[certbot] Much things

group_vars/certbot.yml

@@ -1,8 +1,23 @@
 ---
 glob_certbot:
-  - dns_rfc2136_server: '172.16.10.147'
-    dns_rfc2136_name: certbot_challenge.
-    dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
-    mail: root@crans.org
+  - mail: root@crans.org
     certname: crans.org
     domains: "*.crans.org"
+
+glob_service_certbot:
+  name: certbot
+  install_dir: /var/local/services/certbot
+  dependencies:
+    - python3-dnspython
+  git:
+    remote: https://gitlab.adm.crans.org/nounous/certbot
+    version: main
+  config:
+    "crans.org":
+      zone: _acme-challenge.crans.org
+      server: 172.16.10.147
+      port: 53
+      key:
+        name: certbot_challenge.
+        secret: "{{ vault.certbot_dns_secret }}"
+        algorithm: HMAC-SHA512

group_vars/radius.yml

@@ -19,9 +19,6 @@ glob_freeradius:
       server: radius-wifi
       
 loc_certbot:
-  - dns_rfc2136_server: '172.16.10.147'
-    dns_rfc2136_name: certbot_challenge.
-    dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
-    mail: root@crans.org
+  - mail: root@crans.org
     certname: crans.org
     domains: "crans.org"

group_vars/reverseproxy.yml

@@ -1,11 +1,35 @@
 loc_certbot:
-  - dns_rfc2136_server: '172.16.10.147'
-    dns_rfc2136_name: certbot_challenge.
-    dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
-    mail: root@crans.org
+  - mail: root@crans.org
     certname: crans.org
     domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
 
+loc_service_certbot:
+  config:
+    "crans.org":
+      zone: _acme-challenge.crans.org
+      server: 172.16.10.147
+      port: 53
+      key:
+        name: certbot_challenge.
+        secret: "{{ vault.certbot_dns_secret }}"
+        algorithm: HMAC-SHA512
+    "crans.eu":
+      zone: _acme-challenge.crans.org
+      server: 172.16.10.147
+      port: 53
+      key:
+        name: certbot_challenge.
+        secret: "{{ vault.certbot_dns_secret }}"
+        algorithm: HMAC-SHA512
+    "crans.fr":
+      zone: _acme-challenge.crans.org
+      server: 172.16.10.147
+      port: 53
+      key:
+        name: certbot_challenge.
+        secret: "{{ vault.certbot_dns_secret }}"
+        algorithm: HMAC-SHA512
+
 loc_nginx:
   servers: []
   ssl:

host_vars/gitzly.adm.crans.org.yml

@@ -4,20 +4,32 @@ interfaces:
   srv: ens19
 
 loc_certbot:
-  - dns_rfc2136_server: '172.16.10.147'
-    dns_rfc2136_name: certbot_challenge.
-    dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
-    mail: root@crans.org
+  - mail: root@crans.org
     certname: crans.org
     domains: "*.crans.org"
-
-  - dns_rfc2136_server: '172.16.10.147'
-    dns_rfc2136_name: certbot_adm_challenge.
-    dns_rfc2136_secret: "{{ vault.certbot_adm_dns_secret }}"
-    mail: root@crans.org
+  - mail: root@crans.org
     certname: adm.crans.org
     domains: "*.adm.crans.org"
 
+loc_service_certbot:
+  config:
+    "crans.org":
+      zone: _acme-challenge.crans.org
+      server: 172.16.10.147
+      port: 53
+      key:
+        name: certbot_challenge.
+        secret: "{{ vault.certbot_dns_secret }}"
+        algorithm: HMAC-SHA512
+    "adm.crans.org":
+      zone: _acme-challenge.adm.crans.org
+      server: 172.16.10.147
+      port: 53
+      key:
+        name: certbot_adm_challenge.
+        secret: "{{ vault.certbot_adm_dns_secret }}"
+        algorithm: HMAC-SHA512
+
 loc_nginx:
   ssl:
     - name: adm.crans.org

host_vars/redisdead.adm.crans.org.yml

@@ -10,3 +10,26 @@ postfix:
   dkim: true
   titanic: false
 
+loc_certbot:
+  - mail: root@crans.org
+    certname: crans.org
+    domains: "*.adm.crans.org, *.crans.org"
+
+loc_service_certbot:
+  config:
+    "crans.org":
+      zone: _acme-challenge.crans.org
+      server: 172.16.10.147
+      port: 53
+      key:
+        name: certbot_challenge.
+        secret: "{{ vault.certbot_dns_secret }}"
+        algorithm: HMAC-SHA512
+    "adm.crans.org":
+      zone: _acme-challenge.adm.crans.org
+      server: 172.16.10.147
+      port: 53
+      key:
+        name: certbot_adm_challenge.
+        secret: "{{ vault.certbot_adm_dns_secret }}"
+        algorithm: HMAC-SHA512

