diff --git a/Ansible/playbooks/pki.yml b/Ansible/playbooks/pki.yml
new file mode 100644
index 0000000..e1b17ad
--- /dev/null
+++ b/Ansible/playbooks/pki.yml
@@ -0,0 +1,47 @@
+---
+- name: Public Key Infrastructure
+ hosts: debian_servers
+ remote_user: bhays
+ become: true
+ become_user: root
+ vars_files:
+ - ../homelab-vault/secrets.yml
+ vars:
+ certbot_auto_renew: true
+ certbot_auto_renew_user: root
+ certbot_email: "ben@benhays.org"
+ certbot_cloudflare_api_token: "{{ CF_API_TOKEN }}"
+ roles:
+ - geerlingguy.certbot
+ pre_tasks:
+ - name: Update apt cache if needed.
+ ansible.builtin.apt:
+ update_cache: true
+ cache_valid_time: 3600
+ tasks:
+ - name: Update/install Certbot
+ ansible.builtin.apt:
+ name:
+ - python3-certbot-dns-cloudflare
+ state: latest
+ - name: Create Certbot folder - /etc/letsencrypt
+ ansible.builtin.file:
+ path: /etc/letsencrypt
+ state: directory
+ owner: root
+ group: root
+ mode: "0700"
+ - name: Certbot Template
+ ansible.builtin.template:
+ src: "{{ item.src }}"
+ dest: "{{ item.dest }}"
+ owner: root
+ group: root
+ mode: "0600"
+ with_items:
+ - { src: '../templates/dnscloudflare.ini.j2', dest: '/etc/letsencrypt/dnscloudflare.ini' }
+ - name: Generate Certificate
+ # yamllint disable rule:line-length
+ ansible.builtin.command: certbot certonly --non-interactive --agree-tos --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini --dns-cloudflare-propagation-seconds 60 -m {{ certbot_email }} -d {{ ansible_host }}
+ args:
+ creates: /etc/letsencrypt/renewal/{{ ansible_host }}.conf
diff --git a/Ansible/templates/dnscloudflare.ini.j2 b/Ansible/templates/dnscloudflare.ini.j2
new file mode 100644
index 0000000..e22fb33
--- /dev/null
+++ b/Ansible/templates/dnscloudflare.ini.j2
@@ -0,0 +1 @@
+dns_cloudflare_api_token = {{certbot_cloudflare_api_token}}
\ No newline at end of file
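Review bot: The "Certbot Template" task renders the Cloudflare API token into /etc/letsencrypt/dnscloudflare.ini but has no `no_log`, so a run with `--diff` or `-v` prints the rendered secret into console output, CI logs and callback plugins even though the file itself is correctly 0600/root. Add `no_log: true` to that task (the 0600 mode and the credentials-path argument in the certbot command already keep the token out of the filesystem and process list). The `python3-certbot-dns-cloudflare` install uses `state: latest`, which makes every run a potential unreviewed upgrade of the plugin that holds DNS-edit rights; `state: present` with a deliberate upgrade path is the safer default. The token scope is not visible here, but since it is persisted on every debian_servers host it should be limited to DNS:Edit on the single zone certbot needs, and `-d {{ ansible_host }}` only works if ansible_host is a DNS name rather than an IP.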