proxmox: support certificate renewals with ACME

Certificates must still be requested manually, this just sets the
domain and opens up port 80/tcp. Nothing listens there except for
certbot during renewals so that’s OK.

roles/proxmox/tasks/main.yml

@@ -50,6 +50,13 @@
     dest: /etc/sysctl.d/local.conf
     src: sysctl.conf
 
+- name: Set domain for ACME certificate renewals
+  command:
+    cmd: 'pvenode config set --acme domains={{ interfaces | selectattr("name", "==", "lo")
+             | map(attribute="ip_addresses") | flatten | map(attribute="dns_name")
+             | sort | unique | join(";") }}'
+  changed_when: false # maybe write a proper check if certificate requests are ever ansibled
+
 - include_tasks: firewall.yml
 
 - include_tasks: user.yml

roles/proxmox/templates/cluster.fw.j2

@@ -6,8 +6,11 @@ enable: 1
 
 IN Ping(ACCEPT) -log nolog # don’t be rude
 IN SSH(ACCEPT) -i mgmt # for ansible etc.
+IN HTTP(ACCEPT) # allow HTTP connections for renewing certificates with ACME
+
 IN ACCEPT -source {{ nodes | map('device_address') | flatten | selectattr('family.value', '==', 4) | map(attribute='address') | join(',') }} # my cluster
 IN ACCEPT -source {{ nodes | map('device_address') | flatten | selectattr('family.value', '==', 6) | map(attribute='address') | join(',') }} # my cluster
+
 {% for service in cluster_services %}
 {% set prefixes = service | allowed_prefixes %}
 {% set ports = service.ports | compact_numlist(range_delimiter=':') %}