forked from jonashackt/gitlab-ci-stack
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathobtain-letsencrypt-certs-dehydrated-lexicon.yml
74 lines (63 loc) · 2.88 KB
/
obtain-letsencrypt-certs-dehydrated-lexicon.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
---
# This playbook should work for servers, that aren´t accessable from the internet (like our local Vagrant setup here)
# Be sure to use a real/purchased domain!
# The playbook automates all the steps mentioned here https://blog.thesparktree.com/generating-intranet-and-private-network-ssl
- name: Update apt
apt:
update_cache: yes
- name: Install openssl, curl, sed, grep, mktemp, git
apt:
name:
- openssl
- curl
- sed
- grep
- mktemp
- git
state: latest
# install this neat tool https://github.com/lukas2511/dehydrated
- name: Install dehydrated
git:
repo: 'https://github.com/lukas2511/dehydrated.git'
dest: /srv/dehydrated
- name: Make dehydrated executable
file:
path: /srv/dehydrated/dehydrated
mode: "+x"
- name: Specify our internal domain
shell: "echo '{{ gitlab_domain }}' > /srv/dehydrated/domains.txt"
- name: Install build-essential, python-dev, libffi-dev, python3-pip
apt:
name:
- build-essential
- python-dev
- libffi-dev
- libssl-dev
- python3-pip
state: latest
- name: Install requests[security]
pip:
name: "requests[security]"
# install this neat tool https://github.com/AnalogJ/lexicon
- name: Install dns-lexicon with correct provider (dns-lexicon[providernamehere])
pip:
name: "dns-lexicon[{{providername|lower}}]"
- name: Configure lexicon with Dehydrated hook for dns-01 challenge
get_url:
url: https://raw.githubusercontent.com/AnalogJ/lexicon/master/examples/dehydrated.default.sh
dest: /srv/dehydrated/dehydrated.default.sh
mode: "+x"
# be sure to check https://github.com/AnalogJ/lexicon#providers
# the env variables are constructed with LEXICON_{DNS Provider Name}_{Auth Type}
# since, the dynamic key name like LEXICON_{DNS Provider Name}_{Auth Type}, we can´t use the standard approach (http://docs.ansible.com/ansible/latest/user_guide/playbooks_environment.html)
# because our Environment variable key names are dynamic based on the Provider name. Therefor we use the hint in https://stackoverflow.com/a/44570290/4964553
# and construct the variables with "{'dynamic environment variable key name inkl. {{ vars }}':'{{ dynamic environment variable value}}'}"
# If everything went fine, this should place the new Let´s Encrypt Certificates into /srv/dehydrated/certs/{{ gitlab_domain }}
- name: Generate Certificates
shell: "/srv/dehydrated/dehydrated --cron --hook /srv/dehydrated/dehydrated.default.sh --challenge dns-01 --accept-terms"
environment:
- PROVIDER: "{{providername|lower}}"
- "{'LEXICON_{{providername|upper}}_USERNAME':'{{providerusername}}'}"
- "{'LEXICON_{{providername|upper}}_TOKEN':'{{providertoken}}'}"
ignore_errors: true
# cron config, see https://github.com/AnalogJ/lexicon/blob/master/Dockerfile