Clone certbot role from Crans

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>

group_vars/certbot.yml

@@ -0,0 +1,8 @@
+---
+glob_certbot:
+  dns_rfc2136_server: '10.128.0.30'
+  dns_rfc2136_name: certbot_challenge.
+  dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+  mail: tech.aurore@lists.crans.org
+  certname: auro.re
+  domains: "auro.re"

roles/certbot/tasks/main.yml

@@ -1,10 +1,10 @@
 ---
-- name: Install certbot and nginx plugin
+- name: Install certbot and RFC2136 plugin
   apt:
     update_cache: true
     name:
       - certbot
-      - python3-certbot-nginx
+      - python3-certbot-dns-rfc2136
   register: pkg_result
   retries: 3
   until: pkg_result is succeeded
@@ -15,6 +15,19 @@
     state: directory
     mode: 0755
 
+- name: Lookup DNS masters IPv4
+  set_fact:
+    dns_masters_ipv4:
+      - "10.128.0.30"
+    cacheable: true
+
+- name: Add DNS credentials
+  template:
+    src: letsencrypt/rfc2136.ini.j2
+    dest: /etc/letsencrypt/rfc2136.ini
+    mode: 0600
+    owner: root
+
 - name: Add Certbot configuration
   template:
     src: "letsencrypt/conf.d/certname.ini.j2"

roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2

@@ -15,8 +15,13 @@ email = {{ certbot.mail }}
 # Uncomment to use a text interface instead of ncurses
 text = True
 
-# Use nginx challenge
-authenticator = nginx
+# Yes I want to sell my soul and my guinea pig.
+agree-tos = True
+
+# Use DNS-01 challenge
+authenticator = dns-rfc2136
+dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini
+dns-rfc2136-propagation-seconds = 30
 
 # Wildcard the domain
 cert-name = {{ certbot.certname }}

roles/certbot/templates/letsencrypt/rfc2136.ini.j2

@@ -0,0 +1,7 @@
+{{ ansible_managed | comment(decoration='# ') }}
+
+dns_rfc2136_server = {{ certbot.dns_rfc2136_server }}
+dns_rfc2136_port = 53
+dns_rfc2136_name = {{ certbot.dns_rfc2136_name }}
+dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }}
+dns_rfc2136_algorithm = HMAC-SHA512