Certbot wildcard role

roles/certbot/tasks/main.yml

@@ -0,0 +1,34 @@
+---
+- name: Install certbot and RFC2136 plugin
+  apt:
+    update_cache: true
+    name:
+      - certbot
+      - python3-certbot-dns-rfc2136
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Lookup DNS masters IPv4
+  set_fact:
+    dns_masters_ipv4: "{{ certbot.dns_masters_ipv4 }}"
+    cacheable: true
+
+- name: Add DNS credentials
+  template:
+    src: letsencrypt/rfc2136.ini.j2
+    dest: /etc/letsencrypt/rfc2136.ini
+    mode: 0600
+    owner: root
+
+- name: Create /etc/letsencrypt/conf.d
+  file:
+    path: /etc/letsencrypt/conf.d
+    state: directory
+
+- name: Add Certbot configuration
+  template:
+    src: "letsencrypt/conf.d/certname.ini.j2"
+    dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
+    mode: 0644

roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2

@@ -0,0 +1,25 @@
+{{ ansible_header | comment(decoration='# ') }}
+
+# Pour appliquer cette conf et générer la conf de renewal :
+# certbot --config wildcard.ini certonly
+
+# Use a 4096 bit RSA key instead of 2048
+rsa-key-size = 4096
+
+# Always use the staging/testing server
+# server = https://acme-staging.api.letsencrypt.org/directory
+
+# Uncomment and update to register with the specified e-mail address
+email = {{ certbot.mail }}
+
+# Uncomment to use a text interface instead of ncurses
+text = True
+
+# Use DNS-01 challenge
+authenticator = dns-rfc2136
+dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini
+dns-rfc2136-propagation-seconds = 30
+
+# Wildcard the domain
+cert-name = {{ certbot.certname }}
+domains = {{ certbot.domains }}

roles/certbot/templates/letsencrypt/rfc2136.ini.j2

@@ -0,0 +1,7 @@
+{{ ansible_header | comment(decoration='# ') }}
+
+dns_rfc2136_server = {{ dns_masters_ipv4 | first }}
+dns_rfc2136_port = 53
+dns_rfc2136_name = {{ certbot.dns_rfc2136_name }}
+dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }}
+dns_rfc2136_algorithm = HMAC-SHA512

services_web.yml

@@ -10,51 +10,45 @@
   roles:
     - passbolt
 
-# Install DokuWiki on the wiki TEST container
+# Deploy reverse proxy
-# When it will be operational, horus-wikitest will replace horus-wiki
+- hosts: proxy*.adm.auro.re
-- hosts: horus-wikitest
-  roles:
-    - dokuwiki
-
-# Install NGINX with reverse proxy conf
-- hosts: proxy.adm.auro.re
   vars:
-    reversed_proxy_subdomains:
+    certbot:
-      - name: re2o
+      dns_rfc2136_name: certbot_challenge.
-        from: re2o.auro.re
+      dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
-        to: re2o-server.adm.auro.re
+      mail: tech.aurore@lists.crans.org
-      - name: intranet
+      certname: auro.re
-        from: intranet.auro.re
+      domains: "auro.re, *.auro.re, aurores.net, *.aurores.net, fede-aurore.net, *.fede-aurore.net"
-        to: re2o-server.adm.auro.re
+      dns_masters_ipv4: 92.222.211.196
-      - name: phabricator
+    nginx:
-        from: phabricator.auro.re
+      ssl:
-        to: phabricator.adm.auro.re
+        cert: /etc/letsencrypt/live/auro.re/fullchain.pem
-      - name: wiki
+        cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
-        from: wiki.auro.re
+        trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
-        to: wiki.adm.auro.re
+
-      - name: www
+      redirect_dnames:
-        from: www.auro.re
+        - aurores.net
-        to: www.adm.auro.re
+        - fede-aurore.net
-      - name: re2o-test
+
-        from: re2o-test.auro.re
+      reverseproxy_sites:
-        to: re2o-test.adm.auro.re
+        - {from: re2o.auro.re,          to: 10.128.0.10}
-      - name: riot
+        - {from: intranet.auro.re,      to: 10.128.0.10}
-        from: riot.auro.re
+
-        to: docker-ovh.adm.auro.re:8080
+        - {from: phabricator.auro.re,   to: 10.128.0.50}
-      - name: codimd
+        - {from: wiki.auro.re,          to: 10.128.0.51}
-        from: codimd.auro.re
+        - {from: www.auro.re,           to: 10.128.0.52}
-        to: docker-ovh.adm.auro.re:8081
+
-      - name: grafana
+        - {from: re2o-test.auro.re,     to: 10.128.0.100}
-        from: grafana.auro.re
+
-        to: docker-ovh.adm.auro.re:8082
+        - {from: riot.auro.re,          to: "10.128.0.150:8080"}
-      - name: privatebin
+        - {from: codimd.auro.re,        to: "10.128.0.150:8081"}
-        from: privatebin.auro.re
+        - {from: grafana.auro.re,       to: "10.128.0.150:8082"}
-        to: docker-ovh.adm.auro.re:8083
+        - {from: privatebin.auro.re,    to: "10.128.0.150:8083"}
-      - name: pad
+        - {from: pad.auro.re,           to: "10.128.0.150:8084"}
-        from: pad.auro.re
+        - {from: cas.auro.re,           to: "10.128.0.150:8085"}
-        to: docker-ovh.adm.auro.re:8084
+
-      - name: cas
+      redirect_sites:
-        from: cas.auro.re
+        - {from: auro.re,               to: www.auro.re}
-        to: docker-ovh.adm.auro.re:8085
   roles:
-    - nginx-reverse-proxy
+    - certbot
+    - nginx-reverseproxy