[certbot] Generate multiple certificates (useful for adm)

Signed-off-by: ynerant <ynerant@crans.org>

group_vars/certbot.yml

@@ -1,8 +1,8 @@
 ---
 glob_certbot:
-  dns_rfc2136_server: '172.16.10.147'
-  dns_rfc2136_name: certbot_challenge.
-  dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
-  mail: root@crans.org
-  certname: crans.org
-  domains: "crans.org"
+  - dns_rfc2136_server: '172.16.10.147'
+    dns_rfc2136_name: certbot_challenge.
+    dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+    mail: root@crans.org
+    certname: crans.org
+    domains: "crans.org"

host_vars/gitzly.adm.crans.org.yml

@@ -4,7 +4,16 @@ interfaces:
   srv: ens19
 
 loc_certbot:
-  dns_rfc2136_name: certbot_adm_challenge.
-  dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}"
-  certname: adm.crans.org
-  domains: "*.adm.crans.org"
+  - dns_rfc2136_server: '172.16.10.147'
+    dns_rfc2136_name: certbot_challenge.
+    dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+    mail: root@crans.org
+    certname: crans.org
+    domains: "*.crans.org"
+
+  - dns_rfc2136_server: '172.16.10.147'
+    dns_rfc2136_name: certbot_adm_challenge.
+    dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}"
+    mail: root@crans.org
+    certname: adm.crans.org
+    domains: "*.adm.crans.org"

host_vars/hodaur.adm.crans.org.yml

@@ -1,3 +1,8 @@
 ---
 loc_certbot:
-  domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
+  - dns_rfc2136_server: '172.16.10.147'
+    dns_rfc2136_name: certbot_challenge.
+    dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+    mail: root@crans.org
+    certname: crans.org
+    domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"

plays/certbot.yml

@@ -3,7 +3,7 @@
 # Deploy certbot for LE certificates
 - hosts: certbot
   vars:
-    certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}'
+    certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
     mirror: '{{ glob_mirror.name }}'
   roles:
     - certbot

plays/dovecot.yml

@@ -3,9 +3,9 @@
 # Deploy dovecot server
 - hosts: dovecot
   vars:
-    certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}'
+    certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
     ldap: '{{ glob_ldap | default({}) | combine(loc_ldap | default({})) }}'
     dovecot: '{{ glob_dovecot | default({}) | combine(loc_dovecot | default({})) }}'
   roles:
     - certbot
-    - dovecot
+    - dovecot

plays/freeradius.yml

@@ -3,7 +3,7 @@
 # Deploy radius server
 - hosts: radius
   vars:
-    certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}'
+    certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
     freeradius: '{{ glob_freeradius | default({}) | combine(loc_freeradius | default({})) }}'
     mirror: '{{ glob_mirror.name }}'
   roles:

plays/gitlab.yml

@@ -6,16 +6,9 @@
     - docker
     - gitlab-runner
 
-# This seems strange, don't know if it still used
-# - hosts: gitzly.adm.crans.org
-#   vars:
-#     certbot:
-#       dns_rfc2136_name: certbot_adm_challenge.
-#       dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}"
-#       mail: root@crans.org
-#       certname: adm.crans.org
-#       domains: "*.adm.crans.org"
-#     bind:
-#       masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
-#   roles:
-#     - certbot
+# Install Gitlab
+- hosts: git
+  vars:
+    certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
+  roles:
+    - certbot

plays/postfix.yml

@@ -4,11 +4,12 @@
 - hosts: sputnik.adm.crans.org, boeing.adm.crans.org, redisdead.adm.crans.org, titanic.adm.crans.org
   vars:
     certbot:
-      dns_rfc2136_name: certbot_challenge.
-      dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
-      mail: root@crans.org
-      certname: crans.org
-      domains: "*.crans.org"
+      - dns_rfc2136_server: '172.16.10.147'
+        dns_rfc2136_name: certbot_challenge.
+        dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+        mail: root@crans.org
+        certname: crans.org
+        domains: "*.crans.org"
     bind:
       masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
     opendkim:

plays/reverse-proxy.yml

@@ -2,7 +2,7 @@
 ---
 - hosts: reverseproxy
   vars:
-    certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}'
+    certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
     mirror: '{{ glob_mirror.name }}'
   roles:
     - certbot

roles/certbot/tasks/main.yml

@@ -20,9 +20,16 @@
 - name: Add DNS credentials
   template:
     src: letsencrypt/rfc2136.ini.j2
-    dest: /etc/letsencrypt/rfc2136.ini
+    dest: "/etc/letsencrypt/rfc2136.{{ item.certname }}.ini"
     mode: 0600
     owner: root
+  loop: "{{ certbot }}"
+
+- name: Add dhparam
+  template:
+    src: "letsencrypt/dhparam.j2"
+    dest: "/etc/letsencrypt/dhparam"
+    mode: 0644
 
 - name: Create /etc/letsencrypt/conf.d
   file:
@@ -32,8 +39,10 @@
 - name: Add Certbot configuration
   template:
     src: "letsencrypt/conf.d/certname.ini.j2"
-    dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
+    dest: "/etc/letsencrypt/conf.d/{{ item.certname }}.ini"
     mode: 0644
+  loop: "{{ certbot }}"
 
-- name: Run certbot                                                                                      
-  command: certbot --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly
+- name: Run certbot
+  command: certbot --non-interactive --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
+  loop: "{{ certbot }}"

roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2

@@ -1,7 +1,7 @@
 {{ ansible_header | comment(decoration='# ') }}
 
 # To generate the certificate, please use the following command
-# certbot --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly
+# certbot --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
 
 # Use a 4096 bit RSA key instead of 2048
 rsa-key-size = 4096
@@ -10,7 +10,7 @@ rsa-key-size = 4096
 # server = https://acme-staging.api.letsencrypt.org/directory
 
 # Uncomment and update to register with the specified e-mail address
-email = {{ certbot.mail }}
+email = {{ item.mail }}
 
 # Uncomment to use a text interface instead of ncurses
 text = True
@@ -20,9 +20,9 @@ agree-tos = True
 
 # Use DNS-01 challenge
 authenticator = dns-rfc2136
-dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini
+dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.{{ item.certname }}.ini
 dns-rfc2136-propagation-seconds = 30
 
 # Wildcard the domain
-cert-name = {{ certbot.certname }}
-domains = {{ certbot.domains }}
+cert-name = {{ item.certname }}
+domains = {{ item.domains }}

roles/certbot/templates/letsencrypt/dhparam.j2

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----

roles/certbot/templates/letsencrypt/rfc2136.ini.j2

@@ -1,7 +1,7 @@
 {{ ansible_header | comment(decoration='# ') }}
 
-dns_rfc2136_server = {{ certbot.dns_rfc2136_server }}
+dns_rfc2136_server = {{ item.dns_rfc2136_server }}
 dns_rfc2136_port = 53
-dns_rfc2136_name = {{ certbot.dns_rfc2136_name }}
-dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }}
+dns_rfc2136_name = {{ item.dns_rfc2136_name }}
+dns_rfc2136_secret = {{ item.dns_rfc2136_secret }}
 dns_rfc2136_algorithm = HMAC-SHA512