add certbot

deploy.yml

@@ -5,3 +5,6 @@
 
 - name: Docker setup
   ansible.builtin.import_playbook: playbooks/deploy-docker.yml
+
+- name: Certbot certificate cloudflare setup
+  ansible.builtin.import_playbook: playbooks/deploy-certbot.yml

group_vars/certbot.yml

@@ -0,0 +1,5 @@
+---
+
+cloudflare_credentials_destination: /root/.cloudflare-dns-api-key.ini
+certbot_post_hook_dir: /etc/letsencrypt/renewal-hooks/post
+certbot_live_dir: /etc/letsencrypt/live

group_vars/host_domains.yml

@@ -0,0 +1,7 @@
+---
+
+host_domains:
+  fern.hatecomputers.club:
+    - fern.hatecomputers.club
+    - auth.hatecomputers.club
+    - vpn.hatecomputers.club

inventory

@@ -1,2 +1,11 @@
 [docker]
 fern.hatecomputers.club  ansible_user=root ansible_connection=ssh
+
+[host_domains]
+fern.hatecomputers.club  ansible_user=root ansible_connection=ssh
+
+[certbot]
+fern.hatecomputers.club  ansible_user=root ansible_connection=ssh
+
+[kanidm]
+fern.hatecomputers.club  ansible_user=root ansible_connection=ssh

playbooks/deploy-certbot.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Certbot setup
+  hosts: certbot
+  roles:
+    - certbot

playbooks/roles/certbot/files/renewal_post_upgrade.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+/usr/sbin/service nginx restart

playbooks/roles/certbot/tasks/main.yml

@@ -0,0 +1,64 @@
+---
+
+- name: Install certbot deps
+  ansible.builtin.apt:
+    name:
+      - python3-certbot
+      - python3-certbot-dns-cloudflare
+    state: present
+
+- name: Install
+  ansible.builtin.template:
+    src: cloudflare-credentials.ini.j2
+    dest: "{{ cloudflare_credentials_destination }}"
+    mode: o=rw
+
+- name: Ensure existance of {{ certbot_post_hook_dir }}
+  ansible.builtin.file:
+    path: "{{ certbot_post_hook_dir }}"
+    state: directory
+    mode: o=rw,g=r,a+x
+
+- name: Add renewal_post_upgrade hook
+  ansible.builtin.copy:
+    src: renewal_post_upgrade.sh
+    dest: "{{ certbot_post_hook_dir }}/renewal_post_upgrade.sh"
+    mode: a+x
+    owner: root
+    group: root
+
+- name: Check for existence of certificates
+  ansible.builtin.stat:
+    path: "{{ certbot_live_dir }}/{{ item }}/fullchain.pem"
+  loop: "{{ host_domains[inventory_hostname] }}"
+  register: cert_check
+- name: Construct domains needing ACME requests list
+  ansible.builtin.set_fact:
+    domain_request_list: >
+      {% for domain in host_domains[inventory_hostname] %}
+      {% set domain_index = loop.index0 %}
+      {% if not cert_check.results[domain_index].stat.exists %}
+      {{ domain }}
+      {% endif %}
+      {% endfor %}
+
+- name: Request acmedns challenges if there are such domains that need certs
+  ansible.builtin.shell: >
+    certbot certonly --dns-cloudflare \
+      --dns-cloudflare-credentials {{ cloudflare_credentials_destination }} \
+      --non-interactive \
+      --manual-public-ip-logging-ok \
+      --agree-tos -m {{ certbot_email }} \
+      --preferred-challenges dns --debug-challenges \
+      --dns-cloudflare-propagation-seconds 20 \
+      -d {{ item }}
+  loop: "{{ domain_request_list.split() }}"
+  changed_when: domain_request_list | trim != ''
+
+- name: Certbot daily renewal cron job
+  ansible.builtin.cron:
+    name: "letsencrypt_daily_renewal"
+    special_time: "daily"
+    job: "certbot renew --non-interactive"
+    cron_file: "certbot_renewal"
+    user: root

playbooks/roles/certbot/templates/cloudflare-credentials.ini.j2

@@ -0,0 +1 @@
+dns_cloudflare_api_token = {{ cloudflare_api_token }}

secrets.txt

@@ -1 +1,2 @@
 cloudflare_api_token
+certbot_email