[certbot] Wildcard DNS

network.yml

@@ -47,6 +47,15 @@
   roles:
     - bind-authoritative
 
+# Deploy reverse proxy
+- hosts: bakdaur.adm.crans.org
+  vars:
+    certbot_dns_secret: "{{ vault_certbot_dns_secret }}"
+    bind:
+      masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
+  roles:
+    - certbot
+
 # Deploy firewall
 - hosts: gulp.adm.crans.org
   roles: []  # TODO

roles/certbot/tasks/main.yml

@@ -10,12 +10,17 @@
   retries: 3
   until: apt_result is succeeded
 
+- name: Lookup DNS masters IPv4
+  set_fact:
+    dns_masters_ipv4: "{{ bind.masters | json_query('servers[].interface[?vlan_id==`2`].ipv4[]') }}"
+    cacheable: true
+
 - name: Add DNS credentials
   template:
     src: letsencrypt/rfc2136.ini.j2
     dest: /etc/letsencrypt/rfc2136.ini
     mode: 0600
-    user: root
+    owner: root
 
 - name: Add Certbot configuration
   template:

roles/certbot/templates/letsencrypt/rfc2136.ini.j2

@@ -1,6 +1,6 @@
 {{ ansible_header | comment(decoration='# ') }}
 
-dns_rfc2136_server = {{ dns_master }}
+dns_rfc2136_server = {{ dns_masters_ipv4 | first }}
 dns_rfc2136_port = 53
 dns_rfc2136_name = certbot_challenge.
 dns_rfc2136_secret = {{ certbot_dns_secret }}