Add certbot configuration for proxmox

2022-11-08 14:59:28 +01:00 · 2022-11-08 14:59:28 +01:00 · c83ab55174
parent 93623264d6
commit c83ab55174
11 changed files with 47 additions and 10 deletions
--- a/group_vars/certbot.yml
+++ b/group_vars/certbot.yml
@ -19,5 +19,5 @@ glob_service_certbot:
      port: 53
      key:
        name: certbot_challenge.
-        secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}"
+        secret: "{{ vault.bind.rfc2136_keys['certbot_challenge.'].secret }}"
        algorithm: HMAC-SHA512
--- a/group_vars/reverseproxy.yml
+++ b/group_vars/reverseproxy.yml
@ -12,7 +12,7 @@ loc_service_certbot:
      port: 53
      key:
        name: certbot_challenge.
-        secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}"
+        secret: "{{ vault.bind.rfc2136_keys['certbot_challenge.'].secret }}"
        algorithm: HMAC-SHA512
    "crans.eu":
      zone: _acme-challenge.crans.org
@ -20,7 +20,7 @@ loc_service_certbot:
      port: 53
      key:
        name: certbot_challenge.
-        secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}"
+        secret: "{{ vault.bind.rfc2136_keys['certbot_challenge.'].secret }}"
        algorithm: HMAC-SHA512
    "crans.fr":
      zone: _acme-challenge.crans.org
@ -28,7 +28,7 @@ loc_service_certbot:
      port: 53
      key:
        name: certbot_challenge.
-        secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}"
+        secret: "{{ vault.bind.rfc2136_keys['certbot_challenge.'].secret }}"
        algorithm: HMAC-SHA512

 loc_nginx:
--- a/group_vars/virtu.yml
+++ b/group_vars/virtu.yml
@ -24,3 +24,19 @@ glob_service_proxmox_user:
  dependencies:
    - python3-jinja2
    - python3-ldap
+
+loc_certbot:
+  - mail: root@crans.org
+    certname: adm.crans.org
+    domains: "*.adm.crans.org"
+
+loc_service_certbot:
+  config:
+    "adm.crans.org":
+      zone: _acme-challenge.adm.crans.org
+      server: 172.16.10.147
+      port: 53
+      key:
+        name: certbot_adm_challenge.
+        secret: "{{ vault.bind.rfc2136_keys['certbot_adm_challenge.'].secret }}"
+        algorithm: HMAC-SHA512
--- a/host_vars/gitzly.adm.crans.org.yml
+++ b/host_vars/gitzly.adm.crans.org.yml
@ -19,7 +19,7 @@ loc_service_certbot:
      port: 53
      key:
        name: certbot_challenge.
-        secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}"
+        secret: "{{ vault.bind.rfc2136_keys['certbot_challenge.'].secret }}"
        algorithm: HMAC-SHA512
    "adm.crans.org":
      zone: _acme-challenge.adm.crans.org
@ -27,7 +27,7 @@ loc_service_certbot:
      port: 53
      key:
        name: certbot_adm_challenge.
-        secret: "{{ vault.bind.keys['certbot_adm_challenge.'].secret }}"
+        secret: "{{ vault.bind.rfc2136_keys['certbot_adm_challenge.'].secret }}"
        algorithm: HMAC-SHA512

 loc_nginx:
--- a/host_vars/redisdead.adm.crans.org.yml
+++ b/host_vars/redisdead.adm.crans.org.yml
@ -23,7 +23,7 @@ loc_service_certbot:
      port: 53
      key:
        name: certbot_challenge.
-        secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}"
+        secret: "{{ vault.bind.rfc2136_keys['certbot_challenge.'].secret }}"
        algorithm: HMAC-SHA512
    "adm.crans.org":
      zone: _acme-challenge.adm.crans.org
@ -31,5 +31,5 @@ loc_service_certbot:
      port: 53
      key:
        name: certbot_adm_challenge.
-        secret: "{{ vault.bind.keys['certbot_adm_challenge.'].secret }}"
+        secret: "{{ vault.bind.rfc2136_keys['certbot_adm_challenge.'].secret }}"
        algorithm: HMAC-SHA512
--- a/host_vars/sputnik.adm.crans.org.yml
+++ b/host_vars/sputnik.adm.crans.org.yml
@ -49,7 +49,7 @@ loc_service_certbot:
      port: 53
      key:
        name: certbot_challenge.
-        secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}"
+        secret: "{{ vault.bind.rfc2136_keys['certbot_challenge.'].secret }}"
        algorithm: HMAC-SHA512
    "adm.crans.org":
      zone: _acme-challenge.adm.crans.org
@ -57,7 +57,7 @@ loc_service_certbot:
      port: 53
      key:
        name: certbot_adm_challenge.
-        secret: "{{ vault.bind.keys['certbot_adm_challenge.'].secret }}"
+        secret: "{{ vault.bind.rfc2136_keys['certbot_adm_challenge.'].secret }}"
        algorithm: HMAC-SHA512

 loc_nginx:
--- a/1
+++ b/1
@ -51,6 +51,7 @@ jitsi
 mailman
 postfix
 reverseproxy
+virtu
 vsftpd_mirror

 [constellation:children]
--- a/plays/certbot.yml
+++ b/plays/certbot.yml
@ -7,3 +7,9 @@
  roles:
    - service
    - certbot
+
+- hosts: virtu
+  vars:
+    certbot: "{{ loc_certbot | default(glob_certbot | default([])) }}"
+  roles:
+    - proxmox-certbot
--- a/roles/proxmox-certbot/handlers/main.yml
+++ b/roles/proxmox-certbot/handlers/main.yml
@ -0,0 +1,4 @@
+---
+- name: import certificate to proxmox
+  shell: "/usr/bin/pvenode cert set /etc/letsencrypt/live/{{ item.certname }}/cert.pem /etc/letsencrypt/live/{{ item.certname }}/privkey.pem --force 1 --restart 1"
+  loop: "{{ certbot }}"
--- a/roles/proxmox-certbot/tasks/main.yml
+++ b/roles/proxmox-certbot/tasks/main.yml
@ -0,0 +1,7 @@
+---
+- name: Deploy proxmox renewal-hooks
+  template:
+    src: letsencrypt/renewal-hooks/deploy/proxmox.j2
+    dest: /etc/letsencrypt/renewal-hooks/deploy/proxmox
+    mode: 0755
+  notify: import certificate to proxmox
--- a/roles/proxmox-certbot/templates/letsencrypt/renewal-hooks/deploy/proxmox.j2
+++ b/roles/proxmox-certbot/templates/letsencrypt/renewal-hooks/deploy/proxmox.j2
@ -0,0 +1,3 @@
+#!/bin/bash
+
+pvenode cert set ${RENEWED_LINEAGE}/{cert,privkey}.pem --force 1 --restart 1