Set certificate ownership and add www-data to ssl-cert group.
ssl-cert has permissions to read certificates. No other regular user does.
parent
d5aa257de5
commit
ffa92ca891
|
@ -2,6 +2,13 @@ apache:
|
|||
pkg.installed:
|
||||
- name: apache2
|
||||
|
||||
apache_certs_group:
|
||||
group.present:
|
||||
- name: ssl-cert
|
||||
- system: true
|
||||
- addusers:
|
||||
- www-data
|
||||
|
||||
apache_cgi_module:
|
||||
apache_module.enabled:
|
||||
- name: cgi
|
||||
|
|
|
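Review bot: Adding `www-data` to `ssl-cert` in `apache_certs_group` lets every process that runs as www-data read whatever the group can read, and the `apache_cgi_module` state just below enables CGI, so scripts served by this host would get that access too. If the group can read private keys (the same commit makes the dehydrated certs tree group-readable), a flaw in a single CGI script would be enough to expose them. Apache normally loads its certificate and key as root before dropping privileges, so the worker user may not need the membership at all; confirm what actually requires it and drop the `addusers` entry if nothing does. If it is needed, a comment such as `# www-data needs ssl-cert because <reason>` above the state would record why.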
@ -29,6 +29,21 @@ dehydrated_mythic_dns01:
|
|||
- "*-challenge"
|
||||
- "common"
|
||||
|
||||
dehydrated_cert_group:
|
||||
group.present:
|
||||
- name: ssl-cert
|
||||
- system: true
|
||||
|
||||
dehydrated_permissions:
|
||||
file.directory:
|
||||
- name: /var/lib/dehydrated/certs
|
||||
- group: ssl-cert
|
||||
- dir_mode: 2750
|
||||
- file_mode: 0640
|
||||
- recurse:
|
||||
- group
|
||||
- mode
|
||||
|
||||
dehydrated_hooks:
|
||||
file.recurse:
|
||||
- name: /etc/dehydrated/conf.d
|
||||
|
|
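Review bot: `dir_mode: 2750` and `file_mode: 0640` in `dehydrated_permissions` are unquoted, so YAML reads them as integers before Salt sees them. Salt's file state documentation asks for modes with a leading zero to be quoted, and quoting both (`- dir_mode: '2750'`, `- file_mode: '0640'`) keeps them unambiguous. Separately, the recursive mode is applied only when the state runs: files that dehydrated writes on a later renewal will probably carry its own, tighter permissions until the next run, so the group may be unable to read a fresh key in between, which is worth checking against the renewal setup. The state also sets `group` but no `user`, so the owner stays whatever it already is; add `- user: <owner account>` if the commit is meant to set ownership as the title says.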