TLS with letsencryt. Manage some config options.
This commit is contained in:
parent
4a335ef841
commit
d53da5fda3
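--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -3,3 +3,19 @@ influxdb_deb_repo: "deb https://repos.influxdata.com/ubuntu bionic stable"
 influxdb_repo_key: 'https://repos.influxdata.com/influxdb.key'
 influxdb_pkgs:
   - influxdb
+
+influxdb_config_file: /etc/influxdb/influxdb.conf
+influxdb_config:
+  - {section: http, option: 'enabled', value: 'true', state: present}
+  - {section: http, option: 'bind-address', value: ':8086', state: present}
+  - {section: http, option: 'log-enabled', value: 'true', state: present}
+
+influxdb_tls_letsencrypt_managed: true
+influxdb_tls_enabled: false
+influxdb_tls_cert_dir: /etc/pki/influxdb
+influxdb_tls_cert_path: '{{ letsencrypt_acme_sh_certificates_install_path }}/cert'
+influxdb_tls_key_path: '{{ influxdb_tls_cert_dir }}/influxdb.key'
+influxdb_tls_config:
+  - {section: http, option: 'https-enabled', value: '{{ influxdb_tls_enabled | lower }}', state: present}
+  - {section: http, option: 'https-certificate', value: '{{ influxdb_tls_cert_path }}', state: present}
+  - {section: http, option: 'https-private-key', value: '{{ influxdb_tls_key_path }}', state: present}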
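Review bot: `influxdb_tls_cert_path` points at the `cert` file under the acme.sh install path, and in acme.sh's usual install layout that file is the leaf certificate alone, so `https-certificate` would be served without the Let's Encrypt intermediate and clients that do not already hold it fail chain validation. If that is the layout the letsencrypt role installs here, point the default at the chain instead, `influxdb_tls_cert_path: '{{ letsencrypt_acme_sh_certificates_install_path }}/fullchain'`, using whatever name that role gives the bundle. I cannot see the letsencrypt role's install file names from this diff, so please confirm before changing it. A one-line comment above the `influxdb_tls_*` block saying that `influxdb_tls_enabled` alone turns HTTPS on and that `influxdb_tls_letsencrypt_managed` additionally installs the renewal hook would also help people overriding these.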
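--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,2 +1,6 @@
 ---
-# handlers file for ansible-role-template
+- name: restart influxb
+  service:
+    name: influxdb
+    state: restart
+    enabled: true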
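Review bot: `state: restart` is not a value the `service` module accepts (it wants `restarted`), and the handler is named `restart influxb` while the tasks added in this commit notify `restart influxdb` and `reload influxdb`, so none of those notifications can reach this handler and Ansible fails the play on the unknown handler name. Rename it to `- name: restart influxdb` with `state: restarted`, and either add a `reload influxdb` handler for the non-TLS config task or change that task's notify to the restart handler. Until then a renewed key is copied into place but influxd keeps running with the old one, which is exactly what the TLS work in this commit is meant to avoid.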
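--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -21,6 +21,77 @@
   when: ansible_distribution_file_variety == "Debian"
   tags: ['influxdb', 'influxdb_repository']
 
+- name: Manage the Influxd configuration
+  block:
+    - name: Influxdb configuration {{ influxdb_config_file }}
+      ini_file:
+        path: '{{ influxdb_config_file }}'
+        section: '{{ item.section }}'
+        option: '{{ item.option }}'
+        value: '{{ item.value }}'
+        state: "{{ item.state | default('present') }}"
+        owner: root
+        group: root
+        mode: 0644
+      loop: '{{ influxdb_config }}'
+      notify: reload influxdb
+
+  tags: ['influxdb', 'influxdb_config']
+
+- name: Letsencrypt tls management
+  block:
+    - name: Create the acme hooks directory if it does not yet exist
+      file:
+        dest: '{{ letsencrypt_acme_services_scripts_dir }}'
+        state: directory
+        owner: root
+        group: root
+
+    - name: Create the influxdb certificate directory
+      file:
+        dest: '{{ influxdb_tls_cert_dir }}'
+        state: directory
+        owner: root
+        group: influxdb
+        mode: 0750
+
+    - name: Copy the key file where influxdb expects it
+      copy:
+        src: '{{ letsencrypt_acme_sh_certificates_install_path }}/privkey'
+        dest: '{{ influxdb_tls_key_path }}'
+        owner: root
+        group: influxdb
+        mode: 0640
+        remote_src: true
+      notify: restart influxdb
+
+    - name: Influxdb configuration {{ influxdb_config_file }}
+      ini_file:
+        path: '{{ influxdb_config_file }}'
+        section: '{{ item.section }}'
+        option: '{{ item.option }}'
+        value: '{{ item.value }}'
+        state: "{{ item.state | default('present') }}"
+        owner: root
+        group: root
+        mode: 0644
+      loop: '{{ influxdb_tls_config }}'
+      notify: restart influxdb
+
+    - name: Install a script that fixes the letsencrypt certificate for influxdb and then restarts the service
+      template:
+        src: influxdb-letsencrypt-hook.j2
+        dest: '{{ letsencrypt_acme_services_scripts_dir }}/influxdb'
+        owner: root
+        group: root
+        mode: 4555
+
+  when:
+    - influxdb_tls_enabled
+    - influxdb_tls_letsencrypt_managed
+    - letsencrypt_acme_install
+  tags: ['influxdb', 'letsencrypt', 'influxdb_letsencrypt']
+
 - name: Manage the Influxdata repository and packages
   block:
     - name: Ensure that influxdb is enabled and running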
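Review bot: `mode: 4555` on the hook-script `template` task has no leading zero and no quotes, so YAML hands Ansible the decimal integer 4555 and the file modules apply it as-is; 4555 is 0o10713, i.e. sticky bit, owner rwx, group --x, world -wx, which makes a root-owned script that is presumably executed as root on every renewal world-writable. Write it as `mode: '0755'` (the setuid bit that 4555 was after is ignored for scripts anyway, and the hook needs no privilege beyond the root that runs it); the other modes in this hunk (`0644`, `0750`, `0640`) keep their leading zero and are fine, though quoting them too would be safer. Two smaller points: the acme hooks directory is created without a `mode`, so it inherits the umask, and the whole TLS block is gated on `influxdb_tls_enabled`, so setting it back to `false` never writes `https-enabled = false` into the config; running the `influxdb_tls_config` ini task outside that `when` would make the toggle reversible.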
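--- /dev/null
+++ b/templates/influxdb-letsencrypt-hook.j2
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+LE_CERTS_DIR="{{ letsencrypt_acme_sh_certificates_install_path }}"
+LE_LOG_DIR=/var/log/letsencrypt
+LE_LOGFILE="$LE_LOG_DIR/influxdb.log"
+INFLUXDB_KEYFILE="{{ influxdb_tls_key_path }}"
+DATE=$( date )
+RETVAL=
+
+[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
+echo "$DATE" >> "$LE_LOGFILE"
+
+logger "acme-influxdb-hook: Check if the certificate has been renewed"
+cmp ${LE_CERTS_DIR}/privkey ${INFLUXDB_KEYFILE}
+RETVAL=$?
+if [ $RETVAL -eq 0 ] ; then
+    logger "acme-influxdb-hook: No new cerficate."
+    echo "acme-influxdb-hook: No new cerficate." >> $LE_LOGFILE
+    exit 0
+else
+    logger "acme-influxdb-hook: Copying the key file"
+    echo "Copy the key file" >> $LE_LOGFILE
+    /bin/cp -f ${LE_CERTS_DIR}/privkey ${INFLUXDB_KEYFILE}
+fi
+
+chmod 440 ${INFLUXDB_KEYFILE}
+chown root ${INFLUXDB_KEYFILE}
+chgrp influxdb ${INFLUXDB_KEYFILE}
+
+logger "acme-influxdb-hook: Restart the influxdb service after a certificate renewal"
+systemctl restart influxdb >> $LE_LOGFILE 2>&1
+echo "acme-influxdb-hook: Restart the influxdb service" >> $LE_LOGFILE
+
+logger "acme-influxdb-hook: Done"
+echo "acme-influxdb-hook: Done." >> $LE_LOGFILE
+
+exit 0
+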
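Review bot: The early `exit 0` after `cmp` on `privkey` means a renewal that keeps the existing private key (acme.sh reuses the domain key by default unless asked to generate a new one) is logged as "No new cerficate" and influxd is never restarted, so it keeps serving the old certificate until it expires — `https-certificate` points straight at the acme.sh `cert` file, and as far as I know influxd 1.x reads it only at startup. Either compare the certificate as well as the key before deciding nothing changed, or drop the comparison altogether, since this hook is presumably only invoked after a successful renewal; the cheapest form is to keep a copy of `cert` next to the key and guard with `cmp -s "${LE_CERTS_DIR}/privkey" "${INFLUXDB_KEYFILE}" && cmp -s "${LE_CERTS_DIR}/cert" "${INFLUXDB_CERTFILE}"`. Separately, a failed `/bin/cp -f` still falls through to `systemctl restart influxdb`, so add `set -eu` at the top and `|| exit 1` on the copy so a missing or partial key never restarts the service, and quote the path expansions (`"${INFLUXDB_KEYFILE}"`) throughout. The two log messages also misspell "certificate" as "cerficate".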