feat(lego): allow setting capabilites on lego binary for net_bind_service

2024-08-01 19:42:36 +02:00 · 2024-08-01 19:42:36 +02:00 · 2aaa529585
commit 2aaa529585
parent 8941b9357a
3 changed files with 12 additions and 0 deletions
--- a/roles/lego/README.md
+++ b/roles/lego/README.md
@ -40,3 +40,7 @@ By default, the lego distribution for `linux` on `amd64` is downloaded. If your
 ### User management

 The role will attempt to create user+group for each seperate lego instance for data isolation (i.e. to avoid leaking a TSIG key from one lego instance to other services). The user and group are of the form `acme-{{ lego_instance }}`. Beware that changing this in `lego_cert_{user,group}` also requires `lego_systemd_{user,group}` to be adjusted!
+
+### Binding to ports < 1024 (HTTP-01 challenge)
+
+Set `lego_binary_allow_net_bind_service: true` to allow the lego binary to bind to ports in the 'privileged' (< 1024) port range.
--- a/roles/lego/defaults/main.yml
+++ b/roles/lego/defaults/main.yml
@ -58,6 +58,7 @@ lego_systemd_timer_calendar: "*-*-* *:00/15:00"

 lego_architecture: "amd64"
 lego_os: "linux"
+lego_binary_allow_net_bind_service: false

 lego_release_archive_server: "https://github.com"
 lego_release_archive_filename: >-
--- a/roles/lego/tasks/main.yml
+++ b/roles/lego/tasks/main.yml
@ -63,6 +63,13 @@
        remote_src: true
      when: lego_binary_info.rc != 0

+    - name: Ensure lego is allowed to bind to ports < 1024
+      community.general.capabilities:
+        path: "/usr/local/bin/lego"
+        capability: "cap_net_bind_service+ep"
+        state: present
+      when: lego_binary_allow_net_bind_service
+
    - name: Ensure intermediate data is gone
      ansible.builtin.file:
        path: "{{ item }}"