9 years ago · 8f1b6a9ed8
--- a/roles/common/DESIGN.md
+++ b/roles/common/DESIGN.md
@@ -14,7 +14,7 @@ Several packages need access to the private key. Not all are run as root. Exampl
 
				
				 
			
 
				
				 Certificates and private keys are backed up using tarsnap.
			
 
				
				 
			
 
				
				-Certificate renewal is done automatically using cron. The cron script must be aware of private key copies and update them as well. Services that depend on new keys must also be bounced. It is up to roles that rely on keys to modify the cron script (preferably using `linein` or similar games) to accomplish this.
			
 
				
				+Certificate renewal is done automatically using cron. The cron script must be aware of private key copies and update them as well. Services that depend on new keys must also be bounced. It is up to roles that rely on keys to modify the cron script (preferably using `lineinfile` or something similar) to accomplish this.
			
 
				
				 
			
 
				
				 ### Alternative approaches
			
 
				
				 
			
--- a/roles/common/files/etc_cron-monthly_letsencrypt-renew
+++ b/roles/common/files/etc_cron-monthly_letsencrypt-renew
@@ -16,3 +16,8 @@ for c in `ls /etc/letsencrypt/live`; do
 
				
				   /root/letsencrypt/letsencrypt-auto --renew certonly -c /etc/letsencrypt/cli.conf --domains=$domains
			
 
				
				 done
			
 
				
				 service apache2 start
			
 
				
				+
			
 
				
				+# Services that rely on LE certificates will need restarted.  In some cases
			
 
				
				+# their certificates are based on copies of the LE certs and will need
			
 
				
				+# regenerated as well.
			
 
				
				+
			
--- a/roles/ircbouncer/tasks/znc.yml
+++ b/roles/ircbouncer/tasks/znc.yml
@@ -24,6 +24,11 @@
 
				
				     creates=/usr/lib/znc/znc.pem
			
 
				
				   notify: restart znc
			
 
				
				 
			
 
				
				+- name: Update certificate renwal cron job
			
 
				
				+  lineinfile: dest=/etc/cron.monthly/letsencrypt-renew state=present
			
 
				
				+    line="cat /etc/letsencrypt/live/{{ domain }}/{privkey,fullchain}.pem > /var/lib/znc/znc.pem; chown znc.znc /var/lib/znc/znc.pem; chmod 640 /var/lib/znc/znc.pem; service znc restart"
			
 
				
				+    insertafter="EOF"
			
 
				
				+
			
 
				
				 - name: Ensure znc user and group can read cert
			
 
				
				   file: path=/usr/lib/znc/znc.pem group=znc owner=znc mode=640
			
 
				
				   notify: restart znc
			
--- a/roles/mailserver/tasks/dovecot.yml
+++ b/roles/mailserver/tasks/dovecot.yml
@@ -64,3 +64,8 @@
 
				
				     - imaps
			
 
				
				     - pop3s
			
 
				
				   tags: ufw
			
 
				
				+
			
 
				
				+- name: Update certificate renwal cron job
			
 
				
				+  lineinfile: dest=/etc/cron.monthly/letsencrypt-renew state=present
			
 
				
				+    line="service dovecot restart"
			
 
				
				+    insertafter="EOF"
			
--- a/roles/xmpp/tasks/prosody.yml
+++ b/roles/xmpp/tasks/prosody.yml
@@ -35,6 +35,11 @@
 
				
				     - privkey.pem
			
 
				
				     - cert.pem
			
 
				
				 
			
 
				
				+- name: Update certificate renewal cron job
			
 
				
				+  lineinfile: dest=/etc/cron.monthly/letsencrypt-renew state=present
			
 
				
				+    line="cp /etc/letsencrypt/live/{{ domain }}/{privkey,cert}.pem /etc/prosody/certs; chown root.prosody /etc/prosody/certs/{privkey,cert}.pem; chmod 640 /etc/prosody/certs/{privkey,cert}.pem; service prosody restart"
			
 
				
				+    insertafter="EOF"
			
 
				
				+
			
 
				
				 - name: Create Prosody accounts
			
 
				
				   command: prosodyctl register {{ item.name }} {{ prosody_virtual_domain }} "{{ item.password }}"
			
 
				
				   with_items: prosody_accounts