Use DNS-01 on Cloudflare for wildcard LE certs

2022-05-23 03:32:56 -04:00 · 2022-05-23 03:32:56 -04:00 · 9a4aece442
commit 9a4aece442
parent acd2cefb1e
5 changed files with 79 additions and 18 deletions
--- a/dev/host_vars/proxy.yml
+++ b/dev/host_vars/proxy.yml
@ -1,17 +1,28 @@
 base_domain: vm.krislamo.org
 # base
 allow_reboot: false
 manage_network: false
 # proxy
 proxy:
-  - name: bitwarden
+  #production: true
-    domain: "{{ bitwarden_domain }}"
+  dns_cloudflare:
    #email: realemail@example.com
    #api_token: CLOUDFLARE_DNS01_API_TOKEN
    wildcard_domains:
      - "{{ base_domain }}"
  servers:
    - domain: "{{ bitwarden_domain }}"
      proxy_pass: "http://127.0.0.1:8080"
-    production: false
+      tls:
-  - name: gitea
+        cert: /etc/letsencrypt/live/{{ base_domain }}/fullchain.pem
-    domain: "{{ gitea_domain }}"
+        key: /etc/letsencrypt/live/{{ base_domain }}/privkey.pem
    - domain: "{{ gitea_domain }}"
      proxy_pass: "http://127.0.0.1:3080"
-    production: false
+      tls:
        cert: /etc/letsencrypt/live/{{ base_domain }}/fullchain.pem
        key: /etc/letsencrypt/live/{{ base_domain }}/privkey.pem
 # docker
 docker_users:
@ -19,14 +30,14 @@ docker_users:
 # bitwarden
 # Get Installation ID & Key at https://bitwarden.com/host/
-bitwarden_domain: vault.vm.krislamo.org
+bitwarden_domain: "vault.{{ base_domain }}"
 bitwarden_dbpass: password
 bitwarden_install_id: 4ea840a3-532e-4cb6-a472-abd900728b23
 bitwarden_install_key: 1yB3Z2gRI0KnnH90C6p
 #bitwarden_prodution: true
 # gitea
-gitea_domain: git.vm.krislamo.org
+gitea_domain: "git.{{ base_domain }}"
 gitea_version: 1
 gitea_dbversion: latest
 gitea_dbpass: password
--- a/roles/proxy/files/restart-nginx.sh
+++ b/roles/proxy/files/restart-nginx.sh
@ -0,0 +1,2 @@
 #!/bin/bash
 systemctl reload nginx
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@ -4,6 +4,12 @@
    state: present
    update_cache: true
 - name: Start nginx and enable on boot
  service:
    name: nginx
    state: started
    enabled: true
 - name: Install nginx base configuration
  template:
    src: nginx.conf.j2
@ -14,9 +20,9 @@
 - name: Install nginx sites configuration
  template:
    src: server-nginx.conf.j2
-    dest: "/etc/nginx/conf.d/{{ item.name }}.conf"
+    dest: "/etc/nginx/conf.d/{{ item.domain }}.conf"
    mode: '0644'
-  loop: "{{ proxy }}"
+  loop: "{{ proxy.servers }}"
  notify: reload_nginx
 - name: Generate self-signed certificate
@ -26,10 +32,44 @@
          -out    /etc/ssl/certs/nginx-selfsigned.crt'
  args:
    creates: /etc/ssl/certs/nginx-selfsigned.crt
  when: not proxy.production
  notify: reload_nginx
- name: Start nginx and enable on boot
+- name: Install LE's certbot
-  service:
+  apt:
-    name: nginx
+    name: ['certbot', 'python3-certbot-dns-cloudflare']
-    state: started
+    state: present
-    enabled: true
+  when: proxy.production
 - name: Install Cloudflare API token
  template:
    src: cloudflare.ini.j2
    dest: /root/.cloudflare.ini
    mode: '0600'
  when: proxy.production and proxy.dns_cloudflare is defined
 - name: Create nginx post renewal hook directory
  file:
    path: /etc/letsencrypt/renewal-hooks/post
    state: directory
 - name: Install nginx post renewal hook
  copy:
    src: restart-nginx.sh
    dest: /etc/letsencrypt/renewal-hooks/post/nginx.sh
    mode: '0755'
  when: proxy.production
 - name: Run Cloudflare DNS-01 challenges on wildcard domains
  shell: '/usr/bin/certbot certonly \
            --non-interactive \
            --agree-tos \
            --email "{{ proxy.dns_cloudflare.email }}" \
            --dns-cloudflare \
            --dns-cloudflare-credentials /root/.cloudflare.ini \
            -d "*.{{ item }}"'
  args:
    creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
  loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"
  when: proxy.production and proxy.dns_cloudflare is defined
  notify: reload_nginx
--- a/roles/proxy/templates/cloudflare.ini.j2
+++ b/roles/proxy/templates/cloudflare.ini.j2
@ -0,0 +1,2 @@
 # Cloudflare API token used by Certbot
 dns_cloudflare_api_token = {{ proxy.dns_cloudflare.api_token }}
--- a/roles/proxy/templates/server-nginx.conf.j2
+++ b/roles/proxy/templates/server-nginx.conf.j2
@ -2,7 +2,13 @@ server {
  listen              443 ssl;
  server_name         {{ item.domain }};
  access_log          /var/log/nginx/{{ item.domain }}.log main;
-{% if not item.production %}
+{% if proxy.production and item.tls.cert is not defined %}
  ssl_certificate     /etc/letsencrypt/live/{{ item.domain }}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/{{ item.domain }}/privkey.pem;
 {% elif proxy.production and item.tls.cert is defined %}
  ssl_certificate     {{ item.tls.cert }};
  ssl_certificate_key {{ item.tls.key }};
 {% else %}
  ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
  ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
 {% endif %}
		`@ -0,0 +1,2 @@`
							`# Cloudflare API token used by Certbot`
							`dns_cloudflare_api_token = {{ proxy.dns_cloudflare.api_token }}`