diff --git a/roles/certbot/defaults/main.yml b/roles/certbot/defaults/main.yml new file mode 100644 index 0000000..55e9a80 --- /dev/null +++ b/roles/certbot/defaults/main.yml @@ -0,0 +1,13 @@ +--- +# List of domains to be certified by Certbot +certbot_domains: [] + +# Email to be used when requesting the Let's Encrypt certificate +certbot_email: None + +# Defines the frequency of running the Certbot renewal, follow ‹OnCalendar› docs +# in the systemd for syntax +certbot_frequency: weekly + +# Delay for propagating of the TXT DNS records when renewing the certificates +certbot_propagation_delay: 60 diff --git a/roles/certbot/tasks/install.yml b/roles/certbot/tasks/install.yml index 11e70d9..006995c 100644 --- a/roles/certbot/tasks/install.yml +++ b/roles/certbot/tasks/install.yml @@ -3,5 +3,4 @@ ansible.builtin.package: name: - certbot - - python3-certbot-dns-cloudflare state: present diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml index cebff69..f15563f 100644 --- a/roles/certbot/tasks/main.yml +++ b/roles/certbot/tasks/main.yml @@ -3,10 +3,33 @@ ansible.builtin.include_tasks: install.yml tags: install -- name: Install the Cloudflare secrets +- name: Install the CLI configuration for Certbot ansible.builtin.template: - src: templates/cloudflare.ini - dest: /root/.secrets/cloudflare.ini + src: templates/cli.ini + dest: /etc/letsencrypt/cli.ini mode: 0600 owner: root group: root + +- name: Install the Porkbun Certbot container definition (quadlet) + ansible.builtin.template: + src: templates/certbot.container + dest: /etc/containers/systemd/certbot.container + mode: 0644 + owner: root + group: root + +- name: Install the timer for the Certbot quadlet + ansible.builtin.template: + src: templates/certbot.timer + dest: /etc/systemd/system/certbot.timer + mode: 0644 + owner: root + group: root + +- name: Enable the timer + ansible.builtin.systemd_service: + daemon_reload: true + enabled: true + name: certbot.timer + state: "started" diff --git a/roles/certbot/templates/certbot.container b/roles/certbot/templates/certbot.container new file mode 100644 index 0000000..90d03de --- /dev/null +++ b/roles/certbot/templates/certbot.container @@ -0,0 +1,12 @@ +[Unit] +Description=Certbot renewal + +[Container] +Image=docker.io/infinityofspace/certbot_dns_porkbun:latest +Volume=/etc/letsencrypt:/etc/letsencrypt:z +Volume=/var/log/letsencrypt:/var/log/letsencrypt:z +Volume=/etc/porkbun.ini:/conf/porkbun.ini:z +Exec=certonly -d "{{ ','.join(certbot_domains) }}" + +[Service] +Restart=on-failure diff --git a/roles/certbot/templates/certbot.timer b/roles/certbot/templates/certbot.timer new file mode 100644 index 0000000..2e7f6c7 --- /dev/null +++ b/roles/certbot/templates/certbot.timer @@ -0,0 +1,11 @@ +[Unit] +Description=Run certbot once a week + +[Timer] +OnCalendar={{ certbot_frequency }} +AccuracySec=1h +Persistent=true +RandomizedDelaySec=100min + +[Install] +WantedBy=timers.target diff --git a/roles/certbot/templates/cli.ini b/roles/certbot/templates/cli.ini new file mode 100644 index 0000000..53037c3 --- /dev/null +++ b/roles/certbot/templates/cli.ini @@ -0,0 +1,10 @@ +email = {{ certbot_email }} + +agree-tos = true +non-interactive = true + +preferred-challenges = dns +authenticator = dns-porkbun + +dns-porkbun-credentials = /conf/porkbun.ini +dns-porkbun-propagation-seconds = {{ certbot_propagation_delay }} diff --git a/roles/certbot/templates/cloudflare.ini b/roles/certbot/templates/cloudflare.ini deleted file mode 100644 index 9b069ee..0000000 --- a/roles/certbot/templates/cloudflare.ini +++ /dev/null @@ -1 +0,0 @@ -dns_cloudflare_api_token = {{ cloudflare_token }}