diff --git a/.ansible-lint-ignore b/.ansible-lint-ignore
new file mode 100644
index 0000000..d302538
--- /dev/null
+++ b/.ansible-lint-ignore
@@ -0,0 +1 @@
+roles/certbot_rfc2136/tasks/main.yml no-changed-when
diff --git a/roles/certbot_rfc2136/tasks/main.yml b/roles/certbot_rfc2136/tasks/main.yml
new file mode 100644
index 0000000..91b3b94
--- /dev/null
+++ b/roles/certbot_rfc2136/tasks/main.yml
@@ -0,0 +1,71 @@
+- name: Check preconditions
+ block:
+ - name: Fail if certbot_update_hour is not provided
+ ansible.builtin.fail:
+ msg: The variable certbot_update_hour was not provided
+ when: not ((certbot_update_hour is defined) and (certbot_update_hour|length > 0))
+
+ - name: Fail if certbot_get_cert_for_domain is not provided
+ ansible.builtin.fail:
+ msg: The variable certbot_get_cert_for_domain was not provided
+ when: not ((certbot_get_cert_for_domain is defined) and (certbot_get_cert_for_domain|length > 0))
+
+ - name: Fail if certbot_tsig_key is not provided
+ ansible.builtin.fail:
+ msg: The variable certbot_tsig_key was not provided
+ when: not ((certbot_tsig_key is defined) and (certbot_tsig_key|length > 0))
+
+ - name: Check/root/certbot_post_update.sh
+ ansible.builtin.stat:
+ path: /root/certbot_post_update.sh
+ register: stat_result
+
+ - name: Fail if /root/certbot_post_update.sh does not exist
+ ansible.builtin.fail:
+ msg: The file /root/certbot_post_update.sh must contain bash to run after certs are updated
+ when: not stat_result.stat.exists
+
+- name: Install deps
+ ansible.builtin.apt:
+ lock_timeout: 120
+ update_cache: true
+ pkg:
+ - python3-pip
+ - python3.11-venv
+ - cron
+
+- name: Install certbot
+ ansible.builtin.pip:
+ name:
+ - certbot==2.11.0
+ - certbot-dns-rfc2136==2.11.0
+ virtualenv: /root/certbot_venv
+ virtualenv_command: python3 -m venv
+
+- name: Certbot script
+ ansible.builtin.template:
+ src: certbot.sh.j2
+ dest: /root/certbot.sh
+ mode: "700"
+
+- name: Template tsig.ini
+ ansible.builtin.template:
+ src: tsig.ini.j2
+ dest: /root/tsig.ini
+ mode: "700"
+
+- name: Get cert
+ ansible.builtin.command:
+ cmd: /root/certbot.sh
+
+- name: Crontab
+ ansible.builtin.template:
+ src: certbot_update_cert.j2
+ dest: /etc/cron.d/certbot_update_cert
+ mode: "700"
+
+- name: Restart and enable cron service
+ ansible.builtin.service:
+ name: cron
+ state: restarted
+ enabled: true
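Review bot: The `Template tsig.ini` task writes the TSIG secret with `mode: "700"`, which gives an ini file an executable bit it never needs while leaving owner and group unpinned; a credentials file should get `mode: "0600"` plus `owner: root` and `group: root`, and `diff: false` on that task keeps the secret out of `--diff` output. The same `"700"` is used for the cron.d file, where `"0644"` is the conventional mode. The `Get cert` command task has neither `changed_when` nor `creates`, and rather than annotating that one task the commit silences `no-changed-when` for the whole file in `.ansible-lint-ignore`; `changed_when: false` on the task (certbot itself decides whether a renewal is due, so only the script's exit status is a useful signal) would let the ignore entry go. Also, `python3.11-venv` ties the role to one interpreter version while `virtualenv_command: python3 -m venv` uses whatever `python3` resolves to; the `python3-venv` metapackage is likely the safer choice, assuming a Debian/Ubuntu target as the apt task implies.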
diff --git a/roles/certbot_rfc2136/templates/certbot.sh.j2 b/roles/certbot_rfc2136/templates/certbot.sh.j2
new file mode 100644
index 0000000..c6d9af1
--- /dev/null
+++ b/roles/certbot_rfc2136/templates/certbot.sh.j2
@@ -0,0 +1,24 @@
+# Managed by ansible
+
+certbot_domain="{{ certbot_get_cert_for_domain }}"
+
+/root/certbot_venv/bin/certbot certonly \
+ --dns-rfc2136 \
+ --dns-rfc2136-credentials /root/tsig.ini \
+ --non-interactive \
+ --agree-tos \
+ -m {{ certbot_email_username | default('jameso') }}@nycmesh.net \
+ -d $certbot_domain
+
+full_chain_path="/etc/letsencrypt/live/$certbot_domain/fullchain.pem"
+priv_key_path="/etc/letsencrypt/live/$certbot_domain/privkey.pem"
+
+if [ ! -f "$full_chain_path" ] || [ ! -f "$priv_key_path" ]; then
+ exit 1
+fi
+
+post_update_script="/root/certbot_post_update.sh"
+if [ -f "$post_update_script" ]; then
+ chmod +x "$post_update_script"
+ bash "$post_update_script"
+fi
diff --git a/roles/certbot_rfc2136/templates/certbot_update_cert.j2 b/roles/certbot_rfc2136/templates/certbot_update_cert.j2
new file mode 100644
index 0000000..c42d90e
--- /dev/null
+++ b/roles/certbot_rfc2136/templates/certbot_update_cert.j2
@@ -0,0 +1,2 @@
+# Managed by ansible
+53 {{ certbot_update_hour }} * * 1 root bash /root/certbot.sh 2>&1 > /dev/null
diff --git a/roles/certbot_rfc2136/templates/tsig.ini.j2 b/roles/certbot_rfc2136/templates/tsig.ini.j2
new file mode 100644
index 0000000..6b4d5c1
--- /dev/null
+++ b/roles/certbot_rfc2136/templates/tsig.ini.j2
@@ -0,0 +1,11 @@
+# Managed by ansible
+# Target DNS server
+dns_rfc2136_server = {{ certbot_main_auth_dns_server | default('199.170.132.47') }}
+# Target DNS port
+dns_rfc2136_port = 53
+# TSIG key name
+dns_rfc2136_name = {{ certbot_get_cert_for_domain }}
+# TSIG key secret
+dns_rfc2136_secret = {{ certbot_tsig_key }}
+# TSIG key algorithm
+dns_rfc2136_algorithm = HMAC-SHA512
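Review bot: certbot's exit status is never checked, so when a renewal fails the script falls through to the `-f` tests, which still pass as long as an earlier issuance left its files in place, and the post-update hook runs against the old certificate with exit status 0. Adding `#!/usr/bin/env bash` and `set -euo pipefail` at the top makes a failed `certbot certonly` abort the script, and `-d "$certbot_domain"` should be quoted like the other uses of the variable. The `chmod +x` on the hook is redundant since it is invoked through `bash` anyway; dropping it avoids changing the mode of a file in /root as a side effect.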
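Review bot: `2>&1 > /dev/null` sends stderr to cron's mail (the original stdout) and only stdout to /dev/null; if the intent is to silence the job entirely the order should be `> /dev/null 2>&1`, and if the intent is to keep stderr so failures reach root's mailbox, a comment saying so would stop the next reader from "fixing" it. `{{ certbot_update_hour }}` is only checked for being non-empty in tasks/main.yml, so a value outside 0-23 renders a line cron refuses without Ansible noticing; an assert on `certbot_update_hour | int` being in range would surface that at deploy time. Make sure the rendered file ends with a newline, as cron implementations differ on whether a final line without one is read.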
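Review bot: `dns_rfc2136_name` is set to the certificate's domain (`certbot_get_cert_for_domain`), which couples the TSIG key name to the hostname being certified; the key name has to match whatever the DNS server was configured with, so a dedicated variable with that as the fallback, `dns_rfc2136_name = {{ certbot_tsig_key_name | default(certbot_get_cert_for_domain) }}`, keeps the template usable for zones where the two differ. The `default('199.170.132.47')` bakes a specific DNS server address into the role; a comment saying which server that is, or moving the value to the role's defaults under `certbot_main_auth_dns_server`, would document where the dynamic update is sent.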