[certbot] Configure certbot

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>

group_vars/certbot.yml

@@ -0,0 +1,9 @@
+---
+glob_certbot:
+  - dns_rfc2136_server: '172.16.42.103'
+    dns_rfc2136_name: certbot_challenge.
+    dns_rfc2136_secret: "{{ vault.certbot_dns_secret }}"
+    mail: ynerant@crans.org
+    certname: ynerant.fr
+    # domains: "*.ynerant.fr"
+    domains: "ynerant.fr, *.ynerant.fr, ens.kitchen, *.ens.kitchen, ananas.paris, *.ananas.paris, saperlistpopette.fr, *.saperlistpopette.fr"

hosts

@@ -1,6 +1,9 @@
 [archlinux:children]
 perso
 
+[certbot]
+proxy.adm.ynerant.fr
+
 [debian:children]
 server
 

plays/certbot.yml

@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: certbot
+  vars:
+    certbot: "{{ glob_certbot | default(service_certbot | default(loc_certbot | default([]))) }}"
+  roles:
+    - certbot

roles/certbot/tasks/main.yml

@@ -0,0 +1,52 @@
+---
+- name: Install certbot and RFC2136 plugin
+  apt:
+    update_cache: true
+    name:
+      - certbot
+      - python3-certbot-dns-rfc2136
+    state: present
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Add DNS credentials
+  template:
+    src: letsencrypt/rfc2136.ini.j2
+    dest: "/etc/letsencrypt/rfc2136.{{ item.certname }}.ini"
+    mode: 0600
+    owner: root
+  loop: "{{ certbot }}"
+
+- name: Add dhparam
+  template:
+    src: "letsencrypt/dhparam.j2"
+    dest: "/etc/letsencrypt/dhparam"
+    mode: 0600
+
+- name: Create /etc/letsencrypt/conf.d
+  file:
+    path: /etc/letsencrypt/conf.d
+    state: directory
+
+- name: Add Certbot configuration
+  template:
+    src: "letsencrypt/conf.d/certname.ini.j2"
+    dest: "/etc/letsencrypt/conf.d/{{ item.certname }}.ini"
+    mode: 0644
+  loop: "{{ certbot }}"
+
+- name: Run certbot
+  command: certbot --non-interactive --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
+  register: certbot_output
+  changed_when: not "Certificate not yet due for renewal" in certbot_output.stdout
+  loop: "{{ certbot }}"
+
+- name: Clean old files
+  file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - "/etc/letsencrypt/options-ssl-nginx.conf"
+    - "/etc/letsencrypt/ssl-dhparams.pem"
+    - "/etc/letsencrypt/rfc2136.ini"

roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2

@@ -0,0 +1,28 @@
+{{ ansible_header | comment(decoration='# ') }}
+
+# To generate the certificate, please use the following command
+# certbot --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
+
+# Use a 4096 bit RSA key instead of 2048
+rsa-key-size = 4096
+
+# Always use the staging/testing server
+# server = https://acme-staging.api.letsencrypt.org/directory
+
+# Uncomment and update to register with the specified e-mail address
+email = {{ item.mail }}
+
+# Uncomment to use a text interface instead of ncurses
+text = True
+
+# Yes I want to sell my soul and my guinea pig.
+agree-tos = True
+
+# Use DNS-01 challenge
+authenticator = dns-rfc2136
+dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.{{ item.certname }}.ini
+dns-rfc2136-propagation-seconds = 30
+
+# Wildcard the domain
+cert-name = {{ item.certname }}
+domains = {{ item.domains }}

roles/certbot/templates/letsencrypt/dhparam.j2

@@ -0,0 +1,8 @@
+-----BEGIN DH PARAMETERS-----
+MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
+87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
+YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
+7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
+ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
+-----END DH PARAMETERS-----

roles/certbot/templates/letsencrypt/rfc2136.ini.j2

@@ -0,0 +1,7 @@
+{{ ansible_header | comment(decoration='# ') }}
+
+dns_rfc2136_server = {{ item.dns_rfc2136_server }}
+dns_rfc2136_port = 53
+dns_rfc2136_name = {{ item.dns_rfc2136_name }}
+dns_rfc2136_secret = {{ item.dns_rfc2136_secret }}
+dns_rfc2136_algorithm = HMAC-SHA512

vars_plugins/pass.ini

@@ -1,6 +1,6 @@
 [pass]
 # password_store_dir=/home/ynerant/.password-store
-# crans_password_store_submodule=crans
+crans_password_store_submodule=.
 
 [pass_become]
 all=templier