chore(lego): bash improvements in lego_run.sh

feat(lego): Ensure certificates have correct mode and owner
feat(lego): Add cap_net_bind capabilities to systemd unit
2024-09-12 08:22:30 +02:00 · 2024-09-11 17:47:49 +02:00 · 2024-09-09 13:14:35 +02:00
3 changed files with 14 additions and 2 deletions
--- a/roles/lego/defaults/main.yml
+++ b/roles/lego/defaults/main.yml
@ -5,6 +5,7 @@ lego_instance: default
 lego_base_path: "/opt/lego"
 lego_cert_user: "acme-{{ lego_instance }}"
 lego_cert_group: "{{ lego_cert_user }}"
 lego_cert_mode: "0640" # rw-r-----
 lego_systemd_user: "acme-%i"
 lego_systemd_group: "{{ lego_systemd_user }}"
 lego_instance_base_path: "{{ lego_base_path }}/instances"
@ -24,6 +25,7 @@ lego_acme_server_url: "{{ lego_letsencrypt_server_urls.qa }}"
 lego_base_environment:
  LEGO_CERT_USER: "{{ lego_cert_user }}"
  LEGO_CERT_GROUP: "{{ lego_cert_group }}"
  LEGO_CERT_MODE: "{{ lego_cert_mode }}"
  LEGO_CERT_STORE_PATH: "{{ lego_instance_path }}"
  LEGO_CERT_DAYS_TO_RENEW: "{{ lego_cert_days_to_renew }}"
  LEGO_KEY_TYPE: "{{ lego_cert_key_type }}"
--- a/roles/lego/files/lego_run.sh
+++ b/roles/lego/files/lego_run.sh
@ -1,8 +1,14 @@
 #!/usr/bin/env bash
 set -euo pipefail
 LEGO_BINARY=$(/usr/bin/env which lego)
 if [[ -n "$LEGO_HTTP_FALLBACK_PORT" ]]; then
  if ! nc_binary="$(type -p \"nc\")" || [[ -z $nc_binary ]]; then
    echo "nc not found (in PATH), exiting"
    exit 1
  fi
  nc -z 127.0.0.1 $LEGO_HTTP_PORT;
  if [[ $? -eq 0 ]]; then
      LEGO_HTTP_PORT=$LEGO_HTTP_FALLBACK_PORT
@ -11,9 +17,12 @@ fi
 LEGO_COMMAND_ARGS_EXPANDED=$(bash -c "echo $LEGO_COMMAND_ARGS") # This is a bit icky
-FILES_IN_DIR=$(find "$LEGO_CERT_STORE_PATH/certificates" | wc -l)
+FILES_IN_DIR=$(find "$LEGO_CERT_STORE_PATH/certificates" -type f | wc -l)
 if [[ $FILES_IN_DIR -gt 2 ]]; then
        $LEGO_BINARY $LEGO_COMMAND_ARGS_EXPANDED renew --days=$LEGO_CERT_DAYS_TO_RENEW
 else
        $LEGO_BINARY $LEGO_COMMAND_ARGS_EXPANDED run
-fi
+fi
 find "$LEGO_CERT_STORE_PATH/certificates/" -type f | xargs -I{} -n 1 chmod "$LEGO_CERT_MODE" "{}"
 find "$LEGO_CERT_STORE_PATH/certificates/" -type f | xargs -I{} -n 1 chown "${LEGO_CERT_USER}:${LEGO_CERT_GROUP}" "{}"
--- a/roles/lego/templates/lego@.service.j2
+++ b/roles/lego/templates/lego@.service.j2
@ -7,6 +7,7 @@ EnvironmentFile={{ lego_base_path }}/%i.conf
 User={{ lego_systemd_user }}
 Group={{ lego_systemd_group }}
 ExecStart={{ lego_base_path }}/run.sh
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 [Install]
 WantedBy=basic.target
Author	SHA1	Message	Date
Johanna Dorothea Reichmann	6b513531a3	chore(lego): bash improvements in lego_run.sh	2024-09-12 08:22:30 +02:00
Jadyn Emma Jäger	967ebab4c1	feat(lego): Ensure certificates have correct mode and owner	2024-09-11 17:47:49 +02:00
Jadyn Emma Jäger	5f4fbd492c	feat(lego): Add cap_net_bind capabilities to systemd unit	2024-09-09 13:14:35 +02:00