chore(lego): bash improvements in lego_run.sh

roles/lego/README.md

@@ -40,3 +40,7 @@ By default, the lego distribution for `linux` on `amd64` is downloaded. If your
 ### User management
 
 The role will attempt to create user+group for each seperate lego instance for data isolation (i.e. to avoid leaking a TSIG key from one lego instance to other services). The user and group are of the form `acme-{{ lego_instance }}`. Beware that changing this in `lego_cert_{user,group}` also requires `lego_systemd_{user,group}` to be adjusted!
+
+### Binding to ports < 1024 (HTTP-01 challenge)
+
+Set `lego_binary_allow_net_bind_service: true` to allow the lego binary to bind to ports in the 'privileged' (< 1024) port range.

roles/lego/defaults/main.yml

@@ -5,6 +5,7 @@ lego_instance: default
 lego_base_path: "/opt/lego"
 lego_cert_user: "acme-{{ lego_instance }}"
 lego_cert_group: "{{ lego_cert_user }}"
+lego_cert_mode: "0640" # rw-r-----
 lego_systemd_user: "acme-%i"
 lego_systemd_group: "{{ lego_systemd_user }}"
 lego_instance_base_path: "{{ lego_base_path }}/instances"
@@ -24,6 +25,7 @@ lego_acme_server_url: "{{ lego_letsencrypt_server_urls.qa }}"
 lego_base_environment:
   LEGO_CERT_USER: "{{ lego_cert_user }}"
   LEGO_CERT_GROUP: "{{ lego_cert_group }}"
+  LEGO_CERT_MODE: "{{ lego_cert_mode }}"
   LEGO_CERT_STORE_PATH: "{{ lego_instance_path }}"
   LEGO_CERT_DAYS_TO_RENEW: "{{ lego_cert_days_to_renew }}"
   LEGO_KEY_TYPE: "{{ lego_cert_key_type }}"
@@ -58,6 +60,7 @@ lego_systemd_timer_calendar: "*-*-* *:00/15:00"
 
 lego_architecture: "amd64"
 lego_os: "linux"
+lego_binary_allow_net_bind_service: false
 
 lego_release_archive_server: "https://github.com"
 lego_release_archive_filename: >-

roles/lego/files/lego_run.sh

@@ -1,10 +1,28 @@
 #!/usr/bin/env bash
 
+set -euo pipefail
+
 LEGO_BINARY=$(/usr/bin/env which lego)
 
-FILES_IN_DIR=$(find "$LEGO_CERT_STORE_PATH/certificates" | wc -l)
-if [[ $FILES_IN_DIR -gt 2 ]]; then
-	$LEGO_BINARY $LEGO_COMMAND_ARGS renew --days=$LEGO_CERT_DAYS_TO_RENEW
-else
-	$LEGO_BINARY $LEGO_COMMAND_ARGS run
+if [[ -n "$LEGO_HTTP_FALLBACK_PORT" ]]; then
+  if ! nc_binary="$(type -p \"nc\")" || [[ -z $nc_binary ]]; then
+    echo "nc not found (in PATH), exiting"
+    exit 1
+  fi
+  nc -z 127.0.0.1 $LEGO_HTTP_PORT;
+  if [[ $? -eq 0 ]]; then
+      LEGO_HTTP_PORT=$LEGO_HTTP_FALLBACK_PORT
+  fi
 fi
+
+LEGO_COMMAND_ARGS_EXPANDED=$(bash -c "echo $LEGO_COMMAND_ARGS") # This is a bit icky
+
+FILES_IN_DIR=$(find "$LEGO_CERT_STORE_PATH/certificates" -type f | wc -l)
+if [[ $FILES_IN_DIR -gt 2 ]]; then
+        $LEGO_BINARY $LEGO_COMMAND_ARGS_EXPANDED renew --days=$LEGO_CERT_DAYS_TO_RENEW
+else
+        $LEGO_BINARY $LEGO_COMMAND_ARGS_EXPANDED run
+fi
+
+find "$LEGO_CERT_STORE_PATH/certificates/" -type f | xargs -I{} -n 1 chmod "$LEGO_CERT_MODE" "{}"
+find "$LEGO_CERT_STORE_PATH/certificates/" -type f | xargs -I{} -n 1 chown "${LEGO_CERT_USER}:${LEGO_CERT_GROUP}" "{}"

roles/lego/tasks/main.yml

@@ -63,6 +63,13 @@
         remote_src: true
       when: lego_binary_info.rc != 0
 
+    - name: Ensure lego is allowed to bind to ports < 1024
+      community.general.capabilities:
+        path: "/usr/local/bin/lego"
+        capability: "cap_net_bind_service+ep"
+        state: present
+      when: lego_binary_allow_net_bind_service
+
     - name: Ensure intermediate data is gone
       ansible.builtin.file:
         path: "{{ item }}"

roles/lego/templates/lego@.service.j2

@@ -7,6 +7,7 @@ EnvironmentFile={{ lego_base_path }}/%i.conf
 User={{ lego_systemd_user }}
 Group={{ lego_systemd_group }}
 ExecStart={{ lego_base_path }}/run.sh
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 
 [Install]
 WantedBy=basic.target