kris/homelab
kris/homelab
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Use DNS-01 on Cloudflare for wildcard LE certs

Browse Source
This commit is contained in:
Kris Lamoureux 2022-05-23 03:32:56 -04:00
parent acd2cefb1e
commit 9a4aece442
Signed by: kris
GPG Key ID: 3EDA9C3441EDA925
5 changed files with 79 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
dev/host_vars/proxy.yml
View File

@ -1,17 +1,28 @@
base_domain: vm.krislamo.org
# base # base
allow_reboot: false allow_reboot: false
manage_network: false manage_network: false
# proxy # proxy
proxy: proxy:
- name: bitwarden #production: true
domain: "{{ bitwarden_domain }}" dns_cloudflare:
proxy_pass: "http://127.0.0.1:8080" #email: realemail@example.com
production: false #api_token: CLOUDFLARE_DNS01_API_TOKEN
- name: gitea wildcard_domains:
domain: "{{ gitea_domain }}" - "{{ base_domain }}"
proxy_pass: "http://127.0.0.1:3080" servers:
production: false - domain: "{{ bitwarden_domain }}"
proxy_pass: "http://127.0.0.1:8080"
tls:
cert: /etc/letsencrypt/live/{{ base_domain }}/fullchain.pem
key: /etc/letsencrypt/live/{{ base_domain }}/privkey.pem
- domain: "{{ gitea_domain }}"
proxy_pass: "http://127.0.0.1:3080"
tls:
cert: /etc/letsencrypt/live/{{ base_domain }}/fullchain.pem
key: /etc/letsencrypt/live/{{ base_domain }}/privkey.pem
# docker # docker
docker_users: docker_users:
@ -19,14 +30,14 @@ docker_users:
# bitwarden # bitwarden
# Get Installation ID & Key at https://bitwarden.com/host/ # Get Installation ID & Key at https://bitwarden.com/host/
bitwarden_domain: vault.vm.krislamo.org bitwarden_domain: "vault.{{ base_domain }}"
bitwarden_dbpass: password bitwarden_dbpass: password
bitwarden_install_id: 4ea840a3-532e-4cb6-a472-abd900728b23 bitwarden_install_id: 4ea840a3-532e-4cb6-a472-abd900728b23
bitwarden_install_key: 1yB3Z2gRI0KnnH90C6p bitwarden_install_key: 1yB3Z2gRI0KnnH90C6p
#bitwarden_prodution: true #bitwarden_prodution: true
# gitea # gitea
gitea_domain: git.vm.krislamo.org gitea_domain: "git.{{ base_domain }}"
gitea_version: 1 gitea_version: 1
gitea_dbversion: latest gitea_dbversion: latest
gitea_dbpass: password gitea_dbpass: password

2
roles/proxy/files/restart-nginx.sh Normal file
View File

@ -0,0 +1,2 @@
#!/bin/bash
systemctl reload nginx

54
roles/proxy/tasks/main.yml
View File

@ -4,6 +4,12 @@
state: present state: present
update_cache: true update_cache: true
- name: Start nginx and enable on boot
service:
name: nginx
state: started
enabled: true
- name: Install nginx base configuration - name: Install nginx base configuration
template: template:
src: nginx.conf.j2 src: nginx.conf.j2
@ -14,9 +20,9 @@
- name: Install nginx sites configuration - name: Install nginx sites configuration
template: template:
src: server-nginx.conf.j2 src: server-nginx.conf.j2
dest: "/etc/nginx/conf.d/{{ item.name }}.conf" dest: "/etc/nginx/conf.d/{{ item.domain }}.conf"
mode: '0644' mode: '0644'
loop: "{{ proxy }}" loop: "{{ proxy.servers }}"
notify: reload_nginx notify: reload_nginx
- name: Generate self-signed certificate - name: Generate self-signed certificate
@ -26,10 +32,44 @@
-out /etc/ssl/certs/nginx-selfsigned.crt' -out /etc/ssl/certs/nginx-selfsigned.crt'
args: args:
creates: /etc/ssl/certs/nginx-selfsigned.crt creates: /etc/ssl/certs/nginx-selfsigned.crt
when: not proxy.production
notify: reload_nginx notify: reload_nginx
- name: Start nginx and enable on boot - name: Install LE's certbot
service: apt:
name: nginx name: ['certbot', 'python3-certbot-dns-cloudflare']
state: started state: present
enabled: true when: proxy.production
- name: Install Cloudflare API token
template:
src: cloudflare.ini.j2
dest: /root/.cloudflare.ini
mode: '0600'
when: proxy.production and proxy.dns_cloudflare is defined
- name: Create nginx post renewal hook directory
file:
path: /etc/letsencrypt/renewal-hooks/post
state: directory
- name: Install nginx post renewal hook
copy:
src: restart-nginx.sh
dest: /etc/letsencrypt/renewal-hooks/post/nginx.sh
mode: '0755'
when: proxy.production
- name: Run Cloudflare DNS-01 challenges on wildcard domains
shell: '/usr/bin/certbot certonly \
--non-interactive \
--agree-tos \
--email "{{ proxy.dns_cloudflare.email }}" \
--dns-cloudflare \
--dns-cloudflare-credentials /root/.cloudflare.ini \
-d "*.{{ item }}"'
args:
creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"
when: proxy.production and proxy.dns_cloudflare is defined
notify: reload_nginx

2
roles/proxy/templates/cloudflare.ini.j2 Normal file
View File

@ -0,0 +1,2 @@
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = {{ proxy.dns_cloudflare.api_token }}

8
roles/proxy/templates/server-nginx.conf.j2
View File

@ -2,7 +2,13 @@ server {
listen 443 ssl; listen 443 ssl;
server_name {{ item.domain }}; server_name {{ item.domain }};
access_log /var/log/nginx/{{ item.domain }}.log main; access_log /var/log/nginx/{{ item.domain }}.log main;
{% if not item.production %} {% if proxy.production and item.tls.cert is not defined %}
ssl_certificate /etc/letsencrypt/live/{{ item.domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ item.domain }}/privkey.pem;
{% elif proxy.production and item.tls.cert is defined %}
ssl_certificate {{ item.tls.cert }};
ssl_certificate_key {{ item.tls.key }};
{% else %}
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt; ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key; ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
{% endif %} {% endif %}