author | 2024-05-27 22:20:10 +0100 | |
---|---|---|
committer | 2024-05-27 22:28:20 +0100 | |
commit | eccbef372e016aa2324f9eceed6e8ef7bd756d2a (patch) | |
tree | 8e73212776ad850c7134c17f1f630f0dcdd4e18f | |
parent | Add new cert_users variable to certbot role (diff) |
Change certificate directory ownership to cert-users group
This allows non-root services that are in the cert-users group to
access and read the certificate data they need in order to
operate.
Doing things this way means that services still refer to a
single-source-of-truth for the certificate store whilst retaining their
non-root and non-privileged nature.
-rw-r--r-- | ansible/roles/certbot/tasks/main.yml | 29 |
1 files changed, 26 insertions, 3 deletions
diff --git a/ansible/roles/certbot/tasks/main.yml b/ansible/roles/certbot/tasks/main.yml
index c060db7..fb03baa 100644
--- a/ansible/roles/certbot/tasks/main.yml
+++ b/ansible/roles/certbot/tasks/main.yml
@@ -22,14 +22,25 @@
 - role::certbot
+- name: Create cert-users group
+ group:
+ name: cert-users
+ state: present
+ tags:
+ - role::certbot
+
+
 - name: Create certificate directories on hosts
 file:
- path: /etc/letsencrypt/live
+ path: '{{ item }}'
 recurse: true
 state: directory
 owner: root
- group: root
- mode: "0700"
+ group: cert-users
+ mode: "0750" # User rwx, Group rx
+ with_items:
+ - /etc/letsencrypt/live
+ - /etc/letsencrypt/archive
 tags:
 - role::certbot
@@ -49,3 +60,15 @@
 - "{{ certbot_domains[inventory_hostname] }}"
 tags:
 - role::certbot
+
+
+- name: Add authorized users to cert-users group
+ user:
+ name: '{{ item }}'
+ groups: cert-users
+ append: true
+ with_items:
+ - "{{ certbot_cert_users[inventory_hostname] }}"
+ when: "inventory_hostname in certbot_cert_users"
+ tags:
+ - role::certbot |
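Review bot: `recurse: true` together with `mode: "0750"` in the `Create certificate directories on hosts` task applies that mode to every file below `/etc/letsencrypt/archive` as well, not only to the directories, so the private key files stored there become readable by every member of cert-users and also gain the execute bit; the inline comment `# User rwx, Group rx` only describes the directory case. If group read access to the keys is intended, a symbolic mode keeps the execute bit off regular files while still making directories traversable: `mode: "u=rwX,g=rX,o="`; if only the certificate and chain files are meant to be shared, the key files should be kept out of the recursion. Certbot creates new private key files itself at renewal time, so whether the group ownership and mode set here survive a renewal depends on the certbot version in use and should be confirmed rather than assumed.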
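Review bot: In the `Add authorized users to cert-users group` task the loop expression `certbot_cert_users[inventory_hostname]` is templated before the `when` condition is evaluated, so on a host with no entry in `certbot_cert_users` the task is likely to fail with an undefined-variable error instead of being skipped. Guarding the lookup inside the loop itself avoids that: `with_items: "{{ certbot_cert_users[inventory_hostname] | default([]) }}"`, after which the `when` line can stay as documentation of intent or be dropped. The single-item `- "{{ ... }}"` list form is also redundant, since `with_items` already flattens a list-valued expression.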