- name: ensure lego is installed
  # lego is the ACME client used further down to obtain the Samba TLS
  # certificate. It comes from the system package manager rather than a
  # downloaded release binary, so it is covered by the distro's package
  # signing and update process.
  package:
    name: golang-github-acme-lego
    state: present
  tags:
    - install

- name: ensure haproxy is configured for domain controllers
  # Renders the DC-specific haproxy fragment into conf.d. Root-owned and
  # world-readable ('0644' is the same bit pattern as u=rw,go=r), so the
  # template must not carry secrets.
  # NOTE(review): haproxy only reads conf.d fragments if its unit passes
  # the directory with -f; presumably the base haproxy setup does that.
  template:
    src: samba-dc.haproxy.cfg
    dest: /etc/haproxy/conf.d/40-samba-dc.cfg
    owner: root
    group: root
    mode: '0644'
  notify:
    - reload haproxy
  tags:
    - haproxy

- name: flush handlers
  # Run the pending "reload haproxy" now instead of at the end of the play,
  # so the new fragment is live before the firewall is opened and the ACME
  # HTTP-01 challenge below is attempted.
  meta: flush_handlers

- name: ensure acme/http port is allowed in firewall
  # 80/tcp is where the CA's HTTP-01 validation request arrives; 5000/tcp is
  # the port the cert task below tells lego's challenge listener to use.
  # NOTE(review): if samba-dc.haproxy.cfg forwards /.well-known/acme-challenge/
  # from :80 to :5000 on the local host, 5000/tcp does not need to be
  # reachable from outside and this could shrink to 80/tcp alone — confirm
  # against the haproxy template. With neither `permanent` nor `immediate`
  # set the module presumably changes the running config only; the notified
  # handler is what persists it.
  firewalld:
    port: '{{ acme_port }}'
    state: enabled
  loop:
    - 80/tcp
    - 5000/tcp
  loop_control:
    loop_var: acme_port
  when: host_uses_firewalld | default(true)
  notify:
    - save firewalld configuration
  tags:
    - firewalld

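- name: wait for dns records to propagate
  # Polls until this host's default IPv4 address is published in the A
  # records of both names the certificate will cover (the realm name and
  # the FQDN); otherwise the HTTP-01 validation would land on another DC
  # or nowhere. `command: 'true'` is only a no-op to hang until/retries on;
  # lookups always run on the controller, and no privilege is needed there.
  # wantlist=True turns each lookup into a list so the check is exact
  # membership — the default comma-joined string made `in` a substring test
  # (10.0.0.1 would "match" 10.0.0.10).
  # NOTE(review): this compares the host's own default IPv4; behind NAT the
  # public A record will never match and the task times out (15 x 60 s).
  delegate_to: localhost
  become: false
  command: 'true'
  until: >-
    ansible_default_ipv4.address in lookup("dig", krb5_realm | lower, wantlist=True) and
    ansible_default_ipv4.address in lookup("dig", ansible_fqdn, wantlist=True)
  delay: 60
  retries: 15
  changed_when: false
  tags:
    - wait-for-dns
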
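- name: ensure samba server certificate exists
  # Initial issuance only; renewals are done by the samba-cert-renew timer
  # installed below. `creates` makes this idempotent: once lego has written
  # the FQDN's certificate metadata the task is skipped.
  # argv form: each templated value (ACME server URL, e-mail, realm) is one
  # argument, instead of a free-form string that gets word-split — a value
  # with whitespace can no longer change the command line.
  # --accept-tos agrees to the CA's terms non-interactively.
  # --http.port ':5000' (no host part) listens on every interface; if the
  # haproxy fragment proxies the challenge path to this port locally,
  # '127.0.0.1:5000' would keep the listener off the network — confirm.
  # Account and certificate private keys land under --path; keep that
  # directory root-only.
  command:
    argv:
      - lego
      - --path
      - /var/lib/samba/.lego
      - --accept-tos
      - --server
      - '{{ samba_cert_acme_server }}'
      - --http
      - --http.port
      - ':5000'
      - --domains
      - '{{ ansible_fqdn }}'
      - --domains
      - '{{ krb5_realm | lower }}'
      - --email
      - '{{ samba_cert_acme_email }}'
      - run
    creates: /var/lib/samba/.lego/certificates/{{ ansible_fqdn }}.json
  notify:
    - restart samba
  tags:
    - cert
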
- name: ensure samba server certificate renewal service is installed
  # Unit that performs the renewal; it is triggered by the timer installed
  # next, so only a daemon reload is notified here, not a start. Unit file
  # is root-owned and world-readable ('0644' == u=rw,go=r) — any
  # credentials belong in the lego state directory, not in this unit.
  template:
    src: samba-cert-renew.service.j2
    dest: /etc/systemd/system/samba-cert-renew.service
    owner: root
    group: root
    mode: '0644'
  notify:
    - reload systemd
  tags:
    - systemd

- name: ensure samba server certificate renewal timer is installed
  # Timer that fires the renewal service. A changed schedule needs both a
  # daemon reload and a restart of the timer to take effect, hence the two
  # handlers. Same root-owned, world-readable mode as the service unit.
  template:
    src: samba-cert-renew.timer.j2
    dest: /etc/systemd/system/samba-cert-renew.timer
    owner: root
    group: root
    mode: '0644'
  notify:
    - reload systemd
    - restart samba-cert-renew.timer
  tags:
    - systemd

- name: flush handlers
  # Apply the pending daemon reload / timer restart before the state of the
  # timer is asserted below, so systemd already knows the new unit files.
  meta: flush_handlers

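- name: ensure samba-cert-renew timer is running and enabled at boot
  # One systemd call asserts both the running state and the boot-time
  # enablement of the timer, replacing two separate tasks for the same
  # unit. Without the timer the certificate obtained above would silently
  # expire, so this is the piece that keeps TLS on the DC valid.
  systemd:
    name: samba-cert-renew.timer
    state: started
    enabled: true
  tags:
    - service
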
- name: ensure samba certificate files are linked
  # Point the paths samba reads (presumably tls certfile/keyfile/cafile in
  # the smb.conf template, not visible here) at lego's output. `force`
  # replaces any pre-existing regular file at /etc/samba/<name>. Symlinks
  # carry no permissions of their own: the private key is exactly as
  # readable as lego's <fqdn>.key target, so that file's mode is what
  # protects it. ca.crt is deliberately linked to /dev/null (an empty CA
  # file); presumably to keep samba from using or generating its own CA —
  # confirm against the smb.conf template.
  file:
    path: /etc/samba/{{ cert_link.name }}
    src: '{{ cert_link.target }}'
    state: link
    force: true
  loop:
    - name: server.cer
      target: /var/lib/samba/.lego/certificates/{{ ansible_fqdn }}.crt
    - name: server.key
      target: /var/lib/samba/.lego/certificates/{{ ansible_fqdn }}.key
    - name: ca.crt
      target: /dev/null
  loop_control:
    loop_var: cert_link
  notify:
    - restart samba
  tags:
    - cert