hifis-net · Normo · Nov 10, 2025 · Nov 10, 2025 · Aug 15, 2025
@@ -42,6 +42,7 @@ jobs:
       fail-fast: false
       matrix:
         image:
+          - "ghcr.io/hifis-net/almalinux-systemd:9"
           - "ghcr.io/hifis-net/ubuntu-systemd:22.04"
           - "ghcr.io/hifis-net/ubuntu-systemd:24.04"
 

@@ -6,9 +6,11 @@
 ---
 - name: "Converge"
   hosts: "all"
+  become: false
   tasks:
 
     - name: "Get private key content"
+      become: true
       ansible.builtin.command: "cat /etc/ssl/private/ssl-cert-snakeoil.key"
       changed_when: false
       check_mode: false

@@ -26,5 +26,10 @@ provisioner:
   playbooks:
     prepare: "prepare.yml"
     converge: "converge.yml"
+  inventory:
+    hosts:
+      all:
+        vars:
+          ansible_user: "ansible"
 verifier:
   name: "ansible"
@@ -6,10 +6,11 @@
 ---
 - name: "Prepare"
   hosts: "all"
+  become: true
   vars:
     # Apply suggested Elasticsearch configuration
     elasticsearch_version: "8.x"
-    elasticsearch_package: "elasticsearch=8.8.1"
+    elasticsearch_package: "elasticsearch"
     elasticsearch_heap_size_min: "256m"
     elasticsearch_heap_size_max: "256m"
     elasticsearch_extra_options: |
@@ -22,6 +23,7 @@
   tasks:
 
     - name: "Install required packages"
+      when: "ansible_facts.os_family == 'Debian'"
       ansible.builtin.apt:
         name:
           - "sudo"
@@ -33,6 +35,37 @@
         state: "present"
         update_cache: true
 
+    - name: "Provide SSL/TLS certificate on AlmaLinux"
+      when: "ansible_facts.os_family == 'RedHat'"
+      block:
+        - name: "Ensure SSL/TLS directories exist"
+          ansible.builtin.file:
+            path: "{{ item }}"
+            state: "directory"
+            mode: '0755'
+          loop:
+            - "/etc/ssl/private"
+            - "/etc/ssl/certs"
+
+        - name: "Install python-cryptography"
+          ansible.builtin.pip:
+            name: "cryptography"
+
+        - name: "Create RSA private key"
+          community.crypto.openssl_privatekey:
+            path: "/etc/ssl/private/ssl-cert-snakeoil.key"
+            size: 2048
+            type: "RSA"
+            mode: '0600'
+
+        - name: "Create a snakeoil certificate"
+          community.crypto.x509_certificate:
+            path: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+            privatekey_path: "/etc/ssl/private/ssl-cert-snakeoil.key"
+            provider: "selfsigned"
+            selfsigned_not_after: "+365d"
+            mode: '0644'
+
     - name: "Include geerlingguy.elasticsearch"
       ansible.builtin.include_role:
         name: "geerlingguy.elasticsearch"

@@ -64,7 +64,7 @@ File path to the SSL/TLS certificate which is used for HTTPS.
 zammad_ssl_key_path: "/etc/ssl/private/zammad_key.pem"
 ```
 
-File path to the SSL/TLS private key  which is used for HTTPS.
+File path to the SSL/TLS private key which is used for HTTPS.
 
 ```yaml
 zammad_ssl_cert:

@@ -5,16 +5,19 @@
 
 ---
 - name: "Reload nginx"
+  become: true
   ansible.builtin.service:
     name: "nginx"
     state: "reloaded"
 
 - name: "Set Elasticsearch server address"
+  become: true
   ansible.builtin.command: >-
     zammad run rails r "Setting.set('es_url', '{{ zammad_elasticsearch_url | quote }}')"
   changed_when: true
 
 - name: "Build search index"
+  become: true
   ansible.builtin.command: "zammad run rake zammad:searchindex:rebuild"
   changed_when: true
   when: "not __zammad_is_installed or zammad_force_es_searchindex_rebuild"

@@ -10,11 +10,13 @@
   block:
 
     - name: "Install | Install EPEL repo"
+      become: true
       ansible.builtin.dnf:
         name: "epel-release"
         state: "present"
 
     - name: "Install | Add Zammad yum repository"
+      become: true
       ansible.builtin.yum_repository:
         name: "zammad"
         state: "present"
@@ -31,18 +33,21 @@
   block:
 
     - name: "Remove Zammad apt key from legacy trusted.gpg keyring"
+      become: true
       ansible.builtin.apt_key:
         url: "https://dl.packager.io/srv/zammad/zammad/key"
         state: "absent"
 
     - name: "Remove Zammad DEB repository from sources.list"
+      become: true
       ansible.builtin.apt_repository:
         repo: "deb https://dl.packager.io/srv/deb/zammad/zammad/{{ zammad_release_channel }}/ubuntu {{ ansible_facts.distribution_version }} main"
         state: "absent"
         filename: "zammad"
         update_cache: false
 
     - name: "Install | Add Zammad DEB repository"
+      become: true
       ansible.builtin.deb822_repository:
         name: "zammad"
         types: "deb"
@@ -56,6 +61,7 @@
         enabled: true
 
     - name: "Update apt cache"
+      become: true
       ansible.builtin.apt:
         update_cache: true
       changed_when: false
@@ -69,15 +75,17 @@
     __zammad_is_installed: "{{ 'zammad' in ansible_facts.packages }}"
 
 - name: "Install | Install Zammad package"
+  become: true
   ansible.builtin.package:
     name: "zammad={{ zammad_version }}*"
     state: "present"
-    force: true
+    allow_downgrade: true
   notify:
     - "Set Elasticsearch server address"
     - "Build search index"
 
 - name: "Install | Start and enable services"
+  become: true
   ansible.builtin.service:
     name: "{{ item }}"
     state: "started"

@@ -6,6 +6,7 @@
 ---
 
 - name: "Nginx | Create config"
+  become: true
   ansible.builtin.template:
     src: "nginx-zammad.conf.j2"
     dest: "{{ zammad_nginx_config_path }}"

@@ -6,6 +6,7 @@
 ---
 
 - name:  "SSL | Insert private key"
+  become: true
   ansible.builtin.blockinfile:
     path: "{{ zammad_ssl_key_path }}"
     create: true
@@ -17,6 +18,7 @@
   when: "zammad_ssl_key | default('') | length > 0"
 
 - name: "SSL | Insert certificate"
+  become: true
   ansible.builtin.blockinfile:
     path: "{{ zammad_ssl_cert_path }}"
     create: true
@@ -34,6 +36,7 @@
   ignore_errors: "{{ ansible_check_mode }}"
 
 - name: "SSL | Ensure certificate and private key match"
+  become: true
   community.crypto.openssl_privatekey_info:
     path: "{{ zammad_ssl_key_path }}"
   register: "__private_key"