host_vars/rodauh.cachan-adm.crans.org.yml

@@ -4,10 +4,7 @@ interfaces:
   cachan_srv: ens19
 
 loc_certbot:
-  - dns_rfc2136_server: '185.230.79.9'
-    dns_rfc2136_name: certbot_challenge.
-    dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
-    mail: root@crans.org
+  - mail: root@crans.org
     certname: crans.org
     domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
 

host_vars/sputnik.adm.crans.org.yml

@@ -33,19 +33,32 @@ loc_moinmoin:
   main: false
 
 loc_certbot:
-  - dns_rfc2136_server: '172.16.10.147'
-    dns_rfc2136_name: certbot_adm_challenge.
-    dns_rfc2136_secret: "{{ vault.certbot_adm_dns_secret }}"
-    mail: root@crans.org
+  - mail: root@crans.org
     certname: adm.crans.org
     domains: "*.adm.crans.org"
-  - dns_rfc2136_server: '172.16.10.147'
-    dns_rfc2136_name: certbot_challenge.
-    dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
-    mail: root@crans.org
+  - mail: root@crans.org
     certname: crans.org
     domains: "*.crans.org"
 
+loc_service_certbot:
+  config:
+    "crans.org":
+      zone: _acme-challenge.crans.org
+      server: 172.16.10.147
+      port: 53
+      key:
+        name: certbot_challenge.
+        secret: "{{ vault.certbot_dns_secret }}"
+        algorithm: HMAC-SHA512
+    "adm.crans.org":
+      zone: _acme-challenge.adm.crans.org
+      server: 172.16.10.147
+      port: 53
+      key:
+        name: certbot_adm_challenge.
+        secret: "{{ vault.certbot_adm_dns_secret }}"
+        algorithm: HMAC-SHA512
+
 loc_nginx:
   service_name: wiki
   ssl:

hosts

@@ -38,6 +38,7 @@ galene
 gitlab
 jitsi
 mailman
+postfix
 radius  # We use certbot to manage LE certificates
 reverseproxy
 thelounge

plays/certbot.yml

@@ -1,9 +1,9 @@
 #!/usr/bin/env ansible-playbook
 ---
-# Deploy certbot for LE certificates
-- hosts: certbot
+- hosts: certbot !zamok.adm.crans.org
   vars:
+    service: "{{ glob_service_certbot | default({}) | combine(loc_service_certbot | default({})) }}"
     certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
-    mirror: '{{ glob_mirror.name }}'
   roles:
+    - service
     - certbot

roles/certbot/tasks/main.yml

@@ -4,20 +4,11 @@
     update_cache: true
     name:
       - certbot
-      - python3-certbot-dns-rfc2136
     state: present
   register: apt_result
   retries: 3
   until: apt_result is succeeded
 
-- name: Add DNS credentials
-  template:
-    src: letsencrypt/rfc2136.ini.j2
-    dest: "/etc/letsencrypt/rfc2136.{{ item.certname }}.ini"
-    mode: 0600
-    owner: root
-  loop: "{{ certbot }}"
-
 - name: Add dhparam
   template:
     src: "letsencrypt/dhparam.j2"
@@ -41,12 +32,3 @@
   register: certbot_output
   changed_when: not "Certificate not yet due for renewal" in certbot_output.stdout
   loop: "{{ certbot }}"
-
-- name: Clean old files
-  file:
-    path: "{{ item }}"
-    state: absent
-  loop:
-    - "/etc/letsencrypt/options-ssl-nginx.conf"
-    - "/etc/letsencrypt/ssl-dhparams.pem"
-    - "/etc/letsencrypt/rfc2136.ini"

roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2

@@ -19,9 +19,11 @@ text = True
 agree-tos = True
 
 # Use DNS-01 challenge
-authenticator = dns-rfc2136
-dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.{{ item.certname }}.ini
-dns-rfc2136-propagation-seconds = 30
+authenticator = manual
+manual-auth-hook = /var/local/services/certbot/authenticator.py
+manual-cleanup-hook = /var/local/services/certbot/cleanup.py
+preferred-challenges = dns-01,
+manual-public-ip-logging-ok = True
 
 # Wildcard the domain
 cert-name = {{ item.certname }}

roles/certbot/templates/letsencrypt/rfc2136.ini.j2

@@ -1,7 +0,0 @@
-{{ ansible_header | comment(decoration='# ') }}
-
-dns_rfc2136_server = {{ item.dns_rfc2136_server }}
-dns_rfc2136_port = 53
-dns_rfc2136_name = {{ item.dns_rfc2136_name }}
-dns_rfc2136_secret = {{ item.dns_rfc2136_secret }}
-dns_rfc2136_algorithm = HMAC-SHA512