wip

4443831a · Lukas Koenen · efd2c3e0 · 4443831a · 4443831a · 4443831a
Commit 4443831a authored 2 years ago by Lukas Koenen
--- a/README.md
+++ b/README.md
@@ -7,14 +7,25 @@ Role Variables
 --------------

 ```yaml
+---
 # certbot settings
+certbot_dns_challenge: false                                                          # default use webserver, true to obtain certificate using dns challenge
+certbot_dns_provider: "designate"                                                     # list of available providers https://go-acme.github.io/lego/dns/
+dns_provider_auth_env_variables:                                                      # variables required to authenticate dns provider
+  OS_AUTH_URL: "https://openstack.example.org"
+  OS_REGION_NAME: "RegionOne"
+  OS_AUTH_TYP: "v3applicationcredential"                                              # default is to use application credential rather than password
+  OS_APPLICATION_CREDENTIAL_ID: "{{ vault_os_application_credential_id }}"
+  OS_APPLICATION_CREDENTIAL_SECRET: "{{ vault_os_application_credential_secret }}"
+
+
 certbot_fqdn:
  - example.de
 certbot_admin_email: "admin@example.de"
-# certbot_webroot: "/var/www/example"                          # if undefined use --standalone
+# certbot_webroot: "/var/www/example"                                                 # if undefined use --standalone

 # application settings
-# certbot_application: "example"                               # if defined copy certs to application dir and setup deploy hooks
+# certbot_application: "example"                                                      # if defined copy certs to application dir and setup deploy hooks
 certbot_application_dir: "/etc/{{ certbot_application }}"
 certbot_application_deploy_hook: |
  #!/bin/sh

--- a/defaults/main.yml
+++ b/defaults/main.yml
 ---
 # certbot settings
+certbot_dns_challenge: false                                                          # default use webserver, true to obtain certificate using dns challenge
+certbot_lego_version: "4.11.0"                                                        # lego version - Let's Encrypt client
+certbot_dns_provider: "designate"                                                     # list of available providers https://go-acme.github.io/lego/dns/
+dns_provider_auth_env_variables:                                                      # variables required to authenticate dns provider
+  OS_AUTH_URL: "https://openstack.example.org"
+  OS_REGION_NAME: "RegionOne"
+  OS_AUTH_TYP: "v3applicationcredential"                                              # default is to use application credential rather than password
+  OS_APPLICATION_CREDENTIAL_ID: "{{ vault_os_application_credential_id }}"
+  OS_APPLICATION_CREDENTIAL_SECRET: "{{ vault_os_application_credential_secret }}"
+
+
 certbot_fqdn:
  - example.de
 certbot_admin_email: "admin@example.de"
-# certbot_webroot: "/var/www/example"                          # if undefined use --standalone
+# certbot_webroot: "/var/www/example"                                                 # if undefined use --standalone

 # application settings
-# certbot_application: "example"                               # if defined copy certs to application dir and setup deploy hooks
+# certbot_application: "example"                                                      # if defined copy certs to application dir and setup deploy hooks
 certbot_application_dir: "/etc/{{ certbot_application }}"
 certbot_application_deploy_hook: |
  #!/bin/sh

--- a/tasks/CentOS-packages.yml
+++ b/tasks/CentOS-packages.yml
--- a/tasks/CentOS-timer.yml
+++ b/tasks/CentOS-timer.yml
--- a/tasks/Debian-packages.yml
+++ b/tasks/Debian-packages.yml
--- a/tasks/Debian-timer.yml
+++ b/tasks/Debian-timer.yml
--- a/tasks/Fedora-packages.yml
+++ b/tasks/Fedora-packages.yml
--- a/tasks/Fedora-timer.yml
+++ b/tasks/Fedora-timer.yml
--- a/tasks/Ubuntu-packages.yml
+++ b/tasks/Ubuntu-packages.yml
--- a/tasks/Ubuntu-timer.yml
+++ b/tasks/Ubuntu-timer.yml
--- a/tasks/dns-challenge.yml
+++ b/tasks/dns-challenge.yml
+- name: Fetch Binary
+  ansible.builtin.get_url:
