feat(porkbun): switch to global variables for keys

- Introduce 2 global variables with API keys
- Remove redundant role that only installs one config file used by
  another role
- Use the said global variables within DDNS and Certbot roles
- Create the config file in the role that uses it (Certbot)

Signed-off-by: Matej Focko <me@mfocko.xyz>

defaults/main.yml

@@ -27,13 +27,10 @@ hashicorp_vault_address: None
 # Address of the Vaultwarden instance
 vaultwarden_address: None
 
-# Used for Certbot and DDNS
-# Certbot: used for DNS verification of the domain during renewal
-# DDNS: used to update the DNS records of the public IP
-cloudflare_token: None
-
-# Cloudflare zone, the domain
-cloudflare_zone: None
+# Porkbun ‹apikey› and ‹secretapikey› that are used by Certbot (SSL/TLS renewal)
+# and DDNS (updating DNS records)
+porkbun_apikey: None
+porkbun_secretapikey: None
 
 # Public ID tied to the Yubikey OTP
 yubikey_token_id: None

playbooks/bootstrap.yml

@@ -72,6 +72,11 @@
     - role: terminals/kitty
       tags: kitty
 
+    # Install Ptyxis terminal
+    - role: terminals/ptyxis
+      when: ansible_distribution != "Ubuntu"
+      tags: ptyxis
+
     # Install fonts
     - role: fonts
       tags: fonts

roles/base/desktop/tasks/scripts.yml

@@ -1,8 +1,8 @@
 ---
-- name: Install script for toolbox name retrieval
+- name: Install script for toolbox/distrobox name retrieval
   ansible.builtin.copy:
-    src: files/toolbox_name.sh
-    dest: ~/.local/bin/toolbox_name
+    src: files/boxname.sh
+    dest: ~/.local/bin/boxname
     mode: 0700
 
 - name: Install script for paste.sr.ht

roles/base/desktop/tasks/structure.yml

@@ -9,6 +9,7 @@
   loop:
     - ~/.local/bin
     - ~/.local/share
+    - ~/.local/share/applications
     - ~/.ssh
 
 - name: Create empty file for tokens

roles/certbot/defaults/main.yml

@@ -0,0 +1,13 @@
+---
+# List of domains to be certified by Certbot
+certbot_domains: []
+
+# Email to be used when requesting the Let's Encrypt certificate
+certbot_email: None
+
+# Defines the frequency of running the Certbot renewal, follow ‹OnCalendar› docs
+# in the systemd for syntax
+certbot_frequency: weekly
+
+# Delay for propagating of the TXT DNS records when renewing the certificates
+certbot_propagation_delay: 60

roles/certbot/tasks/install.yml

@@ -3,5 +3,4 @@
   ansible.builtin.package:
     name:
       - certbot
-      - python3-certbot-dns-cloudflare
     state: present

roles/certbot/tasks/main.yml

@@ -3,10 +3,39 @@
   ansible.builtin.include_tasks: install.yml
   tags: install
 
-- name: Install the Cloudflare secrets
+- name: Install the CLI configuration for Certbot
   ansible.builtin.template:
-    src: templates/cloudflare.ini
-    dest: /root/.secrets/cloudflare.ini
+    src: templates/cli.ini
+    dest: /etc/letsencrypt/cli.ini
     mode: 0600
     owner: root
     group: root
+
+- name: Create the file with Porkbun secrets
+  ansible.builtin.template:
+    src: templates/porkbun.ini
+    dest: /etc/porkbun.ini
+    mode: 0600
+
+- name: Install the Porkbun Certbot container definition (quadlet)
+  ansible.builtin.template:
+    src: templates/certbot.container
+    dest: /etc/containers/systemd/certbot.container
+    mode: 0644
+    owner: root
+    group: root
+
+- name: Install the timer for the Certbot quadlet
+  ansible.builtin.template:
+    src: templates/certbot.timer
+    dest: /etc/systemd/system/certbot.timer
+    mode: 0644
+    owner: root
+    group: root
+
+- name: Enable the timer
+  ansible.builtin.systemd_service:
+    daemon_reload: true
+    enabled: true
+    name: certbot.timer
+    state: "started"

