certbot for dev

ansible/inventory/host_vars/dev.balsillie.house/certbot.yaml

@@ -0,0 +1,17 @@
+# code: language=ansible
+
+certbot_rfc2136_server: '10.208.240.1'
+certbot_rfc2136_key_name: 'rndc-house'
+certbot_rfc2136_key_algorithm: 'hmac-sha256'
+
+certbot_cloudflare_api_token: "{{ lookup('community.hashi_vault.vault_kv1_get', 'cloudflare/balsillie.house/dns').secret.api_token }}" # noqa yaml[line-length]
+
+certbot_dns_propagation_seconds: 15
+
+certbot_webserver_type: 'nginx' # 'nginx' or 'apache'
+certbot_dns_plugin: 'cloudflare'
+certbot_email: "certbot.dev@balsillie.email"
+certbot_acme_server: "acme-v02.api.letsencrypt.org"
+
+certbot_domains:
+  - repo.balsillie.house

ansible/playbooks/home.yml

@@ -5,4 +5,5 @@
   become: true
   gather_facts: true
   roles:
-    - aur_repo_host
+    - certbot
+    # - aur_repo_host

ansible/roles/certbot/tasks/main.yaml

@@ -26,6 +26,15 @@
     group: root
     mode: '0600'
 
+- name: Template out cloudflare credentials file
+  when: certbot_dns_plugin == 'cloudflare'
+  ansible.builtin.template:
+    src: "{{ certbot_dns_plugin }}.conf.j2"
+    dest: "/etc/letsencrypt/{{ certbot_dns_plugin }}.conf"
+    owner: root
+    group: root
+    mode: '0600'
+
 - name: Template out the certbot default config
   ansible.builtin.template:
     src: cli.ini.j2
@@ -43,8 +52,8 @@
       - --dns-{{ certbot_dns_plugin }}
       - --dns-{{ certbot_dns_plugin }}-credentials
       - /etc/letsencrypt/{{ certbot_dns_plugin }}.conf
-      - --dns-rfc2136-propagation-seconds
+      - --dns-{{ certbot_dns_plugin }}-propagation-seconds
-      - "{{ certbot_rfc2136_propagation_seconds | default(5) }}"
+      - "{{ certbot_dns_propagation_seconds | default(10) }}"
       - -d
       - "{{ item }}"
     creates: /etc/letsencrypt/live/{{ item }}/fullchain.pem

ansible/roles/certbot/templates/cloudflare.conf.j2

@@ -0,0 +1 @@
+dns_cloudflare_api_token = {{ certbot_cloudflare_api_token }}