| -rw-r--r-- | roles/space_server/files/nftables.conf | 6 | ||||
| -rw-r--r-- | roles/space_server/tasks/certbot.yml | 43 | ||||
| -rw-r--r-- | roles/space_server/tasks/main.yml | 17 | ||||
| -rw-r--r-- | roles/space_server/vars/main.yml | 1 | 
4 files changed, 67 insertions, 0 deletions
diff --git a/roles/space_server/files/nftables.conf b/roles/space_server/files/nftables.conf
index 066c03e..3375826 100644
--- a/roles/space_server/files/nftables.conf
+++ b/roles/space_server/files/nftables.conf
@@ -103,6 +103,9 @@ table ip filter {
 		ip daddr 224.0.0.251 udp dport 5353 iif $avahi_ifs accept
 		ip protocol igmp iif $avahi_ifs accept
 
+		# http cert validation
+		tcp dport 80 ip daddr $ext_ip4 accept
+
 		## debugging
 		#iif $ext_if counter drop
 		#udp dport { 137, 138, 5353, 27036 } drop # NetBIOS, Avahi, Steam in-home stream
@@ -182,6 +185,9 @@ table ip6 filter {
 		# avahi
 		ip6 daddr ff02::fb udp dport 5353 iif $avahi_ifs accept
 
+		# http cert validation
+		tcp dport 80 ip6 daddr $ext_ip6 accept
+
 		## debugging
 		#counter log prefix "in6: " drop
 		drop
diff --git a/roles/space_server/tasks/certbot.yml b/roles/space_server/tasks/certbot.yml
new file mode 100644
index 0000000..5e222ae
--- /dev/null
+++ b/roles/space_server/tasks/certbot.yml
@@ -0,0 +1,43 @@
+---
+- name: Create space.labitat.dk certificate
+  command:
+    argv:
+    - '/usr/bin/certbot'
+    - 'certonly'
+    - '--non-interactive'
+    - '--agree-tos'
+    - '--no-eff-email'
+    - '--max-log-backups'
+    - '99'
+    - '--standalone'
+    - '--preferred-challenges'
+    - 'http'
+    - '--key-type'
+    - 'rsa'
+    - '-m'
+    - 'noc@labitat.dk'
+    - '-d'
+    - 'space.labitat.dk'
+    creates: '/etc/letsencrypt/renewal/space.labitat.dk.conf'
+
+- name: Configure certbot renewal
+  lineinfile:
+    path: '/etc/sysconfig/certbot'
+    regexp: '{{ item.regexp }}'
+    line: '{{ item.line }}'
+  with_items:
+  - regexp: '^CERTBOT_ARGS='
+    line: 'CERTBOT_ARGS="--max-log-backups 99"'
+
+- name: Enable certbot renewal timer
+  systemd:
+    name: certbot-renew.timer
+    enabled: yes
+    masked: no
+    state: started
+  when: not chroot
+- name: '- when in chroot'
+  command: systemctl enable certbot-renew.timer
+  when: chroot
+
+# vim: set ts=2 sw=2 et ft=yaml:
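Review bot: The new `tcp dport 80 ip daddr $ext_ip4 accept` is permanent, while certbot in `--standalone` mode only binds port 80 for the seconds an issuance or renewal takes; between renewals the kernel answers those SYNs with RST instead of the chain's default (presumably drop, as the ip6 chain's trailing `drop` suggests), which is harmless but does make the host look different to a scanner. If that matters, keep the rule in a small dedicated chain that certbot's `--pre-hook`/`--post-hook` populate and flush, so port 80 is only reachable during the renewal window. Either way the rule cannot be tightened by source address, since ACME HTTP-01 validation is performed from several Let's Encrypt vantage points, so the comment should say so to forestall a later "hardening" pass: `# http cert validation (ACME HTTP-01: must stay reachable from any source)`. The enclosing chain starts before the hunk.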
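Review bot: The `creates:` guard on the certbot task means any later change to the argv — adding a SAN, dropping `--key-type rsa` for certbot's ECDSA default, changing the contact address — is silently not applied once `/etc/letsencrypt/renewal/space.labitat.dk.conf` exists, and the renewal timer will keep reissuing with whatever that file recorded. A comment above the task would make that explicit: `# argv only applies to first issuance; to change key type or domains, edit the renewal conf (or remove it) and re-run`. As far as I recall certbot also records `--standalone` in that renewal conf, so port 80 must stay free of other listeners on this host for renewals to succeed; the nftables change in this commit covers only the firewall side. Minor: `enabled: yes` / `masked: no` should be `true` / `false` (yamllint truthy), and the chroot fallback `command: systemctl enable ...` has no `changed_when`, so it reports changed on every run.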
diff --git a/roles/space_server/tasks/main.yml b/roles/space_server/tasks/main.yml
index 3768d5e..b19e8a3 100644
--- a/roles/space_server/tasks/main.yml
+++ b/roles/space_server/tasks/main.yml
@@ -9,6 +9,21 @@
   tags:
   - fstab
 
+- name: Disable selinux-autorelabel-mark service
+  systemd:
+    name: selinux-autorelabel-mark.service
+    enabled: no
+    masked: no
+    state: stopped
+  when: not chroot
+  tags:
+  - selinux
+- name: '- when in chroot'
+  command: systemctl disable selinux-autorelabel-mark.service
+  when: chroot
+  tags:
+  - selinux
+
 - name: Extra ssh hosts
   copy:
     dest: '/etc/ssh/ssh_config.d/60-switches.conf'
@@ -27,6 +42,8 @@
   tags: networkd
 - import_tasks: nftables.yml
   tags: nftables
+- import_tasks: certbot.yml
+  tags: certbot
 - import_tasks: chrony.yml
   tags: chrony
 - import_tasks: bird.yml
diff --git a/roles/space_server/vars/main.yml b/roles/space_server/vars/main.yml
index 76eff66..272d0ed 100644
--- a/roles/space_server/vars/main.yml
+++ b/roles/space_server/vars/main.yml
@@ -27,6 +27,7 @@ dnf_packages_role:
   'systemd-networkd': present
   'systemd-container': present
   'sudo': present
+  'certbot': present
   'chrony': present
   'nftables': present
   'openssh-server': present
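Review bot: Disabling `selinux-autorelabel-mark.service` has a security consequence the hunk does not explain: on Fedora/EL that unit runs on boots where SELinux is disabled and touches `/.autorelabel`, so that a later boot with SELinux enabled relabels the filesystem; with it off, re-enabling SELinux on this host would come up with stale or missing labels (if I have the unit's purpose right — confirm against the installed unit file). The task presumably exists because SELinux is disabled here, but nothing in the commit says so; a why-comment above it would stop the next person from restoring the unit or being surprised later: `# SELinux is disabled on this host; stop this unit from marking every boot for a relabel. If SELinux is ever re-enabled, touch /.autorelabel first.` Minor: `enabled: no` / `masked: no` should be `false` (yamllint truthy), and the chroot fallback `command: systemctl disable ...` lacks `changed_when`, so it reports changed on every run.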
