From 009e7b42cb665fc2c22882f4bad5d9996f7ce380 Mon Sep 17 00:00:00 2001
From: ynerant <ynerant@crans.org>
Date: Thu, 11 Feb 2021 17:35:31 +0100
Subject: [PATCH] [certbot] Generate multiple certificates (useful for adm)
Signed-off-by: ynerant <ynerant@crans.org>
---
group_vars/certbot.yml | 12 ++++++------
host_vars/gitzly.adm.crans.org.yml | 17 +++++++++++++----
host_vars/hodaur.adm.crans.org.yml | 7 ++++++-
plays/certbot.yml | 2 +-
plays/dovecot.yml | 4 ++--
plays/freeradius.yml | 2 +-
plays/gitlab.yml | 19 ++++++-------------
plays/postfix.yml | 11 ++++++-----
plays/reverse-proxy.yml | 2 +-
roles/certbot/tasks/main.yml | 17 +++++++++++++----
.../letsencrypt/conf.d/certname.ini.j2 | 10 +++++-----
.../certbot/templates/letsencrypt/dhparam.j2 | 8 ++++++++
.../templates/letsencrypt/rfc2136.ini.j2 | 6 +++---
13 files changed, 71 insertions(+), 46 deletions(-)
create mode 100644 roles/certbot/templates/letsencrypt/dhparam.j2
diff --git a/group_vars/certbot.yml b/group_vars/certbot.yml
index 3dd13db9..311e9ac8 100644
--- a/group_vars/certbot.yml
+++ b/group_vars/certbot.yml
@@ -1,8 +1,8 @@
 ---
 glob_certbot:
- dns_rfc2136_server: '172.16.10.147'
- dns_rfc2136_name: certbot_challenge.
- dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
- mail: root@crans.org
- certname: crans.org
- domains: "crans.org"
+ - dns_rfc2136_server: '172.16.10.147'
+ dns_rfc2136_name: certbot_challenge.
+ dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+ mail: root@crans.org
+ certname: crans.org
+ domains: "crans.org"
diff --git a/host_vars/gitzly.adm.crans.org.yml b/host_vars/gitzly.adm.crans.org.yml
index f7105157..f72209b3 100644
--- a/host_vars/gitzly.adm.crans.org.yml
+++ b/host_vars/gitzly.adm.crans.org.yml
@@ -4,7 +4,16 @@ interfaces:
 srv: ens19
 loc_certbot:
- dns_rfc2136_name: certbot_adm_challenge.
- dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}"
- certname: adm.crans.org
- domains: "*.adm.crans.org"
+ - dns_rfc2136_server: '172.16.10.147'
+ dns_rfc2136_name: certbot_challenge.
+ dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+ mail: root@crans.org
+ certname: crans.org
+ domains: "*.crans.org"
+
+ - dns_rfc2136_server: '172.16.10.147'
+ dns_rfc2136_name: certbot_adm_challenge.
+ dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}"
+ mail: root@crans.org
+ certname: adm.crans.org
+ domains: "*.adm.crans.org"
diff --git a/host_vars/hodaur.adm.crans.org.yml b/host_vars/hodaur.adm.crans.org.yml
index 2aa4c194..ddf97016 100644
--- a/host_vars/hodaur.adm.crans.org.yml
+++ b/host_vars/hodaur.adm.crans.org.yml
@@ -1,3 +1,8 @@
 ---
 loc_certbot:
- domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
+ - dns_rfc2136_server: '172.16.10.147'
+ dns_rfc2136_name: certbot_challenge.
+ dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+ mail: root@crans.org
+ certname: crans.org
+ domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
diff --git a/plays/certbot.yml b/plays/certbot.yml
index e1a97312..76bb969a 100755
--- a/plays/certbot.yml
+++ b/plays/certbot.yml
@@ -3,7 +3,7 @@
 # Deploy certbot for LE certificates
 - hosts: certbot
 vars:
- certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}'
+ certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
 mirror: '{{ glob_mirror.name }}'
 roles:
 - certbot
diff --git a/plays/dovecot.yml b/plays/dovecot.yml
index 13a70d7f..32e02ca4 100755
--- a/plays/dovecot.yml
+++ b/plays/dovecot.yml
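Review bot: The first list item added to gitzly's `loc_certbot` provisions a `*.crans.org` wildcard certificate and the zone-wide `vault_certbot_dns_secret` TSIG key on a host that, before this commit, only held the `certbot_adm_challenge.` credentials for `adm.crans.org`; a compromise of gitzly would then expose a certificate valid for every crans.org name plus a key able to write the challenge record of the main zone. If gitzly only serves names under `adm.crans.org`, the first item can be dropped; if it does need a public-zone certificate, narrowing `domains:` to the names this host actually serves instead of `"*.crans.org"` keeps the blast radius to that host. The same secret reference is restated in hodaur's `loc_certbot` in the next hunk, so rotation stays a single vault change, but the set of hosts holding the key grows with each copy and is worth keeping in an inventory note.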
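Review bot: `certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'` replaces the previous `combine` merge with an all-or-nothing choice, so a host-level `loc_certbot` no longer inherits `dns_rfc2136_server`, `mail` or the secret from `glob_certbot`, and every host entry must restate all six keys; hodaur's host_vars in this commit already shows the resulting duplication. A host still carrying the old mapping form, or an entry missing one key, only fails later at the role's `loop: "{{ certbot }}"` or inside a template, far from the variable that caused it. A comment above the line would keep the next override correct: `# loc_certbot replaces glob_certbot wholesale (no merge): each list entry must carry every key the certbot role reads`. The same expression is introduced in plays/dovecot.yml, plays/freeradius.yml, plays/gitlab.yml and plays/reverse-proxy.yml.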
@@ -3,9 +3,9 @@
 # Deploy dovecot server
 - hosts: dovecot
 vars:
- certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}'
+ certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
 ldap: '{{ glob_ldap | default({}) | combine(loc_ldap | default({})) }}'
 dovecot: '{{ glob_dovecot | default({}) | combine(loc_dovecot | default({})) }}'
 roles:
 - certbot
- - dovecot
\ No newline at end of file
+ - dovecot
diff --git a/plays/freeradius.yml b/plays/freeradius.yml
index 51d994e1..f356fe49 100755
--- a/plays/freeradius.yml
+++ b/plays/freeradius.yml
@@ -3,7 +3,7 @@
 # Deploy radius server
 - hosts: radius
 vars:
- certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}'
+ certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
 freeradius: '{{ glob_freeradius | default({}) | combine(loc_freeradius | default({})) }}'
 mirror: '{{ glob_mirror.name }}'
 roles:
diff --git a/plays/gitlab.yml b/plays/gitlab.yml
index 1e1b6410..9a47c8c5 100755
--- a/plays/gitlab.yml
+++ b/plays/gitlab.yml
@@ -6,16 +6,9 @@
 - docker
 - gitlab-runner
-# This seems strange, don't know if it still used
-# - hosts: gitzly.adm.crans.org
-# vars:
-# certbot:
-# dns_rfc2136_name: certbot_adm_challenge.
-# dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}"
-# mail: root@crans.org
-# certname: adm.crans.org
-# domains: "*.adm.crans.org"
-# bind:
-# masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
-# roles:
-# - certbot
+# Install Gitlab
+- hosts: git
+ vars:
+ certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
+ roles:
+ - certbot
diff --git a/plays/postfix.yml b/plays/postfix.yml
index 8f66e28b..37195fa6 100755
--- a/plays/postfix.yml
+++ b/plays/postfix.yml
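Review bot: The new `# Install Gitlab` comment in plays/gitlab.yml heads a play that only applies the `certbot` role to the `git` group; the play that installs gitlab is the one above this hunk (its start is outside the hunk), so the comment describes the wrong play. `# Obtain TLS certificates for the git hosts` would match what the play does. The commented-out block this replaces also set `bind: masters: ...` next to `certbot`, as plays/postfix.yml still does; whether the certbot role reads `bind.masters` cannot be confirmed from the hunks shown, and if it does this play needs that variable as well.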
@@ -4,11 +4,12 @@
 - hosts: sputnik.adm.crans.org, boeing.adm.crans.org, redisdead.adm.crans.org, titanic.adm.crans.org
 vars:
 certbot:
- dns_rfc2136_name: certbot_challenge.
- dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
- mail: root@crans.org
- certname: crans.org
- domains: "*.crans.org"
+ - dns_rfc2136_server: '172.16.10.147'
+ dns_rfc2136_name: certbot_challenge.
+ dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+ mail: root@crans.org
+ certname: crans.org
+ domains: "*.crans.org"
 bind:
 masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
 opendkim:
diff --git a/plays/reverse-proxy.yml b/plays/reverse-proxy.yml
index 0e25fc50..04c3fb38 100755
--- a/plays/reverse-proxy.yml
+++ b/plays/reverse-proxy.yml
@@ -2,7 +2,7 @@
 ---
 - hosts: reverseproxy
 vars:
- certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}'
+ certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
 mirror: '{{ glob_mirror.name }}'
 roles:
 - certbot
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index fbe6a6ae..812aff2c 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@@ -20,9 +20,16 @@
 - name: Add DNS credentials
 template:
 src: letsencrypt/rfc2136.ini.j2
- dest: /etc/letsencrypt/rfc2136.ini
+ dest: "/etc/letsencrypt/rfc2136.{{ item.certname }}.ini"
 mode: 0600
 owner: root
+ loop: "{{ certbot }}"
+
+- name: Add dhparam
+ template:
+ src: "letsencrypt/dhparam.j2"
+ dest: "/etc/letsencrypt/dhparam"
+ mode: 0644
 - name: Create /etc/letsencrypt/conf.d
 file:
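Review bot: `loop: "{{ certbot }}"` on the 'Add DNS credentials' task in roles/certbot/tasks/main.yml makes Ansible echo the whole loop item in each result line, and every item carries `dns_rfc2136_secret`, so the vaulted TSIG key is printed in clear in the play output and in anything that collects it; add `loop_control:` / `  label: "{{ item.certname }}"` to this task and to the two loops added in the next hunk of this file, or `no_log: true` on this one, since a `--diff` run would also print the rendered credentials file. The new 'Add dhparam' task installs a fixed group; the PEM in roles/certbot/templates/letsencrypt/dhparam.j2 looks like the RFC 7919 ffdhe2048 group, which is a sound public choice, so a comment above the task stating that prevents it from being mistaken for a secret or replaced with a locally generated one: `# Static RFC 7919 ffdhe2048 group: public, shared by all hosts, not generated per host`. Quoting the new `mode: '0644'` avoids the octal ambiguity Ansible documents for unquoted leading-zero modes.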
@@ -32,8 +39,10 @@
 - name: Add Certbot configuration
 template:
 src: "letsencrypt/conf.d/certname.ini.j2"
- dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
+ dest: "/etc/letsencrypt/conf.d/{{ item.certname }}.ini"
 mode: 0644
+ loop: "{{ certbot }}"
-- name: Run certbot
- command: certbot --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly
+- name: Run certbot
+ command: certbot --non-interactive --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
+ loop: "{{ certbot }}"
diff --git a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
index cbf247b4..1fc1a19b 100644
--- a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
+++ b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
@@ -1,7 +1,7 @@
 {{ ansible_header | comment(decoration='# ') }}
 # To generate the certificate, please use the following command
-# certbot --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly
+# certbot --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
 # Use a 4096 bit RSA key instead of 2048
 rsa-key-size = 4096
@@ -10,7 +10,7 @@ rsa-key-size = 4096
 # server = https://acme-staging.api.letsencrypt.org/directory
 # Uncomment and update to register with the specified e-mail address
-email = {{ certbot.mail }}
+email = {{ item.mail }}
 # Uncomment to use a text interface instead of ncurses
 text = True
@@ -20,9 +20,9 @@ agree-tos = True
 # Use DNS-01 challenge
 authenticator = dns-rfc2136
-dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.ini
+dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.{{ item.certname }}.ini
 dns-rfc2136-propagation-seconds = 30
 # Wildcard the domain
-cert-name = {{ certbot.certname }}
-domains = {{ certbot.domains }}
+cert-name = {{ item.certname }}
+domains = {{ item.domains }}
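Review bot: The 'Run certbot' task is a bare `command:` in a loop, so every play run reports one `changed` per certificate even when certbot only answers that the certificate is not yet due for renewal, which hides real issuances in the recap; register the result and derive the state, e.g. `register: certbot_run` / `changed_when: "'not yet due for renewal' not in certbot_run.stdout"` (confirm the phrase against the installed certbot version). Separately, every file written by the three loops is keyed on `item.certname` alone, so two list entries sharing a certname would silently overwrite each other's credentials and config and the last one would be issued twice; a guard before the loops makes that a visible failure instead.
```yaml
- name: Check that certnames are unique
  assert:
    that: certbot | map(attribute='certname') | list | unique | list | length == certbot | length
    fail_msg: "certbot entries must have distinct certname values"
# … unchanged: Add Certbot configuration / Run certbot tasks …
```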
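Review bot: roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2, like roles/certbot/templates/letsencrypt/rfc2136.ini.j2 in the last hunk, now reads the bare loop variable `item`, so the template renders only when invoked from a `loop` and nothing in the file says which fields the caller must supply. Setting `loop_control: loop_var: cert` in the tasks and referencing `cert.certname` here would name the input; failing that, a header comment should state the contract, e.g. `{# Rendered once per entry of the certbot list; item is the loop variable set in roles/certbot/tasks/main.yml and must carry certname, mail and domains #}`. Jinja strips `{# #}` comments, so nothing reaches the generated ini.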
diff --git a/roles/certbot/templates/letsencrypt/dhparam.j2 b/roles/certbot/templates/letsencrypt/dhparam.j2
new file mode 100644
index 00000000..9b182b72
--- /dev/null
+++ b/roles/certbot/templates/letsencrypt/dhparam.j2
@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----
diff --git a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
index 140283cb..0fb2a8d9 100644
--- a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
+++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
@@ -1,7 +1,7 @@
 {{ ansible_header | comment(decoration='# ') }}
-dns_rfc2136_server = {{ certbot.dns_rfc2136_server }}
+dns_rfc2136_server = {{ item.dns_rfc2136_server }}
 dns_rfc2136_port = 53
-dns_rfc2136_name = {{ certbot.dns_rfc2136_name }}
-dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }}
+dns_rfc2136_name = {{ item.dns_rfc2136_name }}
+dns_rfc2136_secret = {{ item.dns_rfc2136_secret }}
 dns_rfc2136_algorithm = HMAC-SHA512
-- 
GitLab