[inspircd] Enable multiple certificate support

host_vars/irc.adm.crans.org.yml

@@ -41,18 +41,30 @@ loc_inspircd:
     name: Pierre-Elliott Bécue
     nick: PEB
     email: root@crans.org
+  ssl:
+    - name: crans.org
+    - name: adm.crans.org
   bind:
     - address: "{{ query('ldap', 'ip4', 'irc', 'srv') }}"
       type: clients
       clair: 6667
       ssl: 6697
+      certificate: crans.org
     - address: "{{ query('ldap', 'ip6', 'irc', 'srv') }}"
       type: clients
       clair: 6667
       ssl: 6697
+      certificate: crans.org
     - address: "{{ query('ldap', 'ip4', 'irc', 'adm') }}"
       type: clients
       clair: 6667
+      ssl: 6697
+      certificate: adm.crans.org
+    - address: "{{ query('ldap', 'ip6', 'irc', 'adm') }}"
+      type: clients
+      clair: 6667
+      ssl: 6697
+      certificate: adm.crans.org
     - address: 127.0.0.1
       type: servers
       clair: 6668
@@ -93,3 +105,30 @@ loc_anope:
   options_seed: "{{ vault.anope.options_seed }}"
   services_roots: "{{ vault.anope.services_roots }}"
   services_host: "services.irc.crans.org"
+
+loc_certbot:
+  - mail: root@crans.org
+    certname: crans.org
+    domains: "*.crans.org"
+  - mail: root@crans.org
+    certname: adm.crans.org
+    domains: "*.adm.crans.org"
+
+loc_service_certbot:
+  config:
+    "crans.org":
+      zone: _acme-challenge.crans.org
+      server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}"
+      port: 53
+      key:
+        name: certbot_challenge.
+        secret: "{{ vault.bind.rfc2136_keys['certbot_challenge.'].secret }}"
+        algorithm: HMAC-SHA512
+    "adm.crans.org":
+      zone: _acme-challenge.adm.crans.org
+      server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}"
+      port: 53
+      key:
+        name: certbot_adm_challenge.
+        secret: "{{ vault.bind.rfc2136_keys['certbot_adm_challenge.'].secret }}"
+        algorithm: HMAC-SHA512

roles/inspircd/tasks/main.yml

@@ -15,8 +15,8 @@
     - { dest: inspircd.motd, mode: "0644" }
   notify: Reload InspIRCd
 
-- name: Deploy certificate refresh CRON
+- name: Deploy certificate deploy hook
   template:
-    src: cron.monthly/irc-certs.j2
-    dest: /etc/cron.monthly/irc-certs
+    src: letsencrypt/renewal-hooks/deploy/inspircd.j2
+    dest: /etc/letsencrypt/renewal-hooks/deploy/inspircd
     mode: 0755

roles/inspircd/templates/cron.monthly/irc-certs.j2

@@ -1,7 +0,0 @@
-#!/bin/sh
-{{ ansible_header | comment }}
-
-cp /etc/letsencrypt/live/crans.org/fullchain.pem /etc/inspircd/fullchain.pem
-cp /etc/letsencrypt/live/crans.org/privkey.pem /etc/inspircd/privkey.pem
-chown irc:irc /etc/inspircd/fullchain.pem /etc/inspircd/privkey.pem
-kill -USR1 $(cat /var/run/inspircd/inspircd.pid)

roles/inspircd/templates/inspircd/inspircd.conf.j2

@@ -21,17 +21,19 @@
 {% for bind in inspircd.bind %}
 <bind address="{{ bind.address }}" port="{{ bind.clair }}" type="{{ bind.type }}">
 {% if bind.ssl is defined %}
-<bind address="{{ bind.address }}" port="{{ bind.ssl }}" type="{{ bind.type }}" ssl="openssl">
+<bind address="{{ bind.address }}" port="{{ bind.ssl }}" type="{{ bind.type }}" ssl="{{ bind.certificate }}">
 {% endif %}
 {% endfor %}
 
+{% for ssl in inspircd.ssl %}
 <sslprofile
-	name="openssl"
+	name="{{ ssl.name }}"
 	provider="openssl"
-	certfile="/etc/inspircd/fullchain.pem"
-	keyfile="/etc/inspircd/privkey.pem"
+	certfile="/etc/inspircd/fullchain.{{ ssl.name }}.pem"
+	keyfile="/etc/inspircd/privkey.{{ ssl.name }}.pem"
 	hash="sha1"
 >
+{% endfor %}
 
 <include file="/etc/inspircd/power.conf">
 

roles/inspircd/templates/letsencrypt/renewal-hooks/deploy/inspircd.j2

@@ -0,0 +1,8 @@
+#!/bin/sh
+{{ ansible_header | comment }}
+
+CERTNAME=$(basename ${RENEWED_LINEAGE})
+
+install -o root -g irc -m 0644 ${RENEWED_LINEAGE}/fullchain.pem /etc/inspircd/fullchain.${CERTNAME}.pem
+install -o root -g irc -m 0640 ${RENEWED_LINEAGE}/privkey.pem /etc/inspircd/privkey.${CERTNAME}.pem
+kill -USR1 $(cat /var/run/inspircd/inspircd.pid)