Clone certbot role from Crans

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
ynerant 2021-02-01 17:07:10 +01:00 committed by ynerant
parent 154cbedec2
commit 889cb764c1
Signed by untrusted user: ynerant
GPG key ID: 3A75C55819C8CF85
4 changed files with 37 additions and 4 deletions

group_vars/certbot.yml Normal file

@ -0,0 +1,8 @@
---
glob_certbot:
dns_rfc2136_server: '10.128.0.30'
dns_rfc2136_name: certbot_challenge.
dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
mail: tech.aurore@lists.crans.org
certname: auro.re
domains: "auro.re"
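Review bot: The group var `dns_rfc2136_name: certbot_challenge.` carries a significant trailing dot with nothing saying why, and the same mapping mixes three quoting styles (`'10.128.0.30'`, bare `auro.re`, `"auro.re"`). If this is the TSIG key name the rfc2136 plugin presents to the DNS server, a comment above it such as `# TSIG key name exactly as configured on the DNS master (trailing dot is part of the name)` would stop the next editor from "fixing" it. Pick one quoting style for the plain strings here; the vault reference `"{{ vault_certbot_dns_secret }}"` must stay quoted. Where `glob_certbot` is mapped onto the `certbot` namespace the templates read is not visible in this commit, so that link is assumed.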


@ -1,10 +1,10 @@
---
- name: Install certbot and nginx plugin
- name: Install certbot and RFC2136 plugin
apt:
update_cache: true
name:
- certbot
- python3-certbot-nginx
- python3-certbot-dns-rfc2136
register: pkg_result
retries: 3
until: pkg_result is succeeded
@ -15,6 +15,19 @@
state: directory
mode: 0755
- name: Lookup DNS masters IPv4
set_fact:
dns_masters_ipv4:
- "10.128.0.30"
cacheable: true
- name: Add DNS credentials
template:
src: letsencrypt/rfc2136.ini.j2
dest: /etc/letsencrypt/rfc2136.ini
mode: 0600
owner: root
- name: Add Certbot configuration
template:
src: "letsencrypt/conf.d/certname.ini.j2"
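Review bot: The new `Add DNS credentials` task renders the TSIG secret into `/etc/letsencrypt/rfc2136.ini` but sets no `no_log`, so a run with `--diff` or a template failure prints the secret in the play output and logs; add `no_log: true` to that task. The mode is written as the bare octal `mode: 0600`, which YAML 1.1 parsers read as the integer 384 — Ansible copes, but `mode: "0600"` is the documented form and what ansible-lint expects, and `owner: root` reads clearer with a matching `group: root`. The `Lookup DNS masters IPv4` fact hardcodes `"10.128.0.30"`, presumably the same server as `glob_certbot.dns_rfc2136_server` in group_vars; deriving one from the other keeps the two from drifting apart. Whether `dns_masters_ipv4` is consumed anywhere is not visible in this hunk, and the task list continues past it.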


@ -15,8 +15,13 @@ email = {{ certbot.mail }}
# Uncomment to use a text interface instead of ncurses
text = True
# Use nginx challenge
authenticator = nginx
# Yes I want to sell my soul and my guinea pig.
agree-tos = True
# Use DNS-01 challenge
authenticator = dns-rfc2136
dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini
dns-rfc2136-propagation-seconds = 30
# Wildcard the domain
cert-name = {{ certbot.certname }}
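Review bot: The comment `# Wildcard the domain` above `cert-name = {{ certbot.certname }}` is misleading: `cert-name` only fixes the lineage name under `/etc/letsencrypt/live` so renewals reuse it, and a wildcard is requested through the domain list, not this key. Replace it with something like `# Lineage name for this certificate (path under /etc/letsencrypt/live, reused on renew)`. `dns-rfc2136-propagation-seconds = 30` is a fixed value; if some zones need longer, templating it as `{{ certbot.dns_rfc2136_propagation_seconds | default(30) }}` keeps the default without a second template. The rest of this ini file is outside the hunk.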


@ -0,0 +1,7 @@
{{ ansible_managed | comment(decoration='# ') }}
dns_rfc2136_server = {{ certbot.dns_rfc2136_server }}
dns_rfc2136_port = 53
dns_rfc2136_name = {{ certbot.dns_rfc2136_name }}
dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }}
dns_rfc2136_algorithm = HMAC-SHA512