feat: add playbook for obtaining certificate for domains from letsencrypt using RFC2136

playbooks/ldap.yml

@@ -0,0 +1,109 @@
+---
+- name: Configure LDAP directory information tree
+  hosts: "{{ ldap_hosts | default('ldap') }}"
+  become: "{{ ldap_become | default(false) }}"
+  gather_facts: "{{ ldap_gather_facts | default(false) }}"
+  vars:
+    _state: "{{ ldap_state | default('present') }}"
+    _ldap_bind_info: &ldap_bind_info
+      server_uri: "{{ ldap_server_uri }}"
+      bind_dn: "{{ ldap_bind_dn }}"
+      bind_pw: "{{ ldap_bind_pw }}"
+  roles:
+    # Ensure all defaults from openldap role are in scope
+    - role: finallycoffee.base.openldap
+      when: false
+  tasks:
+    - name: Ensure org units in '{{ ldap_base_dn }}' are {{ _state }}
+      community.general.ldap_entry:
+        <<: *ldap_bind_info
+        dn: "ou={{ org_unit }},{{ ldap_base_dn }}"
+        objectClass: "organizationalUnit"
+        state: "{{ _state }}"
+      loop: "{{ ldap_org_units | default([], true) }}"
+      loop_control:
+        loop_var: org_unit
+
+    - name: Ensure admin user is {{ _state }}
+      community.general.ldap_entry:
+        <<: *ldap_bind_info
+        dn: "uid={{ ldap_admin_user_rdn }},{{ ldap_admin_user_base }}"
+        objectClass: "{{ ldap_admin_user_object_classes }}"
+        attributes: "{{ ldap_admin_user_attributes }}"
+        state: "{{ _state }}"
+      vars:
+        ldap_admin_user_base: >-2
+          {{ ldap_admin_user_base_dn | default(ldap_base_dn, true) }}
+      when: ldap_admin_user_rdn is defined
+
+    - name: Ensure admin user attributes are correct
+      community.general.ldap_attrs:
+        <<: *ldap_bind_info
+        dn: "uid={{ ldap_admin_user_rdn }},{{ ldap_admin_user_base }}"
+        attributes: "{{ ldap_admin_user_attributes }}"
+        state: "{{ _state }}"
+      vars:
+        ldap_admin_user_base: >-2
+          {{ ldap_admin_user_base_dn | default(ldap_base_dn, true) }}
+      when:
+        - ldap_admin_user_rdn is defined
+        - _state == 'present'
+
+    - name: Ensure ldap groups are {{ _state }}
+      community.general.ldap_entry:
+        <<: *ldap_bind_info
+        dn: "{{ _ldap_group_dn }}"
+        objectClass: "{{ _ldap_group_object_classes }}"
+        attributes: "{{ _ldap_group_attributes }}"
+        state: "{{ _state }}"
+      vars:
+        _ldap_group_dn: >-2
+          cn={{ _ldap_group.name }},{{ ldap_group_base_dn }}
+        _ldap_group_object_classes:
+          - "groupOfNames"
+        _ldap_group_attributes:
+          cn: "{{ _ldap_group.name }}"
+          member: >-2
+            {{ _ldap_group.members | default([]) }}
+      loop: "{{ ldap_groups | default([], true) }}"
+      loop_control:
+        loop_var: _ldap_group
+        label: "{{ _ldap_group.name }}"
+      when:
+        - ldap_groups is defined
+        - ldap_group_base_dn is defined
+
+    - name: Ensure service accounts are {{ _state }}
+      community.general.ldap_entry:
+        <<: *ldap_bind_info
+        dn: "{{ _ldap_service_account_dn }}"
+        objectClass: "{{ _ldap_service_account_object_classes }}"
+        attributes: "{{ _ldap_service_account_attributes }}"
+        state: "{{ _state }}"
+      loop: &ldap_service_account_loop "{{ ldap_service_accounts | default([]) }}"
+      loop_control: &ldap_service_account_loop_control
+        loop_var: "_ldap_service_account"
+        label: "{{ _ldap_service_account.name }}"
+      vars: &ldap_service_account_vars
+        _ldap_service_account_dn: >-2
+          uid={{ _ldap_service_account.name }},{{ ldap_service_account_base_dn }}
+        _ldap_service_account_object_classes:
+          - "account"
+          - "simpleSecurityObject"
+        _ldap_service_account_attributes:
+          uid: "{{ _ldap_service_account.name }}"
+          userPassword: "{{ _ldap_service_account.password }}"
+      when: &ldap_service_account_when
+        - ldap_service_accounts is defined
+        - ldap_service_account_base_dn is defined
+
+    - name: Ensure service accounts attributes are correct
+      community.general.ldap_attrs:
+        <<: *ldap_bind_info
+        dn: "{{ _ldap_service_account_dn }}"
+        attributes: "{{ _ldap_service_account_attributes }}"
+        state: exact
+      loop: *ldap_service_account_loop
+      loop_control: *ldap_service_account_loop_control
+      vars: *ldap_service_account_vars
+      when: *ldap_service_account_when

