Run components as different users

ed-asriyan · Apr 28, 2024 · 9cb840e · 9cb840e
1 parent 9673161
commit 9cb840e
Show file tree

Hide file tree

Showing 11 changed files with 77 additions and 14 deletions.
diff --git a/roles/certbot/templates/certbot.service.j2 b/roles/certbot/templates/certbot.service.j2
@@ -1,10 +1,10 @@
 [Unit]
-Description=frontman-certbot
+Description=certbot for {{ certbot_domain }}
 After=network.service
 
 [Service]
 User=root
-ExecStart=/snap/bin/certbot certonly --standalone --non-interactive --agree-tos -d {{ certbot_domain }} --post-hook "{{ certbot_post_hook }}"
+ExecStart=/snap/bin/certbot certonly --standalone --non-interactive --agree-tos --email {{ certbot_email }} -d {{ certbot_domain }} --post-hook "{{ certbot_post_hook }}"
 
 [Install]
 WantedBy=multi-user.target
diff --git a/roles/certbot/vars/main.yml b/roles/certbot/vars/main.yml
@@ -1,6 +1,16 @@
 # how ofter to check the ssl cert/key
 certbot_repeat_interval: 720min
 
+# email for certbot verification
+certbot_email: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  64313930623662636432323633636137363330346463363765643730326165613561633361656237
+  3434303365396537363165646434623363326563666534650a613535626561386334383939313630
+  39393136356434623535663133666261316232303337366262623066366361623464643663666530
+  3431366534323536310a646634666233386339633964396539656233663464616630643863643063
+  35633961613362353735393064343938636663313734353130306662393831326539666136626236
+  3361363866383838663138396539623237626530636136663434
+
 # domain for issuing a cert
 certbot_domain:
 

diff --git a/roles/frontman/meta/main.yml b/roles/frontman/meta/main.yml
@@ -3,4 +3,4 @@ dependencies:
     vars:
       certbot_domain: "{{ frontman_domain }}"
       certbot_service_name: "frontman-certbot"
-      certbot_post_hook: "systemctl restart frontman"
+      certbot_post_hook: "cp {{ ssl_cert_path }} {{ frontman_ssl_cert_path }} && cp {{ ssl_key_path }} {{ frontman_ssl_key_path }} && systemctl restart frontman"
diff --git a/roles/frontman/tasks/main.yml b/roles/frontman/tasks/main.yml
@@ -112,13 +112,35 @@
     owner: "{{ user }}"
     mode: "700"
 
+- name: Copy SSL key
+  copy:
+    src: "{{ ssl_key_path }}"
+    dest: "{{ frontman_ssl_key_path }}"
+    group: "{{ user }}"
+    owner: "{{ user }}"
+    mode: "600"
+    remote_src: yes
+  register: ssl_private
+
+- name: Copy SSL certificate
+  copy:
+    src: "{{ ssl_cert_path }}"
+    dest: "{{ frontman_ssl_cert_path }}"
+    group: "{{ user }}"
+    owner: "{{ user }}"
+    mode: "600"
+    remote_src: yes
+  register: ssl_cert
+
 - name: Remove unexpected files in home
   include_tasks: tasks/remove-unexpected-files.yml
   vars:
     directory: "/home/{{ user }}"
     files:
       - "{{ static_folder }}"
       - "{{ executable_name }}"
+      - "{{ frontman_ssl_cert_filename }}"
+      - "{{ frontman_ssl_key_filename }}"
 
 - name: Remove local source repository
   delegate_to: localhost
@@ -143,4 +165,4 @@
     name: frontman.service
     state: restarted
     enabled: yes
-  when: systemd.changed or download.changed
+  when: systemd.changed or download.changed or ssl_private.changed or ssl_cert.changed
diff --git a/roles/frontman/templates/frontman.service.j2 b/roles/frontman/templates/frontman.service.j2
@@ -3,8 +3,9 @@ Description=frontman
 After=network.service
 
 [Service]
-User=root
-ExecStart=/home/{{ user }}/{{ executable_name }} --dir /home/{{ user }}/{{ static_folder }} --host 0.0.0.0 --port {{ frontman_port }} --ssl --cert {{ ssl_cert_path }} --key {{ ssl_key_path }}
+User={{ user }}
+WorkingDirectory=/home/{{ user }}
+ExecStart=/home/{{ user }}/{{ executable_name }} --dir /home/{{ user }}/{{ static_folder }} --host 0.0.0.0 --port {{ frontman_port }} --ssl --cert {{ frontman_ssl_cert_filename }} --key {{ frontman_ssl_key_filename }}
 Restart=always
 
