authorDmitry Ilvokhin <d@ilvokhin.com>2023-12-21 18:08:22 +0000
committerDmitry Ilvokhin <d@ilvokhin.com>2023-12-21 18:08:22 +0000
commit98deb6b468c52d09c69c699b02ab16791f557beb (patch)
tree3dd114dfd79a81f577c0ffa93e8bf3bd06d70759 /roles
parent1fe154b136bce2fb063e39050d9bc0deb2279bb0 (diff)
Enable certbot for certificates renewal
Diffstat (limited to 'roles')
-rw-r--r--roles/essential/tasks/atop.yml2
-rw-r--r--roles/web/files/certbot/certbot.service6
-rw-r--r--roles/web/files/certbot/certbot.timer10
-rw-r--r--roles/web/files/nginx/nginx.conf (renamed from roles/web/files/nginx.conf)0
-rw-r--r--roles/web/files/nginx/nginx.logrotate (renamed from roles/web/files/nginx)0
-rw-r--r--roles/web/tasks/certbot.yml27
-rw-r--r--roles/web/tasks/main.yml1
-rw-r--r--roles/web/tasks/nginx.yml6
8 files changed, 48 insertions, 4 deletions
diff --git a/roles/essential/tasks/atop.yml b/roles/essential/tasks/atop.yml
index ccc699c..7617f68 100644
--- a/roles/essential/tasks/atop.yml
+++ b/roles/essential/tasks/atop.yml
@@ -28,7 +28,7 @@
notify:
- Restart atop
-- name: Enable atop systemd unit and logrotate timer
+- name: Enable atop systemd service and logrotate timer
ansible.builtin.service:
name: '{{ item }}'
enabled: yes
diff --git a/roles/web/files/certbot/certbot.service b/roles/web/files/certbot/certbot.service
new file mode 100644
index 0000000..bea307c
--- /dev/null
+++ b/roles/web/files/certbot/certbot.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Let's Encrypt renewal
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/certbot renew --agree-tos --deploy-hook "systemctl reload nginx"
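Review bot: The oneshot unit at `ExecStart` runs certbot as root with no sandboxing, so a renewal run (and the ACME client's plugins) has the whole host filesystem writable; the distribution's own certbot.service usually carries at least `PrivateTmp=true`, and that line is a cheap addition under `[Service]`. Stronger isolation such as `ProtectHome=true` and `ProtectSystem=strict` with `ReadWritePaths=` for `/etc/letsencrypt`, `/var/lib/letsencrypt` and `/var/log/letsencrypt` is worth trying, but needs confirming against the installed certbot since `--deploy-hook "systemctl reload nginx"` must still be able to reach the system bus. The deploy hook itself is well placed: it only runs when a certificate was actually renewed, so nginx is not reloaded on every timer tick.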
diff --git a/roles/web/files/certbot/certbot.timer b/roles/web/files/certbot/certbot.timer
new file mode 100644
index 0000000..565b4ee
--- /dev/null
+++ b/roles/web/files/certbot/certbot.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Renewal of Let's Encrypt's certificates
+
+[Timer]
+OnCalendar=daily
+OnCalendar=0/12:12:00
+Persistent=true
+
+[Install]
+WantedBy=timers.target
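Review bot: The two `OnCalendar` lines fire at fixed wall-clock times (00:00 from `daily`, plus 00:12 and 12:12 from `0/12:12:00`) with no jitter, so every host managed by this role hits the ACME endpoint at the same minute; Let's Encrypt's integration guidance asks renewal jobs to run at a random time, and `RandomizedDelaySec=1h` under `[Timer]` spreads the run without changing the twice-a-day cadence. The `daily` entry is also largely redundant with the 00:12 run and could be dropped unless the midnight run is intended. Since the timer and service share a name no `Unit=` line is needed, but `Unit=certbot.service` would document the pairing for the next reader.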
diff --git a/roles/web/files/nginx.conf b/roles/web/files/nginx/nginx.conf
index ce8302d..ce8302d 100644
--- a/roles/web/files/nginx.conf
+++ b/roles/web/files/nginx/nginx.conf
diff --git a/roles/web/files/nginx b/roles/web/files/nginx/nginx.logrotate
index da8ba47..da8ba47 100644
--- a/roles/web/files/nginx
+++ b/roles/web/files/nginx/nginx.logrotate
diff --git a/roles/web/tasks/certbot.yml b/roles/web/tasks/certbot.yml
new file mode 100644
index 0000000..bc0e50e
--- /dev/null
+++ b/roles/web/tasks/certbot.yml
@@ -0,0 +1,27 @@
+- name: Install certbot
+ ansible.builtin.package:
+ name:
+ - certbot
+ state: present
+
+- name: Configure certbot systemd service
+ ansible.builtin.copy:
+ src: roles/web/files/certbot/certbot.service
+ dest: /usr/lib/systemd/system
+ owner: root
+ group: root
+ mode: u+rw,g+r,o+r
+
+- name: Configure certbot systemd timer
+ ansible.builtin.copy:
+ src: roles/web/files/certbot/certbot.timer
+ dest: /usr/lib/systemd/system
+ owner: root
+ group: root
+ mode: u+rw,g+r,o+r
+
+- name: Enable certbot systemd timer
+ ansible.builtin.service:
+ name: certbot.timer
+ enabled: yes
+ state: started
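Review bot: Both copy tasks (`Configure certbot systemd service` and `Configure certbot systemd timer`) use an additive symbolic mode, `mode: u+rw,g+r,o+r`, which only sets bits and leaves any pre-existing group- or world-write bits on the destination in place; for unit files that systemd runs as root an absolute mode is the safer form, `mode: "0644"` (quoted so YAML does not read it as an octal integer). The `Enable certbot systemd timer` task uses `ansible.builtin.service` on a unit that was copied in moments earlier, so the run presumably relies on systemd having noticed the new file; `ansible.builtin.systemd` with `daemon_reload: true`, or a notified daemon-reload handler, makes that explicit. `enabled: yes` is a YAML 1.1 boolean that yamllint flags; `enabled: true` is the canonical form. Locally managed units conventionally live in `/etc/systemd/system` rather than the vendor directory `/usr/lib/systemd/system`, which keeps them apart from package-owned files, though the current path does work.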
diff --git a/roles/web/tasks/main.yml b/roles/web/tasks/main.yml
index 5b94d1b..831d6d6 100644
--- a/roles/web/tasks/main.yml
+++ b/roles/web/tasks/main.yml
@@ -1,2 +1,3 @@
- ansible.builtin.import_tasks: roles/web/tasks/logrotate.yml
- ansible.builtin.import_tasks: roles/web/tasks/nginx.yml
+- ansible.builtin.import_tasks: roles/web/tasks/certbot.yml
diff --git a/roles/web/tasks/nginx.yml b/roles/web/tasks/nginx.yml
index 108bb61..43f7058 100644
--- a/roles/web/tasks/nginx.yml
+++ b/roles/web/tasks/nginx.yml
@@ -4,7 +4,7 @@
- nginx
state: present
-- name: Enable nginx systemd unit
+- name: Enable nginx systemd service
ansible.builtin.service:
name: nginx
enabled: yes
@@ -23,7 +23,7 @@
- name: Configure nginx
ansible.builtin.copy:
- src: roles/web/files/nginx.conf
+ src: roles/web/files/nginx/nginx.conf
dest: /etc/nginx/nginx.conf
owner: root
group: root
@@ -33,7 +33,7 @@
- name: Configure nginx logrotate
ansible.builtin.copy:
- src: roles/web/files/nginx
+ src: roles/web/files/nginx/nginx.logrotate
dest: /etc/logrotate.d/nginx
owner: root
group: root