Certbot wildcard role
parent
544498c81a
commit
9c226c680c
4 changed files with 106 additions and 46 deletions
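--- /dev/null
+++ b/roles/certbot/tasks/main.yml
@@ -0,0 +1,34 @@
+---
+- name: Install certbot and RFC2136 plugin
+  apt:
+    update_cache: true
+    name:
+      - certbot
+      - python3-certbot-dns-rfc2136
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Lookup DNS masters IPv4
+  set_fact:
+    dns_masters_ipv4: "{{ certbot.dns_masters_ipv4 }}"
+    cacheable: true
+
+- name: Add DNS credentials
+  template:
+    src: letsencrypt/rfc2136.ini.j2
+    dest: /etc/letsencrypt/rfc2136.ini
+    mode: 0600
+    owner: root
+
+- name: Create /etc/letsencrypt/conf.d
+  file:
+    path: /etc/letsencrypt/conf.d
+    state: directory
+
+- name: Add Certbot configuration
+  template:
+    src: "letsencrypt/conf.d/certname.ini.j2"
+    dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
+    mode: 0644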
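Review bot: The `Add DNS credentials` task renders the TSIG secret into /etc/letsencrypt/rfc2136.ini but is not marked `no_log`, so a run with `--diff`, or a failure inside that template task, prints the rendered secret to the console and to whatever collects the playbook output; add `no_log: true` to that task. The file modes are bare octal scalars; Ansible does read leading-zero `0600`/`0644` as intended, but quoting them (`mode: "0600"`) removes the YAML octal ambiguity and keeps ansible-lint quiet. Note that this file only installs certbot and writes configuration: nothing here runs `certbot certonly` or installs a renewal deploy hook, so the manual obtain step mentioned in the template comments is the only thing that produces a certificate, which is worth stating in a comment at the top of the role (`# Writes config only; the first certificate must be obtained by hand, see conf.d/<certname>.ini`).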
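--- /dev/null
+++ b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
@@ -0,0 +1,25 @@
+{{ ansible_header | comment(decoration='# ') }}
+
+# Pour appliquer cette conf et générer la conf de renewal :
+# certbot --config wildcard.ini certonly
+
+# Use a 4096 bit RSA key instead of 2048
+rsa-key-size = 4096
+
+# Always use the staging/testing server
+# server = https://acme-staging.api.letsencrypt.org/directory
+
+# Uncomment and update to register with the specified e-mail address
+email = {{ certbot.mail }}
+
+# Uncomment to use a text interface instead of ncurses
+text = True
+
+# Use DNS-01 challenge
+authenticator = dns-rfc2136
+dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini
+dns-rfc2136-propagation-seconds = 30
+
+# Wildcard the domain
+cert-name = {{ certbot.certname }}
+domains = {{ certbot.domains }}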
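Review bot: The commented staging URL on the `server =` line is the ACMEv1 endpoint (`acme-staging.api.letsencrypt.org`), and wildcard names are only issued over ACMEv2, so anyone who uncomments it to dry-run this wildcard config will get an identifier error rather than a test certificate; change it to `# server = https://acme-staging-v02.api.letsencrypt.org/directory`. The header comments are also stale for this file: the usage line refers to `wildcard.ini` while the file is deployed as `conf.d/{{ certbot.certname }}.ini`, the `email` line is set but its comment says "Uncomment and update", and "Always use the staging/testing server" sits above a line that is commented out. I would replace those with English comments along the lines of `# Obtain the certificate and create the renewal conf with: certbot --config /etc/letsencrypt/conf.d/<certname>.ini certonly` and `# Uncomment to test against the staging server (ACMEv2 is required for wildcards)`. `dns-rfc2136-propagation-seconds = 30` is only safe if Let's Encrypt is answered by the master that received the update; if the public NS set is served by secondaries, the value may need raising to cover NOTIFY/AXFR delay.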
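--- /dev/null
+++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
@@ -0,0 +1,7 @@
+{{ ansible_header | comment(decoration='# ') }}
+
+dns_rfc2136_server = {{ dns_masters_ipv4 | first }}
+dns_rfc2136_port = 53
+dns_rfc2136_name = {{ certbot.dns_rfc2136_name }}
+dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }}
+dns_rfc2136_algorithm = HMAC-SHA512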
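Review bot: `dns_rfc2136_server = {{ dns_masters_ipv4 | first }}` applies Jinja's `first` to whatever the variable is, and in the play changed by this same commit `dns_masters_ipv4` is the plain scalar `92.222.211.196`, so the rendered line would be `dns_rfc2136_server = 9` unless the variable is a list somewhere not shown here; either drop the `| first` filter on this line or declare the variable as a list in the play. Since this file carries the TSIG key that is allowed to modify the challenge zone, a leading comment stating that contract would help the next maintainer: `# TSIG key used for _acme-challenge updates; keep root-only (0600) and rotate if the proxy is compromised`.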
@ -10,51 +10,45 @@
|
||||||
roles:
|
roles:
|
||||||
- passbolt
|
- passbolt
|
||||||
|
|
||||||
# Install DokuWiki on the wiki TEST container
|
# Deploy reverse proxy
|
||||||
# When it will be operational, horus-wikitest will replace horus-wiki
|
- hosts: proxy*.adm.auro.re
|
||||||
- hosts: horus-wikitest
|
|
||||||
roles:
|
|
||||||
- dokuwiki
|
|
||||||
|
|
||||||
# Install NGINX with reverse proxy conf
|
|
||||||
- hosts: proxy.adm.auro.re
|
|
||||||
vars:
|
vars:
|
||||||
reversed_proxy_subdomains:
|
certbot:
|
||||||
- name: re2o
|
dns_rfc2136_name: certbot_challenge.
|
||||||
from: re2o.auro.re
|
dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
|
||||||
to: re2o-server.adm.auro.re
|
mail: tech.aurore@lists.crans.org
|
||||||
- name: intranet
|
certname: auro.re
|
||||||
from: intranet.auro.re
|
domains: "auro.re, *.auro.re, aurores.net, *.aurores.net, fede-aurore.net, *.fede-aurore.net"
|
||||||
to: re2o-server.adm.auro.re
|
dns_masters_ipv4: 92.222.211.196
|
||||||
- name: phabricator
|
nginx:
|
||||||
from: phabricator.auro.re
|
ssl:
|
||||||
to: phabricator.adm.auro.re
|
cert: /etc/letsencrypt/live/auro.re/fullchain.pem
|
||||||
- name: wiki
|
cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
|
||||||
from: wiki.auro.re
|
trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
|
||||||
to: wiki.adm.auro.re
|
|
||||||
- name: www
|
redirect_dnames:
|
||||||
from: www.auro.re
|
- aurores.net
|
||||||
to: www.adm.auro.re
|
- fede-aurore.net
|
||||||
- name: re2o-test
|
|
||||||
from: re2o-test.auro.re
|
reverseproxy_sites:
|
||||||
to: re2o-test.adm.auro.re
|
- {from: re2o.auro.re, to: 10.128.0.10}
|
||||||
- name: riot
|
- {from: intranet.auro.re, to: 10.128.0.10}
|
||||||
from: riot.auro.re
|
|
||||||
to: docker-ovh.adm.auro.re:8080
|
- {from: phabricator.auro.re, to: 10.128.0.50}
|
||||||
- name: codimd
|
- {from: wiki.auro.re, to: 10.128.0.51}
|
||||||
from: codimd.auro.re
|
- {from: www.auro.re, to: 10.128.0.52}
|
||||||
to: docker-ovh.adm.auro.re:8081
|
|
||||||
- name: grafana
|
- {from: re2o-test.auro.re, to: 10.128.0.100}
|
||||||
from: grafana.auro.re
|
|
||||||
to: docker-ovh.adm.auro.re:8082
|
- {from: riot.auro.re, to: "10.128.0.150:8080"}
|
||||||
- name: privatebin
|
- {from: codimd.auro.re, to: "10.128.0.150:8081"}
|
||||||
from: privatebin.auro.re
|
- {from: grafana.auro.re, to: "10.128.0.150:8082"}
|
||||||
to: docker-ovh.adm.auro.re:8083
|
- {from: privatebin.auro.re, to: "10.128.0.150:8083"}
|
||||||
- name: pad
|
- {from: pad.auro.re, to: "10.128.0.150:8084"}
|
||||||
from: pad.auro.re
|
- {from: cas.auro.re, to: "10.128.0.150:8085"}
|
||||||
to: docker-ovh.adm.auro.re:8084
|
|
||||||
- name: cas
|
redirect_sites:
|
||||||
from: cas.auro.re
|
- {from: auro.re, to: www.auro.re}
|
||||||
to: docker-ovh.adm.auro.re:8085
|
|
||||||
roles:
|
roles:
|
||||||
- nginx-reverse-proxy
|
- certbot
|
||||||
|
- nginx-reverseproxy
|
||||||
|
|
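Review bot: The play now runs `certbot` before `nginx-reverseproxy`, but the certbot role added in this commit only installs the package and writes configuration, so on a fresh proxy the nginx role will point at `/etc/letsencrypt/live/auro.re/fullchain.pem` before any certificate exists and the first run will fail; either the role should perform the `certbot certonly` step and install a deploy hook that reloads nginx on renewal, or the prerequisite should be documented above `roles:`, e.g. `# First run: obtain the certificate by hand (certbot --config /etc/letsencrypt/conf.d/auro.re.ini certonly) before nginx will start`. `dns_masters_ipv4: 92.222.211.196` is a scalar but the rfc2136 template consumes it with `| first`, so it should probably read `dns_masters_ipv4: ["92.222.211.196"]`. One TSIG key, `certbot_challenge.`, is now used for three zones and lives on the public-facing proxy; on the DNS master (outside this commit) its update-policy should be restricted to the `_acme-challenge` TXT names of `auro.re`, `aurores.net` and `fede-aurore.net` rather than whole-zone updates, so a compromise of the proxy cannot rewrite the zones.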