 [Install]

diff --git a/roles/frontman/vars/main.yml b/roles/frontman/vars/main.yml
@@ -25,3 +25,9 @@ default_redirect: !vault |
   30383033313766313633666239306333633133306237633837346336313130663230306364393938
   3464613861643339330a663163373932396162316636376463623630643837323038316130663763
   32373533336131306232313534323866303561346663613237623639303761353265
+
+frontman_ssl_cert_filename: cert.pem
+frontman_ssl_key_filename: key.pem
+
+frontman_ssl_cert_path: /home/{{ user }}/{{ frontman_ssl_cert_filename }}
+frontman_ssl_key_path: /home/{{ user }}/{{ frontman_ssl_key_filename }}
diff --git a/roles/prometheus/meta/main.yml b/roles/prometheus/meta/main.yml
@@ -5,4 +5,4 @@ dependencies:
     vars:
       certbot_domain: "{{ server.domain }}"
       certbot_service_name: "proxy-certbot"
-      certbot_post_hook: "systemctl restart prometheus"
+      certbot_post_hook: "cp {{ ssl_cert_path }} {{ prometheus_ssl_cert_path }} && cp {{ ssl_key_path }} {{ prometheus_ssl_key_path }} && systemctl restart prometheus"
diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml
@@ -26,6 +26,26 @@
     owner: "{{ user }}"
     mode: "700"
 
+- name: Copy SSL key
+  copy:
+    src: "{{ ssl_key_path }}"
+    dest: "{{ prometheus_ssl_key_path }}"
+    group: "{{ user }}"
+    owner: "{{ user }}"
+    mode: "600"
+    remote_src: yes
+  register: ssl_private
+
+- name: Copy SSL certificate
+  copy:
+    src: "{{ ssl_cert_path }}"
+    dest: "{{ prometheus_ssl_cert_path }}"
+    group: "{{ user }}"
+    owner: "{{ user }}"
+    mode: "600"
+    remote_src: yes
+  register: ssl_cert
+
 - name: Render prometheus config
   template:
     src: config.yml.j2
@@ -51,7 +71,8 @@
     files:
       - web-config.yml
       - config.yml
-      - "{{ certificate_filename }}"
+      - "{{ prometheus_ssl_cert_filename }}"
+      - "{{ prometheus_ssl_key_filename }}"
       - "{{ key_filename }}"
       - "{{ downloads[arch.stdout].directory }}"
       - data
@@ -72,4 +93,4 @@
     name: prometheus.service
     state: restarted
     enabled: yes
-  when: systemd.changed or download.changed or config.changed or web.changed
+  when: systemd.changed or download.changed or config.changed or web.changed or ssl_private.changed or ssl_cert.changed
diff --git a/roles/prometheus/templates/prometheus.service.j2 b/roles/prometheus/templates/prometheus.service.j2
@@ -3,7 +3,7 @@ Description=prometheus
 After=outline.service
 
 [Service]
-User=root
+User={{ user }}
 WorkingDirectory=/home/{{ user }}
 ExecStart=/home/{{ user }}/{{ downloads[arch.stdout].directory }}/{{ executable_name }} --config.file /home/{{ user }}/config.yml --web.listen-address 0.0.0.0:{{ prometheus_port }} --web.external-url https://{{ server.domain }}:{{ prometheus_port }} --web.config.file /home/{{ user }}/web-config.yml --storage.tsdb.retention.time {{ retention }}
 Restart=always

diff --git a/roles/prometheus/templates/web-config.yml.j2 b/roles/prometheus/templates/web-config.yml.j2
@@ -1,6 +1,6 @@
 tls_server_config:
-  cert_file: {{ ssl_cert_path }}
-  key_file: {{ ssl_key_path }}
+  cert_file: {{ prometheus_ssl_cert_path }}
+  key_file: {{ prometheus_ssl_key_path }}
 
 basic_auth_users:
   {{ username }}: {{ password_bcrypt }}
diff --git a/roles/prometheus/vars/main.yml b/roles/prometheus/vars/main.yml
@@ -36,8 +36,11 @@ prometheus_port: !vault |
   6666363932366563630a343333633861376233376466656664353033393431306436306463353965
   3234
 
-certificate_filename: cert.pem
-key_filename: key.pem
+prometheus_ssl_cert_filename: cert.pem
+prometheus_ssl_key_filename: key.pem
+
+prometheus_ssl_cert_path: /home/{{ user }}/{{ prometheus_ssl_cert_filename }}
+prometheus_ssl_key_path: /home/{{ user }}/{{ prometheus_ssl_key_filename }}
 
 # parameters for https://prometheus.io/docs/practices/remote_write
 remote: