From c83ab551747352bd869f9fd373597b05c38d474f Mon Sep 17 00:00:00 2001
From: shirenn
Date: Tue, 8 Nov 2022 14:59:28 +0100
Subject: [PATCH] Add certbot configuration for proxmox
---
 group_vars/certbot.yml | 2 +-
 group_vars/reverseproxy.yml | 6 +++---
 group_vars/virtu.yml | 16 ++++++++++++++++
 host_vars/gitzly.adm.crans.org.yml | 4 ++--
 host_vars/redisdead.adm.crans.org.yml | 4 ++--
 host_vars/sputnik.adm.crans.org.yml | 4 ++--
 hosts | 1 +
 plays/certbot.yml | 6 ++++++
 roles/proxmox-certbot/handlers/main.yml | 4 ++++
 roles/proxmox-certbot/tasks/main.yml | 7 +++++++
 .../letsencrypt/renewal-hooks/deploy/proxmox.j2 | 3 +++
 11 files changed, 47 insertions(+), 10 deletions(-)
 create mode 100644 roles/proxmox-certbot/handlers/main.yml
 create mode 100644 roles/proxmox-certbot/tasks/main.yml
 create mode 100644 roles/proxmox-certbot/templates/letsencrypt/renewal-hooks/deploy/proxmox.j2
diff --git a/group_vars/certbot.yml b/group_vars/certbot.yml
index 5c414fbe..15bca89b 100644
--- a/group_vars/certbot.yml
+++ b/group_vars/certbot.yml
@@ -19,5 +19,5 @@ glob_service_certbot:
 port: 53
 key:
 name: certbot_challenge.
- secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}"
+ secret: "{{ vault.bind.rfc2136_keys['certbot_challenge.'].secret }}"
 algorithm: HMAC-SHA512
diff --git a/group_vars/reverseproxy.yml b/group_vars/reverseproxy.yml
index fc4dc511..a25aba30 100644
--- a/group_vars/reverseproxy.yml
+++ b/group_vars/reverseproxy.yml
@@ -12,7 +12,7 @@ loc_service_certbot:
 port: 53
 key:
 name: certbot_challenge.
- secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}"
+ secret: "{{ vault.bind.rfc2136_keys['certbot_challenge.'].secret }}"
 algorithm: HMAC-SHA512
 "crans.eu":
 zone: _acme-challenge.crans.org
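Review bot: The rename from `vault.bind.keys[...]` to `vault.bind.rfc2136_keys[...]` in `group_vars/certbot.yml` — and the identical hunks in `group_vars/reverseproxy.yml`, `host_vars/gitzly.adm.crans.org.yml`, `host_vars/redisdead.adm.crans.org.yml` and `host_vars/sputnik.adm.crans.org.yml` — leaves no trace of why the key had to change; presumably `keys` collided with the dict method in Jinja2 attribute lookup, so `vault.bind.keys['…']` resolved to the bound method rather than the mapping. A short comment above the first `secret:` line, e.g. `# vault.bind.keys would shadow dict.keys() in Jinja2; the vault mapping is named rfc2136_keys`, would stop a later cleanup from reverting it. The vault file that must now provide `rfc2136_keys` is not part of this patch, so the change only works once the vault is updated in step with it.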
@@ -20,7 +20,7 @@ loc_service_certbot: port: 53 key: name: certbot_challenge. - secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}" + secret: "{{ vault.bind.rfc2136_keys['certbot_challenge.'].secret }}" algorithm: HMAC-SHA512 "crans.fr": zone: _acme-challenge.crans.org @@ -28,7 +28,7 @@ loc_service_certbot: port: 53 key: name: certbot_challenge. - secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}" + secret: "{{ vault.bind.rfc2136_keys['certbot_challenge.'].secret }}" algorithm: HMAC-SHA512 loc_nginx: diff --git a/group_vars/virtu.yml b/group_vars/virtu.yml index 897d6520..bc9b8b6a 100644 --- a/group_vars/virtu.yml +++ b/group_vars/virtu.yml @@ -24,3 +24,19 @@ glob_service_proxmox_user: dependencies: - python3-jinja2 - python3-ldap + +loc_certbot: + - mail: root@crans.org + certname: adm.crans.org + domains: "*.adm.crans.org" + +loc_service_certbot: + config: + "adm.crans.org": + zone: _acme-challenge.adm.crans.org + server: 172.16.10.147 + port: 53 + key: + name: certbot_adm_challenge. + secret: "{{ vault.bind.rfc2136_keys['certbot_adm_challenge.'].secret }}" + algorithm: HMAC-SHA512 diff --git a/host_vars/gitzly.adm.crans.org.yml b/host_vars/gitzly.adm.crans.org.yml index 13b0558d..6f944d3d 100644 --- a/host_vars/gitzly.adm.crans.org.yml +++ b/host_vars/gitzly.adm.crans.org.yml @@ -19,7 +19,7 @@ loc_service_certbot: port: 53 key: name: certbot_challenge. - secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}" + secret: "{{ vault.bind.rfc2136_keys['certbot_challenge.'].secret }}" algorithm: HMAC-SHA512 "adm.crans.org": zone: _acme-challenge.adm.crans.org @@ -27,7 +27,7 @@ loc_service_certbot: port: 53 key: name: certbot_adm_challenge. - secret: "{{ vault.bind.keys['certbot_adm_challenge.'].secret }}" + secret: "{{ vault.bind.rfc2136_keys['certbot_adm_challenge.'].secret }}" algorithm: HMAC-SHA512 loc_nginx: diff --git a/host_vars/redisdead.adm.crans.org.yml b/host_vars/redisdead.adm.crans.org.yml index 9bd797c4..61536825 100644 
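Review bot: The group-wide `loc_certbot` entry in `group_vars/virtu.yml` gives every host of `virtu` its own `*.adm.crans.org` wildcard lineage, and nothing in the hunk records why a wildcard rather than the node's own name was chosen; a comment such as `# wildcard: one certname shared by every Proxmox node, installed by roles/proxmox-certbot` would make that deliberate. It is also worth stating that each node's private key is then valid for every name under adm.crans.org, so a compromised node exposes the whole sub-zone rather than a single host. The TSIG key `certbot_adm_challenge.` configured here is, from the other hunks of this patch, the same one used by gitzly, redisdead and sputnik; if the `rfc2136_keys` entry is ever rotated, all four have to move together.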
--- a/host_vars/redisdead.adm.crans.org.yml +++ b/host_vars/redisdead.adm.crans.org.yml @@ -23,7 +23,7 @@ loc_service_certbot: port: 53 key: name: certbot_challenge. - secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}" + secret: "{{ vault.bind.rfc2136_keys['certbot_challenge.'].secret }}" algorithm: HMAC-SHA512 "adm.crans.org": zone: _acme-challenge.adm.crans.org @@ -31,5 +31,5 @@ loc_service_certbot: port: 53 key: name: certbot_adm_challenge. - secret: "{{ vault.bind.keys['certbot_adm_challenge.'].secret }}" + secret: "{{ vault.bind.rfc2136_keys['certbot_adm_challenge.'].secret }}" algorithm: HMAC-SHA512 diff --git a/host_vars/sputnik.adm.crans.org.yml b/host_vars/sputnik.adm.crans.org.yml index 92678fef..3fd06ed4 100644 --- a/host_vars/sputnik.adm.crans.org.yml +++ b/host_vars/sputnik.adm.crans.org.yml @@ -49,7 +49,7 @@ loc_service_certbot: port: 53 key: name: certbot_challenge. - secret: "{{ vault.bind.keys['certbot_challenge.'].secret }}" + secret: "{{ vault.bind.rfc2136_keys['certbot_challenge.'].secret }}" algorithm: HMAC-SHA512 "adm.crans.org": zone: _acme-challenge.adm.crans.org @@ -57,7 +57,7 @@ loc_service_certbot: port: 53 key: name: certbot_adm_challenge. - secret: "{{ vault.bind.keys['certbot_adm_challenge.'].secret }}" + secret: "{{ vault.bind.rfc2136_keys['certbot_adm_challenge.'].secret }}" algorithm: HMAC-SHA512 loc_nginx: diff --git a/hosts b/hosts index 7d4c4e76..01e9610e 100644 --- a/hosts +++ b/hosts @@ -51,6 +51,7 @@ jitsi mailman postfix reverseproxy +virtu vsftpd_mirror [constellation:children] diff --git a/plays/certbot.yml b/plays/certbot.yml index d3817ce0..57151f91 100755 --- a/plays/certbot.yml +++ b/plays/certbot.yml @@ -7,3 +7,9 @@ roles: - service - certbot + +- hosts: virtu + vars: + certbot: "{{ loc_certbot | default(glob_certbot | default([])) }}" + roles: + - proxmox-certbot diff --git a/roles/proxmox-certbot/handlers/main.yml b/roles/proxmox-certbot/handlers/main.yml new file mode 100644 index 00000000..9fdce5ff 
--- /dev/null
+++ b/roles/proxmox-certbot/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: import certificate to proxmox
+ shell: "/usr/bin/pvenode cert set /etc/letsencrypt/live/{{ item.certname }}/cert.pem /etc/letsencrypt/live/{{ item.certname }}/privkey.pem --force 1 --restart 1"
+ loop: "{{ certbot }}"
diff --git a/roles/proxmox-certbot/tasks/main.yml b/roles/proxmox-certbot/tasks/main.yml
new file mode 100644
index 00000000..82d31bd3
--- /dev/null
+++ b/roles/proxmox-certbot/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Deploy proxmox renewal-hooks
+ template:
+ src: letsencrypt/renewal-hooks/deploy/proxmox.j2
+ dest: /etc/letsencrypt/renewal-hooks/deploy/proxmox
+ mode: 0755
+ notify: import certificate to proxmox
diff --git a/roles/proxmox-certbot/templates/letsencrypt/renewal-hooks/deploy/proxmox.j2 b/roles/proxmox-certbot/templates/letsencrypt/renewal-hooks/deploy/proxmox.j2
new file mode 100644
index 00000000..a7a89bf3
--- /dev/null
+++ b/roles/proxmox-certbot/templates/letsencrypt/renewal-hooks/deploy/proxmox.j2
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+pvenode cert set ${RENEWED_LINEAGE}/{cert,privkey}.pem --force 1 --restart 1
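Review bot: `pvenode cert set` in the `import certificate to proxmox` handler is given `cert.pem`, which is the leaf certificate only; `pvenode cert set` takes a PEM chain, so passing `/etc/letsencrypt/live/{{ item.certname }}/fullchain.pem` ships the intermediate as well and avoids chain-validation failures for API clients that do not fetch it themselves (the same applies to the hook in `proxmox.j2` further down). The command uses no shell features, so `command:` rather than `shell:` keeps the templated `{{ item.certname }}` a single argv element instead of shell-parsed text: `command: "/usr/bin/pvenode cert set /etc/letsencrypt/live/{{ item.certname }}/fullchain.pem /etc/letsencrypt/live/{{ item.certname }}/privkey.pem --force 1 --restart 1"`. The handler also assumes the lineage already exists on the node — presumably issued by the preceding play of `plays/certbot.yml` — so a `stat`-based check in the role's tasks would turn a missing certificate into a clear failure rather than a pvenode error at handler time.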
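Review bot: `mode: 0755` in `Deploy proxmox renewal-hooks` is an unquoted octal literal; it parses correctly here, but it is the form Ansible's documentation warns about because a dropped leading zero silently becomes a decimal mode, so `mode: "0755"` is the safer spelling. The task also assumes `/etc/letsencrypt/renewal-hooks/deploy/` already exists (normally created by the certbot package), which holds only if certbot has already been installed on the same host; a preceding `file:` task with `state: directory` would make the role standalone.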
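Review bot: The hook in `proxmox.j2` runs for every lineage certbot renews on the node, not only `adm.crans.org` — certbot executes each script in `renewal-hooks/deploy/` once per renewed certificate with `RENEWED_LINEAGE` set — so any other certificate ever issued on a `virtu` host would be installed into pveproxy and restart it. Restricting the hook to the lineages this role manages closes that (the `certbot` list set in `plays/certbot.yml` is available to the template), and while there `fullchain.pem` instead of `cert.pem` (see the handlers hunk), quoted expansions and `set -euo pipefail` make the script fail loudly rather than hand pvenode a partial path.

```shell
#!/bin/bash
set -euo pipefail

# Only the lineage(s) managed by roles/proxmox-certbot are installed into pveproxy;
# certbot invokes every deploy hook for every renewed certificate.
case "${RENEWED_LINEAGE}" in
{% for cert in certbot %}
  /etc/letsencrypt/live/{{ cert.certname }}) ;;
{% endfor %}
  *) exit 0 ;;
esac

pvenode cert set "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" --force 1 --restart 1
```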