Set certificate ownership and add www-data to ssl-cert group.

The ssl-cert group has permission to read the certificates; no other regular user
does.
This commit is contained in:
Jim Hague 2023-05-12 15:26:34 +01:00
parent d5aa257de5
commit ffa92ca891
2 changed files with 22 additions and 0 deletions


@ -2,6 +2,13 @@ apache:
pkg.installed: pkg.installed:
- name: apache2 - name: apache2
apache_certs_group:
group.present:
- name: ssl-cert
- system: true
- addusers:
- www-data
apache_cgi_module: apache_cgi_module:
apache_module.enabled: apache_module.enabled:
- name: cgi - name: cgi
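Review bot: Adding www-data to ssl-cert through `addusers` in `apache_certs_group` does not reach an apache2 that is already running, because a process's supplementary group list is fixed when it starts, so the state should notify the service with `- watch_in:` followed by `- service: <apache service state id>` (placeholder; the service state is not visible in this hunk) so the new membership takes effect on the next run. It is also worth a comment on the state recording the consequence, e.g. `# www-data reads the dehydrated certs/keys via ssl-cert; every www-data process, CGI scripts included, gets the same read access`, since `apache_cgi_module` just below enables CGI. The same `ssl-cert` group is declared a second time by `dehydrated_cert_group` in the other file; two `group.present` states for one group are tolerated, but `system: true` only applies at creation, so whichever runs first decides it. The `apache_cgi_module` definition continues outside the hunk.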


@ -29,6 +29,21 @@ dehydrated_mythic_dns01:
- "*-challenge" - "*-challenge"
- "common" - "common"
dehydrated_cert_group:
group.present:
- name: ssl-cert
- system: true
dehydrated_permissions:
file.directory:
- name: /var/lib/dehydrated/certs
- group: ssl-cert
- dir_mode: 2750
- file_mode: 0640
- recurse:
- group
- mode
dehydrated_hooks: dehydrated_hooks:
file.recurse: file.recurse:
- name: /etc/dehydrated/conf.d - name: /etc/dehydrated/conf.d
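Review bot: `dir_mode: 2750` and `file_mode: 0640` in `dehydrated_permissions` are unquoted, so a YAML 1.1 loader reads `0640` as the octal integer 416 (and `2750` as decimal 2750) before Salt ever sees a mode string; the form Salt's documentation recommends is the quoted one, `- dir_mode: "2750"` and `- file_mode: "0640"`. With `recurse` set to `group` and `mode`, every file under /var/lib/dehydrated/certs, private keys included, becomes group-readable by ssl-cert, which matches the intent in the commit message; if dehydrated rewrites the key files on renewal (not visible here), their mode may revert until the next highstate, so a one-line comment stating that the state is the only thing enforcing these modes would help the next reader. `dehydrated_permissions` should also carry `- require:` with `- group: dehydrated_cert_group` so the group assignment cannot run before the group exists if state ordering is ever changed. `dehydrated_hooks` continues outside the hunk.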