[certbot] Configure certbot

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
2021-05-25 08:26:01 +02:00 · 2021-05-25 08:26:01 +02:00 · f9491c6553
commit f9491c6553
parent c0a466db6a
8 changed files with 115 additions and 1 deletions
--- a/group_vars/certbot.yml
+++ b/group_vars/certbot.yml
@ -0,0 +1,9 @@
 ---
 glob_certbot:
  - dns_rfc2136_server: '172.16.42.103'
    dns_rfc2136_name: certbot_challenge.
    dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
    mail: ynerant@crans.org
    certname: ynerant.fr
    # domains: "*.ynerant.fr"
    domains: "ynerant.fr, *.ynerant.fr, ens.kitchen, *.ens.kitchen, ananas.paris, *.ananas.paris, saperlistpopette.fr, *.saperlistpopette.fr"
--- a/3
+++ b/3
@ -1,6 +1,9 @@
 [archlinux:children]
 perso
 [certbot]
 proxy.adm.ynerant.fr
 [debian:children]
 server
--- a/plays/certbot.yml
+++ b/plays/certbot.yml
@ -0,0 +1,7 @@
 #!/usr/bin/env ansible-playbook
 ---
 - hosts: certbot
  vars:
    certbot: "{{ glob_certbot | default(service_certbot | default(loc_certbot | default([]))) }}"
  roles:
    - certbot
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@ -0,0 +1,52 @@
 ---
 - name: Install certbot and RFC2136 plugin
  apt:
    update_cache: true
    name:
      - certbot
      - python3-certbot-dns-rfc2136
    state: present
  register: apt_result
  retries: 3
  until: apt_result is succeeded
 - name: Add DNS credentials
  template:
    src: letsencrypt/rfc2136.ini.j2
    dest: "/etc/letsencrypt/rfc2136.{{ item.certname }}.ini"
    mode: 0600
    owner: root
  loop: "{{ certbot }}"
 - name: Add dhparam
  template:
    src: "letsencrypt/dhparam.j2"
    dest: "/etc/letsencrypt/dhparam"
    mode: 0600
 - name: Create /etc/letsencrypt/conf.d
  file:
    path: /etc/letsencrypt/conf.d
    state: directory
 - name: Add Certbot configuration
  template:
    src: "letsencrypt/conf.d/certname.ini.j2"
    dest: "/etc/letsencrypt/conf.d/{{ item.certname }}.ini"
    mode: 0644
  loop: "{{ certbot }}"
 - name: Run certbot
  command: certbot --non-interactive --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
  register: certbot_output
  changed_when: not "Certificate not yet due for renewal" in certbot_output.stdout
  loop: "{{ certbot }}"
 - name: Clean old files
  file:
    path: "{{ item }}"
    state: absent
  loop:
    - "/etc/letsencrypt/options-ssl-nginx.conf"
    - "/etc/letsencrypt/ssl-dhparams.pem"
    - "/etc/letsencrypt/rfc2136.ini"
--- a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
+++ b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
@ -0,0 +1,28 @@
 {{ ansible_header | comment(decoration='# ') }}
 # To generate the certificate, please use the following command
 # certbot --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
 # Use a 4096 bit RSA key instead of 2048
 rsa-key-size = 4096
 # Always use the staging/testing server
 # server = https://acme-staging.api.letsencrypt.org/directory
 # Uncomment and update to register with the specified e-mail address
 email = {{ item.mail }}
 # Uncomment to use a text interface instead of ncurses
 text = True
 # Yes I want to sell my soul and my guinea pig.
 agree-tos = True
 # Use DNS-01 challenge
 authenticator = dns-rfc2136
 dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.{{ item.certname }}.ini
 dns-rfc2136-propagation-seconds = 30
 # Wildcard the domain
 cert-name = {{ item.certname }}
 domains = {{ item.domains }}
--- a/roles/certbot/templates/letsencrypt/dhparam.j2
+++ b/roles/certbot/templates/letsencrypt/dhparam.j2
@ -0,0 +1,8 @@
 -----BEGIN DH PARAMETERS-----
 MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
 +8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
 87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
 YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
 7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
 ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
 -----END DH PARAMETERS-----
--- a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
+++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
@ -0,0 +1,7 @@
 {{ ansible_header | comment(decoration='# ') }}
 dns_rfc2136_server = {{ item.dns_rfc2136_server }}
 dns_rfc2136_port = 53
 dns_rfc2136_name = {{ item.dns_rfc2136_name }}
 dns_rfc2136_secret = {{ item.dns_rfc2136_secret }}
 dns_rfc2136_algorithm = HMAC-SHA512
--- a/vars_plugins/pass.ini
+++ b/vars_plugins/pass.ini
@ -1,6 +1,6 @@
 [pass]
 # password_store_dir=/home/ynerant/.password-store
-# crans_password_store_submodule=crans
+crans_password_store_submodule=.
 [pass_become]
 all=templier