From 80040dd35c45c6848ff557a8ba10c8276205cade Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Fri, 1 May 2020 17:17:18 +0200
Subject: [PATCH] Certbot role for gitzly

---
 network.yml | 20 ++++++++++++++++++-
 roles/certbot/tasks/main.yml | 4 ++--
 .../letsencrypt/conf.d/crans.org.ini.j2 | 6 +++---
 .../templates/letsencrypt/rfc2136.ini.j2 | 4 ++--
 4 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/network.yml b/network.yml
index b7d09a19..ed74f96c 100755
--- a/network.yml
+++ b/network.yml
@@ -51,7 +51,25 @@
 # Deploy reverse proxy
 - hosts: bakdaur.adm.crans.org
 vars:
- certbot_dns_secret: "{{ vault_certbot_dns_secret }}"
+ certbot:
+ dns_rfc2136_name: certbot_challenge.
+ dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+ mail: root@crans.org
+ certname: crans.org
+ domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
+ bind:
+ masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
+ roles:
+ - certbot
+
+- hosts: gitzly.adm.crans.org
+ vars:
+ certbot:
+ dns_rfc2136_name: certbot_adm_challenge.
+ dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}"
+ mail: root@crans.org
+ certname: adm.crans.org
+ domains: "*.adm.crans.org"
 bind:
 masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
 roles:
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index 86e7c6e3..3a862fcb 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@@ -24,6 +24,6 @@
 - name: Add Certbot configuration
 template:
- src: letsencrypt/conf.d/crans.org.ini.j2
- dest: /etc/letsencrypt/conf.d/crans.org.ini
+ src: "letsencrypt/conf.d/{{ certbot.certname }}.ini.j2"
+ dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
 mode: 0644
diff --git a/roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2
index d311fa76..837a60a9 100644
--- a/roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2
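Review bot: The gitzly play asks for `domains: "*.adm.crans.org"`, so the private key and certificate covering every admin hostname will be issued to and stored on that single host; if gitzly only serves its own name, `domains: "gitzly.adm.crans.org"` keeps a compromise of that machine from yielding a certificate valid for all adm.crans.org services. Whether the wildcard is actually needed there cannot be told from this hunk, so this is a question for the author rather than a definite defect. Separately, the `mail`, `bind` and `roles` stanzas are now repeated verbatim between the bakdaur and gitzly plays; moving the shared values to group_vars would leave only the per-host `certbot` block in the playbook.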
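Review bot: `src: "letsencrypt/conf.d/{{ certbot.certname }}.ini.j2"` resolves to `letsencrypt/conf.d/adm.crans.org.ini.j2` for gitzly, and no such template is added by this patch (the diffstat lists only the existing crans.org.ini.j2), so the task will fail on that host unless the file exists outside the patch. Since the template itself is now driven entirely by the `certbot.*` variables, only the destination needs to vary: keep `src: letsencrypt/conf.d/crans.org.ini.j2` (or give the template a generic name) and leave `dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"` as added. The task that renders rfc2136.ini is outside this hunk; with the TSIG secret now supplied per host, it is worth confirming that file is written with mode 0600, since certbot only warns about, and does not refuse, a world-readable credentials file.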
+++ b/roles/certbot/templates/letsencrypt/conf.d/crans.org.ini.j2
@@ -10,7 +10,7 @@ rsa-key-size = 4096
 # server = https://acme-staging.api.letsencrypt.org/directory
 # Uncomment and update to register with the specified e-mail address
-email = root@crans.org
+email = {{ certbot.mail }}
 # Uncomment to use a text interface instead of ncurses
 text = True
@@ -21,5 +21,5 @@ dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini
 dns-rfc2136-propagation-seconds = 30
 # Wildcard the domain
-cert-name = crans.org
-domains = crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu
+cert-name = {{ certbot.certname }}
+domains = {{ certbot.domains }}
diff --git a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
index 54b272b5..a41a547d 100644
--- a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
+++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
@@ -2,6 +2,6 @@
 dns_rfc2136_server = {{ dns_masters_ipv4 | first }}
 dns_rfc2136_port = 53
-dns_rfc2136_name = certbot_challenge.
-dns_rfc2136_secret = {{ certbot_dns_secret }}
+dns_rfc2136_name = {{ certbot.dns_rfc2136_name }}
+dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }}
 dns_rfc2136_algorithm = HMAC-SHA512
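Review bot: In the first hunk the context comment kept above the changed line, `# Uncomment and update to register with the specified e-mail address`, now describes a line that is never commented out and whose value comes from `certbot.mail`; replacing it with `# Registration e-mail address (certbot.mail)` stops the rendered file from inviting a manual edit that the next playbook run would overwrite. The same applies to `# Wildcard the domain` in the second hunk, which should say that `cert-name` and `domains` come from `certbot.certname` and `certbot.domains`. With those two values templated the file no longer contains anything specific to crans.org, so the name crans.org.ini.j2 is misleading for a template that now serves every host of the role.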
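Review bot: `dns_rfc2136_algorithm = HMAC-SHA512` stays hard-coded on the last context line while the key name and secret just above it became per-host, so a host whose TSIG key was generated with a different algorithm would get a credentials file that cannot authenticate its updates; `dns_rfc2136_algorithm = {{ certbot.dns_rfc2136_algorithm | default('HMAC-SHA512') }}` preserves the current behaviour and lets a play override it alongside the other two values. The rendered file carries the raw secret of the new `certbot_adm_challenge.` key, so its update rights on the DNS master presumably should be confined to the `_acme-challenge` TXT records under adm.crans.org; that policy is not part of this patch and is worth confirming before the key is deployed.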