diff --git a/DNSservice.yml b/DNSservice.yml index eed1b9e..99628de 100644 --- a/DNSservice.yml +++ b/DNSservice.yml @@ -1,6 +1,6 @@ --- -- hosts: test +- hosts: iloth roles: - common - ssl-cert @@ -8,9 +8,10 @@ - dnsdist # déclaration de la variables globales vars: - email: votre_email - cthostname: nom_du_conteneur - domain: nom_de_domaine - create_user: false - installCertbot: false - + email: votre_adresse_email + cthostname: machine-name + domain: machine-name.domain.tld + create_user: False + installCertbot: True + mode: standalone # nginx or standalone + alt_domains: "" # -d sub.domain.told diff --git a/roles/dnsdist/tasks/main.yml b/roles/dnsdist/tasks/main.yml index a359a5e..4026db2 100644 --- a/roles/dnsdist/tasks/main.yml +++ b/roles/dnsdist/tasks/main.yml @@ -38,20 +38,20 @@ path: /etc/dnsdist/dnsdist.conf regexp: '__SSL_CRT__' replace: '/etc/ssl/{{ domain}}.crt' - when: installCertbot == false + when: installCertbot == False - name: Add SSL keys to dnsdist.conf ansible.builtin.replace: path: /etc/dnsdist/dnsdist.conf regexp: '__SSL_KEY__' replace: '/etc/ssl/{{ domain}}.key' - when: installCertbot == false + when: installCertbot == False - name: permission to ssl cert shell: | setfacl -R -m u:_dnsdist:rx /etc/ssl/"{{ domain }}".key setfacl -R -m u:_dnsdist:rx /etc/ssl/"{{ domain }}".crt - when: installCertbot == false + when: installCertbot == False 
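Review bot: The inline comment documenting `alt_domains` in the new vars block has a typo and undersells what the value is used for: it reads `# -d sub.domain.told`, should be `tld`, and since roles/ssl-cert splices this string verbatim into a `shell:` command line it should say so — `alt_domains: ""  # extra certbot flags, e.g. "-d sub.domain.tld"; passed unquoted to the shell`. `create_user: False` and `installCertbot: True` are still YAML booleans, but the removed lines used lowercase `false` and yamllint's `truthy` rule expects `true`/`false`; keep the original spelling. Inline comments (`standalone # nginx or standalone`) also want two spaces before the `#`.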
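Review bot: `when: installCertbot == False` (and the `== True` counterparts in the roles/dnsdist hunk at line 59 and the roles/ssl-cert hunk) compares against a boolean literal, which silently skips both branches when the variable arrives as a string — `-e installCertbot=true` on the command line, or a quoted inventory value — because `"true" == True` and `"true" == False` are both false in Jinja. The robust forms are `when: not (installCertbot | bool)` here and `when: installCertbot | bool` for the Let's Encrypt tasks. Changing `false` to `False` on these three lines has no runtime effect, since Jinja accepts either spelling. The task list this hunk edits continues before and after the visible lines.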
@@ -59,23 +59,30 @@ ansible.builtin.replace: path: /etc/dnsdist/dnsdist.conf regexp: '__SSL_CRT__' - replace: '/etc/letsencrypt/{{ domain}}/fullchain.pem' - when: installCertbot == true + replace: '/etc/letsencrypt/live/{{ domain}}/fullchain.pem' + when: installCertbot == True - name: Add SSL keys to dnsdist.conf ansible.builtin.replace: path: /etc/dnsdist/dnsdist.conf regexp: '__SSL_KEY__' - replace: '/etc/letsencrypt/{{ domain}}/privkey.pem' - when: installCertbot == true + replace: '/etc/letsencrypt/live/{{ domain}}/privkey.pem' + when: installCertbot == True - name: Set permission letsencrypt SSL keys shell: setfacl -R -m u:_dnsdist:rx /etc/letsencrypt/ - when: installCertbot == true + when: installCertbot == True + +- name: Disable and stop systemd-resolved + shell: | + systemctl disable systemd-resolved + systemctl stop systemd-resolved || echo "systemd-resolved is already stopped" + - name: Start dnsdist service shell: "systemctl start dnsdist" + - name: Enable systemd service shell: "systemctl enable dnsdist" \ No newline at end of file diff --git a/roles/ssl-cert/tasks/main.yml b/roles/ssl-cert/tasks/main.yml index ba69f2e..e088a8e 100644 --- a/roles/ssl-cert/tasks/main.yml +++ b/roles/ssl-cert/tasks/main.yml @@ -20,6 +20,13 @@ shell: openssl req -x509 -nodes -subj '/CN={{ domain }}' -days 3650 -newkey rsa:4096 -sha256 -keyout /etc/ssl/"{{ domain }}".key -out /etc/ssl/"{{ domain }}".crt when: installCertbot == False -- name: Create self-signed certificate, if configured. - shell: "certbot -certonly -d {{ domain }} {{ alt_domains }} --{{ mode }} -m {{ email }} --agree-tos" +- name: Open port 80 for letsencrypt challenge + ufw: + rule: allow + port: 80 + proto: tcp + when: installCertbot == True + +- name: Create self-signed certificate, if configured. + shell: "certbot certonly --{{ mode }} -d {{ domain }} {{ alt_domains }} -m {{ email }} --agree-tos" when: installCertbot == True
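Review bot: The new `Disable and stop systemd-resolved` task hides any real failure of `systemctl stop` behind `|| echo ...` (exit 0 regardless) and re-runs as "changed" on every play; the declarative `ansible.builtin.systemd: {name: systemd-resolved, enabled: false, state: stopped}` is idempotent and reports genuine errors. Stopping systemd-resolved while /etc/resolv.conf still points at its 127.0.0.53 stub (the Ubuntu default) leaves the host without a working resolver until dnsdist is started two tasks later, and only if dnsdist answers on that address — worth confirming, and if so /etc/resolv.conf should be re-pointed in the same change. With the corrected `/etc/letsencrypt/live/{{ domain }}/` paths, the preceding `setfacl -R ... /etc/letsencrypt/` grants _dnsdist read access to every key under /etc/letsencrypt, not just this domain's; scoping it to `live/{{ domain }}` and `archive/{{ domain }}` (live holds symlinks into archive) would match what the new paths actually need.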
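Review bot: The rewritten certbot task keeps the misleading name `Create self-signed certificate, if configured.` although it now requests a Let's Encrypt certificate; `- name: Obtain Let's Encrypt certificate with certbot` says what it does. The command has neither `-n`/`--non-interactive` nor `--no-eff-email`, so on a fresh host certbot stops at its EFF mailing-list question (prompting or erroring, depending on whether stdin is a TTY) instead of completing: `certbot certonly -n --no-eff-email --{{ mode }} -d {{ domain }} {{ alt_domains }} -m {{ email }} --agree-tos`. `--{{ mode }}` and `{{ alt_domains }}` are expanded unquoted inside a `shell:` string, so any metacharacters in an inventory or extra-vars value reach the shell; `{{ mode | quote }}` fixes the first, and `alt_domains` should become a list rendered as one quoted `-d` argument per entry (or the task should move to `ansible.builtin.command` with `argv`). The new `ufw` rule leaves port 80 open permanently; that is required for `certbot renew` in standalone mode, so a comment such as `# left open: standalone renewals need port 80 again` would stop a later cleanup from breaking renewal.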