reduce permissions while creating config files

simple configuration changes will no longer require root access, however you may have to chown -R ircd:ircd ircd to fix some of the permissions creating init services now lives in a new playbook, `enable.yml` which does require root access
2022-07-23 21:45:48 -04:00 · 2022-07-23 21:45:48 -04:00 · 67191fd363
commit 67191fd363
parent 787af75211
3 changed files with 32 additions and 24 deletions
--- a/README.md
+++ b/README.md
@ -3,10 +3,12 @@
 ansible playbook for solanum that supports hosts running debian or alpine

 ## setup
- add new host to your hosts file
+- add new host to your ansible hosts file
 - run `solanum.yml` on new host to compile solanum
+- (optional) add your ssh key to ircd user
 - (optional) add your `ssl.pem` and `ssl.key` to `/home/ircd/ircd/etc/`. you probably want to make a cronjob for acme to automatically do this when the cert expires. make sure to `openssl dhparam -out dh.pem 2048` in `/home/ircd/ircd/etc/` to make safe dh parameters!
- run config.yml on the whole network
+- run `config.yml` on the whole network
+- run `enable.yml` on new host to enable and install the service file
 - repeat steps periodically for network maintainance

 ## hosts ini
--- a/config.yml
+++ b/config.yml
@ -1,5 +1,5 @@
 - hosts: all
-  remote_user: root
+  remote_user: ircd

  tasks:
    - name: check for ssl cert
@ -27,26 +27,7 @@
        src: challenge/
        dest: /home/ircd/ircd/challenge/

-    - name: create openrc service
-      template:
-        src: openrc.j2
-        dest: /etc/init.d/solanum
-        mode: 0755
-      when: ansible_distribution == 'Alpine'
-
-    - name: create systemd service
-      template:
-        src: systemd.j2
-        dest: /etc/systemd/system/solanum.service
-        mode: 0755
-      when: ansible_distribution == 'Debian'
-
-    - name: enable service
-      service:
-        name: solanum
-        state: started
-        enabled: yes
-      ignore_errors: yes
-
    - name: reload solanum
      command: killall -1 solanum
+      ignore_errors: yes
+
--- a/enable.yml
+++ b/enable.yml
@ -0,0 +1,25 @@
+- hosts: all
+  remote_user: root
+
+  tasks:
+    - name: create openrc service
+      template:
+        src: openrc.j2
+        dest: /etc/init.d/solanum
+        mode: 0755
+      when: ansible_distribution == 'Alpine'
+
+    - name: create systemd service
+      template:
+        src: systemd.j2
+        dest: /etc/systemd/system/solanum.service
+        mode: 0755
+      when: ansible_distribution == 'Debian'
+
+    - name: enable service
+      service:
+        name: solanum
+        state: started
+        enabled: yes
+      ignore_errors: yes
+