+    url: "https://github.com/go-acme/lego/releases/download/v{{ certbot_lego_version }}/lego_v{{ certbot_lego_version }}_linux_amd64.tar.gz"
+    dest: "/tmp/lego_v{{ certbot_lego_version }}_linux_amd64.tar.gz"
+    mode: "0644"
+
+- name: Unpack Archive
+  ansible.builtin.unarchive:
+    src: "/tmp/lego_v{{ certbot_lego_version }}_linux_amd64.tar.gz"
+    dest: "/tmp"
+    remote_src: true
+
+- name: Copy Binary
+  ansible.builtin.copy:
+    src: /tmp/lego
+    dest: /usr/bin/lego
+    owner: root
+    group: root
+    mode: '0755'
+    remote_src: true
+  become: true
+
+- name: Check Whether Cert Exists
+  ansible.builtin.stat:
+    path: "{{ certbot_live_dir }}/fullchain.pem"
+  register: lecert
+  become: true
+
+- name: Ensure Deploy Hook Dir Exists
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0755"
+    owner: root
+    group: root
+  loop:
+    - /etc/letsencrypt/renewal-hooks
+    - /etc/letsencrypt/renewal-hooks/deploy
+  become: true
+
+- name: Request Cert If Necessary - DNS Challenge
+  block:
+    - name: Request Cert
+      ansible.builtin.command: >-
+        lego -a --dns {{ certbot_dns_provider }}
+        --email {{ certbot_admin_email }} -d {{ lego_dflag }}
+        --path {{ certbot_live_dir }}
+        run
+      environment: "{{ dns_provider_auth_env_variables }}"
+      register: lego
+      changed_when: lego.rc == 0
+
+    - name: Mirror Letsencrypt Structure
+      ansible.builtin.copy:
+        src: "{{ item.src }}"
+        dest: "{{ item.dest }}"
+        owner: root
+        group: root
+        mode: '0600'
+        remote_src: true
+      loop:
+        - { src: "{{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.crt", dest: "{{ certbot_live_dir }}/fullchain.pem" }
+        - { src: "{{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.key", dest: "{{ certbot_live_dir }}/privkey.pem" }
+
+  when: not lecert.stat.exists
+  become: true
+
+- name: Render Systemd Files
+  block:
+    - name: Render Systemd Environment File
+      ansible.builtin.template:
+        src: templates/dns-challenge.env.j2
+        dest: /etc/default/dns-challenge.env
+        mode: "0644"
+
+    - name: Render Systemd Service File
+      ansible.builtin.template:
+        src: templates/dns-challenge.service.j2
+        dest: /lib/systemd/system/dns-challenge.service
+        mode: "0644"
+
+    - name: Render Systemd Timer File
+      ansible.builtin.template:
+        src: templates/dns-challenge.timer.j2
+        dest: /lib/systemd/system/dns-challenge.timer
+        mode: "0644"
+  
+  become: true
+
+- name: Setup Certbot With Application
+  ansible.builtin.include_tasks: "application.yml"
+  when: certbot_application is defined
+
+- name: Enable LEGO Renew Timer
+  ansible.builtin.systemd:
+    name: dns-challenge.timer
+    state: started
+    enabled: true
+  become: true
--- a/tasks/main.yml
+++ b/tasks/main.yml
 ---
-# TODO:
-#   - dns challenge
+- name: Obtain Cert Using Web Server
+  ansible.builtin.include_tasks: "webserver.yml"
+  when: not certbot_dns_challenge

- name: Install Packages Based On Distribution
-  ansible.builtin.include_tasks: "{{ ansible_facts.distribution }}-packages.yml"
-
- name: Check Whether Cert Exists
-  ansible.builtin.stat:
-    path: "{{ certbot_live_dir }}/cert.pem"
-  register: lecert
-  become: true
-
- name: Ensure Deploy Hook Dir Exists
-  ansible.builtin.file:
-    path: "{{ item }}"
-    state: directory
-    mode: "0755"
-    owner: root
-    group: root
-  loop:
-    - /etc/letsencrypt/renewal-hooks
-    - /etc/letsencrypt/renewal-hooks/deploy
-  become: true
-
- name: Request Cert If Necessary - Standalone
-  ansible.builtin.command: >-
-    certbot certonly --standalone --noninteractive --agree-tos
-    --email {{ certbot_admin_email }} -d {{ certbot_dflag }}
-  when: not lecert.stat.exists and not certbot_webroot is defined
-  register: cbstandalone
-  changed_when: cbstandalone.rc == 0
-  become: true
-
- name: Ensure Webroot Path Exists
-  ansible.builtin.file:
-    path: "{{ certbot_webroot }}"
-    state: directory
-    mode: "0755"
-    owner: root
-    group: root
-  when: not lecert.stat.exists and certbot_webroot is defined
-
- name: Request Cert If Necessary - Webroot