roles/certbot/templates/certbot.container

@@ -0,0 +1,12 @@
+[Unit]
+Description=Certbot renewal
+
+[Container]
+Image=docker.io/infinityofspace/certbot_dns_porkbun:latest
+Volume=/etc/letsencrypt:/etc/letsencrypt:z
+Volume=/var/log/letsencrypt:/var/log/letsencrypt:z
+Volume=/etc/porkbun.ini:/conf/porkbun.ini:z
+Exec=certonly -d "{{ ','.join(certbot_domains) }}"
+
+[Service]
+Restart=on-failure

roles/certbot/templates/certbot.timer

@@ -0,0 +1,11 @@
+[Unit]
+Description=Run certbot once a week
+
+[Timer]
+OnCalendar={{ certbot_frequency }}
+AccuracySec=1h
+Persistent=true
+RandomizedDelaySec=100min
+
+[Install]
+WantedBy=timers.target

roles/certbot/templates/cli.ini

@@ -0,0 +1,10 @@
+email = {{ certbot_email }}
+
+agree-tos = true
+non-interactive = true
+
+preferred-challenges = dns
+authenticator = dns-porkbun
+
+dns-porkbun-credentials = /conf/porkbun.ini
+dns-porkbun-propagation-seconds = {{ certbot_propagation_delay }}

roles/certbot/templates/cloudflare.ini

@@ -1 +0,0 @@
-dns_cloudflare_api_token = {{ cloudflare_token }}

roles/certbot/templates/porkbun.ini

@@ -0,0 +1,2 @@
+dns_porkbun_key={{ porkbun_apikey }}
+dns_porkbun_secret={{ porkbun_secretapikey }}

roles/cups/tasks/main.yml

@@ -15,6 +15,7 @@
     immediate: true
     permanent: true
     state: enabled
+  when: ansible_facts.services['firewalld'] is defined
   tags: firewall
 
 - name: Enable cups

roles/ddns/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+# Domain for which the DDNS manages DDNS entries
+ddns_domain: None
+
+# List of all subdomains on the said domain for which the IP should be set
+ddns_subdomains: []

roles/ddns/files/ddns.service

@@ -1,7 +0,0 @@
-[Unit]
-Description=Run inadyn in a container to update DNS
-After=network.target
-
-[Service]
-Type=oneshot
-ExecStart=podman run --rm -v "/etc/inadyn.conf:/etc/inadyn.conf" -v "/var/cache/inadyn:/var/cache/inadyn" docker.io/troglobit/inadyn:latest -1 --cache-dir=/var/cache/inadyn

roles/ddns/files/ddns.timer

@@ -1,10 +0,0 @@
-[Unit]
-Description=Run inadyn every 15 minutes
-
-[Timer]
-OnCalendar=*:00,15,30,45:00
-RandomizedDelaySec=1h
-Persistent=true
-
-[Install]
-WantedBy=timers.target

roles/ddns/tasks/main.yml

@@ -1,34 +1,23 @@
 ---
-- name: Install the config file
+- name: Install the config file for DDNS
   ansible.builtin.template:
-    src: templates/inadyn.conf
-    dest: /etc/inadyn.conf
+    src: templates/ddns.ini
+    dest: /etc/ddns.ini
     mode: 0600
     owner: root
     group: root
 
-- name: Create the cache directory
-  ansible.builtin.file:
-    path: /var/cache/inadyn
-    state: directory
-    mode: 0700
-    owner: root
-    group: root
-
-- name: Install the unit files
-  ansible.builtin.copy:
-    src: files/{{ item }}
-    dest: /etc/systemd/system/{{ item }}
+- name: Install the DDNS quadlet
+  ansible.builtin.template:
+    src: templates/ddns.container
+    dest: /etc/containers/systemd/ddns.container
     mode: 0644
     owner: root
     group: root
-  loop:
-    - ddns.service
-    - ddns.timer
 
