network/roles/certbot_dns/tasks/main.yml


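---
# Alpine ships the "community" repository commented out in
# /etc/apk/repositories; uncomment that entry so the packages installed below
# (certbot, krb5, ...) can be resolved.
- name: Enable community package repo
  lineinfile:
    path: /etc/apk/repositories
    # Group 1 captures the repository URL after the leading "# " and
    # the line is replaced by that group alone, dropping the comment marker.
    regexp: '^# *(http.*/v[^/]*/community)'
    line: '\1'
    # Canonical boolean instead of the YAML 1.1-only "yes".
    backrefs: true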
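# Packages needed by the rest of this role: krb5 provides ktutil (used to
# build the keytab below), py3-pexpect is required on the target by the
# expect module, certbot is the ACME client and bind-tools presumably
# supplies the DNS update client for the auth/cleanup hooks — confirm
# against the templated scripts.
- name: Install packages
  package:
    # A real list instead of a comma-separated string; the module accepts
    # both, but a list is unambiguous and diffs cleanly.
    name:
      - bind-tools
      - certbot
      - krb5
      - py3-pexpect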
# Render the Kerberos client configuration used by the ktutil step below.
- name: Configure kerberos
  template:
    src: 'krb5.conf.j2'
    dest: '/etc/krb5.conf'
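# Install the manual-auth and manual-cleanup hooks that certbot invokes
# during the DNS-01 challenge. They run as root and may carry credentials,
# so they are readable and executable by root only.
- name: Copy DNS updater scripts for certbot
  template:
    src: "{{ item }}.j2"
    dest: "/usr/local/bin/{{ item }}"
    # Quoted so the mode is passed as the octal string "0700" regardless of
    # whether the YAML loader applies 1.1 or 1.2 integer rules.
    mode: "0700"
  loop:
    - certbot-auth
    - certbot-cleanup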
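# Drive ktutil interactively to create /etc/krb5.keytab for the host's LDAP
# principal. Principal and password come from the passwordstore lookup and
# are sent as prompt responses, so the task output is suppressed to keep
# them out of logs and verbose/-vvv output.
- name: Init kerberos keytab
  expect:
    command: ktutil
    # Every prompt ends in ":"; the list is consumed in order, one entry
    # per matching prompt (ktutil prompt, password prompt, then two more
    # ktutil prompts).
    responses:
      '.*:':
        - 'add_entry -password -p {{ lookup("passwordstore", "hosts/"~inventory_hostname, subkey="ldap_user") }} -k 1 -e aes256-cts-hmac-sha1-96'
        - '{{ lookup("passwordstore", "hosts/"~inventory_hostname, subkey="ldap_pass") }}'
        - 'write_kt /etc/krb5.keytab'
        - 'exit'
    # Skip once the keytab exists; ktutil is not idempotent on its own.
    creates: /etc/krb5.keytab
  # The responses contain a password; never log this task's arguments or
  # its captured session. Temporarily drop this when debugging the prompts.
  no_log: true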
# Register an ACME account with Let's Encrypt. No contact e-mail is
# registered, so expiry or revocation notices from the CA will not arrive;
# renewal relies entirely on the cron job at the end of this file.
- name: Create LE account
  command:
    # The glob matches the generated account id; the path is specific to
    # the production ACME v2 endpoint.
    creates: '/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/*/meta.json'
    cmd: 'certbot register --agree-tos --register-unsafely-without-email'
# Obtain the host certificate via DNS-01 using the hook scripts installed
# above. Folded scalar: the lines are joined with single spaces at load time.
- name: Create LE certificate
  command:
    creates: "/etc/letsencrypt/renewal/{{ fqdn }}.conf"
    cmd: >-
      certbot certonly --quiet --manual --preferred-challenges=dns
      --manual-auth-hook certbot-auth --manual-cleanup-hook certbot-cleanup
      -d {{ fqdn }}
# Twice-daily renewal attempt as root; certbot only renews certificates
# that are close to expiry, so running it often is harmless.
- name: Enable certbot renewal
  cron:
    user: root
    name: "certbot renew"
    # Off-the-hour minute to avoid the top-of-hour renewal rush.
    minute: "38"
    hour: "2,14"
    job: "certbot renew --quiet"