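- name: Enable community package repo
  # Uncomment the matching "community" entry in the apk repository list so
  # packages from it resolve. backrefs means the line is only rewritten when
  # the regexp matches, so an already-enabled repo is left untouched.
  lineinfile:
    path: /etc/apk/repositories
    regexp: '^# *(http.*/v[^/]*/community)'
    line: '\1'
    backrefs: true  # canonical boolean; "yes" is a YAML 1.1-only truthy form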
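- name: Install packages
  # A real list instead of a comma-joined string; the package module accepts
  # both, the list is easier to diff and extend.
  package:
    name:
      - bind-tools
      - certbot
      - krb5
      - py3-pexpect  # required on the target by the expect task further down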
- name: Configure kerberos
  # Render the Kerberos client configuration from the role's Jinja template.
  template:
    src: krb5.conf.j2
    dest: /etc/krb5.conf
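- name: Copy DNS updater scripts for certbot
  # The two hook scripts are invoked by certbot during DNS-01 validation.
  # Keep them executable by the owner only.
  template:
    src: "{{ item }}.j2"
    dest: "/usr/local/bin/{{ item }}"
    # Quoted: a bare 0700 is read as the octal integer 448 by YAML 1.1 loaders.
    mode: "0700"
  loop:
    - certbot-auth
    - certbot-cleanup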
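- name: Init kerberos keytab
  # Drives ktutil interactively. Every prompt ending in ':' (ktutil's own
  # prompt and, presumably, its password prompt) consumes the next response in
  # order. The principal and its password are pulled from passwordstore, so
  # the task is kept out of logs and verbose output.
  no_log: true
  expect:
    command: ktutil
    responses:
      '.*:':
        - 'add_entry -password -p {{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="ldap_user") }} -k 1 -e aes256-cts-hmac-sha1-96'
        - '{{ lookup("passwordstore", "vm/"~inventory_hostname, subkey="ldap_pass") }}'
        - 'write_kt /etc/krb5.keytab'
        - 'exit'
    # Skip once the keytab exists; re-running would append a second entry.
    creates: /etc/krb5.keytab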
- name: Create LE account
  # Registers an ACME account without a contact address, so no expiry
  # notices will be sent for this host. The glob in creates makes the task
  # a no-op once any account directory holds a meta.json.
  command:
    creates: "/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/*/meta.json"
    cmd: certbot register --agree-tos --register-unsafely-without-email
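- name: Create LE certificate
  # Issue the certificate via DNS-01 using the hook scripts installed above.
  # argv hands each argument over intact, so a value of fqdn containing
  # whitespace or shell metacharacters cannot be split into extra arguments
  # (the command module runs without a shell either way).
  command:
    argv:
      - certbot
      - certonly
      - --quiet
      - --manual
      - --preferred-challenges=dns
      - --manual-auth-hook
      - certbot-auth
      - --manual-cleanup-hook
      - certbot-cleanup
      - -d
      - "{{ fqdn }}"
    # The renewal config is written on success; its presence marks the task done.
    creates: "/etc/letsencrypt/renewal/{{ fqdn }}.conf"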
- name: Enable certbot renewal
  # Root crontab entry at 02:38 and 14:38; certbot itself decides whether a
  # renewal is actually due, so running twice a day is cheap.
  cron:
    name: "certbot renew"
    user: root
    minute: "38"
    hour: "2,14"
    job: "certbot renew --quiet"