fix(certbot): migrate from Cloudflare to Porkbun

Signed-off-by: Matej Focko <me@mfocko.xyz>

defaults/main.yml

@@ -27,14 +27,6 @@ hashicorp_vault_address: None
 # Address of the Vaultwarden instance
 vaultwarden_address: None
 
-# Used for Certbot and DDNS
-# Certbot: used for DNS verification of the domain during renewal
-# DDNS: used to update the DNS records of the public IP
-cloudflare_token: None
-
-# Cloudflare zone, the domain
-cloudflare_zone: None
-
 # Public ID tied to the Yubikey OTP
 yubikey_token_id: None
 

roles/certbot/defaults/main.yml

@@ -0,0 +1,13 @@
+---
+# List of domains to be certified by Certbot
+certbot_domains: []
+
+# Email to be used when requesting the Let's Encrypt certificate
+certbot_email: None
+
+# Defines the frequency of running the Certbot renewal, follow ‹OnCalendar› docs
+# in the systemd for syntax
+certbot_frequency: weekly
+
+# Delay for propagating of the TXT DNS records when renewing the certificates
+certbot_propagation_delay: 60

roles/certbot/tasks/install.yml

@@ -3,5 +3,4 @@
   ansible.builtin.package:
     name:
       - certbot
-      - python3-certbot-dns-cloudflare
     state: present

roles/certbot/tasks/main.yml

@@ -3,10 +3,33 @@
   ansible.builtin.include_tasks: install.yml
   tags: install
 
-- name: Install the Cloudflare secrets
+- name: Install the CLI configuration for Certbot
   ansible.builtin.template:
-    src: templates/cloudflare.ini
+    src: templates/cli.ini
-    dest: /root/.secrets/cloudflare.ini
+    dest: /etc/letsencrypt/cli.ini
     mode: 0600
     owner: root
     group: root
+
+- name: Install the Porkbun Certbot container definition (quadlet)
+  ansible.builtin.template:
+    src: templates/certbot.container
+    dest: /etc/containers/systemd/certbot.container
+    mode: 0644
+    owner: root
+    group: root
+
+- name: Install the timer for the Certbot quadlet
+  ansible.builtin.template:
+    src: templates/certbot.timer
+    dest: /etc/systemd/system/certbot.timer
+    mode: 0644
+    owner: root
+    group: root
+
+- name: Enable the timer
+  ansible.builtin.systemd_service:
+    daemon_reload: true
+    enabled: true
+    name: certbot.timer
+    state: "started"

roles/certbot/templates/certbot.container

@@ -0,0 +1,12 @@
+[Unit]
+Description=Certbot renewal
+
+[Container]
+Image=docker.io/infinityofspace/certbot_dns_porkbun:latest
+Volume=/etc/letsencrypt:/etc/letsencrypt:z
+Volume=/var/log/letsencrypt:/var/log/letsencrypt:z
+Volume=/etc/porkbun.ini:/conf/porkbun.ini:z
+Exec=certonly -d "{{ ','.join(certbot_domains) }}"
+
+[Service]
+Restart=on-failure

roles/certbot/templates/certbot.timer

@@ -0,0 +1,11 @@
+[Unit]
+Description=Run certbot once a week
+
+[Timer]
+OnCalendar={{ certbot_frequency }}
+AccuracySec=1h
+Persistent=true
+RandomizedDelaySec=100min
+
+[Install]
+WantedBy=timers.target

roles/certbot/templates/cli.ini

@@ -0,0 +1,10 @@
+email = {{ certbot_email }}
+
+agree-tos = true
+non-interactive = true
+
+preferred-challenges = dns
+authenticator = dns-porkbun
+
+dns-porkbun-credentials = /conf/porkbun.ini
+dns-porkbun-propagation-seconds = {{ certbot_propagation_delay }}

roles/certbot/templates/cloudflare.ini

@@ -1 +0,0 @@
-dns_cloudflare_api_token = {{ cloudflare_token }}