diff --git a/group_vars/certbot.yml b/group_vars/certbot.yml
index 3dd13db998ea06e82c28d11561aec33a5df745a6..311e9ac839c06e8e8e38597c7f1f61c9f96bb610 100644
--- a/group_vars/certbot.yml
+++ b/group_vars/certbot.yml
@@ -1,8 +1,8 @@
---
glob_certbot:
- dns_rfc2136_server: '172.16.10.147'
- dns_rfc2136_name: certbot_challenge.
- dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
- mail: root@crans.org
- certname: crans.org
- domains: "crans.org"
+ - dns_rfc2136_server: '172.16.10.147'
+ dns_rfc2136_name: certbot_challenge.
+ dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+ mail: root@crans.org
+ certname: crans.org
+ domains: "crans.org"
diff --git a/host_vars/gitzly.adm.crans.org.yml b/host_vars/gitzly.adm.crans.org.yml
index f7105157029d0f0cbeaa40b5efde5c904c798356..f72209b395eb1d8ebdfdba12df8e4004a615939e 100644
--- a/host_vars/gitzly.adm.crans.org.yml
+++ b/host_vars/gitzly.adm.crans.org.yml
@@ -4,7 +4,16 @@ interfaces:
srv: ens19
loc_certbot:
- dns_rfc2136_name: certbot_adm_challenge.
- dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}"
- certname: adm.crans.org
- domains: "*.adm.crans.org"
+ - dns_rfc2136_server: '172.16.10.147'
+ dns_rfc2136_name: certbot_challenge.
+ dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+ mail: root@crans.org
+ certname: crans.org
+ domains: "*.crans.org"
+
+ - dns_rfc2136_server: '172.16.10.147'
+ dns_rfc2136_name: certbot_adm_challenge.
+ dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}"
+ mail: root@crans.org
+ certname: adm.crans.org
+ domains: "*.adm.crans.org"
diff --git a/host_vars/hodaur.adm.crans.org.yml b/host_vars/hodaur.adm.crans.org.yml
index 2aa4c1945303a1ebd593b9b139ad6a63e8bc23d5..ddf9701620a899ac2973c8fa009362769530c9d7 100644
--- a/host_vars/hodaur.adm.crans.org.yml
+++ b/host_vars/hodaur.adm.crans.org.yml
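Review bot: The value of `glob_certbot` is now a one-element list rather than a mapping, and nothing in the file says so; because the plays in this same commit pick the whole list with `loc_certbot | default(glob_certbot | default([]))` instead of `combine`, a host that defines `loc_certbot` drops this entry completely and has to restate every key, which is why host_vars/gitzly.adm.crans.org.yml and host_vars/hodaur.adm.crans.org.yml now carry `dns_rfc2136_server: '172.16.10.147'`, `mail: root@crans.org` and the vault secret reference verbatim. A comment above the list would make that contract explicit, e.g. `# List of certificate requests, consumed by roles/certbot via loop. A host-level loc_certbot REPLACES this list; it is not merged into it.` Moving `dns_rfc2136_server` and `mail` into role defaults so each entry only needs `certname`, `domains` and the key name/secret would remove the copies, if the role is revisited.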
@@ -1,3 +1,8 @@
---
loc_certbot:
- domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
+ - dns_rfc2136_server: '172.16.10.147'
+ dns_rfc2136_name: certbot_challenge.
+ dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+ mail: root@crans.org
+ certname: crans.org
+ domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
diff --git a/plays/certbot.yml b/plays/certbot.yml
index e1a97312ced74b69656d2de251dfa0c507ce3112..76bb969a9947fb872869cf6e62e3708bc6f736cc 100755
--- a/plays/certbot.yml
+++ b/plays/certbot.yml
@@ -3,7 +3,7 @@
# Deploy certbot for LE certificates
- hosts: certbot
vars:
- certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}'
+ certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
mirror: '{{ glob_mirror.name }}'
roles:
- certbot
diff --git a/plays/dovecot.yml b/plays/dovecot.yml
index 13a70d7f8e6cea8d4b8c83f9e7f28e01a6f81044..32e02ca4a3e2e5319ba5a5c2f55485479a70f2ef 100755
--- a/plays/dovecot.yml
+++ b/plays/dovecot.yml
@@ -3,9 +3,9 @@
# Deploy dovecot server
- hosts: dovecot
vars:
- certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}'
+ certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
ldap: '{{ glob_ldap | default({}) | combine(loc_ldap | default({})) }}'
dovecot: '{{ glob_dovecot | default({}) | combine(loc_dovecot | default({})) }}'
roles:
- certbot
- - dovecot
\ No newline at end of file
+ - dovecot
diff --git a/plays/freeradius.yml b/plays/freeradius.yml
index 51d994e1343636338301c66f70b841b0f7f391a8..f356fe4911ee6cd09a38b2f8e7a16fde75497c3f 100755
--- a/plays/freeradius.yml
+++ b/plays/freeradius.yml
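Review bot: `certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'` silently changes the merge semantics: a host-level `loc_certbot` now replaces the group list instead of being combined with it, and when neither variable is defined `certbot` is `[]`, so every `loop: "{{ certbot }}"` task in roles/certbot becomes a no-op and the play succeeds without requesting any certificate. The same expression is introduced in plays/dovecot.yml, plays/freeradius.yml, plays/gitlab.yml and plays/reverse-proxy.yml. A guard at the top of the role, `- assert: { that: "certbot | length > 0" }`, would make the empty case loud; failing that, a comment on this line, `# loc_certbot REPLACES glob_certbot (no merge); [] makes the role do nothing`, at least records the intent.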
@@ -3,7 +3,7 @@
# Deploy radius server
- hosts: radius
vars:
- certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}'
+ certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
freeradius: '{{ glob_freeradius | default({}) | combine(loc_freeradius | default({})) }}'
mirror: '{{ glob_mirror.name }}'
roles:
diff --git a/plays/gitlab.yml b/plays/gitlab.yml
index 1e1b6410bd3f25a79e6dce224789f3f7b89e65f6..9a47c8c57bc3a408439b3e174877e3dddd77ec29 100755
--- a/plays/gitlab.yml
+++ b/plays/gitlab.yml
@@ -6,16 +6,9 @@
- docker
- gitlab-runner
-# This seems strange, don't know if it still used
-# - hosts: gitzly.adm.crans.org
-# vars:
-# certbot:
-# dns_rfc2136_name: certbot_adm_challenge.
-# dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}"
-# mail: root@crans.org
-# certname: adm.crans.org
-# domains: "*.adm.crans.org"
-# bind:
-# masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
-# roles:
-# - certbot
+# Install Gitlab
+- hosts: git
+ vars:
+ certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
+ roles:
+ - certbot
diff --git a/plays/postfix.yml b/plays/postfix.yml
index 8f66e28b93f81c1519d856c507eac81ea22688ad..37195fa6cd3f8e9cdb69ceb2ad8f4f37656d6c66 100755
--- a/plays/postfix.yml
+++ b/plays/postfix.yml
@@ -4,11 +4,12 @@
- hosts: sputnik.adm.crans.org, boeing.adm.crans.org, redisdead.adm.crans.org, titanic.adm.crans.org
vars:
certbot:
- dns_rfc2136_name: certbot_challenge.
- dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
- mail: root@crans.org
- certname: crans.org
- domains: "*.crans.org"
+ - dns_rfc2136_server: '172.16.10.147'
+ dns_rfc2136_name: certbot_challenge.
+ dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+ mail: root@crans.org
+ certname: crans.org
+ domains: "*.crans.org"
bind:
masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
opendkim:
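Review bot: The comment `# Install Gitlab` does not describe the play under it, whose only role is `certbot`; the play obtains the Let's Encrypt certificate for the `git` hosts and installs nothing of Gitlab itself. Rename it to `# Obtain LE certificates for the git hosts` (or add the gitlab role, if that was the intent). The commented-out play being removed also set `bind: masters: ...` next to `certbot`, which the new play does not; the postfix play in this same commit still defines both, so confirm the certbot role no longer depends on `bind` before relying on the shorter form.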
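Review bot: The `certbot` list is hard-coded in the play for four named hosts and duplicates group_vars/certbot.yml (same server, key name, secret and `certname: crans.org`) except for `domains: "*.crans.org"`; under the `loc_certbot | default(glob_certbot)` convention the other plays adopt, this belongs in `loc_certbot` in each host's host_vars, as done for gitzly and hodaur, so the TSIG key name or server is changed in one place. Note that `certname: crans.org` is used here for a wildcard request while the group entry uses it for the bare name, and the role keys `/etc/letsencrypt/rfc2136.<certname>.ini` and `conf.d/<certname>.ini` by certname, so the two must never end up in the same list or one overwrites the other. If the inline definition is kept on purpose, a comment `# overrides glob_certbot: wildcard cert, same TSIG key` would say so.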
diff --git a/plays/reverse-proxy.yml b/plays/reverse-proxy.yml
index 0e25fc503a45ebf6f9ba936d7143ac6b96fa43be..04c3fb38f94672e9d346b8b6b9cc621f3a5948b0 100755
--- a/plays/reverse-proxy.yml
+++ b/plays/reverse-proxy.yml
@@ -2,7 +2,7 @@
---
- hosts: reverseproxy
vars:
- certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}'
+ certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
mirror: '{{ glob_mirror.name }}'
roles:
- certbot
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index fbe6a6ae9989009b4ece12115b7c88b067feed0d..812aff2cb551c659f376e78f4ead3142b1a7269e 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@@ -20,9 +20,16 @@
- name: Add DNS credentials
template:
src: letsencrypt/rfc2136.ini.j2
- dest: /etc/letsencrypt/rfc2136.ini
+ dest: "/etc/letsencrypt/rfc2136.{{ item.certname }}.ini"
mode: 0600
owner: root
+ loop: "{{ certbot }}"
+
+- name: Add dhparam
+ template:
+ src: "letsencrypt/dhparam.j2"
+ dest: "/etc/letsencrypt/dhparam"
+ mode: 0644
- name: Create /etc/letsencrypt/conf.d
file:
@@ -32,8 +39,10 @@
- name: Add Certbot configuration
template:
src: "letsencrypt/conf.d/certname.ini.j2"
- dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
+ dest: "/etc/letsencrypt/conf.d/{{ item.certname }}.ini"
mode: 0644
+ loop: "{{ certbot }}"
-- name: Run certbot
- command: certbot --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly
+- name: Run certbot
+ command: certbot --non-interactive --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
+ loop: "{{ certbot }}"
diff --git a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
index cbf247b455d83234ce51f81f823da55efa184ab7..1fc1a19b29cc4f00a50a3968c2fb2857efd0026e 100644
--- a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
+++ b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
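Review bot: The credentials file moves from `/etc/letsencrypt/rfc2136.ini` to `/etc/letsencrypt/rfc2136.{{ item.certname }}.ini`, but nothing removes the old path on hosts that already ran the role, so a copy of the TSIG secret stays on disk indefinitely even though the certname.ini.j2 hunk stops referencing it; a cleanup task after the loop (below) closes that. On the same "Add DNS credentials" task, `no_log: true` would keep `dns_rfc2136_secret` out of `--diff` and verbose output, and the new `mode: 0644` (like the existing `0600`) is a bare octal whose value depends on the YAML loader's octal handling — Ansible's documented forms are `mode: "0644"` or `0o644`. In the second hunk, "Run certbot" now reports changed on every run for every entry; certbot itself skips renewal when not due, but a `changed_when` on its output would keep the play honest.

```yaml
  loop: "{{ certbot }}"

- name: Remove legacy shared DNS credentials
  file:
    path: /etc/letsencrypt/rfc2136.ini
    state: absent

# … unchanged: Add dhparam task …
```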
@@ -1,7 +1,7 @@
{{ ansible_header | comment(decoration='# ') }}
# To generate the certificate, please use the following command
-# certbot --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly
+# certbot --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
@@ -10,7 +10,7 @@ rsa-key-size = 4096
# server = https://acme-staging.api.letsencrypt.org/directory
# Uncomment and update to register with the specified e-mail address
-email = {{ certbot.mail }}
+email = {{ item.mail }}
# Uncomment to use a text interface instead of ncurses
text = True
@@ -20,9 +20,9 @@ agree-tos = True
# Use DNS-01 challenge
authenticator = dns-rfc2136
-dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini
+dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.{{ item.certname }}.ini
dns-rfc2136-propagation-seconds = 30
# Wildcard the domain
-cert-name = {{ certbot.certname }}
-domains = {{ certbot.domains }}
+cert-name = {{ item.certname }}
+domains = {{ item.domains }}
diff --git a/roles/certbot/templates/letsencrypt/dhparam.j2 b/roles/certbot/templates/letsencrypt/dhparam.j2
new file mode 100644
index 0000000000000000000000000000000000000000..9b182b7201fd94b6d896f863418517808bbbe7f9
--- /dev/null
+++ b/roles/certbot/templates/letsencrypt/dhparam.j2
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
diff --git a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
index 140283cb44a9884587f8ec53119a178eb76c9d4e..0fb2a8d9f34e56c1fdd956d603b5e2be6d1732cb 100644
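Review bot: The template now reads `item.certname`, `item.mail`, `item.domains` and the per-certname credentials path, which ties it to the default loop variable of the `loop: "{{ certbot }}"` tasks in roles/certbot/tasks/main.yml; rendering it outside that loop, or from a task that sets `loop_control: loop_var`, fails on an undefined `item`, and nothing in the file says so. A line after the `ansible_header` would record the contract: `# Rendered once per entry of the certbot list (loop var: item); see roles/certbot/tasks/main.yml`. The same applies to roles/certbot/templates/letsencrypt/rfc2136.ini.j2, which switches to `item.*` in the same way.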
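Review bot: The new file holds a fixed DH group with no indication of its origin; the blob appears to be the 2048-bit `ffdhe2048` group published in RFC 7919, but a reader cannot tell that from the file, nor that it is meant to be shared across hosts rather than generated per host. PEM readers (OpenSSL included) skip text before the `-----BEGIN` line, so a leading comment such as `# RFC 7919 ffdhe2048 (public, standardised group) - do not regenerate per host`, or the role's usual `{{ ansible_header | comment(decoration='# ') }}`, is safe to add. The file is named `.j2` but contains no Jinja, and nothing in this diff consumes `/etc/letsencrypt/dhparam`; if a TLS server configuration elsewhere is expected to reference it, that is worth stating in the "Add dhparam" task's `name`.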
--- a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
+++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
@@ -1,7 +1,7 @@
{{ ansible_header | comment(decoration='# ') }}
-dns_rfc2136_server = {{ certbot.dns_rfc2136_server }}
+dns_rfc2136_server = {{ item.dns_rfc2136_server }}
dns_rfc2136_port = 53
-dns_rfc2136_name = {{ certbot.dns_rfc2136_name }}
-dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }}
+dns_rfc2136_name = {{ item.dns_rfc2136_name }}
+dns_rfc2136_secret = {{ item.dns_rfc2136_secret }}
dns_rfc2136_algorithm = HMAC-SHA512