fix(certbot): migrate from Cloudflare to Porkbun
Signed-off-by: Matej Focko <me@mfocko.xyz>
This commit is contained in:
parent
45a41d7c99
commit
f6428b2406
8 changed files with 72 additions and 13 deletions
|
@ -27,14 +27,6 @@ hashicorp_vault_address: None
|
||||||
# Address of the Vaultwarden instance
|
# Address of the Vaultwarden instance
|
||||||
vaultwarden_address: None
|
vaultwarden_address: None
|
||||||
|
|
||||||
# Used for Certbot and DDNS
|
|
||||||
# Certbot: used for DNS verification of the domain during renewal
|
|
||||||
# DDNS: used to update the DNS records of the public IP
|
|
||||||
cloudflare_token: None
|
|
||||||
|
|
||||||
# Cloudflare zone, the domain
|
|
||||||
cloudflare_zone: None
|
|
||||||
|
|
||||||
# Public ID tied to the Yubikey OTP
|
# Public ID tied to the Yubikey OTP
|
||||||
yubikey_token_id: None
|
yubikey_token_id: None
|
||||||
|
|
||||||
|
|
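--- a/roles/certbot/defaults/main.yml
+++ b/roles/certbot/defaults/main.yml
@@ -0,0 +1,13 @@
+---
+# List of domains to be certified by Certbot
+certbot_domains: []
+
+# Email to be used when requesting the Let's Encrypt certificate
+certbot_email: None
+
+# Defines the frequency of running the Certbot renewal, follow ‹OnCalendar› docs
+# in the systemd for syntax
+certbot_frequency: weekly
+
+# Delay for propagating of the TXT DNS records when renewing the certificates
+certbot_propagation_delay: 60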
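Review bot: `certbot_email: None` is the string "None", not a YAML null (only `null`, `~` and their case variants are null in YAML 1.1), so an unset email renders literally as `email = None` in `templates/cli.ini` and certbot would submit that as the ACME account contact. This follows the existing `vaultwarden_address: None` convention, but for a value that ends up in an external registration it is safer to write `certbot_email: null` and state above it that the playbook must set it, e.g. `# Required: contact email registered with the Let's Encrypt account`. The same applies to `certbot_domains: []`, which left at its default renders as `-d ""` in certbot.container.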
|
@ -3,5 +3,4 @@
|
||||||
ansible.builtin.package:
|
ansible.builtin.package:
|
||||||
name:
|
name:
|
||||||
- certbot
|
- certbot
|
||||||
- python3-certbot-dns-cloudflare
|
|
||||||
state: present
|
state: present
|
||||||
|
|
|
@ -3,10 +3,33 @@
|
||||||
ansible.builtin.include_tasks: install.yml
|
ansible.builtin.include_tasks: install.yml
|
||||||
tags: install
|
tags: install
|
||||||
|
|
||||||
- name: Install the Cloudflare secrets
|
- name: Install the CLI configuration for Certbot
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: templates/cloudflare.ini
|
src: templates/cli.ini
|
||||||
dest: /root/.secrets/cloudflare.ini
|
dest: /etc/letsencrypt/cli.ini
|
||||||
mode: 0600
|
mode: 0600
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
|
||||||
|
- name: Install the Porkbun Certbot container definition (quadlet)
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: templates/certbot.container
|
||||||
|
dest: /etc/containers/systemd/certbot.container
|
||||||
|
mode: 0644
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
|
||||||
|
- name: Install the timer for the Certbot quadlet
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: templates/certbot.timer
|
||||||
|
dest: /etc/systemd/system/certbot.timer
|
||||||
|
mode: 0644
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
|
||||||
|
- name: Enable the timer
|
||||||
|
ansible.builtin.systemd_service:
|
||||||
|
daemon_reload: true
|
||||||
|
enabled: true
|
||||||
|
name: certbot.timer
|
||||||
|
state: "started"
|
||||||
|
|
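Review bot: Nothing in this task list provisions the Porkbun credentials file that the new container bind-mounts from `/etc/porkbun.ini` (and that cli.ini reads as `/conf/porkbun.ini`); the removed Cloudflare task was the only step that wrote DNS credentials, and no replacement is visible among this commit's 8 files. Without it the renewal run has no API key, and a bind mount whose host source is absent may be created as an empty directory rather than a file. A templated task with the same root-only `0600` permissions the old secrets file had closes the gap. Independently, `mode: 0600` and `mode: 0644` are unquoted octal literals parsed as YAML 1.1 integers, and Ansible recommends quoting them, `mode: "0600"`. Finally, `dest: /etc/systemd/system/certbot.timer` will shadow a distribution-provided `certbot.timer` if the host `certbot` package that install.yml still installs ships one, which is worth confirming on the target OS.
```yaml
# … unchanged: include_tasks and CLI configuration task …
- name: Install the Porkbun credentials for Certbot
  ansible.builtin.template:
    src: templates/porkbun.ini  # constructed path: template still to be added to the role
    dest: /etc/porkbun.ini
    mode: "0600"
    owner: root
    group: root
# … unchanged: quadlet, timer and enable tasks …
```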
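--- a/roles/certbot/templates/certbot.container
+++ b/roles/certbot/templates/certbot.container
@@ -0,0 +1,12 @@
+[Unit]
+Description=Certbot renewal
+
+[Container]
+Image=docker.io/infinityofspace/certbot_dns_porkbun:latest
+Volume=/etc/letsencrypt:/etc/letsencrypt:z
+Volume=/var/log/letsencrypt:/var/log/letsencrypt:z
+Volume=/etc/porkbun.ini:/conf/porkbun.ini:z
+Exec=certonly -d "{{ ','.join(certbot_domains) }}"
+
+[Service]
+Restart=on-failure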
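Review bot: `Image=docker.io/infinityofspace/certbot_dns_porkbun:latest` pulls a mutable tag of a third-party image that is handed the Porkbun API credentials and read-write access to the ACME account and private keys under `/etc/letsencrypt`, so each timer run may execute whatever was most recently pushed under that tag. Pin the image to a digest (or at least a specific version tag) and bump it deliberately, e.g. `Image=docker.io/infinityofspace/certbot_dns_porkbun@sha256:<PINNED_DIGEST>`. The `/etc/porkbun.ini` bind mount also presumes the file exists on the host, and I could not find a task creating it in this commit. Separately, `Restart=on-failure` on a service the timer starts for a one-off renewal will keep relaunching certbot on a persistent error such as a wrong API key, which with DNS challenges risks hitting ACME rate limits; `Restart=no`, leaving retries to the next timer run, looks like the intended behaviour but is worth confirming against the quadlet-generated unit.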
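--- a/roles/certbot/templates/certbot.timer
+++ b/roles/certbot/templates/certbot.timer
@@ -0,0 +1,11 @@
+[Unit]
+Description=Run certbot once a week
+
+[Timer]
+OnCalendar={{ certbot_frequency }}
+AccuracySec=1h
+Persistent=true
+RandomizedDelaySec=100min
+
+[Install]
+WantedBy=timers.target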
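Review bot: `Description=Run certbot once a week` hardcodes a schedule that `OnCalendar={{ certbot_frequency }}` makes configurable, so the unit describes itself wrongly as soon as the default is overridden; `Description=Run certbot renewal ({{ certbot_frequency }})` keeps the two in step. The timer has no `Unit=` line, so it relies on the quadlet generating a `certbot.service` from certbot.container under the matching name, and nothing in this file says so; a one-line comment at the top, `# Triggers certbot.service, generated by quadlet from certbot.container`, makes that dependency explicit for the next maintainer.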
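--- a/roles/certbot/templates/cli.ini
+++ b/roles/certbot/templates/cli.ini
@@ -0,0 +1,10 @@
+email = {{ certbot_email }}
+
+agree-tos = true
+non-interactive = true
+
+preferred-challenges = dns
+authenticator = dns-porkbun
+
+dns-porkbun-credentials = /conf/porkbun.ini
+dns-porkbun-propagation-seconds = {{ certbot_propagation_delay }}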
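Review bot: `dns-porkbun-credentials = /conf/porkbun.ini` is the path inside the container, yet this file is installed on the host at `/etc/letsencrypt/cli.ini`, where the host `certbot` package that install.yml still installs would read it as well; a host-side invocation would then fail on the unknown `dns-porkbun` authenticator and the missing `/conf` path. A comment at the top of the template, `# Rendered for the certbot_dns_porkbun container; paths below are container paths (see certbot.container)`, makes the intended consumer explicit. Whether the host certbot is still needed after this migration is a decision worth recording in install.yml.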
@ -1 +0,0 @@
|
||||||
dns_cloudflare_api_token = {{ cloudflare_token }}
|
|