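- name: Enable community package repo
  # Un-comment the first "# http…/vX.Y/community" entry in the apk
  # repositories file by rewriting the matched line to its captured
  # group. With backrefs the line is only touched when the regexp
  # matches, so once the repo is enabled this task is a no-op.
  lineinfile:
    path: /etc/apk/repositories
    regexp: '^# *(http.*/v[^/]*/community)'
    line: '\1'
    backrefs: true  # canonical boolean; "yes" is a YAML 1.1 truthy alias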
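- name: Install packages
  # Pass the package set as a list rather than a comma-joined string so
  # the module receives it in its documented form.
  # krb5 supplies the ktutil binary driven below; py3-pexpect is the
  # dependency of the expect module. bind-tools is presumably for the
  # DNS update client used by the certbot hook scripts — confirm against
  # the certbot-auth/certbot-cleanup templates.
  package:
    name:
      - bind-tools
      - certbot
      - krb5
      - py3-pexpect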
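- name: Configure kerberos
  # Render the client configuration from the role's template. The mode
  # is pinned explicitly instead of being inherited from the umask of
  # whatever account runs the play.
  template:
    src: krb5.conf.j2
    dest: /etc/krb5.conf
    mode: "0644"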
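- name: Copy DNS updater scripts for certbot
  # Install the two hook scripts that the certbot certonly task below
  # names via --manual-auth-hook / --manual-cleanup-hook. They are
  # owner-only executable; the mode is quoted so YAML does not parse the
  # leading-zero octal as an integer.
  template:
    src: "{{ item }}.j2"
    dest: "/usr/local/bin/{{ item }}"
    mode: "0700"
  loop:
    - certbot-auth
    - certbot-cleanup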
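- name: Init kerberos keytab
  # Drive ktutil interactively: every prompt ending in ":" (the ktutil
  # prompt and the password prompt) is answered with the next response
  # in order. Skipped once the keytab exists.
  # no_log keeps ldap_pass (and the session transcript) out of task
  # output, callbacks and the Ansible log.
  expect:
    command: ktutil
    responses:
      ".*:":
        # NOTE(review): kvno is hard-coded to 1 — confirm it matches the
        # key version held by the KDC, otherwise the keytab will not work.
        - "add_entry -password -p {{ ldap_user }} -k 1 -e aes256-cts-hmac-sha1-96"
        - "{{ ldap_pass }}"
        - "write_kt /etc/krb5.keytab"
        - "exit"
  args:
    creates: /etc/krb5.keytab
  no_log: true
  # NOTE(review): the keytab holds a long-lived key; verify that the
  # resulting /etc/krb5.keytab is root-owned and not group/world readable
  # — nothing here pins its permissions.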
- name: Create LE account
  # Register an ACME account once. The glob under creates: matches the
  # account metadata certbot writes, so re-runs skip this task.
  # --register-unsafely-without-email means Let's Encrypt has no address
  # to send expiry warnings to for this account.
  command: certbot register --agree-tos --register-unsafely-without-email
  args:
    creates: "/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/*/meta.json"
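- name: Create LE certificate
  # Obtain the certificate via the DNS-01 challenge using the hook
  # scripts installed above. argv form passes the templated fqdn as one
  # argument verbatim instead of having it re-split by shlex, so a value
  # containing whitespace or quotes cannot become extra certbot options.
  command:
    argv:
      - certbot
      - certonly
      - --quiet
      - --manual
      - --preferred-challenges=dns
      - --manual-auth-hook
      - certbot-auth
      - --manual-cleanup-hook
      - certbot-cleanup
      - -d
      - "{{ fqdn }}"
    creates: "/etc/letsencrypt/renewal/{{ fqdn }}.conf"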
- name: Enable certbot renewal
  # Twice-daily renewal check as root, at an off-the-hour minute.
  # NOTE(review): the hooks are referenced by bare name (certbot-auth,
  # certbot-cleanup) in the certonly task, so renewal relies on cron's
  # PATH including /usr/local/bin — confirm for this crond.
  cron:
    user: root
    name: "certbot renew"
    minute: "38"
    hour: "2,14"
    job: "certbot renew --quiet"