Diffstat (limited to 'roles/certbot')
| -rw-r--r-- | roles/certbot/README.md | 3 | ||||
| -rw-r--r-- | roles/certbot/tasks/main.yml | 105 | ||||
| -rw-r--r-- | roles/certbot/templates/renewal-hook.sh.j2 | 6 | ||||
| -rw-r--r-- | roles/certbot/vars/main/main.yml | 6 | ||||
| -rw-r--r-- | roles/certbot/vars/main/vault.yml | 9 |
5 files changed, 0 insertions, 129 deletions
diff --git a/roles/certbot/README.md b/roles/certbot/README.md
deleted file mode 100644
index b9d3e36..0000000
--- a/roles/certbot/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-# Role "certbot"
-
-Installs certbot and the Cloudflare DNS plugin for certbot to provision and deploy TLS certificates for web properties.
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
deleted file mode 100644
index 2cf859c..0000000
--- a/roles/certbot/tasks/main.yml
+++ /dev/null
@@ -1,105 +0,0 @@ ---- -- name: Install certbot and certbot Cloudflare plugin - when: inventory_hostname == ansible_play_hosts_all[0] - package: - name: - - python3-certbot - - python3-certbot-dns-cloudflare - state: present - tags: - - role::certbot - -- name: Install rsync on certbot hosts - package: - name: rsync - state: present - tags: - - role::certbot - -- name: Generate Cloudflare credentials file on designated leader - when: inventory_hostname == ansible_play_hosts_all[0] - copy: - content: | - # This file is managed by Ansible - dns_cloudflare_api_token = {{ certbot_cloudflare_token }} - dest: /etc/letsencrypt/cloudflare.ini - owner: root - group: root - mode: "0400" - tags: - - role::certbot - -- name: Generate SSH key for certificate distribution - when: inventory_hostname == ansible_play_hosts_all[0] - community.crypto.openssh_keypair: - path: /root/.ssh/cert_{{ item }}_key_ed25519 - type: ed25519 - state: present - comment: certificate distribution key for {{ item }} - with_items: - - "{{ ansible_play_hosts | reject('in', [inventory_hostname]) }}" - tags: - - role::certbot - register: generated_keys - -- name: Create certificate directories on replica certificate hosts - when: inventory_hostname != ansible_play_hosts[0] - file: - path: /etc/letsencrypt/live - recurse: true - state: directory - owner: root - group: root - mode: "0700" - tags: - - role::certbot - -- name: Install certificate distribution keys to other NGINX nodes - when: inventory_hostname != ansible_play_hosts[0] - ansible.posix.authorized_key: - user: root - state: present - key: | - {{ hostvars[ansible_play_hosts_all[0]]['generated_keys']['results'] - | selectattr('item', 'equalto', inventory_hostname) - | map(attribute='public_key') - | first }} - comment: "certificate distribution key" - key_options: 'from="{{ hostvars[ansible_play_hosts_all[0]]["wireguard_subnet"] }}",restrict,command="/opt/cert_rsync.sh"' - tags: - - role::certbot - -- name: Ensure renewal-hooks deploy directory 
exists - file: - path: /etc/letsencrypt/renewal-hooks/deploy - recurse: true - state: directory - -- name: Create renewal hook to synchronize certificates - when: inventory_hostname == ansible_play_hosts_all[0] - template: - src: renewal-hook.sh.j2 - dest: /etc/letsencrypt/renewal-hooks/deploy/distribute-certs - owner: root - group: root - mode: "0700" - tags: - role::certbot - -- name: Request certificates for configured domains - when: inventory_hostname == ansible_play_hosts_all[0] - command: | - certbot certonly - --agree-tos - --non-interactive - --email {{ certbot_email }} - --dns-cloudflare - --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini - --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/distribute-certs - -d {{ item }} -d *.{{ item }} -d cloud.native.is.fun.and.easy.pydis.wtf - args: - creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem" - with_items: - - "{{ certbot_domains }}" - tags: - - role::certbot
diff --git a/roles/certbot/templates/renewal-hook.sh.j2 b/roles/certbot/templates/renewal-hook.sh.j2
deleted file mode 100644
index 7fa7252..0000000
--- a/roles/certbot/templates/renewal-hook.sh.j2
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-set -ex
-
-{% for host in ansible_play_hosts if host != inventory_hostname %}
-rsync --copy-links --delete --recursive -e "ssh -i /root/.ssh/cert_{{ host }}_key_ed25519 -o StrictHostKeyChecking=accept-new" /etc/letsencrypt/live/* root@{{ hostvars[host]['wireguard_subnet'] | split("/") | first }}:/etc/letsencrypt/live
-{% endfor %}
diff --git a/roles/certbot/vars/main/main.yml b/roles/certbot/vars/main/main.yml
deleted file mode 100644
index fdfc7b1..0000000
--- a/roles/certbot/vars/main/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-certbot_cloudflare_token: "{{ encrypted_cloudflare_token }}"
-certbot_email: "[email protected]"
-certbot_domains:
- - pydis.wtf
- - pythondiscord.com
diff --git a/roles/certbot/vars/main/vault.yml b/roles/certbot/vars/main/vault.yml
deleted file mode 100644
index c669b69..0000000
--- a/roles/certbot/vars/main/vault.yml
+++ /dev/null
@@ -1,9 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-66336535306366333038666137306135663438346366643735383962623339636236343438633766
-6565343931306531623330373936313730353539303264390a333031363634663236636232386461
-34353239643364653464373531653236383963303137326438343239313136376537336636326162
-3537383737323732310a623836363138646434636165643130366362656661393937346534313632
-37663966613031363036623838326666636231313462363831396366363837343632646131303863
-35363032386463346164623733656463633735376161653361343231326166313466643236623762
-31343562323362353238663666303435353138643463656531373466336639316464376632623731
-32646464393438656134 |