From d25eb9382f815697d6b46b812b70c46915b92666 Mon Sep 17 00:00:00 2001
From: shirenn <shirenn@crans.org>
Date: Tue, 16 Nov 2021 23:24:23 +0100
Subject: [PATCH] [certbot] Much things
---
 group_vars/certbot.yml | 23 ++++++++++---
 group_vars/radius.yml | 5 +--
 group_vars/reverseproxy.yml | 32 ++++++++++++++++---
 host_vars/gitzly.adm.crans.org.yml | 30 +++++++++++------
 host_vars/redisdead.adm.crans.org.yml | 23 +++++++++++++
 host_vars/rodauh.cachan-adm.crans.org.yml | 5 +--
 host_vars/sputnik.adm.crans.org.yml | 29 ++++++++++++-----
 hosts | 1 +
 plays/certbot.yml | 6 ++--
 roles/certbot/tasks/main.yml | 18 ----------
 .../letsencrypt/conf.d/certname.ini.j2 | 8 +++--
 .../templates/letsencrypt/rfc2136.ini.j2 | 7 ----
 12 files changed, 123 insertions(+), 64 deletions(-)
 delete mode 100644 roles/certbot/templates/letsencrypt/rfc2136.ini.j2
diff --git a/group_vars/certbot.yml b/group_vars/certbot.yml
index 7540ee94..2ec065c3 100644
--- a/group_vars/certbot.yml
+++ b/group_vars/certbot.yml
@@ -1,8 +1,23 @@
 ---
 glob_certbot:
- - dns_rfc2136_server: '172.16.10.147'
- dns_rfc2136_name: certbot_challenge.
- dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
- mail: root@crans.org
+ - mail: root@crans.org
 certname: crans.org
 domains: "*.crans.org"
+
+glob_service_certbot:
+ name: certbot
+ install_dir: /var/local/services/certbot
+ dependencies:
+ - python3-dnspython
+ git:
+ remote: https://gitlab.adm.crans.org/nounous/certbot
+ version: main
+ config:
+ "crans.org":
+ zone: _acme-challenge.crans.org
+ server: 172.16.10.147
+ port: 53
+ key:
+ name: certbot_challenge.
+ secret: "{{ vault.certbot_dns_secret }}"
+ algorithm: HMAC-SHA512
diff --git a/group_vars/radius.yml b/group_vars/radius.yml
index b68111f2..e2add971 100644
--- a/group_vars/radius.yml
+++ b/group_vars/radius.yml
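Review bot: `version: main` in `glob_service_certbot.git` pins the hook repository to a moving branch, and the scripts checked out into `install_dir` are what certbot executes during renewal (the `manual-auth-hook` paths in `certname.ini.j2` point into `/var/local/services/certbot`), presumably as root from the renewal timer, so anyone who can push to `nounous/certbot` effectively gets code execution on every certbot host. I would pin `version:` to a tag or a commit hash and bump it deliberately, and confirm that the `service` role (not visible here) leaves the checkout owned by root and not group- or world-writable. The single `certbot_challenge.` TSIG key is now rendered into the service config on every host that falls back to these group vars; presumably the DNS server restricts that key to `_acme-challenge` names via an update-policy, which is worth confirming, since otherwise each host holds a key that can rewrite the whole `crans.org` zone.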
@@ -19,9 +19,6 @@ glob_freeradius:
 server: radius-wifi
 loc_certbot:
- - dns_rfc2136_server: '172.16.10.147'
- dns_rfc2136_name: certbot_challenge.
- dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
- mail: root@crans.org
+ - mail: root@crans.org
 certname: crans.org
 domains: "crans.org"
diff --git a/group_vars/reverseproxy.yml b/group_vars/reverseproxy.yml
index 1ab0f6ed..1a9c85d5 100644
--- a/group_vars/reverseproxy.yml
+++ b/group_vars/reverseproxy.yml
@@ -1,11 +1,35 @@
 loc_certbot:
- - dns_rfc2136_server: '172.16.10.147'
- dns_rfc2136_name: certbot_challenge.
- dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
- mail: root@crans.org
+ - mail: root@crans.org
 certname: crans.org
 domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
+loc_service_certbot:
+ config:
+ "crans.org":
+ zone: _acme-challenge.crans.org
+ server: 172.16.10.147
+ port: 53
+ key:
+ name: certbot_challenge.
+ secret: "{{ vault.certbot_dns_secret }}"
+ algorithm: HMAC-SHA512
+ "crans.eu":
+ zone: _acme-challenge.crans.org
+ server: 172.16.10.147
+ port: 53
+ key:
+ name: certbot_challenge.
+ secret: "{{ vault.certbot_dns_secret }}"
+ algorithm: HMAC-SHA512
+ "crans.fr":
+ zone: _acme-challenge.crans.org
+ server: 172.16.10.147
+ port: 53
+ key:
+ name: certbot_challenge.
+ secret: "{{ vault.certbot_dns_secret }}"
+ algorithm: HMAC-SHA512
+
 loc_nginx:
 servers: []
 ssl:
diff --git a/host_vars/gitzly.adm.crans.org.yml b/host_vars/gitzly.adm.crans.org.yml
index ef63b728..b7a62d71 100644
--- a/host_vars/gitzly.adm.crans.org.yml
+++ b/host_vars/gitzly.adm.crans.org.yml
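Review bot: The `crans.eu` and `crans.fr` entries of `loc_service_certbot` both carry `zone: _acme-challenge.crans.org`, which reads like a copy-paste of the `crans.org` entry; unless `_acme-challenge.crans.eu` and `_acme-challenge.crans.fr` are CNAMEs into `crans.org` on the DNS side (not visible here), the hook will put the challenge TXT record under the wrong name and validation of `*.crans.fr` and `*.crans.eu` will fail while the `crans.org` names keep working. I would change them to `zone: _acme-challenge.crans.eu` and `zone: _acme-challenge.crans.fr` respectively, or, if the delegation is intentional, add a comment above the block saying so, since a future reader will otherwise "fix" it.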
@@ -4,20 +4,32 @@ interfaces:
 srv: ens19
 loc_certbot:
- - dns_rfc2136_server: '172.16.10.147'
- dns_rfc2136_name: certbot_challenge.
- dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
- mail: root@crans.org
+ - mail: root@crans.org
 certname: crans.org
 domains: "*.crans.org"
-
- - dns_rfc2136_server: '172.16.10.147'
- dns_rfc2136_name: certbot_adm_challenge.
- dns_rfc2136_secret: "{{ vault.certbot_adm_dns_secret }}"
- mail: root@crans.org
+ - mail: root@crans.org
 certname: adm.crans.org
 domains: "*.adm.crans.org"
+loc_service_certbot:
+ config:
+ "crans.org":
+ zone: _acme-challenge.crans.org
+ server: 172.16.10.147
+ port: 53
+ key:
+ name: certbot_challenge.
+ secret: "{{ vault.certbot_dns_secret }}"
+ algorithm: HMAC-SHA512
+ "adm.crans.org":
+ zone: _acme-challenge.adm.crans.org
+ server: 172.16.10.147
+ port: 53
+ key:
+ name: certbot_adm_challenge.
+ secret: "{{ vault.certbot_adm_dns_secret }}"
+ algorithm: HMAC-SHA512
+
 loc_nginx:
 ssl:
 - name: adm.crans.org
diff --git a/host_vars/redisdead.adm.crans.org.yml b/host_vars/redisdead.adm.crans.org.yml
index 1674deb2..ffb8ec04 100644
--- a/host_vars/redisdead.adm.crans.org.yml
+++ b/host_vars/redisdead.adm.crans.org.yml
@@ -10,3 +10,26 @@ postfix:
 dkim: true
 titanic: false
+loc_certbot:
+ - mail: root@crans.org
+ certname: crans.org
+ domains: "*.adm.crans.org, *.crans.org"
+
+loc_service_certbot:
+ config:
+ "crans.org":
+ zone: _acme-challenge.crans.org
+ server: 172.16.10.147
+ port: 53
+ key:
+ name: certbot_challenge.
+ secret: "{{ vault.certbot_dns_secret }}"
+ algorithm: HMAC-SHA512
+ "adm.crans.org":
+ zone: _acme-challenge.adm.crans.org
+ server: 172.16.10.147
+ port: 53
+ key:
+ name: certbot_adm_challenge.
+ secret: "{{ vault.certbot_adm_dns_secret }}"
+ algorithm: HMAC-SHA512
diff --git a/host_vars/rodauh.cachan-adm.crans.org.yml b/host_vars/rodauh.cachan-adm.crans.org.yml
index 9d8fb425..5bcdded4 100644
--- a/host_vars/rodauh.cachan-adm.crans.org.yml
+++ b/host_vars/rodauh.cachan-adm.crans.org.yml
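Review bot: The new `loc_certbot` on redisdead requests a single certificate named `crans.org` that covers both `*.adm.crans.org` and `*.crans.org`, and `loc_service_certbot` consequently ships both the `certbot_challenge.` and `certbot_adm_challenge.` TSIG secrets to this host. If the mail host only serves names under one of the two zones, I would narrow `domains:` to those names and drop the other zone's key, so that a compromise of redisdead cannot be turned into certificates for the adm zone as well. If both wildcards are genuinely needed here, a one-line comment above `loc_certbot:` naming the services that consume them would keep the next reader from removing the second key as dead configuration.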
@@ -4,10 +4,7 @@ interfaces:
 cachan_srv: ens19
 loc_certbot:
- - dns_rfc2136_server: '185.230.79.9'
- dns_rfc2136_name: certbot_challenge.
- dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
- mail: root@crans.org
+ - mail: root@crans.org
 certname: crans.org
 domains: "crans.org, *.crans.org, crans.fr, *.crans.fr, crans.eu, *.crans.eu"
diff --git a/host_vars/sputnik.adm.crans.org.yml b/host_vars/sputnik.adm.crans.org.yml
index fecb1cc3..06a65091 100644
--- a/host_vars/sputnik.adm.crans.org.yml
+++ b/host_vars/sputnik.adm.crans.org.yml
@@ -33,19 +33,32 @@ loc_moinmoin:
 main: false
 loc_certbot:
- - dns_rfc2136_server: '172.16.10.147'
- dns_rfc2136_name: certbot_adm_challenge.
- dns_rfc2136_secret: "{{ vault.certbot_adm_dns_secret }}"
- mail: root@crans.org
+ - mail: root@crans.org
 certname: adm.crans.org
 domains: "*.adm.crans.org"
- - dns_rfc2136_server: '172.16.10.147'
- dns_rfc2136_name: certbot_challenge.
- dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
- mail: root@crans.org
+ - mail: root@crans.org
 certname: crans.org
 domains: "*.crans.org"
+loc_service_certbot:
+ config:
+ "crans.org":
+ zone: _acme-challenge.crans.org
+ server: 172.16.10.147
+ port: 53
+ key:
+ name: certbot_challenge.
+ secret: "{{ vault.certbot_dns_secret }}"
+ algorithm: HMAC-SHA512
+ "adm.crans.org":
+ zone: _acme-challenge.adm.crans.org
+ server: 172.16.10.147
+ port: 53
+ key:
+ name: certbot_adm_challenge.
+ secret: "{{ vault.certbot_adm_dns_secret }}"
+ algorithm: HMAC-SHA512
+
 loc_nginx:
 service_name: wiki
 ssl:
diff --git a/hosts b/hosts
index 79952599..e33a34ee 100644
--- a/hosts
+++ b/hosts
@@ -38,6 +38,7 @@ galene
 gitlab
 jitsi
 mailman
+postfix
 radius # We use certbot to manage LE certificates
 reverseproxy
 thelounge
diff --git a/plays/certbot.yml b/plays/certbot.yml
index 76bb969a..f6b4de37 100755
--- a/plays/certbot.yml
+++ b/plays/certbot.yml
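Review bot: rodauh's `domains:` still lists `crans.fr`, `*.crans.fr`, `crans.eu` and `*.crans.eu`, but this host_vars file defines no `loc_service_certbot`, so the play's `service` var falls back to `glob_service_certbot`, whose `config:` only has a `crans.org` entry and whose only `server:` is `172.16.10.147`, while the block being removed deliberately pointed this cachan host at `185.230.79.9`. Unless `authenticator.py` (not visible here) can derive the zone and server for the `.fr`/`.eu` names by itself and `172.16.10.147` is reachable from the cachan network, certificate renewal on rodauh will start failing once this is applied. I would add a `loc_service_certbot:` block to this file with the three zone entries, in the shape used in `group_vars/reverseproxy.yml`, with `server:` set to the address rodauh can actually reach, and a comment recording why this host differs from the group default.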
@@ -1,9 +1,9 @@
 #!/usr/bin/env ansible-playbook
 ---
-# Deploy certbot for LE certificates
-- hosts: certbot
+- hosts: certbot !zamok.adm.crans.org
 vars:
+ service: "{{ glob_service_certbot | default({}) | combine(loc_service_certbot | default({})) }}"
 certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
- mirror: '{{ glob_mirror.name }}'
 roles:
+ - service
 - certbot
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index eb50fc02..e764ee44 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@@ -4,20 +4,11 @@
 update_cache: true
 name:
 - certbot
- - python3-certbot-dns-rfc2136
 state: present
 register: apt_result
 retries: 3
 until: apt_result is succeeded
-- name: Add DNS credentials
- template:
- src: letsencrypt/rfc2136.ini.j2
- dest: "/etc/letsencrypt/rfc2136.{{ item.certname }}.ini"
- mode: 0600
- owner: root
- loop: "{{ certbot }}"
-
 - name: Add dhparam
 template:
 src: "letsencrypt/dhparam.j2"
@@ -41,12 +32,3 @@
 register: certbot_output
 changed_when: not "Certificate not yet due for renewal" in certbot_output.stdout
 loop: "{{ certbot }}"
-
-- name: Clean old files
- file:
- path: "{{ item }}"
- state: absent
- loop:
- - "/etc/letsencrypt/options-ssl-nginx.conf"
- - "/etc/letsencrypt/ssl-dhparams.pem"
- - "/etc/letsencrypt/rfc2136.ini"
diff --git a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
index 1fc1a19b..66104e1c 100644
--- a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
+++ b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
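Review bot: `hosts: certbot !zamok.adm.crans.org` excludes zamok from the play without recording why, and the removed `# Deploy certbot for LE certificates` line was the only description the play had; while it is excluded, zamok keeps whatever certbot configuration and `rfc2136.*.ini` credential files it already has, unmanaged and unrotated. I would restore a header comment that states the exclusion and its reason, e.g. `# Deploy certbot for LE certificates; zamok is excluded until it is migrated to the service-based DNS hooks`, and write the pattern in the colon form documented by Ansible, `- hosts: certbot:!zamok.adm.crans.org`, so the intent is unambiguous to readers and to tooling.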
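Review bot: The `Add DNS credentials` task is removed, but the `/etc/letsencrypt/rfc2136.<certname>.ini` files it wrote, each holding a TSIG secret in cleartext with the ability to update the zone, remain on every already-deployed host, and the `Clean old files` task in the second hunk that could have removed them is deleted rather than extended. I would keep a cleanup task that removes the legacy credential file for each certname, and in the first hunk set `python3-certbot-dns-rfc2136` to `state: absent` in its own apt task instead of merely dropping it from the install list, since nothing in the new configuration uses the plugin. Both hunks are inside the role's task list, which begins and ends outside the lines shown here.
```yaml
# … unchanged: certbot invocation loop …

- name: Remove legacy rfc2136 credentials
  file:
    path: "/etc/letsencrypt/rfc2136.{{ item.certname }}.ini"
    state: absent
  loop: "{{ certbot }}"
```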
@@ -19,9 +19,11 @@ text = True
 agree-tos = True
 # Use DNS-01 challenge
-authenticator = dns-rfc2136
-dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.{{ item.certname }}.ini
-dns-rfc2136-propagation-seconds = 30
+authenticator = manual
+manual-auth-hook = /var/local/services/certbot/authenticator.py
+manual-cleanup-hook = /var/local/services/certbot/cleanup.py
+preferred-challenges = dns-01,
+manual-public-ip-logging-ok = True
 # Wildcard the domain
 cert-name = {{ item.certname }}
diff --git a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
deleted file mode 100644
index 0fb2a8d9..00000000
--- a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
+++ /dev/null
@@ -1,7 +0,0 @@
-{{ ansible_header | comment(decoration='# ') }}
-
-dns_rfc2136_server = {{ item.dns_rfc2136_server }}
-dns_rfc2136_port = 53
-dns_rfc2136_name = {{ item.dns_rfc2136_name }}
-dns_rfc2136_secret = {{ item.dns_rfc2136_secret }}
-dns_rfc2136_algorithm = HMAC-SHA512
-- GitLab
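Review bot: The new `manual-auth-hook` and `manual-cleanup-hook` are executed by certbot during renewal, presumably as root, from a git checkout under `/var/local/services/certbot`, and nothing here replaces the removed `dns-rfc2136-propagation-seconds = 30`, so waiting for the TXT record to propagate is now entirely the hook's job; that deserves a comment next to the hook lines, e.g. `# Hooks come from the certbot service checkout and must wait for DNS propagation themselves`. `manual-public-ip-logging-ok = True` is deprecated in recent certbot releases (it became a no-op that only emits a warning), so it can be dropped once the packaged certbot on these hosts is new enough. The trailing comma in `preferred-challenges = dns-01,` reads like a typo and, depending on the certbot version, may be rejected as an empty challenge name; `preferred-challenges = dns-01` is unambiguous, and if the comma is intentional a comment should say why.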