From f9491c6553781675ba32354d7098a413e5a57c46 Mon Sep 17 00:00:00 2001 From: Yohann D'ANELLO Date: Tue, 25 May 2021 08:26:01 +0200 Subject: [PATCH] [certbot] Configure certbot Signed-off-by: Yohann D'ANELLO --- group_vars/certbot.yml | 9 ++++ hosts | 3 ++ plays/certbot.yml | 7 +++ roles/certbot/tasks/main.yml | 52 +++++++++++++++++++ .../letsencrypt/conf.d/certname.ini.j2 | 28 ++++++++++ .../certbot/templates/letsencrypt/dhparam.j2 | 8 +++ .../templates/letsencrypt/rfc2136.ini.j2 | 7 +++ vars_plugins/pass.ini | 2 +- 8 files changed, 115 insertions(+), 1 deletion(-) create mode 100644 group_vars/certbot.yml create mode 100755 plays/certbot.yml create mode 100644 roles/certbot/tasks/main.yml create mode 100644 roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 create mode 100644 roles/certbot/templates/letsencrypt/dhparam.j2 create mode 100644 roles/certbot/templates/letsencrypt/rfc2136.ini.j2
diff --git a/group_vars/certbot.yml b/group_vars/certbot.yml
new file mode 100644
index 0000000..dfd8500
--- /dev/null
+++ b/group_vars/certbot.yml
@@ -0,0 +1,9 @@
+---
+glob_certbot:
+ - dns_rfc2136_server: '172.16.42.103'
+ dns_rfc2136_name: certbot_challenge.
+ dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
+ mail: ynerant@crans.org
+ certname: ynerant.fr
+ # domains: "*.ynerant.fr"
+ domains: "ynerant.fr, *.ynerant.fr, ens.kitchen, *.ens.kitchen, ananas.paris, *.ananas.paris, saperlistpopette.fr, *.saperlistpopette.fr"
diff --git a/hosts b/hosts
index 5816761..5971df5 100644
--- a/hosts
+++ b/hosts
@@ -1,6 +1,9 @@
 [archlinux:children]
 perso
+[certbot]
+proxy.adm.ynerant.fr
+
 [debian:children]
 server
diff --git a/plays/certbot.yml b/plays/certbot.yml
new file mode 100755
index 0000000..e10dffa
--- /dev/null
+++ b/plays/certbot.yml
@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: certbot
+ vars:
+ certbot: "{{ glob_certbot | default(service_certbot | default(loc_certbot | default([]))) }}"
+ roles:
+ - certbot
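Review bot: The `domains` value bundles four unrelated zones (ynerant.fr, ens.kitchen, ananas.paris, saperlistpopette.fr) into one certificate issued with a single TSIG key, so the key handed to proxy.adm.ynerant.fr must be allowed to update all of them; it is worth confirming on the DNS server that `certbot_challenge.` is restricted (for example via BIND's update-policy) to the `_acme-challenge` TXT records of those zones rather than to the whole zones, and recording that scope in a comment next to `dns_rfc2136_name`. One certificate also publishes every SAN together in Certificate Transparency logs, which may not be wanted for unrelated domains — a separate entry per zone in `glob_certbot` would keep them apart at the cost of more renewals. The commented-out `# domains: "*.ynerant.fr"` line is leftover and should be dropped or explained.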
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
new file mode 100644
index 0000000..eb50fc0
--- /dev/null
+++ b/roles/certbot/tasks/main.yml
@@ -0,0 +1,52 @@
+---
+- name: Install certbot and RFC2136 plugin
+ apt:
+ update_cache: true
+ name:
+ - certbot
+ - python3-certbot-dns-rfc2136
+ state: present
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+- name: Add DNS credentials
+ template:
+ src: letsencrypt/rfc2136.ini.j2
+ dest: "/etc/letsencrypt/rfc2136.{{ item.certname }}.ini"
+ mode: 0600
+ owner: root
+ loop: "{{ certbot }}"
+
+- name: Add dhparam
+ template:
+ src: "letsencrypt/dhparam.j2"
+ dest: "/etc/letsencrypt/dhparam"
+ mode: 0600
+
+- name: Create /etc/letsencrypt/conf.d
+ file:
+ path: /etc/letsencrypt/conf.d
+ state: directory
+
+- name: Add Certbot configuration
+ template:
+ src: "letsencrypt/conf.d/certname.ini.j2"
+ dest: "/etc/letsencrypt/conf.d/{{ item.certname }}.ini"
+ mode: 0644
+ loop: "{{ certbot }}"
+
+- name: Run certbot
+ command: certbot --non-interactive --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
+ register: certbot_output
+ changed_when: not "Certificate not yet due for renewal" in certbot_output.stdout
+ loop: "{{ certbot }}"
+
+- name: Clean old files
+ file:
+ path: "{{ item }}"
+ state: absent
+ loop:
+ - "/etc/letsencrypt/options-ssl-nginx.conf"
+ - "/etc/letsencrypt/ssl-dhparams.pem"
+ - "/etc/letsencrypt/rfc2136.ini"
diff --git a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
new file mode 100644
index 0000000..1fc1a19
--- /dev/null
+++ b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
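Review bot: The three tasks that `loop: "{{ certbot }}"` ("Add DNS credentials", "Add Certbot configuration" and "Run certbot") print each `item` in their result output, and that item carries `dns_rfc2136_secret` rendered from the vault, so the TSIG secret ends up in the play log and in any CI or terminal capture of it. Adding `loop_control:` with `label: "{{ item.certname }}"` under each of them limits the printed item to the certificate name; `no_log: true` on the credentials task is the stricter option but also hides its diff and error output. Separately, `changed_when` keys on the literal stdout text "Certificate not yet due for renewal", which depends on the installed certbot's wording — if that changes, every run reports changed — so a one-line comment noting the dependency would help the next maintainer.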
@@ -0,0 +1,28 @@
+{{ ansible_header | comment(decoration='# ') }}
+
+# To generate the certificate, please use the following command
+# certbot --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
+
+# Use a 4096 bit RSA key instead of 2048
+rsa-key-size = 4096
+
+# Always use the staging/testing server
+# server = https://acme-staging.api.letsencrypt.org/directory
+
+# Uncomment and update to register with the specified e-mail address
+email = {{ item.mail }}
+
+# Uncomment to use a text interface instead of ncurses
+text = True
+
+# Yes I want to sell my soul and my guinea pig.
+agree-tos = True
+
+# Use DNS-01 challenge
+authenticator = dns-rfc2136
+dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.{{ item.certname }}.ini
+dns-rfc2136-propagation-seconds = 30
+
+# Wildcard the domain
+cert-name = {{ item.certname }}
+domains = {{ item.domains }}
diff --git a/roles/certbot/templates/letsencrypt/dhparam.j2 b/roles/certbot/templates/letsencrypt/dhparam.j2
new file mode 100644
index 0000000..9b182b7
--- /dev/null
+++ b/roles/certbot/templates/letsencrypt/dhparam.j2
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
diff --git a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
new file mode 100644
index 0000000..0fb2a8d
--- /dev/null
+++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
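Review bot: Several comments are copied from an example file and now contradict the lines under them: `# Uncomment and update to register with the specified e-mail address` sits above an active `email =` line, `# Uncomment to use a text interface instead of ncurses` above an active `text = True`, and `# Always use the staging/testing server` above a commented-out `server =` — each should say what the template actually does, e.g. `# Account e-mail for expiry notices` and `# Staging endpoint; uncomment while testing to stay clear of production rate limits`. The commented-out staging URL is the retired ACMEv1 endpoint, so if it is kept as a hint it should read `# server = https://acme-staging-v02.api.letsencrypt.org/directory`. `rsa-key-size = 4096` only takes effect while the installed certbot defaults to RSA keys; on versions that default to ECDSA it is silently ignored unless `key-type = rsa` is also set, which deserves a comment next to it.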
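Review bot: The parameter blob carries no note on where it comes from, so a reader cannot tell whether it is a locally generated group or a published one; it looks like the RFC 7919 ffdhe2048 group, and confirming that and recording it on a line above `-----BEGIN DH PARAMETERS-----` (OpenSSL's PEM reader skips text before the BEGIN marker) would make the file reviewable without decoding it. A 2048-bit finite-field group is adequate for TLS 1.2 DHE; whether the nginx config that consumes `/etc/letsencrypt/dhparam` actually prefers it over ECDHE is outside this hunk and cannot be checked here.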
@@ -0,0 +1,7 @@
+{{ ansible_header | comment(decoration='# ') }}
+
+dns_rfc2136_server = {{ item.dns_rfc2136_server }}
+dns_rfc2136_port = 53
+dns_rfc2136_name = {{ item.dns_rfc2136_name }}
+dns_rfc2136_secret = {{ item.dns_rfc2136_secret }}
+dns_rfc2136_algorithm = HMAC-SHA512
diff --git a/vars_plugins/pass.ini b/vars_plugins/pass.ini
index 94c6ce9..e99364a 100644
--- a/vars_plugins/pass.ini
+++ b/vars_plugins/pass.ini
@@ -1,6 +1,6 @@
 [pass]
 # password_store_dir=/home/ynerant/.password-store
-# crans_password_store_submodule=crans
+crans_password_store_submodule=.
 [pass_become]
 all=templier
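Review bot: `dns_rfc2136_algorithm = HMAC-SHA512` and `dns_rfc2136_port = 53` are fixed in the template while server, key name and secret come from `item`, so a key generated with another algorithm fails TSIG authentication with nothing in the rendered file hinting why; `dns_rfc2136_algorithm = {{ item.dns_rfc2136_algorithm | default('HMAC-SHA512') }}` keeps today's behaviour and lets a per-entry override through. A one-line comment under the header — `# TSIG credentials for certbot's dns-rfc2136 plugin; installed 0600 by roles/certbot/tasks/main.yml` — would also tell whoever finds this file on the host why it must stay unreadable to other users.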
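Review bot: The new `crans_password_store_submodule=.` gives no hint what `.` means here — presumably the root of the password store rather than a named submodule, in contrast to the previous `crans` value — and the commented-out `password_store_dir` line above it is left unexplained. A comment such as `# '.' = look up secrets at the root of the store instead of a submodule` would make the intent checkable against the vars plugin that reads this file.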