| author | 2022-03-14 22:58:58 +0000 | |
|---|---|---|
| committer | 2022-03-14 23:42:37 +0000 | |
| commit | c6357463caf3c0f63e152e9ec6f5fce3d7b9d145 (patch) | |
| tree | 12f0cacd06e999645324be69be211664d334ac42 /roles/certbot/tasks | |
| parent | Miscellaneous fixes to jumpcloud & NGINX mTLS (diff) | |
Add certbot roles
Add a certbot role that generates a certificate on the first host in the
NGINX group and then deploys it to all other NGINX hosts. As of now we
generate wildcard certs for pythondiscord.com and pydis.wtf.
A unique SSH key is generated for each replica host; on the replica the key is
restricted (`from=`, `restrict`, and a forced write-only `rrsync` command) so it
can only write into the certificate directory. A deploy hook is installed to push renewals to
other hosts.
Diffstat (limited to 'roles/certbot/tasks')
| -rw-r--r-- | roles/certbot/tasks/main.yml | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
new file mode 100644
index 0000000..19d5e1e
--- /dev/null
+++ b/roles/certbot/tasks/main.yml
@@ -0,0 +1,99 @@
+---
+- name: Install certbot and certbot Cloudflare plugin
+ when: inventory_hostname == ansible_play_hosts_all[0]
+ package:
+ name:
+ - python3-certbot
+ - python3-certbot-dns-cloudflare
+ state: present
+ tags:
+ - role::certbot
+
+- name: Install rsync on certbot hosts
+ package:
+ name: rsync
+ state: present
+ tags:
+ - role::certbot
+
+- name: Generate Cloudflare credentials file on designated leader
+ when: inventory_hostname == ansible_play_hosts_all[0]
+ copy:
+ content: |
+ # This file is managed by Ansible
+ dns_cloudflare_api_token = {{ certbot_cloudflare_token }}
+ dest: /etc/letsencrypt/cloudflare.ini
+ owner: root
+ group: root
+ mode: 0400
+ tags:
+ - role::certbot
+
+- name: Generate SSH key for certificate distribution
+ when: inventory_hostname == ansible_play_hosts_all[0]
+ community.crypto.openssh_keypair:
+ path: /root/.ssh/cert_{{ item }}_key_ed25519
+ type: ed25519
+ state: present
+ comment: certificate distribution key for {{ item }}
+ with_items:
+ - "{{ ansible_play_hosts | reject('in', [inventory_hostname]) }}"
+ tags:
+ - role::certbot
+ register: generated_keys
+
+- name: Create certificate directories on replica certificate hosts
+ when: inventory_hostname != ansible_play_hosts[0]
+ file:
+ path: /etc/letsencrypt/live
+ recurse: true
+ state: directory
+ owner: root
+ group: root
+ mode: 0700
+ tags:
+ - role::certbot
+
+- name: Install certificate distribution keys to other NGINX nodes
+ when: inventory_hostname != ansible_play_hosts[0]
+ ansible.posix.authorized_key:
+ user: root
+ state: present
+ key: |
+ {{ hostvars[ansible_play_hosts_all[0]]['generated_keys']['results']
+ | selectattr('item', 'equalto', inventory_hostname)
+ | map(attribute='public_key')
+ | first }}
+ comment: "certificate distribution key"
+ key_options: 'from="{{ hostvars[ansible_play_hosts_all[0]]["wireguard_subnet"] }}",restrict,command="/usr/bin/rrsync -wo /etc/letsencrypt/live"'
+ tags:
+ - role::certbot
+
+- name: Create renewal hook to synchronize certificates
+ when: inventory_hostname == ansible_play_hosts_all[0]
+ template:
+ src: renewal-hook.sh.j2
+ dest: /etc/letsencrypt/renewal-hooks/deploy/distribute-certs
+ owner: root
+ group: root
+ mode: 0500
+ tags:
+ - role::certbot
+
+- name: Request certificates for configured domains
+ when: inventory_hostname == ansible_play_hosts_all[0]
+ command: |
+ certbot certonly
+ --agree-tos
+ --non-interactive
+ --email {{ certbot_email }}
+ --dns-cloudflare
+ --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini
+ --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/distribute-certs
+ -d {{ item }} -d *.{{ item }} -d there.was.no.christmas.party.pydis.wtf
+ args:
+ creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
+ with_items:
+ - "{{ certbot_domains }}"
+ tags:
+ - role::certbot |
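Review bot: The "Generate Cloudflare credentials file" task writes `certbot_cloudflare_token` through `copy: content:` without `no_log: true`, so a run with `--diff` or higher verbosity prints the API token into the play output and any log shipping it; add `no_log: true` to that task. The leader/replica split is also inconsistent: the leader tasks key on `inventory_hostname == ansible_play_hosts_all[0]` while the two replica tasks use `!= ansible_play_hosts[0]`, and those two lists diverge once the first host has failed earlier in the play, which would leave one replica without the authorized key while the others dereference a `generated_keys` that was never registered — use `ansible_play_hosts_all[0]` in all four conditions. The `from=` option on the distribution key admits the whole `wireguard_subnet`; if the leader has a single WireGuard address available in hostvars, pinning `from=` to that address keeps a leaked key unusable from any other tunnel peer even with `restrict,command=` in place. Finally, `-d there.was.no.christmas.party.pydis.wtf` is appended to every entry of `certbot_domains`, so the pythondiscord.com certificate will also carry a pydis.wtf SAN and the request for it may fail if the token cannot answer that zone's challenge; if the name is wanted it belongs in `certbot_domains` or a per-domain extra-SAN variable rather than hard-coded in the loop body.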