Fix certificates for bastion.

2024-10-04 21:22:55 -04:00 · 2024-10-04 21:22:55 -04:00 · 913d2e9f15
commit 913d2e9f15
parent bb66c9a907
4 changed files with 30 additions and 16 deletions
--- a/ansible/roles/base/tasks/freebsd.yaml
+++ b/ansible/roles/base/tasks/freebsd.yaml
@ -39,18 +39,6 @@
  command: cap_mkdb /etc/login.conf
  when: login_config.changed

- name: Enable periodic scrub
-  community.general.sysrc:
-    name: daily_scrub_zfs_enable
-    value: "YES"
-    path: /etc/periodic.conf.local
-
- name: Set scrub interval
-  community.general.sysrc:
-    name: daily_scrub_zfs_default_threshold
-    value: "7"
-    path: /etc/periodic.conf.local
-
 - name: Install loader.conf
  copy:
    src: "{{loader_conf}}"
@ -134,3 +122,29 @@
      value: 65
    - name: net.inet6.ip6.hlim
      value: 65
+
+- name: Log periodic output instead of getting it as mail
+  blockinfile:
+    path: "/etc/periodic.conf.local"
+    marker: "# {mark} ANSIBLE MANAGED BLOCK log"
+    # create: true
+    mode: 0644
+    owner: root
+    group: wheel
+    block: |
+      daily_output=/var/log/daily.log
+      weekly_output=/var/log/weekly.log
+      monthly_output=/var/log/monthly.log
+
+- name: Enable periodic zfs scrub
+  when: install_zfs
+  blockinfile:
+    path: "/etc/periodic.conf.local"
+    marker: "# {mark} ANSIBLE MANAGED BLOCK zfs"
+    # create: true
+    mode: 0644
+    owner: root
+    group: wheel
+    block: |
+      daily_scrub_zfs_enable="YES"
+      daily_scrub_zfs_default_threshold="7"
--- a/ansible/roles/jail/files/fstab_bastion
+++ b/ansible/roles/jail/files/fstab_bastion
@ -1,4 +1,4 @@
 tmpfs /jail/bastion/tmp tmpfs rw,mode=777 0 0
 tmpfs /jail/bastion/var/run tmpfs rw,mode=755 0 0

-/jail/certificate/usr/local/etc/letsencrypt/archive/stuff.fizz.buzz       /jail/bastion/stuff.fizz.buzz     nullfs    ro,noexec     0      0
+/jail/certificate/usr/local/etc/letsencrypt       /jail/bastion/letsencrypt     nullfs    ro,noexec     0      0
--- a/ansible/roles/jail_bastion/files/nginx.conf
+++ b/ansible/roles/jail_bastion/files/nginx.conf
@ -36,8 +36,8 @@ http {

        include conf.d/tls_settings.include;
        # RSA
-        ssl_certificate /stuff.fizz.buzz/fullchain1.pem;
-        ssl_certificate_key /stuff.fizz.buzz/privkey1.pem;
+        ssl_certificate /letsencrypt/live/stuff.fizz.buzz/fullchain.pem;
+        ssl_certificate_key /letsencrypt/live/stuff.fizz.buzz/privkey.pem;

        # Nginx by default only allows file uploads up to 1M in size
        client_max_body_size 50M;
--- a/ansible/roles/jail_bastion/tasks/freebsd.yaml
+++ b/ansible/roles/jail_bastion/tasks/freebsd.yaml
@ -17,7 +17,7 @@
    owner: root
    group: wheel
  loop:
-    - /stuff.fizz.buzz
+    - /letsencrypt
    - /etc/rc.conf.d
    - /usr/local/etc/nginx/conf.d