From 8a7a399b087d2a8f9e0b4de192f666f5e642fb20 Mon Sep 17 00:00:00 2001
From: Alexandre Iooss
Date: Sat, 25 Apr 2020 20:57:32 +0200
Subject: [PATCH] Initial certbot conf

---
 .../templates/bind/named.conf.j2 | 3 ---
 roles/certbot/tasks/main.yml | 25 ++++++++++++++++++
 .../letsencrypt/conf.d/wildcard.ini.j2 | 26 +++++++++++++++++++
 .../templates/letsencrypt/rfc2136.ini.j2 | 7 +++++
 4 files changed, 58 insertions(+), 3 deletions(-)
 create mode 100644 roles/certbot/tasks/main.yml
 create mode 100644 roles/certbot/templates/letsencrypt/conf.d/wildcard.ini.j2
 create mode 100644 roles/certbot/templates/letsencrypt/rfc2136.ini.j2

diff --git a/roles/bind-authoritative/templates/bind/named.conf.j2 b/roles/bind-authoritative/templates/bind/named.conf.j2
index fdac65db..c6bfaee4 100644
--- a/roles/bind-authoritative/templates/bind/named.conf.j2
+++ b/roles/bind-authoritative/templates/bind/named.conf.j2
@@ -8,9 +8,6 @@
 //
 // If you are just adding zones, please do that in /etc/bind/named.conf.local
-{% if bind.dnssec %}
-include "/etc/bind/bind.keys";
-{% endif %}
 include "/etc/bind/named.conf.options";
 include "/etc/bind/named.conf.local";
 include "/etc/bind/named.conf.default-zones";
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
new file mode 100644
index 00000000..25c1c88b
--- /dev/null
+++ b/roles/certbot/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+- name: Install certbot and RFC2136 plugin
+ apt:
+ update_cache: true
+ name:
+ - certbot
+ - python3-certbot-dns-rfc2136
+ state: present
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+- name: Add DNS credentials
+ template:
+ src: letsencrypt/rfc2136.ini.j2
+ dest: /etc/letsencrypt/rfc2136.ini
+ mode: 0600
+ user: root
+
+- name: Add Certbot configuration
+ template:
+ src: letsencrypt/conf.d/wildcard.ini.j2
+ dest: /etc/letsencrypt/conf.d/wildcard.ini
+ mode: 0644
+
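Review bot: `user: root` in the "Add DNS credentials" task is not a parameter of the `template` module (the ownership option is `owner`), so the task will fail with an unsupported-parameter error before the secret file is ever written. Change it to `owner: root` and add `group: root` so the 0600 credentials file is unambiguously root-only, and give the "Add Certbot configuration" task the same owner/group for consistency. Nothing in the role creates `/etc/letsencrypt` or `/etc/letsencrypt/conf.d`; unless the certbot package provides both on install (I would not rely on `conf.d`), a preceding `file: path=/etc/letsencrypt/conf.d state=directory mode=0755` task is needed or both template tasks fail on a fresh host. Quoting the modes as `'0600'`/`'0644'` also avoids the YAML octal-integer ambiguity Ansible warns about.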
diff --git a/roles/certbot/templates/letsencrypt/conf.d/wildcard.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/wildcard.ini.j2
new file mode 100644
index 00000000..394632f6
--- /dev/null
+++ b/roles/certbot/templates/letsencrypt/conf.d/wildcard.ini.j2
@@ -0,0 +1,26 @@
+{{ ansible_header | comment(decoration='# ') }}
+
+# Pour appliquer cette conf et générer la conf de renewal :
+# certbot --config wildcard.ini certonly
+
+# Use a 4096 bit RSA key instead of 2048
+rsa-key-size = 4096
+
+# Always use the staging/testing server
+# server = https://acme-staging.api.letsencrypt.org/directory
+# server = https://acme-v01.api.letsencrypt.org/directory
+
+# Uncomment and update to register with the specified e-mail address
+email = root@crans.org
+
+# Uncomment to use a text interface instead of ncurses
+text = True
+
+# Use DNS-01 challenge
+authenticator = dns-rfc2136
+dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini
+dns-rfc2136-propagation-seconds = 30
+
+# Wildcard the domain
+cert-name = crans.org
+domains = crans.org, *.crans.org
diff --git a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
new file mode 100644
index 00000000..80d3dde6
--- /dev/null
+++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
@@ -0,0 +1,7 @@
+{{ ansible_header | comment(decoration='# ') }}
+
+dns_rfc2136_server = {{ dns_master }}
+dns_rfc2136_port = 53
+dns_rfc2136_name = certbot_challenge.
+dns_rfc2136_secret = {{ certbot_dns_secret }}
+dns_rfc2136_algorithm = HMAC-SHA512
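Review bot: The commented-out `server` lines point at the ACMEv1 endpoints (`acme-v01`, `acme-staging`), which cannot issue the wildcard requested by `domains = crans.org, *.crans.org` — wildcards are ACMEv2-only and v1 is deprecated and since shut down — so anyone uncommenting them for a staging test gets an unrelated failure. Replace them with `# server = https://acme-staging-v02.api.letsencrypt.org/directory` and `# server = https://acme-v02.api.letsencrypt.org/directory`, and drop the word "Always" from the comment above them since the default (production) server is what is actually in effect. The "Uncomment ..." comments above `email` and `text` are leftovers from the stock example: both options are already active, so reword them to state what they do (e.g. `# Registration e-mail for expiry notices` and `# Text interface, no ncurses`). If the `certonly` run described at the top is ever meant to be unattended, `agree-tos = True` is also needed or the first run stalls on the terms prompt.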
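Review bot: Nothing here limits what the `certbot_challenge.` TSIG key may update, and the BIND side is not in this diff, so it should be confirmed that `{{ dns_master }}` grants the key only `update-policy { grant certbot_challenge. name _acme-challenge.crans.org. TXT; };` rather than a zone-wide `allow-update` — the plugin only needs to add and delete that TXT record, and with zone-wide rights a compromised certbot host or leaked key can rewrite the entire `crans.org` zone. A comment recording that scope in the template, e.g. `# TSIG key scoped on the master to _acme-challenge.crans.org TXT only`, would keep the two sides in step. `{{ certbot_dns_secret }}` is rendered in clear into a 0600 file, which is fine, but the variable should come from Ansible Vault and the task rendering it should set `no_log: true` (or at least `diff: false`) so a `--diff`/`-vvv` run does not print the secret. `HMAC-SHA512` and the trailing dot on the key name are correct for BIND.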