[certbot] Generate multiple certificates (useful for adm)

Signed-off-by: ynerant <ynerant@crans.org>
2021-02-11 17:35:31 +01:00 · 2021-02-11 17:35:31 +01:00 · 009e7b42cb
parent 167818eb90
commit 009e7b42cb
13 changed files with 71 additions and 46 deletions
--- a/group_vars/certbot.yml
+++ b/group_vars/certbot.yml
@ -1,6 +1,6 @@
 ---
 glob_certbot:
-  dns_rfc2136_server: '172.16.10.147'
+  - dns_rfc2136_server: '172.16.10.147'
    dns_rfc2136_name: certbot_challenge.
    dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
    mail: root@crans.org
--- a/host_vars/gitzly.adm.crans.org.yml
+++ b/host_vars/gitzly.adm.crans.org.yml
@ -4,7 +4,16 @@ interfaces:
  srv: ens19
 loc_certbot:
  - dns_rfc2136_server: '172.16.10.147'
    dns_rfc2136_name: certbot_challenge.
    dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
    mail: root@crans.org
    certname: crans.org
    domains: "*.crans.org"
  - dns_rfc2136_server: '172.16.10.147'
    dns_rfc2136_name: certbot_adm_challenge.
    dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}"
    mail: root@crans.org
    certname: adm.crans.org
    domains: "*.adm.crans.org"
--- a/host_vars/hodaur.adm.crans.org.yml
+++ b/host_vars/hodaur.adm.crans.org.yml
@ -1,3 +1,8 @@
 ---
 loc_certbot:
  - dns_rfc2136_server: '172.16.10.147'
    dns_rfc2136_name: certbot_challenge.
    dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
    mail: root@crans.org
    certname: crans.org
    domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
--- a/plays/certbot.yml
+++ b/plays/certbot.yml
@ -3,7 +3,7 @@
 # Deploy certbot for LE certificates
 - hosts: certbot
  vars:
-    certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}'
+    certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
    mirror: '{{ glob_mirror.name }}'
  roles:
    - certbot
--- a/plays/dovecot.yml
+++ b/plays/dovecot.yml
@ -3,7 +3,7 @@
 # Deploy dovecot server
 - hosts: dovecot
  vars:
-    certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}'
+    certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
    ldap: '{{ glob_ldap | default({}) | combine(loc_ldap | default({})) }}'
    dovecot: '{{ glob_dovecot | default({}) | combine(loc_dovecot | default({})) }}'
  roles:
--- a/plays/freeradius.yml
+++ b/plays/freeradius.yml
@ -3,7 +3,7 @@
 # Deploy radius server
 - hosts: radius
  vars:
-    certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}'
+    certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
    freeradius: '{{ glob_freeradius | default({}) | combine(loc_freeradius | default({})) }}'
    mirror: '{{ glob_mirror.name }}'
  roles:
--- a/plays/gitlab.yml
+++ b/plays/gitlab.yml
@ -6,16 +6,9 @@
    - docker
    - gitlab-runner
-# This seems strange, don't know if it still used
+# Install Gitlab
-# - hosts: gitzly.adm.crans.org
+- hosts: git
-#   vars:
+  vars:
-#     certbot:
+    certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
-#       dns_rfc2136_name: certbot_adm_challenge.
+  roles:
-#       dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}"
+    - certbot
 #       mail: root@crans.org
 #       certname: adm.crans.org
 #       domains: "*.adm.crans.org"
 #     bind:
 #       masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
 #   roles:
 #     - certbot
--- a/plays/postfix.yml
+++ b/plays/postfix.yml
@ -4,6 +4,7 @@
 - hosts: sputnik.adm.crans.org, boeing.adm.crans.org, redisdead.adm.crans.org, titanic.adm.crans.org
  vars:
    certbot:
      - dns_rfc2136_server: '172.16.10.147'
        dns_rfc2136_name: certbot_challenge.
        dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
        mail: root@crans.org
--- a/plays/reverse-proxy.yml
+++ b/plays/reverse-proxy.yml
@ -2,7 +2,7 @@
 ---
 - hosts: reverseproxy
  vars:
-    certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}'
+    certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
    mirror: '{{ glob_mirror.name }}'
  roles:
    - certbot
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@ -20,9 +20,16 @@
 - name: Add DNS credentials
  template:
    src: letsencrypt/rfc2136.ini.j2
-    dest: /etc/letsencrypt/rfc2136.ini
+    dest: "/etc/letsencrypt/rfc2136.{{ item.certname }}.ini"
    mode: 0600
    owner: root
  loop: "{{ certbot }}"
 - name: Add dhparam
  template:
    src: "letsencrypt/dhparam.j2"
    dest: "/etc/letsencrypt/dhparam"
    mode: 0644
 - name: Create /etc/letsencrypt/conf.d
  file:
@ -32,8 +39,10 @@
 - name: Add Certbot configuration
  template:
    src: "letsencrypt/conf.d/certname.ini.j2"
-    dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
+    dest: "/etc/letsencrypt/conf.d/{{ item.certname }}.ini"
    mode: 0644
  loop: "{{ certbot }}"
 - name: Run certbot
-  command: certbot --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly
+  command: certbot --non-interactive --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
  loop: "{{ certbot }}"
--- a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
+++ b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
@ -1,7 +1,7 @@
 {{ ansible_header | comment(decoration='# ') }}
 # To generate the certificate, please use the following command
-# certbot --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly
+# certbot --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
 # Use a 4096 bit RSA key instead of 2048
 rsa-key-size = 4096
@ -10,7 +10,7 @@ rsa-key-size = 4096
 # server = https://acme-staging.api.letsencrypt.org/directory
 # Uncomment and update to register with the specified e-mail address
-email = {{ certbot.mail }}
+email = {{ item.mail }}
 # Uncomment to use a text interface instead of ncurses
 text = True
@ -20,9 +20,9 @@ agree-tos = True
 # Use DNS-01 challenge
 authenticator = dns-rfc2136
-dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini
+dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.{{ item.certname }}.ini
 dns-rfc2136-propagation-seconds = 30
 # Wildcard the domain
-cert-name = {{ certbot.certname }}
+cert-name = {{ item.certname }}
-domains = {{ certbot.domains }}
+domains = {{ item.domains }}
--- a/roles/certbot/templates/letsencrypt/dhparam.j2
+++ b/roles/certbot/templates/letsencrypt/dhparam.j2
@ -0,0 +1,8 @@
 -----BEGIN DH PARAMETERS-----
 MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
 +8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
 87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
 YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
 7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
 ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
 -----END DH PARAMETERS-----
--- a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
+++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
@ -1,7 +1,7 @@
 {{ ansible_header | comment(decoration='# ') }}
-dns_rfc2136_server = {{ certbot.dns_rfc2136_server }}
+dns_rfc2136_server = {{ item.dns_rfc2136_server }}
 dns_rfc2136_port = 53
-dns_rfc2136_name = {{ certbot.dns_rfc2136_name }}
+dns_rfc2136_name = {{ item.dns_rfc2136_name }}
-dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }}
+dns_rfc2136_secret = {{ item.dns_rfc2136_secret }}
 dns_rfc2136_algorithm = HMAC-SHA512