ssl: saner common setup

* give a home to ssl-keys users * set the home in a variable (default /etc/ssl) * use the ssl-cert group (already existing in all debians) * get rid of that cron.sh script * put the certs in {{ ssl_home }}/localcerts Signed-off-by: Mattia Rizzolo <mattia@debian.org>

ssl: saner common setup
* give a home to ssl-keys users * set the home in a variable (default /etc/ssl) * use the ssl-cert group (already existing in all debians) * get rid of that cron.sh script * put the certs in {{ ssl_home }}/localcerts Signed-off-by: Mattia Rizzolo <mattia@debian.org>
d10b7d30 · Mattia Rizzolo · d3a36a00 · d10b7d30 · d10b7d30
Commit d10b7d30 authored Mar 14, 2018 by Mattia Rizzolo
Hide whitespace changes
Inline Side-by-side

Showing with 22 additions and 45 deletions

roles/ssl-keys/defaults/main.yml roles/ssl-keys/defaults/main.yml +1 -0

roles/ssl-keys/tasks/common.yml roles/ssl-keys/tasks/common.yml +21 -45

No files found.
--- a/roles/ssl-keys/defaults/main.yml
+++ b/roles/ssl-keys/defaults/main.yml
 ---

 letsencrypt_email: false
+ssl_home: /etc/ssl
--- a/roles/ssl-keys/tasks/common.yml
+++ b/roles/ssl-keys/tasks/common.yml
@@ -3,65 +3,41 @@
 - name: Create the ssl-keys user
  user:
    name: ssl-keys
-    state: present
-
-    createhome: no
-    groups: ssl-keys-read
+    comment: User handling this server SSL keys
+    createhome: yes
+    home: "{{ ssl_home }}"
+    shell: /bin/false
+    generate_ssh_key: no
+    group: ssl-cert
    system: yes

-
- name: Create the /etc/ssl-keys directory
+- name: Make sure of ssl_home permissions
  file:
-    path: /etc/ssl-keys
+    path: "{{ ssl_home }}"
    state: directory
-
-    mode: 0550
+    mode: 0755
    owner: root
-    group: ssl-keys-read
+    group: ssl-cert

-
- name: Create the /etc/ssl-keys/hooks directory
+- name: Create the ssl_home/hooks directory
  file:
-    path: /etc/ssl-keys/hooks
+    path: "{{ ssl_home }}/hooks"
    state: directory
-
-    mode: 0550
+    mode: 0755
    owner: root
    group: ssl-keys

-
- name: Create the /etc/ssl-keys/certs directory
+- name: Create the ssl_home/localcerts directory
  file:
-    path: /etc/ssl-keys/certs
+    path: "{{ ssl_home }}/localcerts"
    state: directory
-
-    # This directory has the setgid bit to assign the ssl-read-keys group to
-    # newly-created files
-    mode: 02750
+    mode: 0740
    owner: ssl-keys
-    group: ssl-keys-read
-
-
- name: Ensure the /etc/ssl-keys/domains file exists
-  command: touch /etc/ssl-keys/domains
-  args:
-    creates: /etc/ssl-keys/domains
+    group: ssl-cert

-
- name: Set permissions on the /etc/ssl-keys/domains file
+- name: Ensure the ssl_home/domains file exists
  file:
-    path: /etc/ssl-keys/domains
-
-    mode: 0440
-    owner: root
-    group: ssl-keys
-
-
- name: Upload the cron.sh script
-  template:
-    src: cron.sh
-    dest: /etc/ssl-keys/cron.sh
-
-    mode: 0750
+    dest: "{{ ssl_home }}/domains"
+    force: no
    owner: root
-    group: ssl-keys
+    group: ssl-cert