-- name: Enable the timer
+- name: Enable the DDNS quadlet
   ansible.builtin.systemd_service:
     daemon_reload: true
     enabled: true
-    name: ddns.timer
+    name: ddns.service
     state: "started"

roles/ddns/templates/ddns.container

@@ -0,0 +1,12 @@
+[Unit]
+Description=DDNS Update
+
+[Container]
+Image=docker.io/mietzen/porkbun-ddns:latest
+EnvironmentFile=/etc/ddns.ini
+
+[Service]
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/ddns/templates/ddns.ini

@@ -0,0 +1,4 @@
+DOMAIN={{ ddns_domain }}
+SUBDOMAINS={{ ','.join(ddns_subdomains) }}
+APIKEY={{ porkbun_apikey }}
+SECRETAPIKEY={{ porkbun_secretapikey }}

roles/ddns/templates/inadyn.conf

@@ -1,15 +0,0 @@
-period     = 300
-allow-ipv6 = true
-
-provider cloudflare.com:1 {
-    username = {{ cloudflare_zone }}
-    password = {{ cloudflare_token }}
-    hostname = {{ host_fqdn }}
-}
-
-provider cloudflare.com:2 {
-    username = {{ cloudflare_zone }}
-    password = {{ cloudflare_token }}
-    hostname = {{ host_fqdn }}
-    wildcard = true
-}

roles/editors/helix/tasks/install_Archlinux.yml

@@ -0,0 +1 @@
+install_generic.yml

roles/editors/helix/tasks/install_fedora-family.yml

@@ -3,6 +3,7 @@
   community.general.copr:
     name: varlad/helix
     state: enabled
+  when: ansible_distribution not in ("AlmaLinux")
   become: true
 
 - name: Install the Helix

roles/editors/helix/tasks/install_openSUSE Tumbleweed.yml

@@ -1 +1 @@
-install_suse.yml
+install_generic.yml

roles/editors/vscode/tasks/main.yml

@@ -38,4 +38,5 @@
     cmd: bash /home/{{ target_user }}/.local/bin/code-update.sh
     creates: /opt/VSCode-linux-x64
   become: true
+  when: false
   tags: install

roles/fail2ban/tasks/main.yml

@@ -1,3 +0,0 @@
----
-# TODO
-# Consider moving it to the firewall…

roles/flatpak/tasks/install.yml

@@ -0,0 +1,6 @@
+---
+- name: Install the required packages
+  ansible.builtin.package:
+    name: flatpak
+    state: present
+  become: true

roles/flatpak/tasks/main.yml

@@ -1,4 +1,8 @@
 ---
+- name: Packages
+  ansible.builtin.include_tasks: install.yml
+  tags: install
+
 - name: Enable Flathub
   community.general.flatpak_remote:
     name: flathub

roles/lang/rust/tasks/main.yml

@@ -1,2 +0,0 @@
----
-# TODO

roles/nginx/tasks/main.yml

@@ -80,6 +80,7 @@
   loop:
     - http
     - https
+  when: ansible_facts.services['firewalld'] is defined
   tags: firewall
 
 - name: Enable nginx

roles/os/el/files/google-chrome.repo

@@ -0,0 +1,6 @@
+[google-chrome]
+name=google-chrome
+baseurl=http://dl.google.com/linux/chrome/rpm/stable/x86_64
+enabled=1
+gpgcheck=1
+gpgkey=https://dl.google.com/linux/linux_signing_key.pub

