feat: dns challenge

README.md

@@ -7,14 +7,26 @@ Role Variables
 --------------
 
 ```yaml
+---
 # certbot settings
+certbot_dns_challenge: false                                                          # default use webserver, true to obtain certificate using dns challenge
+certbot_lego_version: "4.11.0"                                                        # version of LEGO client
+certbot_dns_provider: "designate"                                                     # list of available providers https://go-acme.github.io/lego/dns/
+dns_provider_auth_env_variables:                                                      # variables required to authenticate dns provider
+  OS_AUTH_URL: "https://openstack.example.org"
+  OS_REGION_NAME: "RegionOne"
+  OS_AUTH_TYP: "v3applicationcredential"                                              # default is to use application credential rather than password
+  OS_APPLICATION_CREDENTIAL_ID: "{{ vault_os_application_credential_id }}"
+  OS_APPLICATION_CREDENTIAL_SECRET: "{{ vault_os_application_credential_secret }}"
+
+
 certbot_fqdn:
   - example.de
 certbot_admin_email: "admin@example.de"
-# certbot_webroot: "/var/www/example"                          # if undefined use --standalone
+# certbot_webroot: "/var/www/example"                                                 # if undefined use --standalone
 
 # application settings
-# certbot_application: "example"                               # if defined copy certs to application dir and setup deploy hooks
+# certbot_application: "example"                                                      # if defined copy certs to application dir and setup deploy hooks
 certbot_application_dir: "/etc/{{ certbot_application }}"
 certbot_application_deploy_hook: |
   #!/bin/sh

defaults/main.yml

 ---
 # certbot settings
+certbot_dns_challenge: false                                                          # default use webserver, true to obtain certificate using dns challenge
+certbot_lego_version: "4.11.0"                                                        # lego version - Let's Encrypt client
+certbot_dns_provider: "designate"                                                     # list of available providers https://go-acme.github.io/lego/dns/
+dns_provider_auth_env_variables:                                                      # variables required to authenticate dns provider
+  OS_AUTH_URL: "https://openstack.example.org"
+  OS_REGION_NAME: "RegionOne"
+  OS_AUTH_TYP: "v3applicationcredential"                                              # default is to use application credential rather than password
+  OS_APPLICATION_CREDENTIAL_ID: "{{ vault_os_application_credential_id }}"
+  OS_APPLICATION_CREDENTIAL_SECRET: "{{ vault_os_application_credential_secret }}"
+
+
 certbot_fqdn:
   - example.de
 certbot_admin_email: "admin@example.de"
-# certbot_webroot: "/var/www/example"                          # if undefined use --standalone
+# certbot_webroot: "/var/www/example"                                                 # if undefined use --standalone
 
 # application settings
-# certbot_application: "example"                               # if defined copy certs to application dir and setup deploy hooks
+# certbot_application: "example"                                                      # if defined copy certs to application dir and setup deploy hooks
 certbot_application_dir: "/etc/{{ certbot_application }}"
 certbot_application_deploy_hook: |
   #!/bin/sh

tasks/dns-challenge.yml

+- name: Fetch Binary
+  ansible.builtin.get_url:
+    url: "https://github.com/go-acme/lego/releases/download/v{{ certbot_lego_version }}/lego_v{{ certbot_lego_version }}_linux_amd64.tar.gz"
+    dest: "/tmp/lego_v{{ certbot_lego_version }}_linux_amd64.tar.gz"
+    mode: "0644"
+
+- name: Unpack Archive
+  ansible.builtin.unarchive:
+    src: "/tmp/lego_v{{ certbot_lego_version }}_linux_amd64.tar.gz"
+    dest: "/tmp"
