From 0084b4ea191b23179566f6c590d14cc31af5f7dd Mon Sep 17 00:00:00 2001
From: DarkFeather
Date: Tue, 13 Jan 2026 02:10:33 -0600
Subject: [PATCH] Moving LetsEncrypt to ClouDNS API validation -- some LetsEncrypt queries come from non-US origins.
---
 roles/SSL/files/certbot.service | 12 --------
 roles/SSL/tasks/main.yml | 41 +++++++++++++++++++++-----
 roles/SSL/templates/certbot.conf.j2 | 2 ++
 roles/SSL/templates/certbot.service.j2 | 12 ++++++++
 4 files changed, 47 insertions(+), 20 deletions(-)
 delete mode 100755 roles/SSL/files/certbot.service
 create mode 100644 roles/SSL/templates/certbot.conf.j2
 create mode 100755 roles/SSL/templates/certbot.service.j2
diff --git a/roles/SSL/files/certbot.service b/roles/SSL/files/certbot.service
deleted file mode 100755
index f3a6f89..0000000
--- a/roles/SSL/files/certbot.service
+++ /dev/null
@@ -1,12 +0,0 @@
-[Unit]
-Description=Certbot
-
-[Service]
-ExecStart=certbot renew -w /var/lib/letsencrypt/ --preferred-chain "ISRG Root X1"
-ExecStartPost=-/usr/bin/systemctl reload nginx
-ExecStartPost=-/usr/bin/systemctl reload inspircd
-KillMode=process
-Type=oneshot
-RemainAfterExit=no
-User=root
-Group=root
diff --git a/roles/SSL/tasks/main.yml b/roles/SSL/tasks/main.yml
index 3a5fd5f..9258267 100644
--- a/roles/SSL/tasks/main.yml
+++ b/roles/SSL/tasks/main.yml
@@ -7,26 +7,51 @@
 - certbot
 - openssl
 
- - name: LetsEncrypt directory
+ - name: LetsEncrypt directories
 become: yes
 file:
- path: /etc/letsencrypt
+ path: "{{ item }}"
 owner: root
 group: ssl
 mode: 0750
+ loop:
+ - /etc/letsencrypt
+ - /etc/certbot
 
- - name: Services
+ - name: Service timer
 become: yes
 register: services
 copy:
- src: "{{ item }}"
- dest: /usr/lib/systemd/system
+ src: "certbot.timer"
+ dest: /usr/lib/systemd/system/certbot.timer
 owner: root
 group: root
 mode: 0644
- loop:
- - "certbot.service"
- - "certbot.timer"
+
+ # per https://www.cloudns.net/wiki/article/448/
+ - name: ClouDNS configuration
+ become: yes
+ template:
+ src: "certbot.conf.j2"
+ dest: /etc/certbot/certbot.conf
+ owner: root
+ group: root
+ mode: 0600
+
+ - name: Create virtual environment and install package
+ become: yes
+ command:
+ cmd: "python3 -m venv /etc/certbot/venv && /etc/certbot/venv/bin/pip3 install certbot-dns-cloudns"
+ creates: /etc/certbot/venv
+
+ - name: Service
+ become: yes
+ template:
+ src: "certbot.service.j2"
+ dest: /usr/lib/systemd/system/certbot.service
+ owner: root
+ group: root
+ mode: 0600
 
 - name: Enable timer
 when: services.changed
diff --git a/roles/SSL/templates/certbot.conf.j2 b/roles/SSL/templates/certbot.conf.j2
new file mode 100644
index 0000000..ccf6b86
--- /dev/null
+++ b/roles/SSL/templates/certbot.conf.j2
@@ -0,0 +1,2 @@
+dns_cloudns_auth_id={{ secrets.certbot.authid }}
+dns_cloudns_auth_password={{ secrets.certbot.passphrase }}
diff --git a/roles/SSL/templates/certbot.service.j2 b/roles/SSL/templates/certbot.service.j2
new file mode 100755
index 0000000..2cf0813
--- /dev/null
+++ b/roles/SSL/templates/certbot.service.j2
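Review bot: The `Create virtual environment and install package` task hands `&&` to the `command` module, which does not run through a shell, so `python3 -m venv` receives `&&`, `/etc/certbot/venv/bin/pip3`, `install` and `certbot-dns-cloudns` as extra environment directories and the plugin is never installed; the `creates: /etc/certbot/venv` guard then hides that failure on every later run. The `pip` module performs both steps idempotently, as below. The `ClouDNS configuration` task renders API credentials through `template`, so add `no_log: true` to it to keep the rendered secret out of `--diff` and verbose output. `register: services` now covers only the timer copy, so a changed `certbot.service` no longer satisfies `when: services.changed` on `Enable timer`, whose body lies outside the hunk; register the new `Service` task as well if `Enable timer` is what runs the daemon-reload. The new `mode: 0600` values, like the existing `0750`/`0644`, rely on YAML octal parsing of the leading zero and are safer quoted as `"0600"`.

```yaml
  - name: Create virtual environment and install package
    become: yes
    pip:
      name: certbot-dns-cloudns
      virtualenv: /etc/certbot/venv
      virtualenv_command: python3 -m venv
```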
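Review bot: The two rendered keys give certbot the ClouDNS account's full API identity, while renewal only needs to create and delete `_acme-challenge` TXT records in the zones being renewed; if the ClouDNS account and the plugin's credential keys allow it, point this template at an API sub-user scoped to those zones rather than the primary auth id, so that a leak of `/etc/certbot/certbot.conf` cannot rewrite unrelated DNS. The root-owned `0600` mode set in the main.yml hunk is what certbot expects for a credentials file, so that part is right. A first line `# {{ ansible_managed }}` would tell anyone editing the file on the host that the role overwrites it.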
@@ -0,0 +1,12 @@
+[Unit]
+Description=Certbot
+
+[Service]
+ExecStart=/bin/bash -c "source /etc/certbot/venv/bin/activate; certbot renew --authenticator dns-cloudns --dns-cloudns-credentials /etc/certbot/certbot.conf --dns-cloudns-nameserver {{ secrets.certbot.nameserver }}"
+ExecStartPost=-/usr/bin/systemctl reload nginx
+ExecStartPost=-/usr/bin/systemctl reload inspircd
+KillMode=process
+Type=oneshot
+RemainAfterExit=no
+User=root
+Group=root
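Review bot: `ExecStart` wraps the command in `/bin/bash -c` only to `source` the venv, and `{{ secrets.certbot.nameserver }}` is spliced into that shell string unquoted; invoking the venv's own executable removes the shell layer and the quoting question entirely: `ExecStart=/etc/certbot/venv/bin/certbot renew --authenticator dns-cloudns --dns-cloudns-credentials /etc/certbot/certbot.conf --dns-cloudns-nameserver {{ secrets.certbot.nameserver }}` — this presumes pip pulled `certbot` into the venv as a dependency of `certbot-dns-cloudns`, which is worth confirming since the old unit relied on the packaged `certbot` instead. The deleted unit also passed `--preferred-chain "ISRG Root X1"`, and this template drops it without the commit message mentioning it; if that is intentional, a comment in the template such as `# preferred-chain no longer pinned; the default chain is accepted` records the decision, otherwise the flag should be carried over. The template is committed with mode 100755, which has no effect on the rendered unit (installed with mode 0600 by main.yml) and can be dropped.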