Certbot wildcard role

This commit is contained in:
Alexandre Iooss 2020-05-09 12:54:38 +02:00
parent 544498c81a
commit 9c226c680c
No known key found for this signature in database
GPG key ID: 6C79278F3FCDCC02
4 changed files with 106 additions and 46 deletions


@ -0,0 +1,34 @@
---
- name: Install certbot and RFC2136 plugin
apt:
update_cache: true
name:
- certbot
- python3-certbot-dns-rfc2136
state: present
register: apt_result
retries: 3
until: apt_result is succeeded
- name: Lookup DNS masters IPv4
set_fact:
dns_masters_ipv4: "{{ certbot.dns_masters_ipv4 }}"
cacheable: true
- name: Add DNS credentials
template:
src: letsencrypt/rfc2136.ini.j2
dest: /etc/letsencrypt/rfc2136.ini
mode: 0600
owner: root
- name: Create /etc/letsencrypt/conf.d
file:
path: /etc/letsencrypt/conf.d
state: directory
- name: Add Certbot configuration
template:
src: "letsencrypt/conf.d/certname.ini.j2"
dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
mode: 0644
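Review bot: The "Add DNS credentials" task renders the TSIG secret from `certbot.dns_rfc2136_secret` into /etc/letsencrypt/rfc2136.ini, and nothing stops that content from being echoed: a run with `--diff` (or check mode with diff enabled) prints the rendered file, so the secret ends up in the console log and any CI capture. Adding `no_log: true` to that task (or at minimum `diff: false`) keeps it out; the 0600 mode already protects it on disk, though `group: root` is worth setting explicitly next to `owner: root` rather than inheriting whatever the default group is. The octal modes are written bare as `0600` / `0644`; Ansible's own guidance is to quote them (`mode: "0600"`) so that a YAML 1.2 loader or a later edit dropping the leading zero cannot silently turn them into a different mode. This rendering has lost the file's indentation, so the task nesting above is inferred.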


@ -0,0 +1,25 @@
{{ ansible_header | comment(decoration='# ') }}
# Pour appliquer cette conf et générer la conf de renewal :
# certbot --config wildcard.ini certonly
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
# Always use the staging/testing server
# server = https://acme-staging.api.letsencrypt.org/directory
# Uncomment and update to register with the specified e-mail address
email = {{ certbot.mail }}
# Uncomment to use a text interface instead of ncurses
text = True
# Use DNS-01 challenge
authenticator = dns-rfc2136
dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini
dns-rfc2136-propagation-seconds = 30
# Wildcard the domain
cert-name = {{ certbot.certname }}
domains = {{ certbot.domains }}
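Review bot: Several comments in this template are copied from certbot's sample cli.ini and contradict the line they sit above: "Uncomment and update to register with the specified e-mail address" precedes an active `email = ...`, and "Uncomment to use a text interface instead of ncurses" precedes an active `text = True`, so a reader cannot tell which options are actually enabled. Rewrite them as statements of what is set, e.g. `# ACME account e-mail for expiry/security notices` and `# Non-interactive text UI; this file is applied unattended`. The French usage note also names `wildcard.ini`, but the role renders this file as `{{ certbot.certname }}.ini`, so the quoted command is wrong as written; suggest `# To issue the cert and generate the renewal config: certbot --config /etc/letsencrypt/conf.d/<certname>.ini certonly` in English like the rest of the file. `dns-rfc2136-propagation-seconds = 30` encodes an assumption about how quickly the authoritative servers publish the TXT record; if that is ever slower, DNS-01 validation fails intermittently, so a one-line comment stating why 30 s is sufficient for these masters would help the next maintainer.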


@ -0,0 +1,7 @@
{{ ansible_header | comment(decoration='# ') }}
dns_rfc2136_server = {{ dns_masters_ipv4 | first }}
dns_rfc2136_port = 53
dns_rfc2136_name = {{ certbot.dns_rfc2136_name }}
dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }}
dns_rfc2136_algorithm = HMAC-SHA512
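Review bot: `{{ dns_masters_ipv4 | first }}` on the server line assumes `dns_masters_ipv4` is a list, but the playbook in this same commit sets it as a scalar (`dns_masters_ipv4: 92.222.211.196`), and Jinja2's `first` applied to a string returns its first character, so the rendered file would read `dns_rfc2136_server = 9` and every DNS-01 challenge would fail. Either make the playbook value a list (`dns_masters_ipv4:` followed by `  - 92.222.211.196`) or drop the filter if a single address is intended; in both cases the ini only ever targets one master, which deserves a comment since the variable name suggests several. The secret is interpolated unquoted, so a value with leading/trailing whitespace or a `#` may be mangled by the ini parser; a comment above the line documenting the expected form (base64 TSIG key, no surrounding whitespace) would make failures easier to diagnose.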


@ -10,51 +10,45 @@
roles: roles:
- passbolt - passbolt
# Install DokuWiki on the wiki TEST container # Deploy reverse proxy
# When it will be operational, horus-wikitest will replace horus-wiki - hosts: proxy*.adm.auro.re
- hosts: horus-wikitest
roles:
- dokuwiki
# Install NGINX with reverse proxy conf
- hosts: proxy.adm.auro.re
vars: vars:
reversed_proxy_subdomains: certbot:
- name: re2o dns_rfc2136_name: certbot_challenge.
from: re2o.auro.re dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
to: re2o-server.adm.auro.re mail: tech.aurore@lists.crans.org
- name: intranet certname: auro.re
from: intranet.auro.re domains: "auro.re, *.auro.re, aurores.net, *.aurores.net, fede-aurore.net, *.fede-aurore.net"
to: re2o-server.adm.auro.re dns_masters_ipv4: 92.222.211.196
- name: phabricator nginx:
from: phabricator.auro.re ssl:
to: phabricator.adm.auro.re cert: /etc/letsencrypt/live/auro.re/fullchain.pem
- name: wiki cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
from: wiki.auro.re trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
to: wiki.adm.auro.re
- name: www redirect_dnames:
from: www.auro.re - aurores.net
to: www.adm.auro.re - fede-aurore.net
- name: re2o-test
from: re2o-test.auro.re reverseproxy_sites:
to: re2o-test.adm.auro.re - {from: re2o.auro.re, to: 10.128.0.10}
- name: riot - {from: intranet.auro.re, to: 10.128.0.10}
from: riot.auro.re
to: docker-ovh.adm.auro.re:8080 - {from: phabricator.auro.re, to: 10.128.0.50}
- name: codimd - {from: wiki.auro.re, to: 10.128.0.51}
from: codimd.auro.re - {from: www.auro.re, to: 10.128.0.52}
to: docker-ovh.adm.auro.re:8081
- name: grafana - {from: re2o-test.auro.re, to: 10.128.0.100}
from: grafana.auro.re
to: docker-ovh.adm.auro.re:8082 - {from: riot.auro.re, to: "10.128.0.150:8080"}
- name: privatebin - {from: codimd.auro.re, to: "10.128.0.150:8081"}
from: privatebin.auro.re - {from: grafana.auro.re, to: "10.128.0.150:8082"}
to: docker-ovh.adm.auro.re:8083 - {from: privatebin.auro.re, to: "10.128.0.150:8083"}
- name: pad - {from: pad.auro.re, to: "10.128.0.150:8084"}
from: pad.auro.re - {from: cas.auro.re, to: "10.128.0.150:8085"}
to: docker-ovh.adm.auro.re:8084
- name: cas redirect_sites:
from: cas.auro.re - {from: auro.re, to: www.auro.re}
to: docker-ovh.adm.auro.re:8085
roles: roles:
- nginx-reverse-proxy - certbot
- nginx-reverseproxy
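Review bot: The nginx `ssl` block points at /etc/letsencrypt/live/auro.re/{fullchain,privkey,chain}.pem, but the certbot role added in this commit only installs the package and writes the ini files; nothing runs `certbot certonly`, so on a fresh proxy host the nginx-reverseproxy role (which runs after certbot in the roles list) is handed paths that do not exist yet and the service will presumably fail to start until the manual step described in the template comment is performed. Either add an idempotent issuance task to the role, e.g. a `command` guarded by `creates: /etc/letsencrypt/live/{{ certbot.certname }}/fullchain.pem`, or document the manual bootstrap in this play. The host pattern is now `proxy*.adm.auro.re`; if it ever matches more than one host, each will request the same wildcard certificate with the same TSIG key, which is worth a comment stating whether a single proxy is expected. This section's side-by-side rendering is interleaved, so the old/new columns above are inferred.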