+    remote_src: true
+
+- name: Copy Binary
+  ansible.builtin.copy:
+    src: /tmp/lego
+    dest: /usr/bin/lego
+    owner: root
+    group: root
+    mode: '0755'
+    remote_src: true
+  become: true
+
+- name: Check Whether Cert Exists
+  ansible.builtin.stat:
+    path: "{{ certbot_live_dir }}/fullchain.pem"
+  register: lecert
+  become: true
+
+- name: Ensure Deploy Hook Dir Exists
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0755"
+    owner: root
+    group: root
+  loop:
+    - /etc/letsencrypt/renewal-hooks
+    - /etc/letsencrypt/renewal-hooks/deploy
+  become: true
+
+- name: Request Cert If Necessary - DNS Challenge
+  block:
+    - name: Request Cert
+      ansible.builtin.command: >-
+        lego -a --dns {{ certbot_dns_provider }}
+        --email {{ certbot_admin_email }} -d {{ lego_dflag }}
+        --path {{ certbot_live_dir }}
+        run
+      environment: "{{ dns_provider_auth_env_variables }}"
+      register: lego
+      changed_when: lego.rc == 0
+
+    - name: Mirror Letsencrypt Structure
+      ansible.builtin.copy:
+        src: "{{ item.src }}"
+        dest: "{{ item.dest }}"
+        owner: root
+        group: root
+        mode: '0600'
+        remote_src: true
+      loop:
+        - { src: "{{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.crt", dest: "{{ certbot_live_dir }}/fullchain.pem" }
+        - { src: "{{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.key", dest: "{{ certbot_live_dir }}/privkey.pem" }
+
+  when: not lecert.stat.exists
+  become: true
+
+- name: Render Systemd Files
+  block:
+    - name: Render Systemd Environment File
+      ansible.builtin.template:
+        src: templates/dns-challenge.env.j2
+        dest: /etc/default/dns-challenge.env
+        mode: "0644"
+
+    - name: Render Systemd Service File
+      ansible.builtin.template:
+        src: templates/dns-challenge.service.j2
+        dest: /lib/systemd/system/dns-challenge.service
+        mode: "0644"
+
+    - name: Render Systemd Timer File
+      ansible.builtin.template:
+        src: templates/dns-challenge.timer.j2
+        dest: /lib/systemd/system/dns-challenge.timer
+        mode: "0644"
+  
+  become: true
+
+- name: Setup Certbot With Application
+  ansible.builtin.include_tasks: "application.yml"
+  when: certbot_application is defined
+
+- name: Enable LEGO Renew Timer
+  ansible.builtin.systemd:
+    name: dns-challenge.timer
+    state: started
+    enabled: true
+  become: true

tasks/main.yml

 ---
-# TODO:
-#   - dns challenge
+- name: Obtain Cert Using Web Server
+  ansible.builtin.include_tasks: "webserver.yml"
+  when: not certbot_dns_challenge
 
-- name: Install Packages Based On Distribution
-  ansible.builtin.include_tasks: "{{ ansible_facts.distribution }}-packages.yml"
-
-- name: Check Whether Cert Exists
-  ansible.builtin.stat:
-    path: "{{ certbot_live_dir }}/cert.pem"
-  register: lecert
-  become: true
-
-- name: Ensure Deploy Hook Dir Exists
-  ansible.builtin.file:
-    path: "{{ item }}"
-    state: directory
-    mode: "0755"
-    owner: root
-    group: root
-  loop:
-    - /etc/letsencrypt/renewal-hooks
-    - /etc/letsencrypt/renewal-hooks/deploy
-  become: true
-
-- name: Request Cert If Necessary - Standalone
-  ansible.builtin.command: >-
-    certbot certonly --standalone --noninteractive --agree-tos
-    --email {{ certbot_admin_email }} -d {{ certbot_dflag }}
-  when: not lecert.stat.exists and not certbot_webroot is defined
-  register: cbstandalone
-  changed_when: cbstandalone.rc == 0
-  become: true
-
-- name: Ensure Webroot Path Exists
-  ansible.builtin.file:
-    path: "{{ certbot_webroot }}"
-    state: directory
-    mode: "0755"
-    owner: root
-    group: root
-  when: not lecert.stat.exists and certbot_webroot is defined
-
-- name: Request Cert If Necessary - Webroot
-  ansible.builtin.command: >-
-    certbot certonly --webroot --webroot-path {{ certbot_webroot }} --noninteractive --agree-tos
