fix(certbot): migrate from Cloudflare to Porkbun

Signed-off-by: Matej Focko <me@mfocko.xyz>
Matej Focko 2024-11-11 17:03:53 +01:00
parent 45a41d7c99
commit f6428b2406
Signed by: mfocko
SSH key fingerprint: SHA256:icm0fIOSJUpy5+1x23sfr+hLtF9UhY8VpMC7H4WFJP8
8 changed files with 72 additions and 13 deletions


@ -27,14 +27,6 @@ hashicorp_vault_address: None
# Address of the Vaultwarden instance # Address of the Vaultwarden instance
vaultwarden_address: None vaultwarden_address: None
# Used for Certbot and DDNS
# Certbot: used for DNS verification of the domain during renewal
# DDNS: used to update the DNS records of the public IP
cloudflare_token: None
# Cloudflare zone, the domain
cloudflare_zone: None
# Public ID tied to the Yubikey OTP # Public ID tied to the Yubikey OTP
yubikey_token_id: None yubikey_token_id: None


@ -0,0 +1,13 @@
---
# List of domains to be certified by Certbot
certbot_domains: []
# Email to be used when requesting the Let's Encrypt certificate
certbot_email: None
# Defines the frequency of running the Certbot renewal, follow OnCalendar docs
# in the systemd for syntax
certbot_frequency: weekly
# Delay for propagating of the TXT DNS records when renewing the certificates
certbot_propagation_delay: 60
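Review bot: `certbot_email: None` and `certbot_domains: []` are reasonable placeholders, but nothing in the role validates them before they are templated: under Ansible's YAML loader `None` is the string "None" (only `null`/`~` are null), so an unset email renders as `email = None` in cli.ini and an empty list renders as `certonly -d ""` in the quadlet, and both only fail at the first timer run rather than at play time. An `ansible.builtin.assert` at the top of the role checking `certbot_email != "None"` and `certbot_domains | length > 0` would fail fast. The `None` sentinel itself matches the existing defaults, so it is fine to keep; the delay comment could also read `# Seconds to wait for the TXT records to propagate before Let's Encrypt validates them`.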


@ -3,5 +3,4 @@
ansible.builtin.package: ansible.builtin.package:
name: name:
- certbot - certbot
- python3-certbot-dns-cloudflare
state: present state: present


@ -3,10 +3,33 @@
ansible.builtin.include_tasks: install.yml ansible.builtin.include_tasks: install.yml
tags: install tags: install
- name: Install the Cloudflare secrets - name: Install the CLI configuration for Certbot
ansible.builtin.template: ansible.builtin.template:
src: templates/cloudflare.ini src: templates/cli.ini
dest: /root/.secrets/cloudflare.ini dest: /etc/letsencrypt/cli.ini
mode: 0600 mode: 0600
owner: root owner: root
group: root group: root
- name: Install the Porkbun Certbot container definition (quadlet)
ansible.builtin.template:
src: templates/certbot.container
dest: /etc/containers/systemd/certbot.container
mode: 0644
owner: root
group: root
- name: Install the timer for the Certbot quadlet
ansible.builtin.template:
src: templates/certbot.timer
dest: /etc/systemd/system/certbot.timer
mode: 0644
owner: root
group: root
- name: Enable the timer
ansible.builtin.systemd_service:
daemon_reload: true
enabled: true
name: certbot.timer
state: "started"
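Review bot: Nothing in this hunk writes the Porkbun credentials file: the quadlet bind-mounts `/etc/porkbun.ini` and cli.ini points `dns-porkbun-credentials` at it, so unless another role I cannot see provides it, the first run fails — and because podman (I believe) creates a missing bind-mount source as an empty directory, the failure will be confusing. The replaced task protected the Cloudflare token with `mode: 0600`; the Porkbun API key deserves the same, and the old `/root/.secrets/cloudflare.ini` is left on disk holding a still-valid token, so add a task that templates `/etc/porkbun.ini` with `mode: "0600"` and one that removes the old secret, and revoke the Cloudflare token once DDNS no longer needs it. Quoting the modes (`mode: "0644"`) also stops relying on the YAML-1.1 octal coincidence 0644 → 420 → 0o644.
```yaml
# … unchanged: install.yml include and the cli.ini template task …
- name: Install the Porkbun API credentials for Certbot
  ansible.builtin.template:
    src: templates/porkbun.ini  # not part of this commit
    dest: /etc/porkbun.ini
    mode: "0600"
    owner: root
    group: root
- name: Remove the stale Cloudflare secrets from the previous setup
  ansible.builtin.file:
    path: /root/.secrets/cloudflare.ini
    state: absent
# … unchanged: quadlet, timer and enable tasks …
```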


@ -0,0 +1,12 @@
[Unit]
Description=Certbot renewal
[Container]
Image=docker.io/infinityofspace/certbot_dns_porkbun:latest
Volume=/etc/letsencrypt:/etc/letsencrypt:z
Volume=/var/log/letsencrypt:/var/log/letsencrypt:z
Volume=/etc/porkbun.ini:/conf/porkbun.ini:z
Exec=certonly -d "{{ ','.join(certbot_domains) }}"
[Service]
Restart=on-failure
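Review bot: `Image=docker.io/infinityofspace/certbot_dns_porkbun:latest` hands a mutable third-party tag the Porkbun API key and write access to `/etc/letsencrypt`, so whoever controls that tag controls this host's certificates and DNS zone. Pin it by digest (`Image=docker.io/infinityofspace/certbot_dns_porkbun@sha256:…`) and bump it deliberately, and make the `Pull=`/`AutoUpdate=` policy explicit instead of inheriting podman's defaults. `Restart=on-failure` on a job that is already driven by a timer retries a failed DNS validation immediately until the start limit, and each attempt counts against Let's Encrypt's failed-validation rate limit; dropping it and letting the next timer run retry is safer. Also confirm that `:z` on `/etc/letsencrypt` is intended — it relabels the host directory's contents, which may affect the host service that reads the certificates.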


@ -0,0 +1,11 @@
[Unit]
Description=Run certbot once a week
[Timer]
OnCalendar={{ certbot_frequency }}
AccuracySec=1h
Persistent=true
RandomizedDelaySec=100min
[Install]
WantedBy=timers.target
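Review bot: `Description=Run certbot once a week` hard-codes a schedule that `OnCalendar={{ certbot_frequency }}` makes configurable, so `systemctl list-timers` will mislead as soon as `certbot_frequency` is changed; `Description=Run the Certbot renewal container ({{ certbot_frequency }})` keeps it honest. The timer also relies on the quadlet generating `certbot.service` from `certbot.container`; a comment `# Triggers certbot.service, generated from /etc/containers/systemd/certbot.container` would save the next reader the lookup.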


@ -0,0 +1,10 @@
email = {{ certbot_email }}
agree-tos = true
non-interactive = true
preferred-challenges = dns
authenticator = dns-porkbun
dns-porkbun-credentials = /conf/porkbun.ini
dns-porkbun-propagation-seconds = {{ certbot_propagation_delay }}
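Review bot: `/etc/letsencrypt/cli.ini` is read by every certbot invocation, and install.yml still installs the host `certbot` package, so an operator running `certbot renew` on the host now hits `authenticator = dns-porkbun` (a plugin present only in the container) and a credentials path `/conf/porkbun.ini` that only exists inside it. Either drop the host package now that renewals happen in the container, or add a header comment `# Read by the certbot container; the host certbot cannot use dns-porkbun` so the failure is not a surprise. `email = {{ certbot_email }}` with the role default `None` also reaches Let's Encrypt as a literal address — guard it wherever the role validates its variables.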


@ -1 +0,0 @@
dns_cloudflare_api_token = {{ cloudflare_token }}