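---
# Issue and auto-renew a Let's Encrypt certificate for {{ fqdn }} using the
# DNS-01 challenge. DNS records are added/removed by the templated hook scripts
# (certbot-auth / certbot-cleanup), which are expected to authenticate to the
# DNS server with the Kerberos keytab created below — confirm against the
# script templates, they are not part of this file.
#
# Host assumptions: Alpine Linux (apk repositories), root execution, and a
# `vm/<inventory_hostname>` entry in the passwordstore with `ldap_user` /
# `ldap_pass` subkeys.

# The community repo ships certbot; the line exists but is commented out in a
# stock /etc/apk/repositories, so only strip the leading "#".
- name: Enable community package repo
  lineinfile:
    path: /etc/apk/repositories
    regexp: '^# *(http.*/v[^/]*/community)'
    line: '\1'
    backrefs: true

# bind-tools provides nsupdate for the DNS hooks, py3-pexpect is required by
# the `expect` module used to drive ktutil.
- name: Install packages
  package:
    name:
      - bind-tools
      - certbot
      - krb5
      - py3-pexpect

- name: Configure kerberos
  template:
    dest: /etc/krb5.conf
    src: krb5.conf.j2

# Hook scripts are root-only (0700): they run with access to the keytab and
# are invoked by certbot as root during issuance and renewal.
- name: Copy DNS updater scripts for certbot
  template:
    dest: "/usr/local/bin/{{ item }}"
    src: "{{ item }}.j2"
    mode: "0700"
  loop:
    - certbot-auth
    - certbot-cleanup

# Build /etc/krb5.keytab from the LDAP service account's password.
# The `responses` list contains that password, so `no_log` is mandatory —
# without it the password is written to the Ansible log / -v output as a
# module argument.
# NOTE: kvno 1 is hard-coded; if the principal's password is ever changed on
# the KDC its kvno increments and this keytab stops authenticating. Remove
# /etc/krb5.keytab and re-run the task to regenerate it.
- name: Init kerberos keytab
  expect:
    command: ktutil
    responses:
      '.*:':
        - 'add_entry -password -p {{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="ldap_user") }} -k 1 -e aes256-cts-hmac-sha1-96'
        - '{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="ldap_pass") }}'
        - 'write_kt /etc/krb5.keytab'
        - 'exit'
    creates: /etc/krb5.keytab
  no_log: true

# The keytab is equivalent to the account password; do not rely on ktutil's
# default umask for its permissions.
- name: Restrict keytab permissions
  file:
    path: /etc/krb5.keytab
    owner: root
    group: root
    mode: "0600"

# No contact e-mail is registered, so Let's Encrypt cannot send expiry or
# revocation notices for this account — renewal monitoring must be done
# elsewhere. The `creates` path assumes the default production ACME endpoint;
# update it if `--server` is ever added.
- name: Create LE account
  command:
    cmd: certbot register --agree-tos --register-unsafely-without-email
    creates: /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/*/meta.json

# Manual plugin with auth/cleanup hooks; certbot records the hooks in the
# renewal config so later `certbot renew` runs stay non-interactive.
- name: Create LE certificate
  command:
    cmd: certbot certonly --quiet --manual --preferred-challenges=dns --manual-auth-hook certbot-auth --manual-cleanup-hook certbot-cleanup -d {{ fqdn }}
    creates: "/etc/letsencrypt/renewal/{{ fqdn }}.conf"

# Twice-daily check at an off-the-hour minute, as Let's Encrypt recommends;
# certbot only renews when the certificate is close to expiry.
- name: Enable certbot renewal
  cron:
    name: "certbot renew"
    job: "certbot renew --quiet"
    user: root
    hour: "2,14"
    minute: "38"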