[certbot] Much things

certbot_on_virtu
_shirenn 2021-11-16 23:24:23 +01:00
parent 724afbd58c
commit d25eb9382f
12 changed files with 123 additions and 64 deletions


@ -1,8 +1,23 @@
--- ---
glob_certbot: glob_certbot:
- dns_rfc2136_server: '172.16.10.147' - mail: root@crans.org
dns_rfc2136_name: certbot_challenge.
dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
mail: root@crans.org
certname: crans.org certname: crans.org
domains: "*.crans.org" domains: "*.crans.org"
glob_service_certbot:
name: certbot
install_dir: /var/local/services/certbot
dependencies:
- python3-dnspython
git:
remote: https://gitlab.adm.crans.org/nounous/certbot
version: main
config:
"crans.org":
zone: _acme-challenge.crans.org
server: 172.16.10.147
port: 53
key:
name: certbot_challenge.
secret: "{{ vault.certbot_dns_secret }}"
algorithm: HMAC-SHA512
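Review bot: `version: main` under `git:` tracks a moving branch, and the scripts checked out from that repository are what certbot executes as root on every renewal (the `manual-auth-hook`/`manual-cleanup-hook` lines elsewhere in this commit point into `install_dir`), so any push to that branch becomes root code on every certbot host. Pin it to an immutable reference and bump deliberately, e.g. `version: "<tag or commit sha>"`, with a comment such as `# pinned: these hooks run as root at renewal time`. Keeping `secret` behind `vault.certbot_dns_secret` and using HMAC-SHA512 is fine; `zone`/`server`/`port` are plain scalars of the expected type.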


@ -19,9 +19,6 @@ glob_freeradius:
server: radius-wifi server: radius-wifi
loc_certbot: loc_certbot:
- dns_rfc2136_server: '172.16.10.147' - mail: root@crans.org
dns_rfc2136_name: certbot_challenge.
dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
mail: root@crans.org
certname: crans.org certname: crans.org
domains: "crans.org" domains: "crans.org"


@ -1,11 +1,35 @@
loc_certbot: loc_certbot:
- dns_rfc2136_server: '172.16.10.147' - mail: root@crans.org
dns_rfc2136_name: certbot_challenge.
dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
mail: root@crans.org
certname: crans.org certname: crans.org
domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu" domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
loc_service_certbot:
config:
"crans.org":
zone: _acme-challenge.crans.org
server: 172.16.10.147
port: 53
key:
name: certbot_challenge.
secret: "{{ vault.certbot_dns_secret }}"
algorithm: HMAC-SHA512
"crans.eu":
zone: _acme-challenge.crans.org
server: 172.16.10.147
port: 53
key:
name: certbot_challenge.
secret: "{{ vault.certbot_dns_secret }}"
algorithm: HMAC-SHA512
"crans.fr":
zone: _acme-challenge.crans.org
server: 172.16.10.147
port: 53
key:
name: certbot_challenge.
secret: "{{ vault.certbot_dns_secret }}"
algorithm: HMAC-SHA512
loc_nginx: loc_nginx:
servers: [] servers: []
ssl: ssl:
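Review bot: The `"crans.eu"` and `"crans.fr"` entries in `loc_service_certbot.config` both set `zone: _acme-challenge.crans.org`, which looks like a copy-paste from the `"crans.org"` block just above. That is only correct if `_acme-challenge.crans.eu` and `_acme-challenge.crans.fr` are CNAMEs to `_acme-challenge.crans.org` in DNS (not visible here); if they are, say so with `# _acme-challenge.crans.eu is a CNAME to _acme-challenge.crans.org` above each entry, otherwise use `zone: _acme-challenge.crans.eu` and `zone: _acme-challenge.crans.fr` respectively. With the wrong zone the hook would write the TXT record to the wrong name and the dns-01 validation for those TLDs would fail at the first renewal rather than at deploy time.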


@ -4,20 +4,32 @@ interfaces:
srv: ens19 srv: ens19
loc_certbot: loc_certbot:
- dns_rfc2136_server: '172.16.10.147' - mail: root@crans.org
dns_rfc2136_name: certbot_challenge.
dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
mail: root@crans.org
certname: crans.org certname: crans.org
domains: "*.crans.org" domains: "*.crans.org"
- mail: root@crans.org
- dns_rfc2136_server: '172.16.10.147'
dns_rfc2136_name: certbot_adm_challenge.
dns_rfc2136_secret: "{{ vault.certbot_adm_dns_secret }}"
mail: root@crans.org
certname: adm.crans.org certname: adm.crans.org
domains: "*.adm.crans.org" domains: "*.adm.crans.org"
loc_service_certbot:
config:
"crans.org":
zone: _acme-challenge.crans.org
server: 172.16.10.147
port: 53
key:
name: certbot_challenge.
secret: "{{ vault.certbot_dns_secret }}"
algorithm: HMAC-SHA512
"adm.crans.org":
zone: _acme-challenge.adm.crans.org
server: 172.16.10.147
port: 53
key:
name: certbot_adm_challenge.
secret: "{{ vault.certbot_adm_dns_secret }}"
algorithm: HMAC-SHA512
loc_nginx: loc_nginx:
ssl: ssl:
- name: adm.crans.org - name: adm.crans.org


@ -10,3 +10,26 @@ postfix:
dkim: true dkim: true
titanic: false titanic: false
loc_certbot:
- mail: root@crans.org
certname: crans.org
domains: "*.adm.crans.org, *.crans.org"
loc_service_certbot:
config:
"crans.org":
zone: _acme-challenge.crans.org
server: 172.16.10.147
port: 53
key:
name: certbot_challenge.
secret: "{{ vault.certbot_dns_secret }}"
algorithm: HMAC-SHA512
"adm.crans.org":
zone: _acme-challenge.adm.crans.org
server: 172.16.10.147
port: 53
key:
name: certbot_adm_challenge.
secret: "{{ vault.certbot_adm_dns_secret }}"
algorithm: HMAC-SHA512
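Review bot: This new host now receives both `vault.certbot_dns_secret` and `vault.certbot_adm_dns_secret`, i.e. a mail-facing machine gets DNS update credentials for the public and the admin challenge zones. Please confirm on the DNS server side (not part of this change) that each TSIG key is restricted by an update-policy to TXT records under its `_acme-challenge.*` name, so that a compromise of this host cannot rewrite other records; a short comment such as `# keys are limited to TXT under _acme-challenge.* on the DNS side` would make that assumption explicit for the next reader. Note also that `certname: crans.org` here covers `*.adm.crans.org`, whereas other hosts keep a separate `adm.crans.org` certname; this relies on the hook selecting the config entry from the challenged domain, which is plausible but worth a comment since the two files are otherwise identical copies.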


@ -4,10 +4,7 @@ interfaces:
cachan_srv: ens19 cachan_srv: ens19
loc_certbot: loc_certbot:
- dns_rfc2136_server: '185.230.79.9' - mail: root@crans.org
dns_rfc2136_name: certbot_challenge.
dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
mail: root@crans.org
certname: crans.org certname: crans.org
domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu" domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
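Review bot: This host previously used `dns_rfc2136_server: '185.230.79.9'` while every other host used `172.16.10.147`, and the hunk removes that override without adding a `loc_service_certbot`, so it now falls back to `glob_service_certbot`, which points at 172.16.10.147 — presumably unreachable from a host whose interface is `cachan_srv`, which is why it had a different server in the first place. In addition, `domains` still lists `crans.fr`/`crans.eu`, but the global config only has a `"crans.org"` entry, so the hook has no zone or key for those names. Add a `loc_service_certbot` here mirroring the other multi-TLD host, with `server: 185.230.79.9` if that address is still the right one, and a comment explaining why this host differs.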


@ -33,19 +33,32 @@ loc_moinmoin:
main: false main: false
loc_certbot: loc_certbot:
- dns_rfc2136_server: '172.16.10.147' - mail: root@crans.org
dns_rfc2136_name: certbot_adm_challenge.
dns_rfc2136_secret: "{{ vault.certbot_adm_dns_secret }}"
mail: root@crans.org
certname: adm.crans.org certname: adm.crans.org
domains: "*.adm.crans.org" domains: "*.adm.crans.org"
- dns_rfc2136_server: '172.16.10.147' - mail: root@crans.org
dns_rfc2136_name: certbot_challenge.
dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
mail: root@crans.org
certname: crans.org certname: crans.org
domains: "*.crans.org" domains: "*.crans.org"
loc_service_certbot:
config:
"crans.org":
zone: _acme-challenge.crans.org
server: 172.16.10.147
port: 53
key:
name: certbot_challenge.
secret: "{{ vault.certbot_dns_secret }}"
algorithm: HMAC-SHA512
"adm.crans.org":
zone: _acme-challenge.adm.crans.org
server: 172.16.10.147
port: 53
key:
name: certbot_adm_challenge.
secret: "{{ vault.certbot_adm_dns_secret }}"
algorithm: HMAC-SHA512
loc_nginx: loc_nginx:
service_name: wiki service_name: wiki
ssl: ssl:

hosts

@ -38,6 +38,7 @@ galene
gitlab gitlab
jitsi jitsi
mailman mailman
postfix
radius # We use certbot to manage LE certificates radius # We use certbot to manage LE certificates
reverseproxy reverseproxy
thelounge thelounge


@ -1,9 +1,9 @@
#!/usr/bin/env ansible-playbook #!/usr/bin/env ansible-playbook
--- ---
# Deploy certbot for LE certificates - hosts: certbot !zamok.adm.crans.org
- hosts: certbot
vars: vars:
service: "{{ glob_service_certbot | default({}) | combine(loc_service_certbot | default({})) }}"
certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}' certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
mirror: '{{ glob_mirror.name }}'
roles: roles:
- service
- certbot - certbot
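Review bot: The new `hosts: certbot !zamok.adm.crans.org` exclusion is unexplained, and the header comment `# Deploy certbot for LE certificates` was dropped at the same time, so a reader has no way to tell whether zamok is excluded temporarily (migration in progress) or permanently. Restore the comment and state the reason, e.g. `# Deploy certbot for LE certificates; zamok is excluded because <reason>`, or move the exclusion into the inventory so it is not hidden in the playbook. Also note that `combine` is shallow by default, so a host's `loc_service_certbot.config` replaces the global `config` wholesale rather than merging with it — that is what the host_vars in this commit rely on, but a comment saying so (`# shallow combine: loc config replaces glob config`) would prevent a later partial override from silently dropping the crans.org entry.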


@ -4,20 +4,11 @@
update_cache: true update_cache: true
name: name:
- certbot - certbot
- python3-certbot-dns-rfc2136
state: present state: present
register: apt_result register: apt_result
retries: 3 retries: 3
until: apt_result is succeeded until: apt_result is succeeded
- name: Add DNS credentials
template:
src: letsencrypt/rfc2136.ini.j2
dest: "/etc/letsencrypt/rfc2136.{{ item.certname }}.ini"
mode: 0600
owner: root
loop: "{{ certbot }}"
- name: Add dhparam - name: Add dhparam
template: template:
src: "letsencrypt/dhparam.j2" src: "letsencrypt/dhparam.j2"
@ -41,12 +32,3 @@
register: certbot_output register: certbot_output
changed_when: not "Certificate not yet due for renewal" in certbot_output.stdout changed_when: not "Certificate not yet due for renewal" in certbot_output.stdout
loop: "{{ certbot }}" loop: "{{ certbot }}"
- name: Clean old files
file:
path: "{{ item }}"
state: absent
loop:
- "/etc/letsencrypt/options-ssl-nginx.conf"
- "/etc/letsencrypt/ssl-dhparams.pem"
- "/etc/letsencrypt/rfc2136.ini"
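Review bot: Removing the "Add DNS credentials" task leaves the previously templated `/etc/letsencrypt/rfc2136.<certname>.ini` files, which contain the TSIG secrets, in place on every already-deployed host, and the "Clean old files" task that used to remove the older `/etc/letsencrypt/rfc2136.ini` is deleted as well, so nothing ever retires those credential files. Since the secrets now live in the service config, add a cleanup task so the stale copies are removed on the next run; `/etc/letsencrypt/rfc2136.ini` can be kept in the same or a sibling task until all hosts have been converged.

```yaml
# … unchanged: apt install, dhparam, certbot run …
- name: Remove stale rfc2136 credential files
  file:
    path: "/etc/letsencrypt/rfc2136.{{ item.certname }}.ini"
    state: absent
  loop: "{{ certbot }}"
```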


@ -19,9 +19,11 @@ text = True
agree-tos = True agree-tos = True
# Use DNS-01 challenge # Use DNS-01 challenge
authenticator = dns-rfc2136 authenticator = manual
dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.{{ item.certname }}.ini manual-auth-hook = /var/local/services/certbot/authenticator.py
dns-rfc2136-propagation-seconds = 30 manual-cleanup-hook = /var/local/services/certbot/cleanup.py
preferred-challenges = dns-01,
manual-public-ip-logging-ok = True
# Wildcard the domain # Wildcard the domain
cert-name = {{ item.certname }} cert-name = {{ item.certname }}
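Review bot: `manual-auth-hook` and `manual-cleanup-hook` name scripts that certbot will run as root at every renewal, so `/var/local/services/certbot` must be root-owned and not writable by any unprivileged or service account, otherwise it becomes a root code-execution path and a way to read the TSIG secrets; that is decided by the service role, which is not in this hunk — please confirm and add `# hooks run as root: install_dir must be root-owned and not writable by others` above these lines. The trailing comma in `preferred-challenges = dns-01,` looks accidental; certbot's documented form is `preferred-challenges = dns-01`, so verify that the empty trailing element is accepted rather than rejected as an unrecognized challenge. Dropping `dns-rfc2136-propagation-seconds = 30` also means the authenticator hook itself must wait until the TXT record is visible before returning.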


@ -1,7 +0,0 @@
{{ ansible_header | comment(decoration='# ') }}
dns_rfc2136_server = {{ item.dns_rfc2136_server }}
dns_rfc2136_port = 53
dns_rfc2136_name = {{ item.dns_rfc2136_name }}
dns_rfc2136_secret = {{ item.dns_rfc2136_secret }}
dns_rfc2136_algorithm = HMAC-SHA512