Initial certbot conf

2020-04-25 20:57:32 +02:00 · 2020-04-25 20:57:32 +02:00 · 8a7a399b08
parent d1911ff6ad
commit 8a7a399b08
4 changed files with 58 additions and 3 deletions
--- a/roles/bind-authoritative/templates/bind/named.conf.j2
+++ b/roles/bind-authoritative/templates/bind/named.conf.j2
@ -8,9 +8,6 @@
 //
 // If you are just adding zones, please do that in /etc/bind/named.conf.local

-{% if bind.dnssec %}
-include "/etc/bind/bind.keys";
-{% endif %}
 include "/etc/bind/named.conf.options";
 include "/etc/bind/named.conf.local";
 include "/etc/bind/named.conf.default-zones";
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@ -0,0 +1,25 @@
+---
+- name: Install certbot and RFC2136 plugin
+  apt:
+    update_cache: true
+    name:
+      - certbot
+      - python3-certbot-dns-rfc2136
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Add DNS credentials
+  template:
+    src: letsencrypt/rfc2136.ini.j2
+    dest: /etc/letsencrypt/rfc2136.ini
+    mode: 0600
+    user: root
+
+- name: Add Certbot configuration
+  template:
+    src: letsencrypt/conf.d/wildcard.ini.j2
+    dest: /etc/letsencrypt/conf.d/wildcard.ini
+    mode: 0644
+
--- a/roles/certbot/templates/letsencrypt/conf.d/wildcard.ini.j2
+++ b/roles/certbot/templates/letsencrypt/conf.d/wildcard.ini.j2
@ -0,0 +1,26 @@
+{{ ansible_header | comment(decoration='# ') }}
+
+# Pour appliquer cette conf et générer la conf de renewal :
+# certbot --config wildcard.ini certonly
+
+# Use a 4096 bit RSA key instead of 2048
+rsa-key-size = 4096
+
+# Always use the staging/testing server
+# server = https://acme-staging.api.letsencrypt.org/directory
+# server = https://acme-v01.api.letsencrypt.org/directory
+
+# Uncomment and update to register with the specified e-mail address
+email = root@crans.org
+
+# Uncomment to use a text interface instead of ncurses
+text = True
+
+# Use DNS-01 challenge
+authenticator = dns-rfc2136
+dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini
+dns-rfc2136-propagation-seconds = 30
+
+# Wildcard the domain
+cert-name = crans.org
+domains = crans.org, *.crans.org
--- a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
+++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
@ -0,0 +1,7 @@
+{{ ansible_header | comment(decoration='# ') }}
+
+dns_rfc2136_server = {{ dns_master }}
+dns_rfc2136_port = 53
+dns_rfc2136_name = certbot_challenge.
+dns_rfc2136_secret = {{ certbot_dns_secret }}
+dns_rfc2136_algorithm = HMAC-SHA512