9 lat temu · 8f1b6a9ed8
--- a/roles/common/DESIGN.md
+++ b/roles/common/DESIGN.md
 
															
															 Certificates and private keys are backed up using tarsnap.
														
 
															
															-Certificate renewal is done automatically using cron. The cron script must be aware of private key copies and update them as well. Services that depend on new keys must also be bounced. It is up to roles that rely on keys to modify the cron script (preferably using `linein` or similar games) to accomplish this.
														
 
															
															+Certificate renewal is done automatically using cron. The cron script must be aware of private key copies and update them as well. Services that depend on new keys must also be bounced. It is up to roles that rely on keys to modify the cron script (preferably using `lineinfile` or something similar) to accomplish this.
														
 
															
															 ### Alternative approaches
														
--- a/roles/common/files/etc_cron-monthly_letsencrypt-renew
+++ b/roles/common/files/etc_cron-monthly_letsencrypt-renew
 
															
															   /root/letsencrypt/letsencrypt-auto --renew certonly -c /etc/letsencrypt/cli.conf --domains=$domains
														
 
															
															 done
														
 
															
															 service apache2 start
														
 
															
															+
														
 
															
															+# Services that rely on LE certificates will need restarted.  In some cases
														
 
															
															+# their certificates are based on copies of the LE certs and will need
														
 
															
															+# regenerated as well.
														
 
															
															+
														
--- a/roles/ircbouncer/tasks/znc.yml
+++ b/roles/ircbouncer/tasks/znc.yml
 
															
															     creates=/usr/lib/znc/znc.pem
														
 
															
															   notify: restart znc
														
 
															
															+- name: Update certificate renwal cron job
														
 
															
															+  lineinfile: dest=/etc/cron.monthly/letsencrypt-renew state=present
														
 
															
															+    line="cat /etc/letsencrypt/live/{{ domain }}/{privkey,fullchain}.pem > /var/lib/znc/znc.pem; chown znc.znc /var/lib/znc/znc.pem; chmod 640 /var/lib/znc/znc.pem; service znc restart"
														
 
															
															+    insertafter="EOF"
														
 
															
															+
														
 
															
															 - name: Ensure znc user and group can read cert
														
 
															
															   file: path=/usr/lib/znc/znc.pem group=znc owner=znc mode=640
														
 
															
															   notify: restart znc
														
--- a/roles/mailserver/tasks/dovecot.yml
+++ b/roles/mailserver/tasks/dovecot.yml
 
															
															     - imaps
														
 
															
															     - pop3s
														
 
															
															   tags: ufw
														
 
															
															+
														
 
															
															+- name: Update certificate renwal cron job
														
 
															
															+  lineinfile: dest=/etc/cron.monthly/letsencrypt-renew state=present
														
 
															
															+    line="service dovecot restart"
														
 
															
															+    insertafter="EOF"
														
--- a/roles/xmpp/tasks/prosody.yml
+++ b/roles/xmpp/tasks/prosody.yml
 
															
															     - privkey.pem
														
 
															
															     - cert.pem
														
 
															
															+- name: Update certificate renewal cron job
														
 
															
															+  lineinfile: dest=/etc/cron.monthly/letsencrypt-renew state=present
														
 
															
															+    line="cp /etc/letsencrypt/live/{{ domain }}/{privkey,cert}.pem /etc/prosody/certs; chown root.prosody /etc/prosody/certs/{privkey,cert}.pem; chmod 640 /etc/prosody/certs/{privkey,cert}.pem; service prosody restart"
														
 
															
															+    insertafter="EOF"
														
 
															
															+
														
 
															
															 - name: Create Prosody accounts
														
 
															
															   command: prosodyctl register {{ item.name }} {{ prosody_virtual_domain }} "{{ item.password }}"
														
 
															
															   with_items: prosody_accounts