TLS with letsencrypt. Manage some config options.
This commit is contained in:
parent
4a335ef841
commit
d53da5fda3
@ -3,3 +3,19 @@ influxdb_deb_repo: "deb https://repos.influxdata.com/ubuntu bionic stable"
|
|||
influxdb_repo_key: 'https://repos.influxdata.com/influxdb.key'
|
||||
influxdb_pkgs:
|
||||
- influxdb
|
||||
|
||||
influxdb_config_file: /etc/influxdb/influxdb.conf
|
||||
influxdb_config:
|
||||
- {section: http, option: 'enabled', value: 'true', state: present}
|
||||
- {section: http, option: 'bind-address', value: ':8086', state: present}
|
||||
- {section: http, option: 'log-enabled', value: 'true', state: present}
|
||||
|
||||
influxdb_tls_letsencrypt_managed: true
|
||||
influxdb_tls_enabled: false
|
||||
influxdb_tls_cert_dir: /etc/pki/influxdb
|
||||
influxdb_tls_cert_path: '{{ letsencrypt_acme_sh_certificates_install_path }}/cert'
|
||||
influxdb_tls_key_path: '{{ influxdb_tls_cert_dir }}/influxdb.key'
|
||||
influxdb_tls_config:
|
||||
- {section: http, option: 'https-enabled', value: '{{ influxdb_tls_enabled | lower }}', state: present}
|
||||
- {section: http, option: 'https-certificate', value: '{{ influxdb_tls_cert_path }}', state: present}
|
||||
- {section: http, option: 'https-private-key', value: '{{ influxdb_tls_key_path }}', state: present}
|
||||
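Review bot: `influxdb_tls_cert_path` points `https-certificate` straight into `{{ letsencrypt_acme_sh_certificates_install_path }}`, while the private key is relocated to `influxdb_tls_cert_dir`; only the key is given influxdb-readable ownership in the tasks hunk, so influxd can read the certificate only if the acme.sh install directory happens to be readable by the influxdb group (not visible here — confirm). Keeping both files under `influxdb_tls_cert_dir`, e.g. `influxdb_tls_cert_path: '{{ influxdb_tls_cert_dir }}/influxdb.crt'` with a matching copy task, would leave one directory whose permissions need auditing. The `influxdb_config` and `influxdb_tls_config` entries are flow mappings on one line each; block style would read and diff better.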
@ -1,2 +1,6 @@
|
|||
---
|
||||
# handlers file for ansible-role-template
|
||||
- name: restart influxb
|
||||
service:
|
||||
name: influxdb
|
||||
state: restart
|
||||
enabled: true
|
||||
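Review bot: The handler name `restart influxb` on the `- name:` line is misspelled, so every `notify: restart influxdb` in the tasks file fails at runtime with an unknown-handler error; it should read `- name: restart influxdb`. `state: restart` is not a valid value for the `service` module — it must be `state: restarted`. The tasks file also notifies `reload influxdb`, for which no handler appears in this hunk; if none exists elsewhere, add one or point that notify at `restart influxdb`.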
@ -21,6 +21,77 @@
|
|||
when: ansible_distribution_file_variety == "Debian"
|
||||
tags: ['influxdb', 'influxdb_repository']
|
||||
|
||||
- name: Manage the Influxd configuration
|
||||
block:
|
||||
- name: Influxdb configuration {{ influxdb_config_file }}
|
||||
ini_file:
|
||||
path: '{{ influxdb_config_file }}'
|
||||
section: '{{ item.section }}'
|
||||
option: '{{ item.option }}'
|
||||
value: '{{ item.value }}'
|
||||
state: "{{ item.state | default('present') }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
loop: '{{ influxdb_config }}'
|
||||
notify: reload influxdb
|
||||
|
||||
tags: ['influxdb', 'influxdb_config']
|
||||
|
||||
- name: Letsencrypt tls management
|
||||
block:
|
||||
- name: Create the acme hooks directory if it does not yet exist
|
||||
file:
|
||||
dest: '{{ letsencrypt_acme_services_scripts_dir }}'
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Create the influxdb certificate directory
|
||||
file:
|
||||
dest: '{{ influxdb_tls_cert_dir }}'
|
||||
state: directory
|
||||
owner: root
|
||||
group: influxdb
|
||||
mode: 0750
|
||||
|
||||
- name: Copy the key file where influxdb expects it
|
||||
copy:
|
||||
src: '{{ letsencrypt_acme_sh_certificates_install_path }}/privkey'
|
||||
dest: '{{ influxdb_tls_key_path }}'
|
||||
owner: root
|
||||
group: influxdb
|
||||
mode: 0640
|
||||
remote_src: true
|
||||
notify: restart influxdb
|
||||
|
||||
- name: Influxdb configuration {{ influxdb_config_file }}
|
||||
ini_file:
|
||||
path: '{{ influxdb_config_file }}'
|
||||
section: '{{ item.section }}'
|
||||
option: '{{ item.option }}'
|
||||
value: '{{ item.value }}'
|
||||
state: "{{ item.state | default('present') }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
loop: '{{ influxdb_tls_config }}'
|
||||
notify: restart influxdb
|
||||
|
||||
- name: Install a script that fixes the letsencrypt certificate for influxdb and then restarts the service
|
||||
template:
|
||||
src: influxdb-letsencrypt-hook.j2
|
||||
dest: '{{ letsencrypt_acme_services_scripts_dir }}/influxdb'
|
||||
owner: root
|
||||
group: root
|
||||
mode: 4555
|
||||
|
||||
when:
|
||||
- influxdb_tls_enabled
|
||||
- influxdb_tls_letsencrypt_managed
|
||||
- letsencrypt_acme_install
|
||||
tags: ['influxdb', 'letsencrypt', 'influxdb_letsencrypt']
|
||||
|
||||
- name: Manage the Influxdata repository and packages
|
||||
block:
|
||||
- name: Ensure that influxdb is enabled and running
|
||||
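Review bot: `mode: 4555` on the hook-script `template` task sets the setuid bit on a shell script, which Linux ignores for interpreted executables, and because the value is unquoted YAML hands Ansible the decimal integer 4555 rather than an octal mode; use `mode: "0755"` (the task already installs it as `owner: root`). The other `mode:` values in this hunk (`0644`, `0750`, `0640`) are unquoted octal literals that only work because a YAML 1.1 parser reads a leading zero as octal — quote them (`mode: "0644"`) as the Ansible docs recommend. The first configuration task notifies `reload influxdb`, which has no matching handler in the handlers hunk of this commit. The enclosing task list continues outside the hunk.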
@ -0,0 +1,38 @@
|
|||
#!/bin/bash
|
||||
|
||||
LE_CERTS_DIR="{{ letsencrypt_acme_sh_certificates_install_path }}"
|
||||
LE_LOG_DIR=/var/log/letsencrypt
|
||||
LE_LOGFILE="$LE_LOG_DIR/influxdb.log"
|
||||
INFLUXDB_KEYFILE="{{ influxdb_tls_key_path }}"
|
||||
DATE=$( date )
|
||||
RETVAL=
|
||||
|
||||
[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
|
||||
echo "$DATE" >> "$LE_LOGFILE"
|
||||
|
||||
logger "acme-influxdb-hook: Check if the certificate has been renewed"
|
||||
cmp ${LE_CERTS_DIR}/privkey ${INFLUXDB_KEYFILE}
|
||||
RETVAL=$?
|
||||
if [ $RETVAL -eq 0 ] ; then
|
||||
logger "acme-influxdb-hook: No new cerficate."
|
||||
echo "acme-influxdb-hook: No new cerficate." >> $LE_LOGFILE
|
||||
exit 0
|
||||
else
|
||||
logger "acme-influxdb-hook: Copying the key file"
|
||||
echo "Copy the key file" >> $LE_LOGFILE
|
||||
/bin/cp -f ${LE_CERTS_DIR}/privkey ${INFLUXDB_KEYFILE}
|
||||
fi
|
||||
|
||||
chmod 440 ${INFLUXDB_KEYFILE}
|
||||
chown root ${INFLUXDB_KEYFILE}
|
||||
chgrp influxdb ${INFLUXDB_KEYFILE}
|
||||
|
||||
logger "acme-influxdb-hook: Restart the influxdb service after a certificate renewal"
|
||||
systemctl restart influxdb >> $LE_LOGFILE 2>&1
|
||||
echo "acme-influxdb-hook: Restart the influxdb service" >> $LE_LOGFILE
|
||||
|
||||
logger "acme-influxdb-hook: Done"
|
||||
echo "acme-influxdb-hook: Done." >> $LE_LOGFILE
|
||||
|
||||
exit 0
|
||||
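Review bot: The `/bin/cp -f` of the private key is never checked and the `chmod 440`/`chown`/`chgrp` run only afterwards, so a failed or partial copy still reaches `systemctl restart influxdb` and `exit 0`, and a newly created key file briefly carries whatever mode `cp` derives from the source and the umask before `chmod` runs. Replacing the copy and the three permission commands with `install -o root -g influxdb -m 0440 "${LE_CERTS_DIR}/privkey" "${INFLUXDB_KEYFILE}" || exit 1` sets ownership and mode in one step and aborts before the restart on failure. `cmp` should be `cmp -s` so its output does not go to stdout, and the unquoted `${LE_CERTS_DIR}`, `${INFLUXDB_KEYFILE}` and `$LE_LOG_DIR` expansions should be quoted since the paths come from Ansible variables. Note also that the hook leaves the key at 0440 while the Ansible `copy` task sets 0640, so each playbook run will report the key file changed.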