---
# Tasks: obtain an ACME certificate with certbot for the PostgreSQL server,
# seed a copy of it under /etc/postgresql, and keep it renewed through the
# certbot-renew systemd timer plus a certbot deploy hook.
#
# Variables read here (defined outside this file):
#   postgresql_cert_domain       - DNS name the certificate is issued for
#   postgresql_cert_acme_server  - ACME directory URL passed to certbot
#   postgresql_cert_acme_email   - contact address registered with the CA
#   host_uses_firewalld          - set false to skip the firewalld task
# Handlers notified (defined elsewhere): "reload systemd",
# "restart certbot-renew timer".

- name: ensure required packages are installed
  tags: [install]
  package:
    name: [certbot]
    state: present

# The standalone authenticator answers the HTTP-01 challenge on port 80 by
# itself; renewals reuse the same authenticator, so the rule is permanent.
- name: ensure http port is allowed in firewall (for acme challenge)
  tags: [firewalld]
  when: host_uses_firewalld|d(true)
  firewalld:
    service: http
    state: enabled
    permanent: true
    immediate: true

# One-time issuance. `creates` keeps the task idempotent, and the `command`
# module (not `shell`) passes the templated values as plain arguments with no
# shell interpretation.
- name: ensure postgresql server certificate exists
  tags: [cert]
  command: >-
    certbot certonly -n
    --standalone
    -d {{ postgresql_cert_domain }}
    --server {{ postgresql_cert_acme_server }}
    --agree-tos
    --email {{ postgresql_cert_acme_email }}
  args:
    creates: '/etc/letsencrypt/live/{{ postgresql_cert_domain }}/fullchain.pem'

# certbot runs every executable in renewal-hooks/deploy/ after a successful
# renewal. Presumably the template refreshes the copies under /etc/postgresql
# made further down — confirm against deploy-hook.sh.j2.
- name: ensure certbot deploy renewal hook script is installed
  tags: [deploy-hook]
  template:
    src: deploy-hook.sh.j2
    dest: /etc/letsencrypt/renewal-hooks/deploy/postgresql.sh
    owner: root
    group: root
    mode: 'u=rwx,go=rx'

# The regexp also matches a commented-out `# renew_before_expiry = ...` line,
# so an existing (possibly disabled) directive is rewritten in place. If no
# such line exists, lineinfile appends at EOF — verify certbot still picks the
# directive up in that position.
- name: ensure certbot renewal period is configured for postgresql cert
  tags: [config]
  lineinfile:
    path: '/etc/letsencrypt/renewal/{{ postgresql_cert_domain }}.conf'
    regexp: '^#?\s*renew_before_expiry\s*='
    line: renew_before_expiry = 8 hours
    state: present

- name: ensure certbot-renew timer unit drop-in directory exists
  tags: [systemd]
  file:
    path: /etc/systemd/system/certbot-renew.timer.d
    state: directory
    owner: root
    group: root
    mode: 'u=rwx,go=rx'

# A changed schedule needs a daemon-reload before the timer restart; both are
# handlers and are flushed explicitly below, before the timer is started.
- name: ensure certbot-renew timer schedule is configured
  tags: [systemd]
  notify:
    - reload systemd
    - restart certbot-renew timer
  template:
    src: certbot-renew.timer.j2
    dest: /etc/systemd/system/certbot-renew.timer.d/schedule.conf
    owner: root
    group: root
    mode: 'u=rw,go=r'

- name: ensure certbot-renew timer is enabled
  tags: [service]
  systemd:
    name: certbot-renew.timer
    enabled: true

# Run pending handlers now so the drop-in is loaded before the timer starts.
- name: flush handlers
  meta: flush_handlers

- name: ensure certbot-renew timer is running
  tags: [service]
  systemd:
    name: certbot-renew.timer
    state: started

# No owner/group/mode given, so the directory gets umask-derived defaults;
# only the key file below is restricted.
- name: ensure postgresql config directory exists
  file:
    path: /etc/postgresql
    state: directory

# `force: false`: the files are only seeded on first run and never
# overwritten by this play; later updates are left to the deploy hook.
- name: ensure initial copy of postgresql certificate is in place
  tags: [cert]
  copy:
    src: '/etc/letsencrypt/live/{{ postgresql_cert_domain }}/fullchain.pem'
    dest: /etc/postgresql/server.cer
    remote_src: true
    force: false
    owner: root
    group: root
    mode: 'u=rw,go=r'

# Private key: root-owned, readable by the postgres group, not world-readable.
- name: ensure initial copy of postgresql private key is in place
  tags: [cert]
  copy:
    src: '/etc/letsencrypt/live/{{ postgresql_cert_domain }}/privkey.pem'
    dest: /etc/postgresql/server.key
    remote_src: true
    force: false
    owner: root
    group: postgres
    mode: 'u=rw,g=r,o='