Re-work tasks installing server certificates.
authorMatt Birkholz <matt@birchwood-abbey.net>
Mon, 22 Dec 2025 15:55:09 +0000 (08:55 -0700)
committerMatt Birkholz <matt@birchwood-abbey.net>
Mon, 22 Dec 2025 15:55:09 +0000 (08:55 -0700)
Postfix does not seem to need to reload an updated certificate file.
And a =/etc/server.crt= file installed by the institute should not
clobber an existing one.

README.org
roles_t/core/tasks/main.yml
roles_t/front/tasks/main.yml

index 1cbd6ffef193a43b356423dab7749a00fdf0a17d..b4e49bf28184779d37a367b370cd3093c10f5b95 100644 (file)
@@ -1522,9 +1522,8 @@ recipient" replies.  The [[*Account Management][Account Management]] chapter des
 ** Install Server Certificate
 
 The servers on Front use the same certificate (and key) to
-authenticate themselves to institute clients.  They share the
-=/etc/server.crt= and =/etc/server.key= files, the latter only
-readable by ~root~.
+authenticate to institute clients.  They share the =/etc/server.crt=
+and =/etc/server.key= files, the latter only readable by ~root~.
 
 #+CAPTION: [[file:roles_t/front/tasks/main.yml][=roles_t/front/tasks/main.yml=]]
 #+BEGIN_SRC conf :tangle roles_t/front/tasks/main.yml
@@ -1532,17 +1531,18 @@ readable by ~root~.
 - name: Install server certificate/key.
   become: yes
   copy:
-    src: ../Secret/CA/pki/{{ item.path }}.{{ item.typ }}
-    dest: /etc/server.{{ item.typ }}
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
     mode: "{{ item.mode }}"
     force: no
   loop:
-  - { path: "issued/{{ domain_name }}", typ: crt,
-      mode: "u=r,g=r,o=r" }
-  - { path: "private/{{ domain_name }}", typ: key,
-      mode: "u=r,g=,o=" }
+  - src: "../Secret/CA/pki/issued/{{ domain_name }}.crt"
+    dest: "/etc/server.crt"
+    mode: "u=r,g=r,o=r"
+  - src: "../Secret/CA/pki/private/{{ domain_name }}.key"
+    dest: "/etc/server.key"
+    mode: "u=r,g=,o="
   notify:
-  - Restart Postfix.
   - Restart Dovecot.
 #+END_SRC
 
@@ -2962,7 +2962,7 @@ describes the ~members~ and ~usernames~ variables.
 ** Install Server Certificate
 
 The servers on Core use the same certificate (and key) to authenticate
-themselves to institute clients.  They share the =/etc/server.crt= and
+to institute clients.  They share the =/etc/server.crt= and
 =/etc/server.key= files, the latter only readable by ~root~.
 
 #+CAPTION: [[file:roles_t/core/tasks/main.yml][=roles_t/core/tasks/main.yml=]]
@@ -2971,16 +2971,18 @@ themselves to institute clients.  They share the =/etc/server.crt= and
 - name: Install server certificate/key.
   become: yes
   copy:
-    src: ../Secret/CA/pki/{{ item.path }}.{{ item.typ }}
-    dest: /etc/server.{{ item.typ }}
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
     mode: "{{ item.mode }}"
+    force: no
   loop:
-  - { path: "issued/core.{{ domain_priv }}", typ: crt,
-      mode: "u=r,g=r,o=r" }
-  - { path: "private/core.{{ domain_priv }}", typ: key,
-      mode: "u=r,g=,o=" }
+  - src: "../Secret/CA/pki/issued/core.{{ domain_priv }}.crt"
+    dest: "/etc/server.crt"
+    mode: "u=r,g=r,o=r"
+  - src: "../Secret/CA/pki/private/core.{{ domain_priv }}.key"
+    dest: "/etc/server.key"
+    mode: "u=r,g=,o="
   notify:
-  - Restart Postfix.
   - Restart Dovecot.
 #+END_SRC
 
index 1adde76234d2108a8b9dac443f4c907e5f116224..94e911456cf24c2860f92bd1f9ef6cb8bcb459be 100644 (file)
 - name: Install server certificate/key.
   become: yes
   copy:
-    src: ../Secret/CA/pki/{{ item.path }}.{{ item.typ }}
-    dest: /etc/server.{{ item.typ }}
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
     mode: "{{ item.mode }}"
+    force: no
   loop:
-  - { path: "issued/core.{{ domain_priv }}", typ: crt,
-      mode: "u=r,g=r,o=r" }
-  - { path: "private/core.{{ domain_priv }}", typ: key,
-      mode: "u=r,g=,o=" }
+  - src: "../Secret/CA/pki/issued/core.{{ domain_priv }}.crt"
+    dest: "/etc/server.crt"
+    mode: "u=r,g=r,o=r"
+  - src: "../Secret/CA/pki/private/core.{{ domain_priv }}.key"
+    dest: "/etc/server.key"
+    mode: "u=r,g=,o="
   notify:
-  - Restart Postfix.
   - Restart Dovecot.
 
 - name: Install Chrony.
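Review bot: The `force: no` added to this copy task means a reissued or rotated `core.{{ domain_priv }}` certificate or key under `../Secret/CA/pki/` is never pushed to a Core host that already has `/etc/server.crt` or `/etc/server.key`, so renewal before expiry and key replacement after a compromise both require deleting the files on the host by hand, and nothing in the task says so. A comment on the task would spare the next operator a silent non-rotation: `# force: no — never overwrite an existing cert/key (it may be operator-supplied); to roll the institute-issued pair, remove /etc/server.crt and /etc/server.key on the host first.` Since the task is now guaranteed to change only on first install, the `Restart Dovecot.` notification is in practice reached only then, which is consistent with the commit's intent but worth stating in the same comment.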
index 1256286cd57b128b5028385e35d521dbb6775f24..afa0415bb1aef5533a7df4ee233981f591e74356 100644 (file)
 - name: Install server certificate/key.
   become: yes
   copy:
-    src: ../Secret/CA/pki/{{ item.path }}.{{ item.typ }}
-    dest: /etc/server.{{ item.typ }}
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
     mode: "{{ item.mode }}"
     force: no
   loop:
-  - { path: "issued/{{ domain_name }}", typ: crt,
-      mode: "u=r,g=r,o=r" }
-  - { path: "private/{{ domain_name }}", typ: key,
-      mode: "u=r,g=,o=" }
+  - src: "../Secret/CA/pki/issued/{{ domain_name }}.crt"
+    dest: "/etc/server.crt"
+    mode: "u=r,g=r,o=r"
+  - src: "../Secret/CA/pki/private/{{ domain_name }}.key"
+    dest: "/etc/server.key"
+    mode: "u=r,g=,o="
   notify:
-  - Restart Postfix.
   - Restart Dovecot.
 
 - name: Install Postfix.
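Review bot: With `force: no`, the `mode: "u=r,g=,o="` on the `/etc/server.key` item is, as far as I recall of the copy module, not applied when the destination already exists with different content — the module returns early with "file already exists" before its attribute step — so a pre-existing or operator-supplied key with looser permissions keeps them, which undercuts the README's "only readable by root" guarantee. If the key must be root-only regardless of who installed it, a separate `file` task that enforces owner and mode unconditionally closes that gap without re-introducing clobbering of the contents. The loop rewrite itself is behavior-preserving and the dropped `Restart Postfix.` handler matches the commit message.

```yaml
- name: Enforce server key permissions.
  become: yes
  file:
    path: /etc/server.key
    owner: root
    group: root
    mode: "u=r,g=,o="
```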