init

.ansible-lint-ignore

@@ -0,0 +1 @@
+roles/certbot_rfc2136/tasks/main.yml no-changed-when

roles/certbot_rfc2136/tasks/main.yml

@@ -0,0 +1,71 @@
+- name: Check preconditions
+  block:
+    - name: Fail if certbot_update_hour is not provided
+      ansible.builtin.fail:
+        msg: The variable certbot_update_hour was not provided
+      when: not ((certbot_update_hour is defined) and (certbot_update_hour|length > 0))
+
+    - name: Fail if certbot_get_cert_for_domain is not provided
+      ansible.builtin.fail:
+        msg: The variable certbot_get_cert_for_domain was not provided
+      when: not ((certbot_get_cert_for_domain is defined) and (certbot_get_cert_for_domain|length > 0))
+
+    - name: Fail if certbot_tsig_key is not provided
+      ansible.builtin.fail:
+        msg: The variable certbot_tsig_key was not provided
+      when: not ((certbot_tsig_key is defined) and (certbot_tsig_key|length > 0))
+
+    - name: Check/root/certbot_post_update.sh
+      ansible.builtin.stat:
+        path: /root/certbot_post_update.sh
+      register: stat_result
+
+    - name: Fail if /root/certbot_post_update.sh does not exist
+      ansible.builtin.fail:
+        msg: The file /root/certbot_post_update.sh must contain bash to run after certs are updated
+      when: not stat_result.stat.exists
+
+- name: Install deps
+  ansible.builtin.apt:
+    lock_timeout: 120
+    update_cache: true
+    pkg:
+      - python3-pip
+      - python3.11-venv
+      - cron
+
+- name: Install certbot
+  ansible.builtin.pip:
+    name:
+      - certbot==2.11.0
+      - certbot-dns-rfc2136==2.11.0
+    virtualenv: /root/certbot_venv
+    virtualenv_command: python3 -m venv
+
+- name: Certbot script
+  ansible.builtin.template:
+    src: certbot.sh.j2
+    dest: /root/certbot.sh
+    mode: "700"
+
+- name: Template tsig.ini
+  ansible.builtin.template:
+    src: tsig.ini.j2
+    dest: /root/tsig.ini
+    mode: "700"
+
+- name: Get cert
+  ansible.builtin.command:
+    cmd: /root/certbot.sh
+
+- name: Crontab
+  ansible.builtin.template:
+    src: certbot_update_cert.j2
+    dest: /etc/cron.d/certbot_update_cert
+    mode: "700"
+
+- name: Restart and enable cron service
+  ansible.builtin.service:
+    name: cron
+    state: restarted
+    enabled: true

roles/certbot_rfc2136/templates/certbot.sh.j2

@@ -0,0 +1,24 @@
+# Managed by ansible
+
+certbot_domain="{{ certbot_get_cert_for_domain }}"
+
+/root/certbot_venv/bin/certbot certonly \
+  --dns-rfc2136 \
+  --dns-rfc2136-credentials /root/tsig.ini \
+  --non-interactive \
+  --agree-tos \
+  -m {{ certbot_email_username | default('jameso') }}@nycmesh.net \
+  -d $certbot_domain
+
+full_chain_path="/etc/letsencrypt/live/$certbot_domain/fullchain.pem"
+priv_key_path="/etc/letsencrypt/live/$certbot_domain/privkey.pem"
+
+if [ ! -f "$full_chain_path" ] || [ ! -f "$priv_key_path" ]; then
+  exit 1
+fi
+
+post_update_script="/root/certbot_post_update.sh"
+if [ -f "$post_update_script" ]; then
+  chmod +x "$post_update_script"
+  bash "$post_update_script"
+fi

roles/certbot_rfc2136/templates/certbot_update_cert.j2

@@ -0,0 +1,2 @@
+# Managed by ansible
+53 {{ certbot_update_hour }} * * 1   root    bash /root/certbot.sh 2>&1 > /dev/null

roles/certbot_rfc2136/templates/tsig.ini.j2

@@ -0,0 +1,11 @@
+# Managed by ansible
+# Target DNS server
+dns_rfc2136_server = {{ certbot_main_auth_dns_server | default('199.170.132.47') }}
+# Target DNS port
+dns_rfc2136_port = 53
+# TSIG key name
+dns_rfc2136_name = {{ certbot_get_cert_for_domain }}
+# TSIG key secret
+dns_rfc2136_secret = {{ certbot_tsig_key }}
+# TSIG key algorithm
+dns_rfc2136_algorithm = HMAC-SHA512