From 3da205a190c0b6f36a726d90afa4dc303ee84ffe Mon Sep 17 00:00:00 2001 From: Emil Renner Berthing Date: Tue, 19 Jan 2021 19:20:48 +0100 Subject: space_server: certbot: get space.labitat.dk certificate --- roles/space_server/tasks/certbot.yml | 43 ++++++++++++++++++++++++++++++++++++ roles/space_server/tasks/main.yml | 17 ++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 roles/space_server/tasks/certbot.yml (limited to 'roles/space_server/tasks')
diff --git a/roles/space_server/tasks/certbot.yml b/roles/space_server/tasks/certbot.yml
new file mode 100644
index 0000000..5e222ae
--- /dev/null
+++ b/roles/space_server/tasks/certbot.yml
@@ -0,0 +1,43 @@
+---
+- name: Create space.labitat.dk certificate
+ command:
+ argv:
+ - '/usr/bin/certbot'
+ - 'certonly'
+ - '--non-interactive'
+ - '--agree-tos'
+ - '--no-eff-email'
+ - '--max-log-backups'
+ - '99'
+ - '--standalone'
+ - '--preferred-challenges'
+ - 'http'
+ - '--key-type'
+ - 'rsa'
+ - '-m'
+ - 'noc@labitat.dk'
+ - '-d'
+ - 'space.labitat.dk'
+ creates: '/etc/letsencrypt/renewal/space.labitat.dk.conf'
+
+- name: Configure certbot renewal
+ lineinfile:
+ path: '/etc/sysconfig/certbot'
+ regexp: '{{ item.regexp }}'
+ line: '{{ item.line }}'
+ with_items:
+ - regexp: '^CERTBOT_ARGS='
+ line: 'CERTBOT_ARGS="--max-log-backups 99"'
+
+- name: Enable certbot renewal timer
+ systemd:
+ name: certbot-renew.timer
+ enabled: yes
+ masked: no
+ state: started
+ when: not chroot
+- name: '- when in chroot'
+ command: systemctl enable certbot-renew.timer
+ when: chroot
+
+# vim: set ts=2 sw=2 et ft=yaml:
diff --git a/roles/space_server/tasks/main.yml b/roles/space_server/tasks/main.yml
index 3768d5e..b19e8a3 100644
--- a/roles/space_server/tasks/main.yml
+++ b/roles/space_server/tasks/main.yml 
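Review bot: `enabled: yes` and `masked: no` in the `Enable certbot renewal timer` task (and `enabled: no` / `masked: no` in the selinux task of the main.yml hunk) are YAML 1.1 truthy literals; write `enabled: true` / `masked: false` so yamllint's truthy rule and YAML 1.2 loaders read them the same way. The issuance task uses `--standalone` with `--preferred-challenges http`, which makes certbot bind TCP/80 itself, and the renewal timer reuses that authenticator, so the nftables rules imported just before certbot.yml in main.yml must accept inbound 80 from any source or both the first issuance and every renewal fail — worth confirming in nftables.yml, which is outside this diff. The `creates:` guard on `/etc/letsencrypt/renewal/space.labitat.dk.conf` gives idempotence but also means later edits to the argv (domains, key type, contact) are silently ignored on hosts that already have the conf; a comment such as `# creates: guards first issuance only; later option changes belong in the renewal conf` would document that. `lineinfile` on `/etc/sysconfig/certbot` fails if the file is absent; presumably the certbot package ships it, otherwise add `create: true`.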
@@ -9,6 +9,21 @@ tags: - fstab +- name: Disable selinux-autorelabel-mark service + systemd: + name: selinux-autorelabel-mark.service + enabled: no + masked: no + state: stopped + when: not chroot + tags: + - selinux +- name: '- when in chroot' + command: systemctl disable selinux-autorelabel-mark.service + when: chroot + tags: + - selinux + - name: Extra ssh hosts copy: dest: '/etc/ssh/ssh_config.d/60-switches.conf' @@ -27,6 +42,8 @@ tags: networkd - import_tasks: nftables.yml tags: nftables +- import_tasks: certbot.yml + tags: certbot - import_tasks: chrony.yml tags: chrony - import_tasks: bird.yml -- cgit v1.2.1
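Review bot: The chroot fallback `command: systemctl disable selinux-autorelabel-mark.service` has no `changed_when`, so the chroot code path reports `changed` on every run even when the unit is already disabled; `command: systemctl enable certbot-renew.timer` in certbot.yml has the same shape. A preceding `command: systemctl is-enabled selinux-autorelabel-mark.service` registered into a variable (with `failed_when: false`) would let this task set `changed_when` from that output instead of always reporting a change. The surrounding task list continues outside the hunk.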