Use DNS-01 on Cloudflare for wildcard LE certs

This commit is contained in:
Kris Lamoureux 2022-05-23 03:32:56 -04:00
parent acd2cefb1e
commit 9a4aece442
Signed by: kris
GPG Key ID: 3EDA9C3441EDA925
5 changed files with 79 additions and 18 deletions

View File

@ -1,17 +1,28 @@
base_domain: vm.krislamo.org
# base
allow_reboot: false
manage_network: false
# proxy
proxy:
- name: bitwarden
domain: "{{ bitwarden_domain }}"
proxy_pass: "http://127.0.0.1:8080"
production: false
- name: gitea
domain: "{{ gitea_domain }}"
proxy_pass: "http://127.0.0.1:3080"
production: false
#production: true
dns_cloudflare:
#email: realemail@example.com
#api_token: CLOUDFLARE_DNS01_API_TOKEN
wildcard_domains:
- "{{ base_domain }}"
servers:
- domain: "{{ bitwarden_domain }}"
proxy_pass: "http://127.0.0.1:8080"
tls:
cert: /etc/letsencrypt/live/{{ base_domain }}/fullchain.pem
key: /etc/letsencrypt/live/{{ base_domain }}/privkey.pem
- domain: "{{ gitea_domain }}"
proxy_pass: "http://127.0.0.1:3080"
tls:
cert: /etc/letsencrypt/live/{{ base_domain }}/fullchain.pem
key: /etc/letsencrypt/live/{{ base_domain }}/privkey.pem
# docker
docker_users:
@ -19,14 +30,14 @@ docker_users:
# bitwarden
# Get Installation ID & Key at https://bitwarden.com/host/
bitwarden_domain: vault.vm.krislamo.org
bitwarden_domain: "vault.{{ base_domain }}"
bitwarden_dbpass: password
bitwarden_install_id: 4ea840a3-532e-4cb6-a472-abd900728b23
bitwarden_install_key: 1yB3Z2gRI0KnnH90C6p
#bitwarden_prodution: true
# gitea
gitea_domain: git.vm.krislamo.org
gitea_domain: "git.{{ base_domain }}"
gitea_version: 1
gitea_dbversion: latest
gitea_dbpass: password

View File

@ -0,0 +1,2 @@
#!/bin/bash
systemctl reload nginx

View File

@ -4,6 +4,12 @@
state: present
update_cache: true
- name: Start nginx and enable on boot
service:
name: nginx
state: started
enabled: true
- name: Install nginx base configuration
template:
src: nginx.conf.j2
@ -14,9 +20,9 @@
- name: Install nginx sites configuration
template:
src: server-nginx.conf.j2
dest: "/etc/nginx/conf.d/{{ item.name }}.conf"
dest: "/etc/nginx/conf.d/{{ item.domain }}.conf"
mode: '0644'
loop: "{{ proxy }}"
loop: "{{ proxy.servers }}"
notify: reload_nginx
- name: Generate self-signed certificate
@ -26,10 +32,44 @@
-out /etc/ssl/certs/nginx-selfsigned.crt'
args:
creates: /etc/ssl/certs/nginx-selfsigned.crt
when: not proxy.production
notify: reload_nginx
- name: Start nginx and enable on boot
service:
name: nginx
state: started
enabled: true
- name: Install LE's certbot
apt:
name: ['certbot', 'python3-certbot-dns-cloudflare']
state: present
when: proxy.production
- name: Install Cloudflare API token
template:
src: cloudflare.ini.j2
dest: /root/.cloudflare.ini
mode: '0600'
when: proxy.production and proxy.dns_cloudflare is defined
- name: Create nginx post renewal hook directory
file:
path: /etc/letsencrypt/renewal-hooks/post
state: directory
- name: Install nginx post renewal hook
copy:
src: restart-nginx.sh
dest: /etc/letsencrypt/renewal-hooks/post/nginx.sh
mode: '0755'
when: proxy.production
- name: Run Cloudflare DNS-01 challenges on wildcard domains
shell: '/usr/bin/certbot certonly \
--non-interactive \
--agree-tos \
--email "{{ proxy.dns_cloudflare.email }}" \
--dns-cloudflare \
--dns-cloudflare-credentials /root/.cloudflare.ini \
-d "*.{{ item }}"'
args:
creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"
when: proxy.production and proxy.dns_cloudflare is defined
notify: reload_nginx

View File

@ -0,0 +1,2 @@
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = {{ proxy.dns_cloudflare.api_token }}

View File

@ -2,7 +2,13 @@ server {
listen 443 ssl;
server_name {{ item.domain }};
access_log /var/log/nginx/{{ item.domain }}.log main;
{% if not item.production %}
{% if proxy.production and item.tls.cert is not defined %}
ssl_certificate /etc/letsencrypt/live/{{ item.domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ item.domain }}/privkey.pem;
{% elif proxy.production and item.tls.cert is defined %}
ssl_certificate {{ item.tls.cert }};
ssl_certificate_key {{ item.tls.key }};
{% else %}
ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
{% endif %}