diff --git a/host_vars/irc.adm.crans.org.yml b/host_vars/irc.adm.crans.org.yml
index bdcb7478..bea251ea 100644
--- a/host_vars/irc.adm.crans.org.yml
+++ b/host_vars/irc.adm.crans.org.yml
@@ -41,18 +41,30 @@ loc_inspircd:
 name: Pierre-Elliott Bécue
 nick: PEB
 email: root@crans.org
+ ssl:
+ - name: crans.org
+ - name: adm.crans.org
 bind:
 - address: "{{ query('ldap', 'ip4', 'irc', 'srv') }}"
 type: clients
 clair: 6667
 ssl: 6697
+ certificate: crans.org
 - address: "{{ query('ldap', 'ip6', 'irc', 'srv') }}"
 type: clients
 clair: 6667
 ssl: 6697
+ certificate: crans.org
 - address: "{{ query('ldap', 'ip4', 'irc', 'adm') }}"
 type: clients
 clair: 6667
+ ssl: 6697
+ certificate: adm.crans.org
+ - address: "{{ query('ldap', 'ip6', 'irc', 'adm') }}"
+ type: clients
+ clair: 6667
+ ssl: 6697
+ certificate: adm.crans.org
 - address: 127.0.0.1
 type: servers
 clair: 6668
@@ -93,3 +105,30 @@ loc_anope:
 options_seed: "{{ vault.anope.options_seed }}"
 services_roots: "{{ vault.anope.services_roots }}"
 services_host: "services.irc.crans.org"
+
+loc_certbot:
+ - mail: root@crans.org certname: crans.org domains: "*.crans.org"
+ - mail: root@crans.org certname: adm.crans.org domains: "*.adm.crans.org"
+
+loc_service_certbot: config: "crans.org": zone: _acme-challenge.crans.org server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}" port: 53 key: name: certbot_challenge. secret: "{{ vault.bind.rfc2136_keys['certbot_challenge.'].secret }}" algorithm: HMAC-SHA512 "adm.crans.org": zone: _acme-challenge.adm.crans.org server: "{{ query('ldap', 'ip4', 'silice', 'adm') }}" port: 53 key: name: certbot_adm_challenge. secret: "{{ vault.bind.rfc2136_keys['certbot_adm_challenge.'].secret }}" algorithm: HMAC-SHA512
diff --git a/roles/inspircd/tasks/main.yml b/roles/inspircd/tasks/main.yml
index 5a1a6dd1..8f5e3d78 100644
--- a/roles/inspircd/tasks/main.yml
+++ b/roles/inspircd/tasks/main.yml
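Review bot: The new `certificate:` values on the bind entries (`crans.org`, `adm.crans.org`) have to agree with both `loc_inspircd.ssl[].name` above and the `certname` of the matching `loc_certbot` entry, because the deploy hook introduced in this commit writes `/etc/inspircd/fullchain.<lineage>.pem` from the certbot lineage name; nothing visible enforces that the three spellings match, so a typo renders a config that points at an ssl profile or a file that does not exist. A comment above the `ssl:` list such as `# name must equal the certbot certname (loc_certbot[].certname); bind entries refer to it via certificate:` would make that coupling explicit. Note also that `ssl` is a list of certificate profiles at the `loc_inspircd` level but a port number inside each bind entry, which reads awkwardly; a distinct key for the bind-level port would avoid the overload, though that is a role-wide rename. The `loc_inspircd` mapping starts before this hunk.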
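Review bot: `domains: "*.crans.org"` puts a wildcard private key valid for every `crans.org` host on the IRC server, where the new deploy hook makes it readable by group `irc`, so a compromise of inspircd exposes a key far broader than this one service needs; if the listeners only serve `irc.crans.org`, requesting that exact name (or a SAN list of the names actually bound) keeps the blast radius to this host. Keep in mind that `*.crans.org` does not cover the apex `crans.org` itself, so the lineage name `crans.org` should not be read as the certificate covering that name. The TSIG secrets for `certbot_challenge.` and `certbot_adm_challenge.` come from the vault, which is right; their `update-policy` on the bind side is not visible here, so confirm each key is restricted to TXT records under its `_acme-challenge` zone rather than the whole zone. The `loc_anope` mapping starts before this hunk.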
@@ -15,8 +15,8 @@
 - { dest: inspircd.motd, mode: "0644" }
 notify: Reload InspIRCd
-- name: Deploy certificate refresh CRON
+- name: Deploy certificate deploy hook
 template:
- src: cron.monthly/irc-certs.j2
- dest: /etc/cron.monthly/irc-certs
+ src: letsencrypt/renewal-hooks/deploy/inspircd.j2
+ dest: /etc/letsencrypt/renewal-hooks/deploy/inspircd
 mode: 0755
diff --git a/roles/inspircd/templates/cron.monthly/irc-certs.j2 b/roles/inspircd/templates/cron.monthly/irc-certs.j2
deleted file mode 100644
index 3fcad2ca..00000000
--- a/roles/inspircd/templates/cron.monthly/irc-certs.j2
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-{{ ansible_header | comment }}
-
-cp /etc/letsencrypt/live/crans.org/fullchain.pem /etc/inspircd/fullchain.pem
-cp /etc/letsencrypt/live/crans.org/privkey.pem /etc/inspircd/privkey.pem
-chown irc:irc /etc/inspircd/fullchain.pem /etc/inspircd/privkey.pem
-kill -USR1 $(cat /var/run/inspircd/inspircd.pid)
diff --git a/roles/inspircd/templates/inspircd/inspircd.conf.j2 b/roles/inspircd/templates/inspircd/inspircd.conf.j2
index 9229fba6..6188375e 100644
--- a/roles/inspircd/templates/inspircd/inspircd.conf.j2
+++ b/roles/inspircd/templates/inspircd/inspircd.conf.j2
@@ -21,17 +21,19 @@ {% for bind in inspircd.bind %} {% if bind.ssl is defined %} - + {% endif %} {% endfor %} +{% for ssl in inspircd.ssl %} +{% endfor %}
diff --git a/roles/inspircd/templates/letsencrypt/renewal-hooks/deploy/inspircd.j2 b/roles/inspircd/templates/letsencrypt/renewal-hooks/deploy/inspircd.j2
new file mode 100644
index 00000000..00555961
--- /dev/null
+++ b/roles/inspircd/templates/letsencrypt/renewal-hooks/deploy/inspircd.j2
@@ -0,0 +1,8 @@
+#!/bin/sh
+{{ ansible_header | comment }}
+
+CERTNAME=$(basename ${RENEWED_LINEAGE})
+
+install -o root -g irc -m 0644 ${RENEWED_LINEAGE}/fullchain.pem /etc/inspircd/fullchain.${CERTNAME}.pem
+install -o root -g irc -m 0640 ${RENEWED_LINEAGE}/privkey.pem /etc/inspircd/privkey.${CERTNAME}.pem
+kill -USR1 $(cat /var/run/inspircd/inspircd.pid)
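Review bot: Swapping the cron template for the deploy hook does not remove `/etc/cron.monthly/irc-certs` from hosts that were already provisioned, so on those hosts the old job keeps running next to the new hook: copying `live/crans.org/*.pem` to `/etc/inspircd/fullchain.pem` and `privkey.pem`, `chown`ing the private key to `irc:irc` and sending USR1 every month. Add a task before this one such as `- name: Remove legacy certificate refresh CRON` with `file: { path: /etc/cron.monthly/irc-certs, state: absent }` so existing hosts converge to the intended state. The task list continues outside this hunk.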
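Review bot: `{% for ssl in inspircd.ssl %}` assumes every host using this role now defines `loc_inspircd.ssl`; the commit adds that key only in `host_vars/irc.adm.crans.org.yml`, so if any other host's vars predate this change, templating presumably fails on the undefined attribute. If an empty profile list is a valid configuration, `{% for ssl in inspircd.ssl | default([]) %}` keeps such hosts rendering; otherwise a one-line comment above the loop stating that `ssl` is now mandatory for this role would do. The tag lines inside both loops are not legible in this copy of the diff, so only the loop structure is reviewed here.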
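Review bot: The hook has no `set -eu`, so if an `install` fails (for example `/etc/inspircd` missing, or `RENEWED_LINEAGE` unset when the script is run by hand) it still signals inspircd and exits 0, and certbot never reports the deploy as failed; adding `set -eu` directly after the shebang makes the reload conditional on both files being in place and surfaces the error. Installing the key as `root:irc` with `0640` is tighter than the removed cron's `chown irc:irc`, which is a good change. Hooks in `renewal-hooks/deploy/` run from `certbot renew` rather than on the initial issuance, so on a freshly provisioned host `/etc/inspircd/fullchain.crans.org.pem` will not exist until the first renewal unless the role or a manual run creates it — confirm that is covered. Quoting `"${RENEWED_LINEAGE}"` is also the conventional form, even though lineage paths contain no spaces.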