feat(lego): allow setting capabilites on lego binary for net_bind_service

This commit is contained in:
transcaffeine 2024-08-01 19:42:36 +02:00
parent 8941b9357a
commit 2aaa529585
Signed by: transcaffeine
GPG Key ID: 03624C433676E465
3 changed files with 12 additions and 0 deletions


@ -40,3 +40,7 @@ By default, the lego distribution for `linux` on `amd64` is downloaded. If your
### User management ### User management
The role will attempt to create user+group for each seperate lego instance for data isolation (i.e. to avoid leaking a TSIG key from one lego instance to other services). The user and group are of the form `acme-{{ lego_instance }}`. Beware that changing this in `lego_cert_{user,group}` also requires `lego_systemd_{user,group}` to be adjusted! The role will attempt to create user+group for each seperate lego instance for data isolation (i.e. to avoid leaking a TSIG key from one lego instance to other services). The user and group are of the form `acme-{{ lego_instance }}`. Beware that changing this in `lego_cert_{user,group}` also requires `lego_systemd_{user,group}` to be adjusted!
### Binding to ports < 1024 (HTTP-01 challenge)
Set `lego_binary_allow_net_bind_service: true` to allow the lego binary to bind to ports in the 'privileged' (< 1024) port range.


@ -58,6 +58,7 @@ lego_systemd_timer_calendar: "*-*-* *:00/15:00"
lego_architecture: "amd64" lego_architecture: "amd64"
lego_os: "linux" lego_os: "linux"
lego_binary_allow_net_bind_service: false
lego_release_archive_server: "https://github.com" lego_release_archive_server: "https://github.com"
lego_release_archive_filename: >- lego_release_archive_filename: >-


@ -63,6 +63,13 @@
remote_src: true remote_src: true
when: lego_binary_info.rc != 0 when: lego_binary_info.rc != 0
- name: Ensure lego is allowed to bind to ports < 1024
community.general.capabilities:
path: "/usr/local/bin/lego"
capability: "cap_net_bind_service+ep"
state: present
when: lego_binary_allow_net_bind_service
- name: Ensure intermediate data is gone - name: Ensure intermediate data is gone
ansible.builtin.file: ansible.builtin.file:
path: "{{ item }}" path: "{{ item }}"
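Review bot: The capability is only ever granted, never revoked: with `when: lego_binary_allow_net_bind_service` the new task is skipped when the flag is false, so a host where it was once true keeps `cap_net_bind_service+ep` on `/usr/local/bin/lego` after the flag is switched off. Dropping the `when` and deriving the state from the flag makes the off setting enforced as well, e.g. `state: "{{ 'present' if lego_binary_allow_net_bind_service else 'absent' }}"`, at the cost of the module (and its getcap/setcap dependency on the host) running on every play, which may be why the conditional was chosen. If the role already has a variable for the install path, prefer it over the hard-coded `/usr/local/bin/lego` so the download and capability tasks cannot drift apart. Because the binary is shared by every per-instance `acme-*` user described in the README, the capability is effectively granted to all lego instances at once, which is worth a sentence in the new README section. The hunk appears to continue past the last visible line (the `ansible.builtin.file` task's remaining keys are not shown).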