From 1bf27f84872db3086a1fa9c00567eb846e3cc3be Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Mon, 27 Apr 2020 09:40:48 +0200
Subject: [PATCH] [certbot] Wildcard DNS

---
 network.yml | 9 +++++++++
 roles/certbot/tasks/main.yml | 7 ++++++-
 roles/certbot/templates/letsencrypt/rfc2136.ini.j2 | 2 +-
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/network.yml b/network.yml
index 14bdcc9d..52e46483 100755
--- a/network.yml
+++ b/network.yml
@@ -47,6 +47,15 @@
 roles:
 - bind-authoritative
 
+# Deploy reverse proxy
+- hosts: bakdaur.adm.crans.org
+ vars:
+ certbot_dns_secret: "{{ vault_certbot_dns_secret }}"
+ bind:
+ masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
+ roles:
+ - certbot
+
 # Deploy firewall
 - hosts: gulp.adm.crans.org
 roles: [] # TODO
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index 5f78a3f0..029f1d63 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@@ -10,12 +10,17 @@
 retries: 3
 until: apt_result is succeeded
 
+- name: Lookup DNS masters IPv4
+ set_fact:
+ dns_masters_ipv4: "{{ bind.masters | json_query('servers[].interface[?vlan_id==`2`].ipv4[]') }}"
+ cacheable: true
+
 - name: Add DNS credentials
 template:
 src: letsencrypt/rfc2136.ini.j2
 dest: /etc/letsencrypt/rfc2136.ini
 mode: 0600
- user: root
+ owner: root
 
 - name: Add Certbot configuration
 template:
diff --git a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
index 80d3dde6..54b272b5 100644
--- a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
+++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
@@ -1,6 +1,6 @@
 {{ ansible_header | comment(decoration='# ') }}
-dns_rfc2136_server = {{ dns_master }}
+dns_rfc2136_server = {{ dns_masters_ipv4 | first }}
 dns_rfc2136_port = 53
 dns_rfc2136_name = certbot_challenge.
 dns_rfc2136_secret = {{ certbot_dns_secret }}
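Review bot: The new play in network.yml defines `bind.masters` only so that the certbot role can read it, which couples the certbot role to the bind role's variable namespace and hides the dependency from the certbot role's own defaults; a dedicated variable such as `certbot_dns_masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"` would state the contract explicitly. The `[0]` index presumably raises an undefined-variable error when the re2o role returns no server, which may be the intended failure mode but deserves a one-line comment. The header `# Deploy reverse proxy` describes the host rather than what the play does, since the only role applied is `certbot`; `# Deploy Certbot with wildcard DNS challenge on the reverse proxy` would match the hunk.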
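Review bot: `cacheable: true` on the new set_fact in roles/certbot/tasks/main.yml persists `dns_masters_ipv4` in the fact cache, so when fact caching is enabled a later change of the DNS master address keeps writing the stale IPv4 into rfc2136.ini until the cache expires; the value is recomputed from `bind.masters` on every run anyway, so the line can be dropped. Nothing checks that the json_query returned at least one address before the template task runs, and `dns_masters_ipv4 | first` in the rfc2136.ini.j2 hunk fails with a generic filter error on an empty list, so an assert task between the two would give a clear message instead. `mode: 0600` is an unquoted YAML 1.1 octal that Ansible happens to interpret correctly; `mode: "0600"` makes the intent explicit and survives reformatting by YAML tools. Since `certbot_dns_secret` is the TSIG key that authorizes dynamic updates for the wildcard challenge, it is worth confirming that the bind side (not visible in this patch) restricts the `certbot_challenge.` key to the `_acme-challenge` TXT records it needs.

```yaml
- name: Lookup DNS masters IPv4
  set_fact:
    dns_masters_ipv4: "{{ bind.masters | json_query('servers[].interface[?vlan_id==`2`].ipv4[]') }}"

- name: Check that a DNS master address was found
  assert:
    that:
      - dns_masters_ipv4 | length > 0
    fail_msg: "No IPv4 address found for the DNS masters on VLAN 2; certbot RFC2136 updates need one"

# … unchanged: Add DNS credentials template task …
```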