feat(lego): allow setting capabilites on lego binary for net_bind_service
parent
8941b9357a
commit
2aaa529585
@ -40,3 +40,7 @@ By default, the lego distribution for `linux` on `amd64` is downloaded. If your
|
|||||||
### User management
|
### User management
|
||||||
|
|
||||||
The role will attempt to create user+group for each seperate lego instance for data isolation (i.e. to avoid leaking a TSIG key from one lego instance to other services). The user and group are of the form `acme-{{ lego_instance }}`. Beware that changing this in `lego_cert_{user,group}` also requires `lego_systemd_{user,group}` to be adjusted!
|
The role will attempt to create user+group for each seperate lego instance for data isolation (i.e. to avoid leaking a TSIG key from one lego instance to other services). The user and group are of the form `acme-{{ lego_instance }}`. Beware that changing this in `lego_cert_{user,group}` also requires `lego_systemd_{user,group}` to be adjusted!
|
||||||
|
|
||||||
|
### Binding to ports < 1024 (HTTP-01 challenge)
|
||||||
|
|
||||||
|
Set `lego_binary_allow_net_bind_service: true` to allow the lego binary to bind to ports in the 'privileged' (< 1024) port range.
|
||||||
|
@ -58,6 +58,7 @@ lego_systemd_timer_calendar: "*-*-* *:00/15:00"
|
|||||||
|
|
||||||
lego_architecture: "amd64"
|
lego_architecture: "amd64"
|
||||||
lego_os: "linux"
|
lego_os: "linux"
|
||||||
|
lego_binary_allow_net_bind_service: false
|
||||||
|
|
||||||
lego_release_archive_server: "https://github.com"
|
lego_release_archive_server: "https://github.com"
|
||||||
lego_release_archive_filename: >-
|
lego_release_archive_filename: >-
|
||||||
|
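Review bot: `lego_binary_allow_net_bind_service: false` is added without a comment, and because enabling it changes the privileges of an installed binary rather than a plain download setting, a reader of the defaults file should not have to open the README to learn what it does. A one-line comment above the key would do: `# true: grant cap_net_bind_service to the installed lego binary so it can bind ports below 1024 (HTTP-01 challenge)`. Defaulting to `false` is the right choice here.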
@ -63,6 +63,13 @@
|
|||||||
remote_src: true
|
remote_src: true
|
||||||
when: lego_binary_info.rc != 0
|
when: lego_binary_info.rc != 0
|
||||||
|
|
||||||
|
- name: Ensure lego is allowed to bind to ports < 1024
|
||||||
|
community.general.capabilities:
|
||||||
|
path: "/usr/local/bin/lego"
|
||||||
|
capability: "cap_net_bind_service+ep"
|
||||||
|
state: present
|
||||||
|
when: lego_binary_allow_net_bind_service
|
||||||
|
|
||||||
- name: Ensure intermediate data is gone
|
- name: Ensure intermediate data is gone
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: "{{ item }}"
|
path: "{{ item }}"
|
||||||
|
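Review bot: The capability is only ever added; once `lego_binary_allow_net_bind_service` is set back to `false` the task is skipped and `cap_net_bind_service+ep` stays on `/usr/local/bin/lego`, so the role no longer converges to the declared state. Dropping the `when:` and deriving the state from the flag fixes that: `state: "{{ 'present' if lego_binary_allow_net_bind_service else 'absent' }}"`. A file capability is also granted to every user able to execute the binary, not only the per-instance `acme-*` users the README isolates; if the runs are driven by systemd units (the `lego_systemd_*` variables suggest so), `AmbientCapabilities=CAP_NET_BIND_SERVICE` in the unit would scope the grant to the service, and the task deserves a comment stating which of the two was chosen and why. This is the first use of `community.general` among the visible tasks, so the collection should be declared as a role requirement if it is not already.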