playbooks/lego_certificate.yml

@@ -0,0 +1,74 @@
+---
+- name: Populate DNS, acquire TSIG key and obtain certificate
+  hosts: "{{ target_hosts | default('all') }}"
+  become: "{{ target_become | default(true) }}"
+  pre_tasks:
+    - name: Build target dns records
+      ansible.builtin.set_fact:
+        target_dns_records: "{{ target_dns_records + [ _dns_record ] }}"
+      vars:
+        _dns_record:
+          type: "CNAME"
+          name: "_acme-challenge.{{ _domain }}"
+          content: "{{ target_tsig_key_name }}.{{ target_acme_zone }}." 
+      loop: "{{ target_domains }}"
+      loop_control:
+        loop_var: "_domain"
+  roles:
+    - role: finallycoffee.base.dns
+      vars:
+        dns_records: "{{ target_dns_records }}"
+    - role: finallycoffee.base.powerdns_tsig_key
+      vars:
+        powerdns_tsig_key_algo: "{{ target_powerdns_tsig_key_algo }}"
+        powerdns_tsig_key_name: "{{ target_tsig_key_name }}"
+        powerdns_tsig_key_path: "{{ target_tsig_key_path }}"
+        powerdns_tsig_key_path_owner: "{{ target_acme_user }}"
+        powerdns_tsig_key_path_group: "{{ target_acme_group }}"
+    - role: finallycoffee.base.lego
+      vars:
+        lego_instance: "{{ target_lego_instance }}"
+        lego_instance_base_path: "{{ target_lego_instance_base_path }}"
+        lego_environment: "{{ target_lego_environment }}"
+        lego_cert_domains: "{{ target_lego_domains }}"
+        lego_acme_account_email: "{{ target_acme_account_email }}"
+        lego_acme_challenge_type: "{{ target_lego_acme_challenge_type }}"
+        lego_acme_challenge_provider: "{{ target_lego_acme_challenge_provider }}"
+        lego_acme_server_url: "{{ target_lego_acme_server_url }}"
+  vars:
+    target_domains: []
+    target_acme_zone: ~
+    target_acme_account_email: ~
+    target_dns_server: ~
+    target_lego_instance: "{{ target_domains | first }}"
+    target_lego_instance_base_path: "/opt/acme"
+    target_lego_domains: "{{ target_domains }}"
+    target_lego_acme_challenge_type: "dns"
+    target_lego_acme_challenge_provider: "rfc2136"
+    target_lego_acme_server_url: >-2
+      {{ lego_letsencrypt_server_urls.prod }}
+    target_lego_environment:
+      RFC2136_TSIG_KEY: "{{ target_tsig_key_name }}"
+      RFC2136_TSIG_SECRET_FILE: "{{ target_tsig_key_path }}"
+      RFC2136_TSIG_ALGORITHM: "{{ target_powerdns_tsig_key_algo }}"
+      RFC2136_NAMESERVER: "{{ target_dns_server }}"
+      RFC2136_DNS_TIMEOUT: 15
+      RFC2136_TTL: 60
+      RFC2136_SEQUENCE_INTERVAL: 5
+      RFC2136_POLLING_INTERVAL: 10
+      RFC2136_PROPAGATION_TIMEOUT: >-2
+        {{ (target_lego_domains | length * 120) | int }}
+      LEGO_EXPERIMENTAL_CNAME_SUPPORT: "true"
+    target_tsig_key_name: "{{ target_lego_instance | hash('sha1') }}"
+    target_tsig_key_path: >-2
+      {{ target_lego_instance_base_path }}/{{ target_lego_instance }}/secrets/rfc2136_tsig.key
+    target_tsig_key_path_owner:
+    target_tsig_key_path_group:
+    target_acme_user: "acme-{{ target_lego_instance }}"
+    target_acme_user_id: >-2
+      {{ powerdns_tsig_key_path_owner_info.uid }}
+    target_acme_group: "acme-{{ target_lego_instance }}"
+    target_acme_group_id: >-2
+      {{ powerdns_tsig_key_path_owner_info.gid }}
+    target_powerdns_tsig_key_algo: "hmac-sha256"
+    target_dns_records: []

