fix(certbot): migrate from Cloudflare to Porkbun

Signed-off-by: Matej Focko <me@mfocko.xyz>
Matej Focko 2024-11-11 17:03:53 +01:00
parent 45a41d7c99
commit 62c7d2d4c0
Signed by: mfocko
SSH key fingerprint: SHA256:icm0fIOSJUpy5+1x23sfr+hLtF9UhY8VpMC7H4WFJP8
7 changed files with 72 additions and 5 deletions


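--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -0,0 +1,13 @@
+---
+# List of domains to be certified by Certbot
+certbot_domains: []
+# Email to be used when requesting the Let's Encrypt certificate
+certbot_email: None
+# Defines the frequency of running the Certbot renewal, follow OnCalendar docs
+# in the systemd for syntax
+certbot_frequency: weekly
+# Delay for propagating of the TXT DNS records when renewing the certificates
+certbot_propagation_delay: 60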
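Review bot: `certbot_email: None` is the string `None` in YAML (only `null`/`~` mean null), so with the default left untouched the rendered cli.ini contains `email = None`, an address certbot will most likely reject rather than a missing value. Prefer `certbot_email: null`, and since the role cannot work without an email or at least one domain (`certbot_domains: []` renders as `-d ""` in the quadlet), fail early with an `ansible.builtin.assert` task checking `certbot_email is not none` and `certbot_domains | length > 0` before any template is written. The comment on the delay should also state its unit, e.g. `# Seconds to wait for the TXT records to propagate before ACME validation`.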


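--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -3,5 +3,4 @@
 ansible.builtin.package:
 name:
 - certbot
-- python3-certbot-dns-cloudflare
 state: present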


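--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -3,10 +3,33 @@
 ansible.builtin.include_tasks: install.yml
 tags: install
-- name: Install the Cloudflare secrets
+- name: Install the CLI configuration for Certbot
 ansible.builtin.template:
-src: templates/cloudflare.ini
+src: templates/cli.ini
-dest: /root/.secrets/cloudflare.ini
+dest: /etc/letsencrypt/cli.ini
 mode: 0600
 owner: root
 group: root
+- name: Install the Porkbun Certbot container definition (quadlet)
+ansible.builtin.template:
+src: templates/certbot.container
+dest: /etc/containers/systemd/certbot.container
+mode: 0644
+owner: root
+group: root
+- name: Install the timer for the Certbot quadlet
+ansible.builtin.template:
+src: templates/certbot.timer
+dest: /etc/systemd/system/certbot.timer
+mode: 0644
+owner: root
+group: root
+- name: Enable the timer
+ansible.builtin.systemd_service:
+daemon_reload: true
+enabled: true
+name: certbot.timer
+state: "started"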
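Review bot: The quadlet bind-mounts `/etc/porkbun.ini` into the container, but no task in this file creates that file, whereas the removed Cloudflare task did install its credentials file with mode 0600. Unless another role provisions it, the first timer run fails on missing credentials, and podman may create an empty directory at that path instead, which then has to be cleaned up by hand. I would add the counterpart task between the cli.ini template and the quadlet, with `no_log: true` so the API key and secret never show up in task output or `--diff` runs; a `{{ porkbun_api_key }}`/`{{ porkbun_secret_key }}` style template is the natural replacement for the deleted cloudflare.ini.
```yaml
# … unchanged: include_tasks install.yml, cli.ini template task …
- name: Install the Porkbun API credentials for Certbot
  ansible.builtin.template:
    src: templates/porkbun.ini
    dest: /etc/porkbun.ini
    mode: "0600"
    owner: root
    group: root
  no_log: true
# … unchanged: quadlet, timer and enable-timer tasks …
```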


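--- a/templates/certbot.container
+++ b/templates/certbot.container
@@ -0,0 +1,12 @@
+[Unit]
+Description=Certbot renewal
+[Container]
+Image=docker.io/infinityofspace/certbot_dns_porkbun:latest
+Volume=/etc/letsencrypt:/etc/letsencrypt:z
+Volume=/var/log/letsencrypt:/var/log/letsencrypt:z
+Volume=/etc/porkbun.ini:/conf/porkbun.ini:z
+Exec=certonly -d "{{ ','.join(certbot_domains) }}"
+[Service]
+Restart=on-failure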
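Review bot: `Image=docker.io/infinityofspace/certbot_dns_porkbun:latest` is an unpinned third-party image that is handed the Porkbun API credentials and write access to `/etc/letsencrypt`, so whatever `latest` resolves to at pull time runs with your DNS keys and nothing records which digest that was. Pin it to a version tag plus digest, `Image=docker.io/infinityofspace/certbot_dns_porkbun:<version>@sha256:<digest>`, and bump it deliberately. The credentials mount only needs to be readable, so make it `Volume=/etc/porkbun.ini:/conf/porkbun.ini:ro,z`. With `Restart=on-failure` and no `RestartSec`, a deterministic failure such as bad credentials or an ACME rate limit restarts the container in a tight loop until systemd's start-rate limit trips; for a timer-driven job, dropping `Restart=` and letting the next timer tick retry is the safer default.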


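--- a/templates/certbot.timer
+++ b/templates/certbot.timer
@@ -0,0 +1,11 @@
+[Unit]
+Description=Run certbot once a week
+[Timer]
+OnCalendar={{ certbot_frequency }}
+AccuracySec=1h
+Persistent=true
+RandomizedDelaySec=100min
+[Install]
+WantedBy=timers.target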
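Review bot: `Description=Run certbot once a week` is stale documentation: the schedule is `OnCalendar={{ certbot_frequency }}`, so an operator who overrides the variable sees a misleading text in `systemctl list-timers`; use `Description=Run certbot renewal ({{ certbot_frequency }})`. The timer also relies on the implicit `certbot.service` target matching the name systemd generates from `certbot.container`; an explicit `Unit=certbot.service` under `[Timer]` documents that coupling and fails loudly if either file is renamed. `RandomizedDelaySec=100min` together with `AccuracySec=1h` can shift a run by well over an hour, which is fine for renewals but deserves a one-line comment so nobody "fixes" it later.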


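--- a/templates/cli.ini
+++ b/templates/cli.ini
@@ -0,0 +1,10 @@
+email = {{ certbot_email }}
+agree-tos = true
+non-interactive = true
+preferred-challenges = dns
+authenticator = dns-porkbun
+dns-porkbun-credentials = /conf/porkbun.ini
+dns-porkbun-propagation-seconds = {{ certbot_propagation_delay }}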
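Review bot: `dns-porkbun-credentials = /conf/porkbun.ini` is a path that only exists inside the container, yet this file is installed on the host as `/etc/letsencrypt/cli.ini`, the default config the host `certbot` package from install.yml also reads, so any direct `certbot` invocation on the host (to inspect, revoke or debug) picks up an authenticator plugin and credentials path that don't exist there. Either mount the credentials at the same path on both sides (`Volume=/etc/porkbun.ini:/etc/porkbun.ini:ro,z` and `dns-porkbun-credentials = /etc/porkbun.ini`) or put a comment at the top, `# Only valid inside the certbot.container quadlet; /conf/porkbun.ini is a container path`. A `# {{ ansible_managed }}` header would additionally mark the file as templated so it is not edited in place on the host.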


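--- a/templates/cloudflare.ini
+++ b/templates/cloudflare.ini
@@ -1 +0,0 @@
-dns_cloudflare_api_token = {{ cloudflare_token }}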