Certbot wildcard role

4 years ago · 9c226c680c
parent 544498c81a
commit 9c226c680c
4 changed files with 106 additions and 46 deletions
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@ -0,0 +1,34 @@
+---
+- name: Install certbot and RFC2136 plugin
+  apt:
+    update_cache: true
+    name:
+      - certbot
+      - python3-certbot-dns-rfc2136
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Lookup DNS masters IPv4
+  set_fact:
+    dns_masters_ipv4: "{{ certbot.dns_masters_ipv4 }}"
+    cacheable: true
+
+- name: Add DNS credentials
+  template:
+    src: letsencrypt/rfc2136.ini.j2
+    dest: /etc/letsencrypt/rfc2136.ini
+    mode: 0600
+    owner: root
+
+- name: Create /etc/letsencrypt/conf.d
+  file:
+    path: /etc/letsencrypt/conf.d
+    state: directory
+
+- name: Add Certbot configuration
+  template:
+    src: "letsencrypt/conf.d/certname.ini.j2"
+    dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
+    mode: 0644
--- a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
+++ b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
@ -0,0 +1,25 @@
+{{ ansible_header | comment(decoration='# ') }}
+
+# Pour appliquer cette conf et générer la conf de renewal :
+# certbot --config wildcard.ini certonly
+
+# Use a 4096 bit RSA key instead of 2048
+rsa-key-size = 4096
+
+# Always use the staging/testing server
+# server = https://acme-staging.api.letsencrypt.org/directory
+
+# Uncomment and update to register with the specified e-mail address
+email = {{ certbot.mail }}
+
+# Uncomment to use a text interface instead of ncurses
+text = True
+
+# Use DNS-01 challenge
+authenticator = dns-rfc2136
+dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini
+dns-rfc2136-propagation-seconds = 30
+
+# Wildcard the domain
+cert-name = {{ certbot.certname }}
+domains = {{ certbot.domains }}
--- a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
+++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
@ -0,0 +1,7 @@
+{{ ansible_header | comment(decoration='# ') }}
+
+dns_rfc2136_server = {{ dns_masters_ipv4 | first }}
+dns_rfc2136_port = 53
+dns_rfc2136_name = {{ certbot.dns_rfc2136_name }}
+dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }}
+dns_rfc2136_algorithm = HMAC-SHA512
--- a/services_web.yml
+++ b/services_web.yml
@ -10,51 +10,45 @@
  roles:
    - passbolt

-# Install DokuWiki on the wiki TEST container
-# When it will be operational, horus-wikitest will replace horus-wiki
- hosts: horus-wikitest
-  roles:
-    - dokuwiki
-
-# Install NGINX with reverse proxy conf
- hosts: proxy.adm.auro.re
+# Deploy reverse proxy
+- hosts: proxy*.adm.auro.re
  vars:
-    reversed_proxy_subdomains:
-      - name: re2o
-        from: re2o.auro.re
-        to: re2o-server.adm.auro.re
-      - name: intranet
-        from: intranet.auro.re
-        to: re2o-server.adm.auro.re
-      - name: phabricator
-        from: phabricator.auro.re
-        to: phabricator.adm.auro.re
-      - name: wiki
-        from: wiki.auro.re
-        to: wiki.adm.auro.re
-      - name: www
-        from: www.auro.re
-        to: www.adm.auro.re
-      - name: re2o-test
-        from: re2o-test.auro.re
-        to: re2o-test.adm.auro.re
-      - name: riot
-        from: riot.auro.re
-        to: docker-ovh.adm.auro.re:8080
-      - name: codimd
-        from: codimd.auro.re
-        to: docker-ovh.adm.auro.re:8081
-      - name: grafana
-        from: grafana.auro.re
-        to: docker-ovh.adm.auro.re:8082
-      - name: privatebin
-        from: privatebin.auro.re
-        to: docker-ovh.adm.auro.re:8083
-      - name: pad
-        from: pad.auro.re
-        to: docker-ovh.adm.auro.re:8084
-      - name: cas
-        from: cas.auro.re
-        to: docker-ovh.adm.auro.re:8085
+    certbot:
+      dns_rfc2136_name: certbot_challenge.
+      dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+      mail: tech.aurore@lists.crans.org
+      certname: auro.re
+      domains: "auro.re, *.auro.re, aurores.net, *.aurores.net, fede-aurore.net, *.fede-aurore.net"
+      dns_masters_ipv4: 92.222.211.196
+    nginx:
+      ssl:
+        cert: /etc/letsencrypt/live/auro.re/fullchain.pem
+        cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
+        trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
+
+      redirect_dnames:
+        - aurores.net
+        - fede-aurore.net
+
+      reverseproxy_sites:
+        - {from: re2o.auro.re,          to: 10.128.0.10}
+        - {from: intranet.auro.re,      to: 10.128.0.10}
+
+        - {from: phabricator.auro.re,   to: 10.128.0.50}
+        - {from: wiki.auro.re,          to: 10.128.0.51}
+        - {from: www.auro.re,           to: 10.128.0.52}
+
+        - {from: re2o-test.auro.re,     to: 10.128.0.100}
+
+        - {from: riot.auro.re,          to: "10.128.0.150:8080"}
+        - {from: codimd.auro.re,        to: "10.128.0.150:8081"}
+        - {from: grafana.auro.re,       to: "10.128.0.150:8082"}
+        - {from: privatebin.auro.re,    to: "10.128.0.150:8083"}
+        - {from: pad.auro.re,           to: "10.128.0.150:8084"}
+        - {from: cas.auro.re,           to: "10.128.0.150:8085"}
+
+      redirect_sites:
+        - {from: auro.re,               to: www.auro.re}
  roles:
-    - nginx-reverse-proxy
+    - certbot
+    - nginx-reverseproxy