roles/lego/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 lego_user: "lego"
-lego_version: "4.23.0"
+lego_version: "4.25.1"
 lego_instance: default
 lego_base_path: "/opt/lego"
 lego_cert_user: "acme-{{ lego_instance }}"

roles/minio/defaults/main/container.yml

@@ -1,7 +1,7 @@
 ---
 minio_container_name: minio
 minio_container_image_name: "docker.io/minio/minio"
-minio_container_image_tag: "RELEASE.2025-04-22T22-12-26Z"
+minio_container_image_tag: "RELEASE.2025-07-18T21-56-31Z"
 minio_container_image: "{{ minio_container_image_name }}:{{ minio_container_image_tag }}"
 minio_container_networks: []
 minio_container_ports: []

roles/nginx/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-nginx_version: "1.28.0"
+nginx_version: "1.29.0"
 nginx_flavour: alpine
 nginx_base_path: /opt/nginx
 nginx_config_file: "{{ nginx_base_path }}/nginx.conf"

roles/openldap/defaults/main/openldap.yml

@@ -26,11 +26,13 @@ openldap_additional_schemas: []
 openldap_schemas: >-2
   {{ openldap_enabled_schemas + openldap_additional_schemas }}
 
-openldap_config_db: "cn=config"
+openldap_config_dn: "cn=config"
-openldap_config_db_olc_access: >-2
+openldap_config_db_dn: "olcDatabase={0}config,cn=config"
-  to *
+openldap_config_db_olc_access:
-    by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+  - '{0} to *
-    by * none
+      by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
+      by * none'
+openldap_config_attributes: {}
 openldap_config_db_attributes:
   olcAccess: "{{ openldap_config_db_olc_access }}"
 
@@ -49,7 +51,7 @@ openldap_default_database_directory: >-2
 openldap_default_database_indices: >-2
   {{ openldap_default_indices + openldap_indices }}
 openldap_default_database_config: >-2
-  olcDatabase={1}{{ openldap_default_database_name }},{{ openldap_config_db }}
+  olcDatabase={1}{{ openldap_default_database_name }},{{ openldap_config_dn }}
 openldap_default_database:
   name: "{{ openldap_default_database_name }}"
   object_class: "{{ openldap_default_database_object_class }}"
@@ -58,5 +60,6 @@ openldap_default_database:
   root_pw: "{{ openldap_default_database_root_pw }}"
   directory: "{{ openldap_default_database_directory }}"
   indices: "{{ openldap_default_database_indices }}"
+openldap_default_database_olc_access: "{{ openldap_config_db_olc_access }}"
 openldap_databases:
   - "{{ openldap_default_database }}" 

roles/openldap/tasks/configure.yml

@@ -1,9 +1,31 @@
 ---
-- name: Ensure ACLs are configured
+- name: Ensure config attributes are configured
+  community.general.ldap_attrs:
+    dn: "{{ openldap_config_dn }}"
+    attributes: "{{ { entry.key : entry.value } }}"
+    state: exact
+    server_uri: "{{ openldap_socket_url }}"
+  loop: "{{ openldap_config_attributes | dict2items }}"
+  loop_control:
+    loop_var: "entry"
+    label: "{{ entry.key }}"
+
+- name: Ensure config db attributes are configured
+  community.general.ldap_attrs:
+    dn: "{{ openldap_config_db_dn }}"
+    attributes: "{{ { entry.key : entry.value } }}"
+    state: exact
+    server_uri: "{{ openldap_socket_url }}"
+  loop: "{{ openldap_config_db_attributes | dict2items }}"
+  loop_control:
+    loop_var: "entry"
+    label: "{{ entry.key }}"
+
+- name: Ensure ACLs for default database are configured
   community.general.ldap_attrs:
     dn: "{{ openldap_default_database_config }}"
     attributes:
-      olcAccess: "{{ openldap_config_db_olc_access }}"
+      olcAccess: "{{ openldap_default_database_olc_access }}"
     state: "exact"
     server_uri: "{{ openldap_socket_url }}"
   retries: 3