authorAaron LI <aly@aaronly.me>2019-09-22 10:56:27 +0800
committerAaron LI <aly@aaronly.me>2019-09-22 11:36:12 +0800
commit551a067e37b4aaf9dce260460ce50dc69360da9d (patch)
treea6de4aac24ed1cbe5d6ff1b1dd6cb8c2bd56830e /roles
parentad92886aa888b0e2c646dfe5b26ea0891b7d914f (diff)
downloadansible-dfly-vps-551a067e37b4aaf9dce260460ce50dc69360da9d.tar.bz2
znc: Update certificate deployment w.r.t. acme.sh
Diffstat (limited to 'roles')
-rw-r--r--roles/znc/tasks/main.yml21
-rw-r--r--roles/znc/templates/acme/znc.j234
-rw-r--r--roles/znc/templates/deploy_ssl.sh.j222
-rw-r--r--roles/znc/templates/znc.conf.j216
4 files changed, 43 insertions, 50 deletions
diff --git a/roles/znc/tasks/main.yml b/roles/znc/tasks/main.yml
index 93754ff..bf6ecb4 100644
--- a/roles/znc/tasks/main.yml
+++ b/roles/znc/tasks/main.yml
@@ -22,6 +22,15 @@
mode: 0600
notify: reload-znc
+- name: znc - generate SSL cert deploy script
+ template:
+ src: deploy_ssl.sh.j2
+ dest: "{{ znc.data_dir }}/deploy_ssl.sh"
+ mode: 0755
+
+- name: znc - deploy SSL cert
+ command: sh {{ znc.data_dir }}/deploy_ssl.sh
+
- name: znc - enable service
blockinfile:
path: /etc/rc.conf
@@ -31,10 +40,12 @@
znc_enable="YES"
- name: znc - start service
- command: rcstart znc
+ service:
+ name: znc
+ state: started
-- name: acme - generate deployment script
- template:
- src: acme/znc.j2
- dest: /usr/local/etc/acme/deploy.d/znc
+- name: acme - add znc to deploy
+ lineinfile:
+ path: "{{ web.acme_home }}/deploy.local.sh"
+ line: sh {{ znc.data_dir }}/deploy_ssl.sh
tags: acme
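Review bot: The new `znc - deploy SSL cert` task runs `sh {{ znc.data_dir }}/deploy_ssl.sh` unconditionally, so every play re-copies the key, SIGHUPs a running znc (per the deploy script's reload branch) even when nothing changed, and always reports changed. Guard it with `args: creates: "{{ znc.data_dir }}/ssl.crt"`, or make it a handler notified by the template task and by certificate renewals, so the copy and reload only happen when needed. The template task's `mode: 0755` should be the quoted string `mode: "0755"` so the leading-zero value is not subject to YAML octal interpretation. The lineinfile hook appends a plain `sh` invocation to `deploy.local.sh`; whether that script runs with enough privilege for the `chown znc:znc` inside deploy_ssl.sh is not visible here and is worth confirming.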
diff --git a/roles/znc/templates/acme/znc.j2 b/roles/znc/templates/acme/znc.j2
deleted file mode 100644
index 0be5dc0..0000000
--- a/roles/znc/templates/acme/znc.j2
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/bin/sh
-#
-# ACME deployment script
-#
-
-# NOTE:
-# ZNC supports SSLKeyFile and SSLDHParamFile since v1.7
-#
-#cp -v /usr/local/etc/ssl/acme/private/{{ network.domain }}.pem \
-# {{ znc.data_dir }}/znc.ssl.key
-#cp -v /usr/local/etc/ssl/acme/{{ network.domain }}/fullchain.pem \
-# {{ znc.data_dir }}/znc.ssl.crt
-#chown znc:znc {{ znc.data_dir }}/znc.ssl.key {{ znc.data_dir }}/znc.ssl.crt
-#chmod 0400 {{ znc.data_dir }}/znc.ssl.key {{ znc.data_dir }}/znc.ssl.crt
-
-# SSL: https://wiki.znc.in/Signed_SSL_certificate
-# Everything in a single file, in the order from the most *private* to
-# the most *public* entries, except for the root certificate.
-# i.e., cat ssl.key ssl.cert dhparam.pem > znc.allinone.pem
-#
-cat /usr/local/etc/ssl/acme/private/{{ network.domain }}.pem \
- /usr/local/etc/ssl/acme/{{ network.domain }}/fullchain.pem \
- /usr/local/etc/ssl/dhparam4096.pem \
- > {{ znc.data_dir }}/znc.allinone.pem
-chown znc:znc {{ znc.data_dir }}/znc.allinone.pem
-chmod 0400 {{ znc.data_dir }}/znc.allinone.pem
-
-if pgrep -x znc >/dev/null; then
- echo "Reloading service znc: ..."
- killall -SIGHUP znc
- echo "ok"
-else
- echo "WARNING: service znc is not running" >&2
-fi
diff --git a/roles/znc/templates/deploy_ssl.sh.j2 b/roles/znc/templates/deploy_ssl.sh.j2
new file mode 100644
index 0000000..679ea4d
--- /dev/null
+++ b/roles/znc/templates/deploy_ssl.sh.j2
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Copy the issued SSL key and certificate to deploy them for ZNC.
+#
+# Reference: https://wiki.znc.in/Signed_SSL_certificate
+#
+
+cp -v {{ web.ssl_root }}/{{ network.domain }}/key \
+ {{ znc.data_dir }}/ssl.key
+cp -v {{ web.ssl_root }}/{{ network.domain }}/fullchain \
+ {{ znc.data_dir }}/ssl.crt
+chown znc:znc {{ znc.data_dir }}/ssl.key {{ znc.data_dir }}/ssl.crt
+chmod 0400 {{ znc.data_dir }}/ssl.key {{ znc.data_dir }}/ssl.crt
+
+if pgrep -x znc >/dev/null; then
+ echo -n "Reloading service znc ... "
+ # ZNC's service file doesn't support 'reload' command
+ killall -SIGHUP znc
+ echo "done"
+else
+ echo "WARNING: service znc is not running" >&2
+fi
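Review bot: The two `cp -v` lines write the private key under the caller's default umask and it is only restricted by `chmod 0400` two commands later, so for that window ssl.key may be group- or world-readable inside `{{ znc.data_dir }}` if that directory is traversable; the script also has no `set -e`, so a failed copy (wrong `web.ssl_root`, missing `fullchain`) still reaches the chown/chmod and SIGHUPs znc against stale or missing files. Start the script with `set -eu` and `umask 077` before the copies, or replace each cp/chown/chmod trio with `install -o znc -g znc -m 0400 SRC DST`, which creates the destination with its final owner and mode in one step. `echo -n` is not specified by POSIX sh; `printf 'Reloading service znc ... '` is the portable spelling.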
diff --git a/roles/znc/templates/znc.conf.j2 b/roles/znc/templates/znc.conf.j2
index 17034d4..6b96611 100644
--- a/roles/znc/templates/znc.conf.j2
+++ b/roles/znc/templates/znc.conf.j2
@@ -12,21 +12,15 @@
// Also check http://wiki.znc.in/Configuration
//
-Version = 1.6.5
+Version = 1.7.4
HideVersion = true
MaxBufferSize = {{ znc.buffer_size }}
SSLProtocols = +TLSv1.2 -TLSv1.1 -TLSv1 -SSLv3 -SSLv2
-// SSL: https://wiki.znc.in/Signed_SSL_certificate
-// Everything in a single file, in the order from the most *private* to
-// the most *public* entries, except for the root certificate.
-// i.e., cat ssl.key ssl.cert dhparam.pem > znc.allinone.pem
-SSLCertFile = {{ znc.data_dir }}/znc.allinone.pem
-
-// NOTE: SSLKeyFile & SSLDHParamFile requires version >=1.7
-//SSLCertFile = {{ znc.data_dir }}/znc.ssl.crt
-//SSLKeyFile = {{ znc.data_dir }}/znc.ssl.key
-//SSLDHParamFile = /usr/local/etc/ssl/dhparam4096.pem
+// NOTE: SSLKeyFile & SSLDHParamFile require version >=1.7
+SSLCertFile = {{ znc.data_dir }}/ssl.crt
+SSLKeyFile = {{ znc.data_dir }}/ssl.key
+SSLDHParamFile = /usr/local/etc/ssl/dhparam4096.pem
// NOTE: DragonFly BSD doesn't allow using "IPV6_V6ONLY=0" to bind on
// both IPv4 & IPv6, therefore bind them separately.