certbot and nginx working

2024-04-22 01:37:46 +12:00
parent 3d9241b475
commit c05f3a845b
12 changed files with 225 additions and 24 deletions
--- a/ansible/roles/certbot/handlers/main.yaml
+++ b/ansible/roles/certbot/handlers/main.yaml
@ -0,0 +1,6 @@
+---
+
+- name: Restart nginx
+  ansible.builtin.service:
+    name: nginx.service
+    state: restarted
--- a/ansible/roles/certbot/tasks/main.yaml
+++ b/ansible/roles/certbot/tasks/main.yaml
@ -17,7 +17,7 @@
    state: present
    update_cache: true

- name: Template out the dns config file
+- name: Template out the rfc2136 credentials file
  when: certbot_dns_plugin == 'rfc2136'
  ansible.builtin.template:
    src: "{{ certbot_dns_plugin }}.conf.j2"
@ -26,24 +26,30 @@
    group: root
    mode: '0600'

- name: Register certbot account
-  ansible.builtin.command:
-    argv:
-      - "certbot register"
-      - "--agree-tos"
-      - "--email {{ certbot_email }}"
-      - "--no-eff-email"
-    creates: /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/{{ certbot_email }}
+- name: Template out the certbot default config
+  ansible.builtin.template:
+    src: cli.ini.j2
+    dest: /etc/letsencrypt/cli.ini
+    owner: root
+    group: root
+    mode: '0644'

 - name: Request and install certificates
  ansible.builtin.command:
    argv:
-      - "certbot --nginx run -n"
-      - "--dns-{{ certbot_dns_plugin }}"
-      - "--dns-{{ certbot_dns_plugin }}-credentials /etc/letsencrypt/{{ certbot_dns_plugin }}.conf"
-      - "-d {{ item }}"
+      - certbot
+      - certonly
+      - -n
+      - --dns-{{ certbot_dns_plugin }}
+      - --dns-{{ certbot_dns_plugin }}-credentials
+      - /etc/letsencrypt/{{ certbot_dns_plugin }}.conf
+      - --dns-rfc2136-propagation-seconds
+      - "{{ certbot_rfc2136_propagation_seconds | default(5) }}"
+      - -d
+      - "{{ item }}"
    creates: /etc/letsencrypt/live/{{ item }}/fullchain.pem
  loop: "{{ certbot_domains }}"
+  notify: "{{ certbot_notify }}"

 - name: Enable certbot renewal
  ansible.builtin.service:
--- a/ansible/roles/certbot/templates/cli.ini.j2
+++ b/ansible/roles/certbot/templates/cli.ini.j2
@ -0,0 +1,3 @@
+rsa-key-size = 4096
+email = {{ certbot_email }}
+agree-tos = true
--- a/ansible/roles/certbot/templates/rfc2136.conf.j2
+++ b/ansible/roles/certbot/templates/rfc2136.conf.j2
@ -1,4 +1,6 @@
 dns_rfc2136_server = {{ certbot_rfc2136_server }}
+dns_rfc2136_port = {{ certbot_rfc2136_port | default(53) }}
 dns_rfc2136_name = {{ certbot_rfc2136_key_name }}
 dns_rfc2136_secret = {{ certbot_rfc2136_key_secret }}
-dns_rfc2136_algorithm = {{ certbot_rfc2136_key_algorithm }}
+dns_rfc2136_algorithm = {{ certbot_rfc2136_key_algorithm | upper }}
+dns_rfc2136_sign_query = true