From eccbef372e016aa2324f9eceed6e8ef7bd756d2a Mon Sep 17 00:00:00 2001
From: Joe Banks
Date: Mon, 27 May 2024 22:20:10 +0100
Subject: Change certificate directory ownership to cert-users group

This allows for non-root services that are in the cert-users group to still access and read certificate data that they need in order to operate. Doing things this way means that services still refer to a single-source-of-truth for the certificate store whilst retaining their non-root and non-privileged nature.

---
 ansible/roles/certbot/tasks/main.yml | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)
(limited to 'ansible')

diff --git a/ansible/roles/certbot/tasks/main.yml b/ansible/roles/certbot/tasks/main.yml
index c060db7..fb03baa 100644
--- a/ansible/roles/certbot/tasks/main.yml
+++ b/ansible/roles/certbot/tasks/main.yml
@@ -22,14 +22,25 @@
 - role::certbot
 
 
+- name: Create cert-users group
+ group:
+ name: cert-users
+ state: present
+ tags:
+ - role::certbot
+
+
 - name: Create certificate directories on hosts
 file:
- path: /etc/letsencrypt/live
+ path: '{{ item }}'
 recurse: true
 state: directory
 owner: root
- group: root
- mode: "0700"
+ group: cert-users
+ mode: "0750" # User rwx, Group rx
+ with_items:
+ - /etc/letsencrypt/live
+ - /etc/letsencrypt/archive
 tags:
 - role::certbot
 
@@ -49,3 +60,15 @@
 - "{{ certbot_domains[inventory_hostname] }}"
 tags:
 - role::certbot
+
+
+- name: Add authorized users to cert-users group
+ user:
+ name: '{{ item }}'
+ groups: cert-users
+ append: true
+ with_items:
+ - "{{ certbot_cert_users[inventory_hostname] }}"
+ when: "inventory_hostname in certbot_cert_users"
+ tags:
+ - role::certbot
-- 
cgit v1.2.3
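Review bot: The numeric `mode: "0750"` combined with `recurse: true` is applied to every regular file under /etc/letsencrypt/archive as well as to the directories, so the private-key files there end up group-readable and executable rather than just readable, and the same mode is pushed onto everything the loop reaches. A symbolic mode limits the search bit to directories while keeping the intended root rwx / group r for files: `mode: "u=rwX,g=rX,o="`. Note also that this only fixes up what exists at playbook time; files certbot writes on a later renewal presumably keep certbot's own permissions until the role runs again, which is worth a comment on the task (`# Re-run after renewals: new archive files are not re-permissioned automatically`). Minor style point: yamllint expects at least two spaces before the inline `# User rwx, Group rx` comment.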
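Review bot: The `with_items` expression `certbot_cert_users[inventory_hostname]` is evaluated before the `when` clause is applied to each item, so on a host that is absent from `certbot_cert_users` the task fails on an undefined lookup instead of being skipped; guard the loop itself with `with_items: "{{ certbot_cert_users[inventory_hostname] | default([]) }}"` (the `when` can then be dropped). Because the task uses `append: true` and has no counterpart that removes members, deleting a user from `certbot_cert_users` does not revoke that user's membership and therefore does not revoke read access to the keys the first hunk makes group-readable; a comment such as `# Additive only: removing a user from certbot_cert_users does not remove them from cert-users` should sit on the task until a removal step exists. Consider `loop:` over `with_items:` here as well, since the single list-valued item relies on with_items' implicit flattening.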