From d45fff917662a0d0ac50137ffbf0100504eb0dd9 Mon Sep 17 00:00:00 2001
From: Maxime Bombar <bombar@crans.org>
Date: Mon, 12 Oct 2020 18:33:29 +0200
Subject: [PATCH] [Certbot] Praise new infra

---
 group_vars/certbot.yml                             |  8 ++++++++
 host_vars/gitzly.adm.crans.org.yml                 | 10 ++++++++++
 hosts                                              |  7 +++++++
 plays/certbot.yml                                  |  9 +++++++++
 plays/freeradius.yml                               |  2 ++
 radius.yml                                         |  7 +------
 roles/certbot/templates/letsencrypt/rfc2136.ini.j2 |  2 +-
 7 files changed, 38 insertions(+), 7 deletions(-)
 create mode 100644 group_vars/certbot.yml
 create mode 100644 host_vars/gitzly.adm.crans.org.yml
 create mode 100755 plays/certbot.yml

diff --git a/group_vars/certbot.yml b/group_vars/certbot.yml
new file mode 100644
index 00000000..3dd13db9
--- /dev/null
+++ b/group_vars/certbot.yml
@@ -0,0 +1,8 @@
+---
+glob_certbot:
+  dns_rfc2136_server: '172.16.10.147'
+  dns_rfc2136_name: certbot_challenge.
+  dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+  mail: root@crans.org
+  certname: crans.org
+  domains: "crans.org"
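Review bot: `dns_rfc2136_server` is now a bare IP literal at `+  dns_rfc2136_server: '172.16.10.147'`, whereas the template used to derive it from `dns_masters_ipv4 | first`, so nothing in the repository ties this address to the DNS master it has to reach, and moving that master will silently break renewals on every host inheriting `glob_certbot`. If the lookup cannot be kept, at least record what the value is with a comment above the line, e.g. `# Authoritative DNS master accepting RFC 2136 dynamic updates (replaces dns_masters_ipv4 | first)`. The TSIG secret correctly stays in the vault variable and stays quoted, which also protects it from being retyped by the YAML parser.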
diff --git a/host_vars/gitzly.adm.crans.org.yml b/host_vars/gitzly.adm.crans.org.yml
new file mode 100644
index 00000000..f7105157
--- /dev/null
+++ b/host_vars/gitzly.adm.crans.org.yml
@@ -0,0 +1,10 @@
+---
+interfaces:
+  adm: ens18
+  srv: ens19
+
+loc_certbot:
+  dns_rfc2136_name: certbot_adm_challenge.
+  dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}"
+  certname: adm.crans.org
+  domains: "*.adm.crans.org"
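Review bot: The `loc_certbot` block requests a wildcard certificate with `+  domains: "*.adm.crans.org"` using its own TSIG key `certbot_adm_challenge.`, but nothing in the patch shows how that key is scoped on the DNS master; with RFC 2136 the key should be limited by `update-policy` to TXT records at `_acme-challenge.adm.crans.org` so that a compromise of gitzly cannot rewrite other records in the zone. Note also that `*.adm.crans.org` does not cover the apex `adm.crans.org` named in `certname`; if the apex is needed on this host, add it to `domains`. `dns_rfc2136_server` and `mail` are inherited from `glob_certbot` through the `combine` in plays/certbot.yml, which appears intended but is worth a short comment here, e.g. `# server and mail come from group_vars/certbot.yml`.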
diff --git a/hosts b/hosts
index 5b02b4d4..3d884340 100644
--- a/hosts
+++ b/hosts
@@ -23,6 +23,12 @@
 # [test_vm]
 # re2o-test.adm.crans.org
 
+[certbot]
+gitzly.adm.crans.org
+
+[certbot:children]
+radius  # We use certbot to manage LE certificates
+
 [nginx_rtmp]
 fluxx.adm.crans.org
 
@@ -88,6 +94,7 @@ routeur-daniel.adm.crans.org
 belenios # on changera plus tard
 re2o-ldap.adm.crans.org
 gitlab-ci.adm.crans.org
+gitzly.adm.crans.org
 hodaur.adm.crans.org
 monitoring.adm.crans.org
 boeing.adm.crans.org
diff --git a/plays/certbot.yml b/plays/certbot.yml
new file mode 100755
index 00000000..025db3ce
--- /dev/null
+++ b/plays/certbot.yml
@@ -0,0 +1,9 @@
+#!/usr/bin/env ansible-playbook
+---
+# Deploy certbot for LE certificates
+- hosts: certbot
+  vars:
+    certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}'
+    mirror: '{{ glob_mirror }}'
+  roles:
+    - certbot
diff --git a/plays/freeradius.yml b/plays/freeradius.yml
index f2c4e3d7..37296a21 100755
--- a/plays/freeradius.yml
+++ b/plays/freeradius.yml
@@ -3,7 +3,9 @@
 # Deploy radius server
 - hosts: radius
   vars:
+    certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}'
     freeradius: '{{ glob_freeradius | default({}) | combine(loc_freeradius | default({})) }}'
     mirror: '{{ glob_mirror }}'
   roles:
+    - certbot
     - freeradius
diff --git a/radius.yml b/radius.yml
index 2727fa78..a26e3549 100755
--- a/radius.yml
+++ b/radius.yml
@@ -2,12 +2,7 @@
 ---
 - hosts: eap.adm.crans.org, odlyd.adm.crans.org, radius.adm.crans.org
   vars:
-    certbot:
-      dns_rfc2136_name: certbot_challenge.
-      dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
-      mail: root@crans.org
-      certname: crans.org
-      domains: "crans.org"
+    certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}'
     bind:
       masters: "{{ lookup('re2oapi', 'get_role', 'dns-authoritary-master')[0] }}"
   roles:
diff --git a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
index a41a547d..140283cb 100644
--- a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
+++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
@@ -1,6 +1,6 @@
 {{ ansible_header | comment(decoration='# ') }}
 
-dns_rfc2136_server = {{ dns_masters_ipv4 | first }}
+dns_rfc2136_server = {{ certbot.dns_rfc2136_server }}
 dns_rfc2136_port = 53
 dns_rfc2136_name = {{ certbot.dns_rfc2136_name }}
 dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }}
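Review bot: The rendered file holds the plaintext TSIG secret on the `dns_rfc2136_secret = {{ certbot.dns_rfc2136_secret }}` line; the task that writes this template is outside the patch, so confirm it sets root ownership and `mode: '0600'`, since certbot's rfc2136 plugin only warns about unsafe permissions rather than refusing the file. If the file contains no `dns_rfc2136_algorithm` line beyond the six lines shown, the plugin falls back to HMAC-MD5; adding `dns_rfc2136_algorithm = HMAC-SHA512` and generating the TSIG keys with that algorithm is the safer default. The switch to `{{ certbot.dns_rfc2136_server }}` also makes that key mandatory for every consumer of the role, which is fine as long as each one inherits `glob_certbot` via the `certbot` inventory group.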
-- 
GitLab