roles/os/el/tasks/main.yml

@@ -29,5 +29,23 @@
   community.general.copr:
     name: mfocko/mfocko
     state: enabled
-    chroot: "epel-9-{{ ansible_architecture }}"
+    chroot: "epel-{{ ansible_distribution_major_version }}-{{ ansible_architecture }}"
   become: true
+
+- name: Install RPMFusion RPMs with GPG keys
+  ansible.builtin.dnf:
+    name:
+      - "https://mirrors.rpmfusion.org/free/el/rpmfusion-free-release-{{ ansible_distribution_major_version }}.noarch.rpm"
+      - "https://mirrors.rpmfusion.org/nonfree/el/rpmfusion-nonfree-release-{{ ansible_distribution_major_version }}.noarch.rpm"
+    disable_gpg_check: true
+    state: present
+  tags: os-el-rpmfusion
+
+- name: Install Google Chrome repository
+  ansible.builtin.copy:
+    src: files/google-chrome.repo
+    dest: /etc/yum.repos.d/google-chrome.repo
+    mode: 0640
+    owner: root
+    group: root
+  tags: os-el-chrome

roles/postgresql/tasks/main.yml

@@ -1,2 +0,0 @@
----
-# TODO

roles/shell/zsh/files/starship.toml

@@ -38,18 +38,11 @@ style = "cyan"
 [git_status]
 format = "[[(*$conflicted$untracked$modified$staged$renamed$deleted)](218) ($ahead_behind$stashed)]($style) "
 style = "cyan"
-conflicted = "​"
-untracked = "​"
-modified = "​"
-staged = "​"
-renamed = "​"
-deleted = "​"
-stashed = "≡"
 
 [custom.toolbox]
 when = "ls /run/.containerenv"
-symbol = " "
-command = "~/.local/bin/toolbox_name.sh"
+symbol = "󰡨  "
+command = "~/.local/bin/boxname"
 format = "in [$symbol($output )]($style)"
 style = "bold purple"
 

roles/sshd/tasks/install.yml

@@ -1,13 +1,18 @@
 ---
+- name: SSH family packages for co-Ubuntu
+  ansible.builtin.set_fact:
+    ssh_packages: [openssh, openssh-clients, openssh-server]
+  when: ansible_distribution not in ("Ubuntu", "Archlinux")
+
 - name: SSH family packages for Ubuntu
   ansible.builtin.set_fact:
     ssh_packages: [openssh-client, openssh-server]
   when: ansible_distribution == "Ubuntu"
 
-- name: SSH family packages for co-Ubuntu
+- name: SSH family package for archLinux
   ansible.builtin.set_fact:
-    ssh_packages: [openssh, openssh-clients, openssh-server]
-  when: ansible_distribution != "Ubuntu"
+    ssh_packages: [openssh]
+  when: ansible_distribution == "Archlinux"
 
 - name: Install the SSH family
   ansible.builtin.package:

roles/sshd/tasks/main.yml

@@ -41,6 +41,7 @@
     immediate: true
     permanent: true
     state: enabled
+  when: ansible_facts.services['firewalld'] is defined
   notify: "Restart SSH server"
   tags: firewall
 
@@ -49,6 +50,7 @@
     service: ssh
     permanent: true
     state: disabled
+  when: ansible_facts.services['firewalld'] is defined
   tags: firewall
 
 - name: Set trusted CA

roles/terminals/ptyxis/tasks/main.yml

@@ -0,0 +1,6 @@
+---
+- name: Install Ptyxis
+  community.general.flatpak:
+    name: "https://nightly.gnome.org/repo/appstream/org.gnome.Ptyxis.Devel.flatpakref"
+    state: present
+  become: true

roles/wg/tasks/main.yml

@@ -41,7 +41,7 @@
     gateway: "{{ wg_gateway }}"
     peers: "{{ wg_peers }}"
   ansible.builtin.template:
-    src: "{{ wg_ifname }}.conf"
+    src: "templates/wg.conf"
     dest: "/etc/wireguard/{{ wg_ifname }}.conf"
     owner: root
     group: root
@@ -49,7 +49,7 @@
 
 - name: Set up the DNS on AlmaLinux
   ansible.builtin.include_tasks: "dns_{{ ansible_distribution }}.yml"
-  when: domain and ansible_distribution == "AlmaLinux"
+  when: wg_domain and ansible_distribution == "AlmaLinux"
 
 - name: Enable and start the wireguard connection
   ansible.builtin.service: