feat(lego): allow setting capabilities on lego binary for net_bind_service

2024-08-01 19:42:36 +02:00
parent 8941b9357a
commit 2aaa529585
3 changed files with 12 additions and 0 deletions

@ -40,3 +40,7 @@ By default, the lego distribution for `linux` on `amd64` is downloaded. If your
### User management
The role will attempt to create user+group for each seperate lego instance for data isolation (i.e. to avoid leaking a TSIG key from one lego instance to other services). The user and group are of the form `acme-{{ lego_instance }}`. Beware that changing this in `lego_cert_{user,group}` also requires `lego_systemd_{user,group}` to be adjusted!
### Binding to ports < 1024 (HTTP-01 challenge)
Set `lego_binary_allow_net_bind_service: true` to allow the lego binary to bind to ports in the 'privileged' (< 1024) port range.
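
Review bot: the new "Binding to ports < 1024" section does not state the default of `lego_binary_allow_net_bind_service` or the scope of what it grants. Per the commit title the capability is set on the lego binary itself, so it applies to every `acme-{{ lego_instance }}` user that executes that binary, not only the instance answering HTTP-01; given that the "User management" section just above is about isolating instances from each other, please say this explicitly here and name the capability (`cap_net_bind_service`). File capabilities are also lost when the binary is replaced, so the section should mention whether the role re-applies them after a lego upgrade. A blank line between the "User management" paragraph and the new `###` heading would keep the README consistent.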