-  ansible.builtin.command: >-
-    certbot certonly --webroot --webroot-path {{ certbot_webroot }} --noninteractive --agree-tos
-    --email {{ certbot_admin_email }} -d {{ certbot_dflag }}
-  when: not lecert.stat.exists and certbot_webroot is defined
-  register: cbwebroot
-  changed_when: cbwebroot.rc == 0
-  become: true
-
- name: Setup Certbot With Application
-  ansible.builtin.include_tasks: "application.yml"
-  when: certbot_application is defined
-
- name: Enable Letsencrypt Renew Timer Based On Distribution
-  ansible.builtin.include_tasks: "{{ ansible_facts.distribution }}-timer.yml"
+- name: Obtain Cert DNS Challenge
+  ansible.builtin.include_tasks: "dns-challenge.yml"
+  when: certbot_dns_challenge
--- a/tasks/webserver.yml
+++ b/tasks/webserver.yml
+- name: Install Packages Based On Distribution
+  ansible.builtin.include_tasks: "{{ ansible_facts.distribution }}-packages-webserver.yml"
+
+- name: Check Whether Cert Exists
+  ansible.builtin.stat:
+    path: "{{ certbot_live_dir }}/cert.pem"
+  register: lecert
+  become: true
+
+- name: Ensure Deploy Hook Dir Exists
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0755"
+    owner: root
+    group: root
+  loop:
+    - /etc/letsencrypt/renewal-hooks
+    - /etc/letsencrypt/renewal-hooks/deploy
+  become: true
+
+- name: Request Cert If Necessary - Standalone
+  ansible.builtin.command: >-
+    certbot certonly --standalone --noninteractive --agree-tos
+    --email {{ certbot_admin_email }} -d {{ certbot_dflag }}
+  when: not lecert.stat.exists and not certbot_webroot is defined
+  register: cbstandalone
+  changed_when: cbstandalone.rc == 0
+  become: true
+
+- name: Ensure Webroot Path Exists
+  ansible.builtin.file:
+    path: "{{ certbot_webroot }}"
+    state: directory
+    mode: "0755"
+    owner: root
+    group: root
+  when: not lecert.stat.exists and certbot_webroot is defined
+
+- name: Request Cert If Necessary - Webroot
+  ansible.builtin.command: >-
+    certbot certonly --webroot --webroot-path {{ certbot_webroot }} --noninteractive --agree-tos
+    --email {{ certbot_admin_email }} -d {{ certbot_dflag }}
+  when: not lecert.stat.exists and certbot_webroot is defined
+  register: cbwebroot
+  changed_when: cbwebroot.rc == 0
+  become: true
+
+- name: Setup Certbot With Application
+  ansible.builtin.include_tasks: "application.yml"
+  when: certbot_application is defined
+
+- name: Enable Letsencrypt Renew Timer Based On Distribution
+  ansible.builtin.include_tasks: "{{ ansible_facts.distribution }}-timer-webserver.yml"
--- a/templates/dns-challenge.env.j2
+++ b/templates/dns-challenge.env.j2
+# {{ ansible_managed }}
+
+{% for var, val in dns_provider_auth_env_variables.items() %}
+{{ var }}={{ val }}
+{% endfor %}
--- a/templates/dns-challenge.service.j2
+++ b/templates/dns-challenge.service.j2
+# {{ ansible_managed }}
+
+[Unit]
+Description=LEGO DNS challenge
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/lego -a --dns {{ certbot_dns_provider }} --email {{ certbot_admin_email }} -d {{ lego_dflag }} --path {{ certbot_live_dir }} renew
+ExecStartPost=cp {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.crt {{ certbot_live_dir }}/fullchain.pem
+ExecStartPost=cp {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.key {{ certbot_live_dir }}/privkey.pem
+{{ "ExecStartPost=/etc/letsencrypt/renewal-hooks/deploy/" + certbot_application if certbot_application is defined else "" }}
+EnvironmentFile=/etc/default/dns-challenge.env
--- a/templates/dns-challenge.timer.j2
+++ b/templates/dns-challenge.timer.j2
+# {{ ansible_managed }}
+
+[Unit]
+Description=Run LEGO DNS challenge twice every day
+
+[Timer]
+OnCalendar=*-*-* 00,12:00:00
+RandomizedDelaySec=43200
+Persistent=true
+Unit=dns-challenge.service
+
+[Install]
+WantedBy=timers.target
--- a/vars/main.yml
+++ b/vars/main.yml
 ---
-certbot_live_dir: >-
-  /etc/letsencrypt/live/{{
+certbot_fqdn_first: >-
+  {{
    certbot_fqdn
    | first
    | replace("*.", "")
    | trim(".")
  }}
+certbot_live_dir: "/etc/letsencrypt/live/{{ certbot_fqdn_first }}"
 certbot_dflag: "{{ certbot_fqdn | map('trim', '.') | join(',') }}"
+lego_dflag : "{{ certbot_fqdn | map('trim', '.') | join(' -d ') }}"