From f7203ee4e32eafb2abb40d1b23f010b4d5b828c0 Mon Sep 17 00:00:00 2001
From: David Galloway
Date: Tue, 20 Jun 2017 09:44:41 -0400
Subject: [PATCH] public_facing: Create separate task yml for letsencrypt/nginx/ipv6 hosts

Signed-off-by: David Galloway
---
 .../public_facing/tasks/download.ceph.com.yml | 28 +------------------
 .../public_facing/tasks/letsencrypt_nginx.yml | 28 +++++++++++++++++++
 roles/public_facing/tasks/www.ceph.com.yml | 18 ++----------
 3 files changed, 31 insertions(+), 43 deletions(-)
 create mode 100644 roles/public_facing/tasks/letsencrypt_nginx.yml

diff --git a/roles/public_facing/tasks/download.ceph.com.yml b/roles/public_facing/tasks/download.ceph.com.yml
index 632b31cc..e9b6b862 100644
--- a/roles/public_facing/tasks/download.ceph.com.yml
+++ b/roles/public_facing/tasks/download.ceph.com.yml
@@ -68,30 +68,4 @@
     minute: "0"
     job: "/usr/libexec/make_timestamp"
 
-- name: Cron entry for letsencrypt cert renewal
-  cron:
-    name: "Renew letsencrypt certificate"
-    minute: "0"
-    hour: "0"
-    day: "1,15"
-    job: "/usr/bin/letsencrypt renew >> /var/log/letsencrypt.log && service nginx reload"
-
-# Get letsencrypt authority server IPv4 address
-- local_action: shell dig -4 +short acme-v01.api.letsencrypt.org | tail -n 1
-  register: letsencrypt_ipv4_address
-
-# This task really only needs to be run the first time download.ceph.com is set up.
-# An entry matching *letsencrypt* in /etc/hosts is required for the cronjob in the next task however.
-- name: Create entry for letsencrypt authority server in /etc/hosts
-  lineinfile:
-    path: /etc/hosts
-    regexp: '(.*)letsencrypt(.*)'
-    line: '{{ letsencrypt_ipv4_address.stdout }} acme-v01.api.letsencrypt.org'
-    state: present
-
-# 'letsencrypt renew' fails because it can't reach the letsencrypt authority server using IPv6
-- name: Create cron entry to force IPv4 connectivity to letsencrypt authority server
-  cron:
-    name: "Forces letsencrypt to use IPv4 when accessing acme-v01.api.letsencrypt.org"
-    hour: "0"
-    job: "IP=$(dig -4 +short acme-v01.api.letsencrypt.org | tail -n 1) && sed -i \"s/.*letsencrypt.*/$IP\tacme-v01.api.letsencrypt.org/g\" /etc/hosts"
+- include: letsencrypt_nginx.yml
diff --git a/roles/public_facing/tasks/letsencrypt_nginx.yml b/roles/public_facing/tasks/letsencrypt_nginx.yml
new file mode 100644
index 00000000..992ff303
--- /dev/null
+++ b/roles/public_facing/tasks/letsencrypt_nginx.yml
@@ -0,0 +1,28 @@
+---
+- name: Cron entry for letsencrypt cert renewal
+  cron:
+    name: "Renew letsencrypt certificate"
+    minute: "0"
+    hour: "0"
+    day: "1,15"
+    job: "/usr/bin/letsencrypt renew >> /var/log/letsencrypt.log && service nginx reload"
+
+# Get letsencrypt authority server IPv4 address
+- local_action: shell dig -4 +short acme-v01.api.letsencrypt.org | tail -n 1
+  register: letsencrypt_ipv4_address
+
+# This task really only needs to be run the first time download.ceph.com is set up.
+# An entry matching *letsencrypt* in /etc/hosts is required for the cronjob in the next task however.
+- name: Create entry for letsencrypt authority server in /etc/hosts
+  lineinfile:
+    path: /etc/hosts
+    regexp: '(.*)letsencrypt(.*)'
+    line: '{{ letsencrypt_ipv4_address.stdout }} acme-v01.api.letsencrypt.org'
+    state: present
+
+# 'letsencrypt renew' fails because it can't reach the letsencrypt authority server using IPv6
+- name: Create cron entry to force IPv4 connectivity to letsencrypt authority server
+  cron:
+    name: "Forces letsencrypt to use IPv4 when accessing acme-v01.api.letsencrypt.org"
+    hour: "0"
+    job: "IP=$(dig -4 +short acme-v01.api.letsencrypt.org | tail -n 1) && sed -i \"s/.*letsencrypt.*/$IP\tacme-v01.api.letsencrypt.org/g\" /etc/hosts"
diff --git a/roles/public_facing/tasks/www.ceph.com.yml b/roles/public_facing/tasks/www.ceph.com.yml
index 26dfbe6a..f28e4200 100644
--- a/roles/public_facing/tasks/www.ceph.com.yml
+++ b/roles/public_facing/tasks/www.ceph.com.yml
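Review bot: The IPv4-refresh cron at the bottom of the new file sets `hour: "0"` but no `minute`, and Ansible's cron module defaults minute to `*`, so the `sed -i` rewrite of /etc/hosts runs every minute from 00:00 to 00:59 and its first run coincides with the renewal cron at 00:00; give it an explicit `minute: "0"` (or schedule it shortly before the renewal) as the renewal task above it already does. The job also has no guard against an empty lookup: when `dig` returns nothing the command substitution still exits 0 via `tail`, and sed replaces the entry with a bare `\tacme-v01.api.letsencrypt.org`, leaving a malformed hosts line and the renewal back on whatever DNS returns until the next successful run — `job: "IP=$(dig -4 +short acme-v01.api.letsencrypt.org | tail -n 1) && [ -n \"$IP\" ] && sed -i \"s/.*letsencrypt.*/$IP\tacme-v01.api.letsencrypt.org/g\" /etc/hosts"`. Both that sed expression and the `lineinfile` regexp `'(.*)letsencrypt(.*)'` match any line containing the word, so a comment in /etc/hosts that mentions letsencrypt would be overwritten; anchoring on the full hostname would presumably be safer without changing the intended entry. The comment `# This task really only needs to be run the first time download.ceph.com is set up.` is stale now that the file is shared with www.ceph.com; reword it to `# This task really only needs to be run the first time a host that includes this file is set up.`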
@@ -1,20 +1,4 @@
 ---
-- name: Cron entry for letsencrypt cert renewal
-  cron:
-    name: "Renew letsencrypt certificate"
-    minute: "0"
-    hour: "0"
-    day: "1,15"
-    job: "/usr/bin/letsencrypt renew >> /var/log/letsencrypt.log"
-
-- name: Cron entry for reloading nginx
-  cron:
-    name: "Reload nginx to keep SSL cert updated"
-    minute: "5"
-    hour: "0"
-    day: "1,15"
-    job: "/bin/systemctl reload nginx"
-
 # Wordpress has its own cron system that only runs queued jobs when the site
 # is visited. We want certain jobs to run regardless of page visits.
 # 5 minutes was used because that's the most frequent any job is queued.
@@ -24,3 +8,5 @@
     name: "Call wp-cron.php to run Wordpress cronjobs"
     minute: "*/5"
     job: "/usr/bin/wget -q -O - http://ceph.com/wp-cron.php?doing_wp_cron"
+
+- include: letsencrypt_nginx.yml
-- 
2.47.3
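Review bot: Dropping the `Cron entry for reloading nginx` task in the first hunk does not remove the crontab line named "Reload nginx to keep SSL cert updated" from hosts that were already provisioned; the cron module only deletes an entry when given `state: absent`, so those hosts keep an untracked 00:05 reload alongside the `&& service nginx reload` that letsencrypt_nginx.yml now chains into the renewal job. A one-off cleanup task, `- cron: { name: "Reload nginx to keep SSL cert updated", state: absent }`, placed before the include added in the second hunk would make the change converge on existing hosts. Note also that the renewal job here previously ran `/usr/bin/letsencrypt renew` alone and the reload is now conditional on it succeeding, which is presumably intended but is not mentioned in the commit message.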