ssl: saner common setup

* give a home to ssl-keys users * set the home in a variable (default /etc/ssl) * use the ssl-cert group (already existing in all debians) * get rid of that cron.sh script * put the certs in {{ ssl_home }}/localcerts Signed-off-by: Mattia Rizzolo <mattia@debian.org>

ssl: saner common setup
* give a home to ssl-keys users * set the home in a variable (default /etc/ssl) * use the ssl-cert group (already existing in all debians) * get rid of that cron.sh script * put the certs in {{ ssl_home }}/localcerts Signed-off-by: Mattia Rizzolo <mattia@debian.org>
d10b7d30 · Mattia Rizzolo · d3a36a00 · d10b7d30 · d10b7d30
Commit d10b7d30 authored Mar 14, 2018 by Mattia Rizzolo
Show whitespace changes
Inline Side-by-side

Showing with 22 additions and 45 deletions

roles/ssl-keys/defaults/main.yml roles/ssl-keys/defaults/main.yml +1 -0

roles/ssl-keys/tasks/common.yml roles/ssl-keys/tasks/common.yml +21 -45

No files found.
--- a/roles/ssl-keys/defaults/main.yml
+++ b/roles/ssl-keys/defaults/main.yml
 ---
 letsencrypt_email: false
+ssl_home: /etc/ssl
--- a/roles/ssl-keys/tasks/common.yml
+++ b/roles/ssl-keys/tasks/common.yml
@@ -3,65 +3,41 @@
 - name: Create the ssl-keys user
  user:
    name: ssl-keys
-    state: present
+    comment: User handling this server SSL keys
+    createhome: yes
-    createhome: no
+    home: "{{ ssl_home }}"
-    groups: ssl-keys-read
+    shell: /bin/false
+    generate_ssh_key: no
+    group: ssl-cert
    system: yes
+- name: Make sure of ssl_home permissions
- name: Create the /etc/ssl-keys directory
  file:
-    path: /etc/ssl-keys
+    path: "{{ ssl_home }}"
    state: directory
+    mode: 0755
-    mode: 0550
    owner: root
-    group: ssl-keys-read
+    group: ssl-cert
+- name: Create the ssl_home/hooks directory
- name: Create the /etc/ssl-keys/hooks directory
  file:
-    path: /etc/ssl-keys/hooks
+    path: "{{ ssl_home }}/hooks"
    state: directory
+    mode: 0755
-    mode: 0550
    owner: root
    group: ssl-keys
+- name: Create the ssl_home/localcerts directory
- name: Create the /etc/ssl-keys/certs directory
  file:
-    path: /etc/ssl-keys/certs
+    path: "{{ ssl_home }}/localcerts"
    state: directory
+    mode: 0740
-    # This directory has the setgid bit to assign the ssl-read-keys group to
-    # newly-created files
-    mode: 02750
    owner: ssl-keys
-    group: ssl-keys-read
+    group: ssl-cert
- name: Ensure the /etc/ssl-keys/domains file exists
-  command: touch /etc/ssl-keys/domains
-  args:
-    creates: /etc/ssl-keys/domains
+- name: Ensure the ssl_home/domains file exists
- name: Set permissions on the /etc/ssl-keys/domains file
  file:
-    path: /etc/ssl-keys/domains
+    dest: "{{ ssl_home }}/domains"
+    force: no
-    mode: 0440
-    owner: root
-    group: ssl-keys
- name: Upload the cron.sh script
-  template:
-    src: cron.sh
-    dest: /etc/ssl-keys/cron.sh
-    mode: 0750
    owner: root
-    group: ssl-keys
+    group: ssl-cert