-rw-r--r-- | roles/space_server/files/nftables.conf | 6 | ||||
-rw-r--r-- | roles/space_server/tasks/certbot.yml | 43 | ||||
-rw-r--r-- | roles/space_server/tasks/main.yml | 17 | ||||
-rw-r--r-- | roles/space_server/vars/main.yml | 1 |
4 files changed, 67 insertions, 0 deletions
diff --git a/roles/space_server/files/nftables.conf b/roles/space_server/files/nftables.conf
index 066c03e..3375826 100644
--- a/roles/space_server/files/nftables.conf
+++ b/roles/space_server/files/nftables.conf
@@ -103,6 +103,9 @@ table ip filter {
 ip daddr 224.0.0.251 udp dport 5353 iif $avahi_ifs accept
 ip protocol igmp iif $avahi_ifs accept
+ # http cert validation
+ tcp dport 80 ip daddr $ext_ip4 accept
+
 ## debugging
 #iif $ext_if counter drop
 #udp dport { 137, 138, 5353, 27036 } drop # NetBIOS, Avahi, Steam in-home stream
@@ -182,6 +185,9 @@ table ip6 filter {
 # avahi
 ip6 daddr ff02::fb udp dport 5353 iif $avahi_ifs accept
+ # http cert validation
+ tcp dport 80 ip6 daddr $ext_ip6 accept
+
 ## debugging
 #counter log prefix "in6: " drop
 drop
diff --git a/roles/space_server/tasks/certbot.yml b/roles/space_server/tasks/certbot.yml
new file mode 100644
index 0000000..5e222ae
--- /dev/null
+++ b/roles/space_server/tasks/certbot.yml
@@ -0,0 +1,43 @@
+---
+- name: Create space.labitat.dk certificate
+ command:
+ argv:
+ - '/usr/bin/certbot'
+ - 'certonly'
+ - '--non-interactive'
+ - '--agree-tos'
+ - '--no-eff-email'
+ - '--max-log-backups'
+ - '99'
+ - '--standalone'
+ - '--preferred-challenges'
+ - 'http'
+ - '--key-type'
+ - 'rsa'
+ - '-m'
+ - 'noc@labitat.dk'
+ - '-d'
+ - 'space.labitat.dk'
+ creates: '/etc/letsencrypt/renewal/space.labitat.dk.conf'
+
+- name: Configure certbot renewal
+ lineinfile:
+ path: '/etc/sysconfig/certbot'
+ regexp: '{{ item.regexp }}'
+ line: '{{ item.line }}'
+ with_items:
+ - regexp: '^CERTBOT_ARGS='
+ line: 'CERTBOT_ARGS="--max-log-backups 99"'
+
+- name: Enable certbot renewal timer
+ systemd:
+ name: certbot-renew.timer
+ enabled: yes
+ masked: no
+ state: started
+ when: not chroot
+- name: '- when in chroot'
+ command: systemctl enable certbot-renew.timer
+ when: chroot
+
+# vim: set ts=2 sw=2 et ft=yaml:
diff --git a/roles/space_server/tasks/main.yml b/roles/space_server/tasks/main.yml
index 3768d5e..b19e8a3 100644
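Review bot: The new `tcp dport 80 ip daddr $ext_ip4 accept` rule (and its ip6 twin in the second hunk) keeps port 80 reachable on the external address permanently, while certbot in `--standalone` mode only binds it for the seconds an HTTP-01 challenge takes. Leaving it open is what unattended renewals from certbot-renew.timer need, but the comment `# http cert validation` records neither that dependency nor that no other service may listen on :80, otherwise the standalone challenge cannot bind and renewal fails silently until expiry. Suggest `# certbot --standalone HTTP-01 challenge, also used by certbot-renew.timer; nothing else may listen on :80` in both hunks. If the rule is only meant for traffic arriving from the outside, adding `iif $ext_if` as the commented debugging rule below does would keep it off internal interfaces, although `ip daddr $ext_ip4` already confines it to the external address. The enclosing chain of `table ip filter` starts and ends outside the hunk.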
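Review bot: The "Create space.labitat.dk certificate" task carries no `when: not chroot` guard, unlike the timer tasks later in the same file, so when the role is applied inside a chroot (presumably an image build, given how `chroot` is used elsewhere) it will still run `certbot certonly --standalone` and attempt a live HTTP-01 validation from wherever the chroot is being built; that either fails the play or, if the build host happens to answer for the name, bakes an account key and a certificate private key into the image. Suggest `when: not chroot` on that task, since the `creates:` guard does not help on a fresh image. `--key-type rsa` overrides the ECDSA default of recent certbot releases and the reason is not recorded; a comment such as `# rsa: required by <client or device> — TODO confirm` above the argv list would keep the choice from being "fixed" later. The `--max-log-backups 99` value is repeated in `CERTBOT_ARGS`; a role var would keep the two in sync, and `with_items` with a single item can be written as `loop:`.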
--- a/roles/space_server/tasks/main.yml
+++ b/roles/space_server/tasks/main.yml
@@ -9,6 +9,21 @@
 tags:
 - fstab
+- name: Disable selinux-autorelabel-mark service
+ systemd:
+ name: selinux-autorelabel-mark.service
+ enabled: no
+ masked: no
+ state: stopped
+ when: not chroot
+ tags:
+ - selinux
+- name: '- when in chroot'
+ command: systemctl disable selinux-autorelabel-mark.service
+ when: chroot
+ tags:
+ - selinux
+
 - name: Extra ssh hosts
 copy:
 dest: '/etc/ssh/ssh_config.d/60-switches.conf'
@@ -27,6 +42,8 @@
 tags: networkd
 - import_tasks: nftables.yml
 tags: nftables
+- import_tasks: certbot.yml
+ tags: certbot
 - import_tasks: chrony.yml
 tags: chrony
 - import_tasks: bird.yml
diff --git a/roles/space_server/vars/main.yml b/roles/space_server/vars/main.yml
index 76eff66..272d0ed 100644
--- a/roles/space_server/vars/main.yml
+++ b/roles/space_server/vars/main.yml
@@ -27,6 +27,7 @@ dnf_packages_role:
 'systemd-networkd': present
 'systemd-container': present
 'sudo': present
+ 'certbot': present
 'chrony': present
 'nftables': present
 'openssh-server': present |
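Review bot: The reason for disabling selinux-autorelabel-mark.service in the first hunk is not recorded anywhere; as far as I recall that unit marks the filesystem for a full relabel when the system booted without SELinux, so disabling it means a later switch back to enforcing mode starts with stale labels unless someone relabels by hand, and the next maintainer cannot tell whether that was weighed. A comment such as `# host boots with SELinux disabled; stop the unit from scheduling a relabel on every boot — TODO confirm intent` above the task would record it, and it should also say why the chroot branch only disables rather than masks. `enabled: no` with `masked: no` leaves a package preset or a stray `systemctl enable` free to bring the unit back; if it is meant to stay off, `masked: yes` is the stronger setting in both branches. The tasks around the hunk (`- fstab` above, "Extra ssh hosts" below) continue outside it.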