authorLars Wirzenius <liw@liw.fi>2021-01-23 10:48:21 +0200
committerLars Wirzenius <liw@liw.fi>2021-01-23 11:48:06 +0200
commit705b909c6cb75916404efe756eee8f7c65794d55 (patch)
tree2318968ea1e168268c8a43192db6f1bf58efbbc1
parent093a15c354a71382212bfc2e4a564f81781755a8 (diff)
downloadobnam2-705b909c6cb75916404efe756eee8f7c65794d55.tar.gz
install: change Ansible playbook for server to support Let's Encrypt
The playbook now optionally gets a TLS certificate from Let's Encrypt, or it can use a pre-generated certificate as before.
-rw-r--r--ansible/files/server.yaml2
-rw-r--r--ansible/obnam-server.retry1
-rw-r--r--ansible/obnam-server.yml105
-rw-r--r--ansible/templates/server.yaml.j24
4 files changed, 86 insertions, 26 deletions
diff --git a/ansible/files/server.yaml b/ansible/files/server.yaml
index 0277b52..bbba77c 100644
--- a/ansible/files/server.yaml
+++ b/ansible/files/server.yaml
@@ -1,4 +1,4 @@
-address: 0.0.0.0:8888
+address: 0.0.0.0:443
chunks: /srv/obnam/chunks
tls_key: /etc/obnam/server.key
tls_cert: /etc/obnam/server.pem
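Review bot: Moving `address` to `0.0.0.0:443` puts the server on a privileged port, so the process needs either root or the bind capability to start. `obnam.service` is copied by the playbook but is not part of this diff, so it is worth confirming how it runs the server. If it can run unprivileged, a non-root `User=` together with `AmbientCapabilities=CAP_NET_BIND_SERVICE` in the unit keeps the backup server from holding full root just to bind the port.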
diff --git a/ansible/obnam-server.retry b/ansible/obnam-server.retry
deleted file mode 100644
index ef785e6..0000000
--- a/ansible/obnam-server.retry
+++ /dev/null
@@ -1 +0,0 @@
-obnam0
diff --git a/ansible/obnam-server.yml b/ansible/obnam-server.yml
index 110dcce..426ca74 100644
--- a/ansible/obnam-server.yml
+++ b/ansible/obnam-server.yml
@@ -1,39 +1,96 @@
-- hosts: obnam-server
+- hosts: server
remote_user: root
tasks:
- - file:
+ - name: add Obnam package repository to APT
+ apt_repository:
+ repo: "deb [trusted=yes] http://ci-prod-controller.vm.liw.fi/debian unstable-ci main"
+
+ - name: refresh APT package lists and upgrade all installed packages
+ apt:
+ update_cache: true
+ upgrade: true
+
+ - name: install packages for an Obnam server
+ apt:
+ name:
+ - obnam
+ - psmisc
+
+ - name: "install packages for Let's Encrypt TLS certificates"
+ apt:
+ name:
+ - apache2
+ - dehydrated
+ - dehydrated-apache2
+ when: domain is defined
+
+ - name: create Obnam configuration directory
+ file:
path: /etc/obnam
state: directory
- - file:
+
+ - name: create Obnam directory for chunk storage
+ file:
path: /srv/obnam/chunks
state: directory
- - filesystem:
- dev: "{{ chunkdev }}"
- fstype: ext4
- opts: -Lchunks
- - mount:
- src: LABEL=chunks
- path: /srv/obnam/chunks
- fstype: auto
- state: mounted
- - apt_repository:
- repo: "deb [trusted=yes] http://ci-prod-controller.vm.liw.fi/debian unstable-ci main"
- - apt:
- name: obnam
- - copy:
- src: obnam.service
- dest: /etc/systemd/system/obnam.service
- - copy:
+
+ - name: "install Obnam server configuration for provided TLS certifiactes"
+ copy:
src: "{{ item }}"
dest: "/etc/obnam/{{ item }}"
with_items:
- server.yaml
- server.key
- server.pem
- - systemd:
+ when: domain is not defined
+
+ - name: "install Obnam server configuration for Let's Encrypt TLS certifiactes"
+ template:
+ src: server.yaml.j2
+ dest: /etc/obnam/server.yaml
+ when: domain is defined
+
+ - name: install Obnam service file for systemd
+ copy:
+ src: obnam.service
+ dest: /etc/systemd/system/obnam.service
+
+ - name: configure domains for TLS certificates
+ copy:
+ content: |
+ {{ domain }}
+ dest: /etc/dehydrated/domains.txt
+ when: domain is defined
+
+ - name: stop Obnam service for getting TLS certificates
+ systemd:
+ daemon_reload: true
+ name: obnam
+ state: stopped
+ when: domain is defined
+
+ - name: start Apache server for getting TLS certificates
+ systemd:
+ name: apache2
+ state: started
+ when: domain is defined
+
+ - name: get TLS certificates
+ shell: |
+ dehydrated --register --accept-terms
+ dehydrated -c
+ when: domain is defined
+
+ - name: stop Apache server so Obnam server can be started again
+ systemd:
+ name: apache2
+ state: stopped
+ when: domain is defined
+
+ - name: start Obnam server
+ systemd:
name: obnam
- enabled: true
state: restarted
- daemon_reload: true
vars:
- chunkdev: /dev/vdb
+ tls_key_path: "/var/lib/dehydrated/certs/{{ domain }}/privkey.pem"
+ tls_cert_path: "/var/lib/dehydrated/certs/{{ domain }}/cert.pem"
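Review bot: The `apt_repository` task still adds the source as `deb [trusted=yes] http://…`, so APT skips signature verification for packages fetched over plain HTTP, and the new `upgrade: true` task then installs whatever that source offers, as root. Anything able to alter traffic between the server and the repository could substitute packages. Pin the source to its signing key and use HTTPS if the host serves it: `repo: "deb [signed-by=/usr/share/keyrings/<REPO-KEYRING-PLACEHOLDER>.gpg] https://ci-prod-controller.vm.liw.fi/debian unstable-ci main"`, preceded by a task that installs that keyring. Separately, the final `systemd` task drops `enabled: true`, and `daemon_reload: true` now sits only in the stop task guarded by `when: domain is defined`, so on the pre-generated-certificate path the unit file is not reloaded and the service is not enabled at boot.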
diff --git a/ansible/templates/server.yaml.j2 b/ansible/templates/server.yaml.j2
new file mode 100644
index 0000000..dc8b965
--- /dev/null
+++ b/ansible/templates/server.yaml.j2
@@ -0,0 +1,4 @@
+address: 0.0.0.0:443
+chunks: /srv/obnam/chunks
+tls_key: "{{ tls_key_path }}"
+tls_cert: "{{ tls_cert_path }}"
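Review bot: `tls_cert` is rendered from `tls_cert_path`, which the playbook's `vars` point at dehydrated's `cert.pem`, a file that holds only the leaf certificate without the intermediate. Unless the Obnam server adds the chain itself, clients that do not already have the Let's Encrypt intermediate will probably fail to validate the connection, which tends to push users towards turning verification off. dehydrated writes `fullchain.pem` in the same directory, so the playbook variable could be `tls_cert_path: "/var/lib/dehydrated/certs/{{ domain }}/fullchain.pem"`. A comment at the top of the template saying that both paths come from the playbook's `vars` and exist only when `domain` is defined would also help the next reader.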