Initial commit, squashed

roles/certbot_dns/tasks/main.yml

@@ -0,0 +1,54 @@
+- name: Enable community package repo
+  lineinfile:
+    path: /etc/apk/repositories
+    regexp: '^# *(http.*/v[^/]*/community)'
+    line: '\1'
+    backrefs: yes
+
+- name: Install packages
+  package:
+    name: bind-tools,certbot,krb5,py3-pexpect
+
+- name: Configure kerberos
+  template:
+    dest: /etc/krb5.conf
+    src: krb5.conf.j2
+
+- name: Copy DNS updater scripts for certbot
+  template:
+    dest: "/usr/local/bin/{{ item }}"
+    src: "{{ item }}.j2"
+    mode: 0700
+  with_items:
+    - certbot-auth
+    - certbot-cleanup
+
+- name: Init kerberos keytab
+  expect:
+    command: ktutil
+    responses:
+      ".*:":
+        - "add_entry -password -p {{ ldap_user }} -k 1 -e aes256-cts-hmac-sha1-96"
+        - "{{ ldap_pass }}"
+        - "write_kt /etc/krb5.keytab"
+        - "exit"
+  args:
+    creates: /etc/krb5.keytab
+
+- name: Create LE account
+  command:
+    cmd: certbot register --agree-tos --register-unsafely-without-email
+    creates: /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/*/meta.json
+
+- name: Create LE certificate
+  command:
+    cmd: certbot certonly --quiet --manual --preferred-challenges=dns --manual-auth-hook certbot-auth --manual-cleanup-hook certbot-cleanup -d {{ fqdn }}
+    creates: "/etc/letsencrypt/renewal/{{ fqdn }}.conf"
+
+- name: Enable certbot renewal
+  cron:
+    name: "certbot renew"
+    job: "certbot renew --quiet"
+    user: root
+    hour: "2,14"
+    minute: "38"

roles/certbot_dns/templates/certbot-auth.j2

@@ -0,0 +1,13 @@
+#!/bin/sh
+
+dns={{ dns[0] }}
+ldap_user={{ ldap_user }}
+ttl=10
+
+kinit -k -t /etc/krb5.keytab "${ldap_user}"
+nsupdate -g <<EOF
+server ${dns}
+update add _acme-challenge.${CERTBOT_DOMAIN} ${ttl} TXT ${CERTBOT_VALIDATION}
+send
+EOF
+sleep $(( ttl + 5 ))

roles/certbot_dns/templates/certbot-cleanup.j2

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+dns={{ dns[0] }}
+ldap_user={{ ldap_user }}
+
+kinit -k -t /etc/krb5.keytab "${ldap_user}"
+nsupdate -g <<EOF
+server ${dns}
+update delete _acme-challenge.${CERTBOT_DOMAIN} TXT
+send
+EOF

roles/certbot_dns/templates/krb5.conf.j2

@@ -0,0 +1,18 @@
+[libdefaults]
+dns_lookup_realm = false
+ticket_lifetime = 24h
+renew_lifetime = 7d
+#forwardable = true
+rdns = false
+default_realm = {{ domain | upper }}
+
+[realms]
+{{ domain | upper }} = {
+{% for server in dns %}
+  kdc = {{ server }}
+{% endfor %}
+}
+
+[domain_realm]
+.fri1.uni-lj.si = {{ domain | upper }}
+fri1.uni-lj.si = {{ domain | upper }}