From f843c7eaa3c64393b46c54492f05e828e567025d Mon Sep 17 00:00:00 2001
From: = <=>
Date: Sat, 5 Apr 2025 02:12:24 -0400
Subject: [PATCH] certbot for dev

---
 .../host_vars/dev.balsillie.house/certbot.yaml | 17 +++++++++++++++++
 ansible/playbooks/home.yml | 3 ++-
 ansible/roles/certbot/tasks/main.yaml | 13 +++++++++++--
 .../roles/certbot/templates/cloudflare.conf.j2 | 1 +
 4 files changed, 31 insertions(+), 3 deletions(-)
 create mode 100644 ansible/inventory/host_vars/dev.balsillie.house/certbot.yaml
 create mode 100644 ansible/roles/certbot/templates/cloudflare.conf.j2

diff --git a/ansible/inventory/host_vars/dev.balsillie.house/certbot.yaml b/ansible/inventory/host_vars/dev.balsillie.house/certbot.yaml
new file mode 100644
index 0000000..552414f
--- /dev/null
+++ b/ansible/inventory/host_vars/dev.balsillie.house/certbot.yaml
@@ -0,0 +1,17 @@
+# code: language=ansible
+
+certbot_rfc2136_server: '10.208.240.1'
+certbot_rfc2136_key_name: 'rndc-house'
+certbot_rfc2136_key_algorithm: 'hmac-sha256'
+
+certbot_cloudflare_api_token: "{{ lookup('community.hashi_vault.vault_kv1_get', 'cloudflare/balsillie.house/dns').secret.api_token }}" # noqa yaml[line-length]
+
+certbot_dns_propagation_seconds: 15
+
+certbot_webserver_type: 'nginx' # 'nginx' or 'apache'
+certbot_dns_plugin: 'cloudflare'
+certbot_email: "certbot.dev@balsillie.email"
+certbot_acme_server: "acme-v02.api.letsencrypt.org"
+
+certbot_domains:
+ - repo.balsillie.house
diff --git a/ansible/playbooks/home.yml b/ansible/playbooks/home.yml
index 4b57144..0d4a46a 100644
--- a/ansible/playbooks/home.yml
+++ b/ansible/playbooks/home.yml
@@ -5,4 +5,5 @@
 become: true
 gather_facts: true
 roles:
- - aur_repo_host
+ - certbot
+ # - aur_repo_host
diff --git a/ansible/roles/certbot/tasks/main.yaml b/ansible/roles/certbot/tasks/main.yaml
index 6d6d2b4..6fcadbc 100644
--- a/ansible/roles/certbot/tasks/main.yaml
+++ b/ansible/roles/certbot/tasks/main.yaml
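Review bot: The three `certbot_rfc2136_*` values at the top of the new host_vars file are inert once `certbot_dns_plugin: 'cloudflare'` is selected further down, and a reader may assume this host still talks to the RFC 2136 server at 10.208.240.1; drop them or mark them, e.g. `# unused while certbot_dns_plugin is 'cloudflare'`. I am inferring that only the selected plugin's credentials are rendered from the `when: certbot_dns_plugin == 'cloudflare'` guard added in main.yaml; the role's rfc2136 task is not in view. Separately, a dev host pointed at the production `acme-v02.api.letsencrypt.org` endpoint will consume Let's Encrypt duplicate-certificate rate limits each time it is rebuilt, so consider `acme-staging-v02.api.letsencrypt.org` during bring-up and a comment on `certbot_acme_server` saying which one is intended.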
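Review bot: The `aur_repo_host` role is commented out rather than removed, and nothing on the line says whether the host is meant to stop serving the repo or this is a temporary bring-up step; either delete it or annotate it, e.g. `# - aur_repo_host  # disabled while certbot is brought up`. The play header (`hosts:`) is above the hunk, so I cannot tell which hosts this role change reaches.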
@@ -26,6 +26,15 @@
 group: root
 mode: '0600'
 
+- name: Template out cloudflare credentials file
+ when: certbot_dns_plugin == 'cloudflare'
+ ansible.builtin.template:
+ src: "{{ certbot_dns_plugin }}.conf.j2"
+ dest: "/etc/letsencrypt/{{ certbot_dns_plugin }}.conf"
+ owner: root
+ group: root
+ mode: '0600'
+
 - name: Template out the certbot default config
 ansible.builtin.template:
 src: cli.ini.j2
@@ -43,8 +52,8 @@
 - --dns-{{ certbot_dns_plugin }}
 - --dns-{{ certbot_dns_plugin }}-credentials
 - /etc/letsencrypt/{{ certbot_dns_plugin }}.conf
- - --dns-rfc2136-propagation-seconds
- - "{{ certbot_rfc2136_propagation_seconds | default(5) }}"
+ - --dns-{{ certbot_dns_plugin }}-propagation-seconds
+ - "{{ certbot_dns_propagation_seconds | default(10) }}"
 - -d
 - "{{ item }}"
 creates: /etc/letsencrypt/live/{{ item }}/fullchain.pem
diff --git a/ansible/roles/certbot/templates/cloudflare.conf.j2 b/ansible/roles/certbot/templates/cloudflare.conf.j2
new file mode 100644
index 0000000..4ffe195
--- /dev/null
+++ b/ansible/roles/certbot/templates/cloudflare.conf.j2
@@ -0,0 +1 @@
+dns_cloudflare_api_token = {{ certbot_cloudflare_api_token }}
\ No newline at end of file
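Review bot: The new `Template out cloudflare credentials file` task renders `certbot_cloudflare_api_token` to disk without `no_log: true`, so a run with `--diff` or at higher verbosity prints the rendered file, token included, to the controller's stdout and to any CI log that captures it; add `no_log: true` alongside `when:`. The root/`'0600'` ownership on the destination is the right setting for certbot's credentials file, so this is only about what the controller emits. The preceding credentials task whose `group`/`mode` lines open the hunk is cut off above, so I cannot tell whether it has the same gap.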
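Review bot: Renaming the variable to `certbot_dns_propagation_seconds` means any host that still sets `certbot_rfc2136_propagation_seconds` silently gets the new `default(10)` instead of its configured value, with no error, because the Jinja default only fires when the new name is undefined; keep the old name as a fallback, `- "{{ certbot_dns_propagation_seconds | default(certbot_rfc2136_propagation_seconds | default(10)) }}"`, or call out the rename and the 5-to-10 default change in the commit message. The generalized `--dns-{{ certbot_dns_plugin }}-propagation-seconds` flag reads correctly for both plugins. The enclosing command task starts above the hunk.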
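Review bot: The template ends without a trailing newline (the diff marks `\ No newline at end of file`); certbot reads the credentials file as INI-style key/value pairs, so it most likely parses as-is, but a missing final newline produces spurious diffs on the next edit and trips common pre-commit hooks, so end the file with a newline. A Jinja comment at the top of the template, `{# rendered by the certbot role; the token comes from certbot_cloudflare_api_token #}`, would also document the source of the value without leaking into the rendered file.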