From 5f4fbd492ced71e1315f95c86452ca29d0d7178c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jadyn=20Emma=20J=C3=A4ger?=
Date: Mon, 9 Sep 2024 13:14:35 +0200
Subject: [PATCH 1/2] feat(lego): Add cap_net_bind capabilities to systemd unit

---
 roles/lego/templates/lego@.service.j2 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/roles/lego/templates/lego@.service.j2 b/roles/lego/templates/lego@.service.j2
index de941cd..5b2a44c 100644
--- a/roles/lego/templates/lego@.service.j2
+++ b/roles/lego/templates/lego@.service.j2
@@ -7,6 +7,7 @@ EnvironmentFile={{ lego_base_path }}/%i.conf
 User={{ lego_systemd_user }}
 Group={{ lego_systemd_group }}
 ExecStart={{ lego_base_path }}/run.sh
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 
 [Install]
 WantedBy=basic.target
-- 
2.45.2

From 967ebab4c1eff97777ab22712dd47d0b157681c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jadyn=20Emma=20J=C3=A4ger?=
Date: Wed, 11 Sep 2024 17:47:49 +0200
Subject: [PATCH 2/2] feat(lego): Ensure certificates have correct mode and owner

---
 roles/lego/defaults/main.yml | 2 ++
 roles/lego/files/lego_run.sh | 5 ++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/roles/lego/defaults/main.yml b/roles/lego/defaults/main.yml
index 1363714..6127e6f 100644
--- a/roles/lego/defaults/main.yml
+++ b/roles/lego/defaults/main.yml
@@ -5,6 +5,7 @@ lego_instance: default
 lego_base_path: "/opt/lego"
 lego_cert_user: "acme-{{ lego_instance }}"
 lego_cert_group: "{{ lego_cert_user }}"
+lego_cert_mode: "0640" # rw-r-----
 lego_systemd_user: "acme-%i"
 lego_systemd_group: "{{ lego_systemd_user }}"
 lego_instance_base_path: "{{ lego_base_path }}/instances"
@@ -24,6 +25,7 @@ lego_acme_server_url: "{{ lego_letsencrypt_server_urls.qa }}"
 lego_base_environment:
   LEGO_CERT_USER: "{{ lego_cert_user }}"
   LEGO_CERT_GROUP: "{{ lego_cert_group }}"
+  LEGO_CERT_MODE: "{{ lego_cert_mode }}"
   LEGO_CERT_STORE_PATH: "{{ lego_instance_path }}"
   LEGO_CERT_DAYS_TO_RENEW: "{{ lego_cert_days_to_renew }}"
   LEGO_KEY_TYPE: "{{ lego_cert_key_type }}"
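Review bot: The new AmbientCapabilities line grants CAP_NET_BIND_SERVICE to run.sh and to every process it execs, while no CapabilityBoundingSet= appears in the visible context, so the unit's bounding set presumably still holds the full default set; pair the line with `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` so the service is limited to the one capability it needs. A comment above the line stating why the capability is required (presumably a challenge listener on a privileged port — confirm against the role's challenge configuration) would keep the grant from being retained silently if the challenge type is later changed. The unit's earlier lines are outside the hunk.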
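Review bot: The inline comment on the new lego_cert_mode line has a single space before `#`, which yamllint's comments rule rejects; write `lego_cert_mode: "0640"  # rw-r-----`. Since lego_run.sh in the same series applies this mode to every file in the certificates directory, the private key included, the comment should say so, e.g. `# applied to every file in certificates/, private key included`, so an operator loosening the mode knows what it covers. The second hunk of this file only threads the value through lego_base_environment and needs nothing further.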
diff --git a/roles/lego/files/lego_run.sh b/roles/lego/files/lego_run.sh
index e7228aa..b0e21a1 100644
--- a/roles/lego/files/lego_run.sh
+++ b/roles/lego/files/lego_run.sh
@@ -16,4 +16,7 @@ if [[ $FILES_IN_DIR -gt 2 ]]; then
     $LEGO_BINARY $LEGO_COMMAND_ARGS_EXPANDED renew --days=$LEGO_CERT_DAYS_TO_RENEW
 else
     $LEGO_BINARY $LEGO_COMMAND_ARGS_EXPANDED run
-fi
\ No newline at end of file
+fi
+
+ls "$LEGO_CERT_STORE_PATH/certificates" | xargs -I{} -n 1 chmod "$LEGO_CERT_MODE" "$LEGO_CERT_STORE_PATH/certificates/{}"
+ls "$LEGO_CERT_STORE_PATH/certificates" | xargs -I{} -n 1 chown "$LEGO_CERT_USER":"$LEGO_CERT_GROUP" "$LEGO_CERT_STORE_PATH/certificates/{}"
-- 
2.45.2
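Review bot: The two added lines parse `ls` output through xargs, which splits on whitespace and cannot represent a name containing a newline, and `-n 1` is redundant with `-I{}`; a glob over the directory handles any filename and drops the pipeline. Separately, changing a file's owner requires CAP_CHOWN, which the unit does not grant (the first patch adds only CAP_NET_BIND_SERVICE and the unit runs as lego_systemd_user), so the chown line only succeeds when lego_cert_user resolves to the running user — if that is the intended invariant, state it in a comment; otherwise the failure goes unnoticed here, since the script continues after xargs returns non-zero and no `set -e` is visible. Both lines also run after a failed lego invocation; the if/else they follow starts before the hunk.
```shell
# … unchanged: lego run/renew branch …
fi

cert_dir="$LEGO_CERT_STORE_PATH/certificates"
# Every file lego wrote to the store, private key included, gets the
# configured mode and owner; a glob handles names ls|xargs would mangle.
for cert_file in "$cert_dir"/*; do
    [ -f "$cert_file" ] || continue
    chmod "$LEGO_CERT_MODE" "$cert_file"
    chown "$LEGO_CERT_USER:$LEGO_CERT_GROUP" "$cert_file"
done
```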