-    --email {{ certbot_admin_email }} -d {{ certbot_dflag }}
-  when: not lecert.stat.exists and certbot_webroot is defined
-  register: cbwebroot
-  changed_when: cbwebroot.rc == 0
-  become: true
-
-- name: Setup Certbot With Application
-  ansible.builtin.include_tasks: "application.yml"
-  when: certbot_application is defined
-
-- name: Enable Letsencrypt Renew Timer Based On Distribution
-  ansible.builtin.include_tasks: "{{ ansible_facts.distribution }}-timer.yml"
+- name: Obtain Cert DNS Challenge
+  ansible.builtin.include_tasks: "dns-challenge.yml"
+  when: certbot_dns_challenge

tasks/webserver.yml

+- name: Install Packages Based On Distribution
+  ansible.builtin.include_tasks: "{{ ansible_facts.distribution }}-packages-webserver.yml"
+
+- name: Check Whether Cert Exists
+  ansible.builtin.stat:
+    path: "{{ certbot_live_dir }}/cert.pem"
+  register: lecert
+  become: true
+
+- name: Ensure Deploy Hook Dir Exists
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0755"
+    owner: root
+    group: root
+  loop:
+    - /etc/letsencrypt/renewal-hooks
+    - /etc/letsencrypt/renewal-hooks/deploy
+  become: true
+
+- name: Request Cert If Necessary - Standalone
+  ansible.builtin.command: >-
+    certbot certonly --standalone --noninteractive --agree-tos
+    --email {{ certbot_admin_email }} -d {{ certbot_dflag }}
+  when: not lecert.stat.exists and not certbot_webroot is defined
+  register: cbstandalone
+  changed_when: cbstandalone.rc == 0
+  become: true
+
+- name: Ensure Webroot Path Exists
+  ansible.builtin.file:
+    path: "{{ certbot_webroot }}"
+    state: directory
+    mode: "0755"
+    owner: root
+    group: root
+  when: not lecert.stat.exists and certbot_webroot is defined
+
+- name: Request Cert If Necessary - Webroot
+  ansible.builtin.command: >-
+    certbot certonly --webroot --webroot-path {{ certbot_webroot }} --noninteractive --agree-tos
+    --email {{ certbot_admin_email }} -d {{ certbot_dflag }}
+  when: not lecert.stat.exists and certbot_webroot is defined
+  register: cbwebroot
+  changed_when: cbwebroot.rc == 0
+  become: true
+
+- name: Setup Certbot With Application
+  ansible.builtin.include_tasks: "application.yml"
+  when: certbot_application is defined
+
+- name: Enable Letsencrypt Renew Timer Based On Distribution
+  ansible.builtin.include_tasks: "{{ ansible_facts.distribution }}-timer-webserver.yml"

templates/dns-challenge.env.j2

+# {{ ansible_managed }}
+
+{% for var, val in dns_provider_auth_env_variables.items() %}
+{{ var }}={{ val }}
+{% endfor %}

templates/dns-challenge.service.j2

+# {{ ansible_managed }}
+
+[Unit]
+Description=LEGO DNS challenge
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/lego -a --dns {{ certbot_dns_provider }} --email {{ certbot_admin_email }} -d {{ lego_dflag }} --path {{ certbot_live_dir }} renew
+ExecStartPost=cp {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.crt {{ certbot_live_dir }}/fullchain.pem
+ExecStartPost=cp {{ certbot_live_dir }}/certificates/{{ certbot_fqdn_first }}.key {{ certbot_live_dir }}/privkey.pem
+{{ "ExecStartPost=/etc/letsencrypt/renewal-hooks/deploy/" + certbot_application if certbot_application is defined else "" }}
+EnvironmentFile=/etc/default/dns-challenge.env

templates/dns-challenge.timer.j2

+# {{ ansible_managed }}
+
+[Unit]
+Description=Run LEGO DNS challenge twice every day
+
+[Timer]
+OnCalendar=*-*-* 00,12:00:00
+RandomizedDelaySec=43200
+Persistent=true
+Unit=dns-challenge.service
+
+[Install]
+WantedBy=timers.target

vars/main.yml

 ---
-certbot_live_dir: >-
-  /etc/letsencrypt/live/{{
+certbot_fqdn_first: >-
+  {{
     certbot_fqdn
     | first
     | replace("*.", "")
     | trim(".")
   }}
+certbot_live_dir: "/etc/letsencrypt/live/{{ certbot_fqdn_first }}"
 certbot_dflag: "{{ certbot_fqdn | map('trim', '.') | join(',') }}"
+lego_dflag : "{{ certbot_fqdn | map('trim', '.') | join(' -d ') }}"