Install uacme rpm package
+  hosts: all
+
+  tasks:
+    - name: ping host
+      ansible.builtin.ping:
+
+    - name: Install nginx uacme config
+      ansible.builtin.copy:
+        src: uacme.nginx
+        dest: /etc/nginx/default.d/uacme.conf
+        owner: root
+        group: root
+      become: yes
+
+    - name: Check uacme account
+      ansible.builtin.stat:
+        path: "/etc/uacme.d/private/key.pem"
+      register: uacme_account
+      become: yes
+
+    - name: Create uacme account
+      ansible.builtin.command: uacme -v -y -c /etc/uacme.d new
+      when: not uacme_account.stat.exists
+      become: yes
+
+    - name: Create acme-challenge directory
+      ansible.builtin.file:
+        path: /var/www/html/.well-known/acme-challenge
+        state: directory
+        mode: '0755'
+        owner: root
+        group: root
+      become: yes
+
+    - name: Touch ssl-hosts file
+      ansible.builtin.file:
+        path: /root/ssl-hosts.txt
+        state: touch
+        mode: '0644'
+        owner: root
+        group: root
+      become: yes
+
+    - name: Add uacme job to crontab
+      ansible.builtin.cron:
+        name: "uacme"
+        minute: "0"
+        hour: "3"
+        job: /root/bin/uacme-certs.sh
+      become: yes
+
+    - name: Allow nginx access to acme-challenge
+      community.general.sefcontext:
+        target: /var/www/html/.well-known/acme-challenge
+        setype: httpd_sys_content_t
+      become: yes
+
+    - name: Apply new SELinux file context to filesystem
+      ansible.builtin.command: restorecon -irv /var/www/html/.well-known/acme-challenge
+      become: yes
diff --git a/uacme.nginx b/uacme.nginx
new file mode 100644
index 0000000..002ba7f
--- /dev/null
+++ b/uacme.nginx
@@ -0,0 +1,4 @@
+location /.well-known/acme-challenge {
+    alias /var/www/html/.well-known/acme-challenge;
+    try_files $uri $uri/ =404;
+}
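Review bot: The `Install nginx uacme config` task writes `/etc/nginx/default.d/uacme.conf` but nothing reloads nginx, so the new location block is not live until the service is restarted by some other means; a `notify: Reload nginx` on that task plus a `handlers:` section (below) closes that gap. The `community.general.sefcontext` target `/var/www/html/.well-known/acme-challenge` is matched as a regular expression against the path itself, so as far as this rule is concerned only the directory is covered and the challenge files written inside it are not — `target: /var/www/html/.well-known/acme-challenge(/.*)?` is the usual form — and the following `restorecon -irv` command reports changed on every run; `changed_when: false`, or registering it and testing whether its `-v` output is empty, keeps the play idempotent. The cron entry runs `/root/bin/uacme-certs.sh`, which this play does not deploy; if it is installed by hand or by another play, a comment on the cron task saying so (`# uacme-certs.sh is deployed separately`) would save the next reader a search. The play name is copied from install.yml although this play configures nginx, SELinux and cron rather than installing the rpm; `- name: Configure uacme ACME challenge serving` describes it. Finally, `become: yes` on every task is the YAML 1.1 boolean spelling that ansible-lint flags; `become: true` at play level, with a single place to audit privilege escalation, is the conventional form.
```yaml
    - name: Install nginx uacme config
      # … unchanged: ansible.builtin.copy args …
      become: true
      notify: Reload nginx

    # … unchanged: remaining tasks …

  handlers:
    - name: Reload nginx
      ansible.builtin.service:
        name: nginx
        state: reloaded
      become: true
```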
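Review bot: The location combines `alias` with `try_files`, and since the alias value ends with the same path as the location prefix, nginx's own `alias` documentation says to use `root` instead; `root /var/www/html;` serves the same files and sidesteps the known mis-resolution of `$uri` when `try_files` is used inside an `alias` location. The `$uri/` fallback only matters for directory requests, which return 403 with `autoindex` off rather than the intended 404, so `try_files $uri =404;` states the intent more precisely. The hunk is the complete file.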