From c7a20e14a1d1608a6e8fa823fd1cb0259f166822 Mon Sep 17 00:00:00 2001
From: Thomas Kleinendorst
Date: Fri, 12 Apr 2024 11:49:45 +0200
Subject: [PATCH] Add certbot installation with root cert renew
---
 roles/reverse-proxy/handlers/main.yml | 5 ++
 roles/reverse-proxy/tasks/main.yml | 47 +++++++++++++++++++
 .../reverse-proxy/templates/cloudflare.ini.j2 | 2 +
 .../templates/register_certbot_domain.sh.j2 | 6 +++
 roles/reverse-proxy/vars/main/defaults.yml | 1 +
 roles/reverse-proxy/vars/main/vault.yml | 9 ++++
 roles/snapcraft/tasks/main.yml | 11 +++++
 roles/user/tasks/main.yml | 6 ++-
 vault.yml | 28 ++++++-----
 9 files changed, 101 insertions(+), 14 deletions(-)
 create mode 100644 roles/reverse-proxy/handlers/main.yml
 create mode 100644 roles/reverse-proxy/templates/cloudflare.ini.j2
 create mode 100644 roles/reverse-proxy/templates/register_certbot_domain.sh.j2
 create mode 100644 roles/reverse-proxy/vars/main/vault.yml
 create mode 100644 roles/snapcraft/tasks/main.yml
diff --git a/roles/reverse-proxy/handlers/main.yml b/roles/reverse-proxy/handlers/main.yml
new file mode 100644
index 0000000..9e0275e
--- /dev/null
+++ b/roles/reverse-proxy/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Confirm Certbot plugin containment level
+ become: true
+ ansible.builtin.command:
+ cmd: snap set certbot trust-plugin-with-root=ok
diff --git a/roles/reverse-proxy/tasks/main.yml b/roles/reverse-proxy/tasks/main.yml
index f531371..7f4f479 100644
--- a/roles/reverse-proxy/tasks/main.yml
+++ b/roles/reverse-proxy/tasks/main.yml
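Review bot: The handler name `Confirm Certbot plugin containment level` understates what `snap set certbot trust-plugin-with-root=ok` does: it tells snapd to let certbot's plugin snaps run with certbot's root privileges, which is a trust decision rather than a confirmation, and nothing in the hunk records why that is needed. A comment above the task such as `# Lets certbot plugin snaps (certbot-dns-cloudflare) run with certbot's root access; required for the DNS plugin to work` would make the intent reviewable, and a name like `Trust Certbot plugin snaps with root` would match the command. Because it is a handler it only runs when the `Install Certbot` task in roles/reverse-proxy/tasks/main.yml reports a change, so on a host where certbot was installed before this role ran the setting is presumably never applied; worth confirming whether a plain task with `changed_when` would be safer than a handler here.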
@@ -19,6 +19,53 @@
 ansible.builtin.apt:
 name: nginx # Creates the "nginx" user as well
 state: present
+# TODO: Remove the default configuration here, we'll keep it for now as an example...
+# TODO: Setup Certbot as it's part of the installation...
+# ---------- CERTBOT INSTALLATION ---------- #
+# See the installation instructions here: https://certbot.eff.org/instructions?ws=nginx&os=debianbuster&tab=wildcard
+- name: Install Certbot
+ become: true
+ community.general.snap:
+ name: certbot
+ classic: true
+ state: present
+ notify: Confirm Certbot plugin containment level
+- name: Flush handlers # Makes sure that the handler runs
+ ansible.builtin.meta: flush_handlers
+- name: Install Certbot DNS Cloudflare plugin
+ become: true
+ community.general.snap:
+ name: certbot-dns-cloudflare
+ classic: true
+ state: present
+- name: Set cloudflare variable
+ ansible.builtin.set_fact:
+ cloudflare_credential_dir_path: "/root/.secrets/certbot"
+ cloudflare_credential_filename: cloudflare.ini
+- name: Create Certbot credential directory
+ become: true
+ ansible.builtin.file:
+ path: "{{ cloudflare_credential_dir_path }}"
+ state: directory
+ mode: '0700'
+- name: Place cloudflare credential in certbot user's file
+ become: true
+ ansible.builtin.template:
+ src: cloudflare.ini.j2
+ dest: "{{ cloudflare_credential_dir_path }}/{{ cloudflare_credential_filename }}"
+ mode: '0400'
+- name: Install the certificate script
+ become: true
+ ansible.builtin.template:
+ src: register_certbot_domain.sh.j2
+ dest: /usr/local/bin/register_certbot_domain.sh
+ mode: '0500'
+- name: Create the root certificate for my domain
+ become: true
+ ansible.builtin.command:
+ cmd: register_certbot_domain.sh kleinendorst.info
+ creates: /etc/letsencrypt/live/kleinendorst.info # The certificate directory
+# END ------ CERTBOT INSTALLATION ------ END #
 - name: Start Nginx
 become: true
 ansible.builtin.systemd:
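Review bot: `classic: true` on the `Install Certbot DNS Cloudflare plugin` task removes snap confinement from the plugin, while the `trust-plugin-with-root=ok` handler flushed just before it exists precisely so a strictly confined plugin can work; as far as I recall the linked certbot instructions install the plugin with a plain `snap install certbot-dns-cloudflare` and use `--classic` only for certbot itself, so verify that against the instructions and drop `classic: true` from the plugin task if so. Two smaller points: `Set cloudflare variable` hard-codes `/root/.secrets/certbot` via `set_fact` although roles/reverse-proxy/vars/main/defaults.yml is extended in this same commit and would be the natural home for the path, and `Create the root certificate for my domain` obtains a server certificate for the domain rather than a root certificate, so `Obtain the TLS certificate for my domain` would describe it accurately. The `creates:` guard on that last task also interacts badly with `--test-cert` in register_certbot_domain.sh.j2; that is raised on the script's hunk.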
diff --git a/roles/reverse-proxy/templates/cloudflare.ini.j2 b/roles/reverse-proxy/templates/cloudflare.ini.j2
new file mode 100644
index 0000000..1f5e507
--- /dev/null
+++ b/roles/reverse-proxy/templates/cloudflare.ini.j2
@@ -0,0 +1,2 @@
+# Cloudflare API token used by Certbot
+dns_cloudflare_api_token = {{ dns_cloudflare_api_token }}
diff --git a/roles/reverse-proxy/templates/register_certbot_domain.sh.j2 b/roles/reverse-proxy/templates/register_certbot_domain.sh.j2
new file mode 100644
index 0000000..3d962d2
--- /dev/null
+++ b/roles/reverse-proxy/templates/register_certbot_domain.sh.j2
@@ -0,0 +1,6 @@
+#!/bin/bash
+/snap/bin/certbot certonly \
+ --dns-cloudflare \
+ --dns-cloudflare-credentials '{{ cloudflare_credential_dir_path }}/{{ cloudflare_credential_filename }}' \
+ --agree-tos --test-cert -m {{ administration_email }} \
+ -d $1
diff --git a/roles/reverse-proxy/vars/main/defaults.yml b/roles/reverse-proxy/vars/main/defaults.yml
index 073e393..2d12bc5 100644
--- a/roles/reverse-proxy/vars/main/defaults.yml
+++ b/roles/reverse-proxy/vars/main/defaults.yml
@@ -1,2 +1,3 @@
 ---
 nginx_user: nginx # Created automatically by the apt installation
+certbot_user: certbot
diff --git a/roles/reverse-proxy/vars/main/vault.yml b/roles/reverse-proxy/vars/main/vault.yml
new file mode 100644
index 0000000..d1c0a19
--- /dev/null
+++ b/roles/reverse-proxy/vars/main/vault.yml
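Review bot: The rendered file holds a live Cloudflare API token and nothing in the template documents what scope that token is expected to have; the task in roles/reverse-proxy/tasks/main.yml installs it as root with mode `0400`, which is the right protection for the file itself, but the blast radius if it leaks is set by the token's permissions. Extend the header comment to state the expectation, e.g. `# Cloudflare API token used by Certbot; use a token scoped to DNS edit on the target zone only, never the global API key`.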
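Review bot: `--test-cert` on the certbot invocation requests a certificate from the Let's Encrypt staging CA, which clients do not trust, and the calling task in roles/reverse-proxy/tasks/main.yml guards the run with `creates: /etc/letsencrypt/live/kleinendorst.info`, so once this staging certificate exists the role will never replace it with a production one without manual cleanup under /etc/letsencrypt. Either remove `--test-cert` or gate it behind a role variable so staging is an explicit opt-in. The script also runs with no error handling and passes `$1` unquoted and unchecked; `set -eu` after the shebang, a guard such as `[ -n "${1:-}" ] || { echo "usage: $0 <domain>" >&2; exit 1; }`, and `-d "$1"` keep an empty or malformed argument from reaching certbot.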
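Review bot: `certbot_user: certbot` is added to defaults.yml but none of the hunks in this patch reference it, and the certbot snap is installed and run as root in roles/reverse-proxy/tasks/main.yml (the credential directory lives under /root), so it is unclear which account this is meant to describe. If it is reserved for later work, a comment such as `# Not yet used; placeholder for running certbot unprivileged` would keep it from reading as a live setting; otherwise drop it.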
@@ -0,0 +1,9 @@
+$ANSIBLE_VAULT;1.1;AES256
+35613135623165306639373939396435656431326134336466636666393637333532623036303831
+6534646334633731313838323138303261663536376330640a376538653563353365336634346338
+34663031643265623838396239383164303865346332366361313839386533363530336361373930
+6438313861353563630a343738383365656531313137613361323636653635393232343738633433
+63356634323264623134313565386362663131313963373433306636383661373930323262353663
+64393433393639346166666433396363313465373032343239633939343830303465633564353130
+37333437643064346233633863346632393266633435396433396563653737386233346231303061
+37623138386233303764
diff --git a/roles/snapcraft/tasks/main.yml b/roles/snapcraft/tasks/main.yml
new file mode 100644
index 0000000..e6476a8
--- /dev/null
+++ b/roles/snapcraft/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+- name: Install Snapcraft
+ become: true
+ ansible.builtin.apt:
+ name: snapd
+ state: present
+- name: Install Snap Core
+ become: true
+ community.general.snap:
+ name: core
+ state: present
diff --git a/roles/user/tasks/main.yml b/roles/user/tasks/main.yml
index 74aae3d..84b1add 100644
--- a/roles/user/tasks/main.yml
+++ b/roles/user/tasks/main.yml
@@ -63,12 +63,16 @@ regexp: '^plugins=\((.*)(?
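Review bot: The task named `Install Snapcraft` installs the `snapd` package, not snapcraft (the snap build tool), so the name misleads anyone reading play output; `Install snapd` would match what the apt task does. The role directory carries the same misnomer, which is harder to change now but deserves a comment at the top of the file, e.g. `# Installs snapd and the core snap so other roles can use community.general.snap`.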