Without making the firewall changes permanent, when a server tries to renew its certificate after rebooting, it will fail as the ACME server cannot connect to the HTTP port.
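---
# Samba DC TLS certificate tasks: obtain a certificate from an ACME server with
# lego (HTTP challenge, haproxy in front), install a systemd timer that renews
# it, and link the resulting files under fixed names in /etc/samba.

- name: ensure lego is installed
  package:
    name: golang-github-acme-lego
    state: present
  tags:
    - install

# The haproxy fragment presumably forwards the ACME challenge to lego, which
# listens on :5000 (see the certificate task below) — confirm against
# samba-dc.haproxy.cfg.
- name: ensure haproxy is configured for domain controllers
  template:
    src: samba-dc.haproxy.cfg
    dest: /etc/haproxy/conf.d/40-samba-dc.cfg
    owner: root
    group: root
    mode: u=rw,go=r
  notify:
    - reload haproxy
  tags:
    - haproxy

# Apply the pending haproxy reload now, before lego needs the challenge served.
- name: flush handlers
  meta: flush_handlers

# The firewalld change is applied to the running configuration only; the
# "save firewalld configuration" handler persists it so renewals keep working
# after a reboot.
# NOTE(review): 5000/tcp is lego's own challenge listener. If haproxy forwards
# the challenge to it on the loopback interface, it does not need to be
# reachable from outside — verify against samba-dc.haproxy.cfg before keeping
# it open.
- name: ensure acme/http port is allowed in firewall
  firewalld:
    port: '{{ item }}'
    state: enabled
  loop:
    - 80/tcp
    - 5000/tcp
  when: host_uses_firewalld|d(true)
  notify:
    - save firewalld configuration
  tags:
    - firewalld

# Runs a no-op on the controller until both the realm name and this host's
# FQDN resolve to the host's default IPv4 address (up to 15 tries, 60 s
# apart), so the ACME server can reach the challenge when lego runs.
- name: wait for dns records to propagate
  delegate_to: localhost
  become: false
  command: 'true'
  until: >-
    ansible_default_ipv4.address in lookup("dig", krb5_realm | lower) and
    ansible_default_ipv4.address in lookup("dig", ansible_fqdn)
  delay: 60
  retries: 15
  changed_when: false
  tags:
    - wait-for-dns

# One-shot issuance; skipped once lego has written the certificate metadata
# for this host ('creates'). Ongoing renewal is left to the samba-cert-renew
# timer installed below.
- name: ensure samba server certificate exists
  command: >-
    lego
    --path /var/lib/samba/.lego
    --accept-tos
    --server {{ samba_cert_acme_server }}
    --http --http.port :5000
    --domains {{ ansible_fqdn }}
    --domains {{ krb5_realm | lower }}
    --email {{ samba_cert_acme_email }}
    run
  args:
    creates: /var/lib/samba/.lego/certificates/{{ ansible_fqdn }}.json
  notify:
    - restart samba
  tags:
    - cert

- name: ensure samba server certificate renewal service is installed
  template:
    src: samba-cert-renew.service.j2
    dest: /etc/systemd/system/samba-cert-renew.service
    owner: root
    group: root
    mode: u=rw,go=r
  notify:
    - reload systemd
  tags:
    - systemd

- name: ensure samba server certificate renewal timer is installed
  template:
    src: samba-cert-renew.timer.j2
    dest: /etc/systemd/system/samba-cert-renew.timer
    owner: root
    group: root
    mode: u=rw,go=r
  notify:
    - reload systemd
    - restart samba-cert-renew.timer
  tags:
    - systemd

# Make systemd pick up the new unit files before they are started/enabled.
- name: flush handlers
  meta: flush_handlers

- name: ensure samba-cert-renew timer is running
  systemd:
    name: samba-cert-renew.timer
    state: started
  tags:
    - service

- name: ensure samba-cert-renew timer starts at boot
  systemd:
    name: samba-cert-renew.timer
    enabled: true
  tags:
    - service

# Expose lego's output under fixed names in /etc/samba. 'force' replaces an
# existing regular file at the destination with the link.
# NOTE(review): ca.crt is linked to /dev/null, presumably to hand samba an
# empty CA file; confirm this matches the tls settings in smb.conf.
- name: ensure samba certificate files are linked
  file:
    path: /etc/samba/{{ item.path }}
    src: '{{ item.dest }}'
    force: true
    state: link
  loop:
    - path: server.cer
      dest: /var/lib/samba/.lego/certificates/{{ ansible_fqdn }}.crt
    - path: server.key
      dest: /var/lib/samba/.lego/certificates/{{ ansible_fqdn }}.key
    - path: ca.crt
      dest: /dev/null
  notify:
    - restart samba
  tags:
    - cert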