finallycoffee.base/roles/lego (forked from finallycoffee/base), last updated 2024-11-21 18:39:34 +01:00

finallycoffee.base.lego ansible role

This role retrieves ACME certificates on the target host using lego. Each certificate runs as its own systemd template unit instance, which makes it easy to configure, and to monitor the renewal status of, every certificate separately.

Requirements

  • systemd
  • write access to /tmp to unpack the lego release tarball during installation
  • write access to /opt/lego (or whatever lego_base_path is set to) for configuration and certificate data
  • become privileges of the ansible_user on the target

Usage

Required configuration

  • lego_instance - instance name used for the systemd template unit, so that multiple lego jobs can run side by side on one host. Recommended: the CN / first SAN of the certificate.
  • lego_cert_domains - list of FQDNs (SANs) to request the certificate for
  • lego_acme_account_email - contact email for the ACME account; mandatory when using Let's Encrypt

Proxies / Registries

The role ensures lego is downloaded from the GitHub release page. If you are behind a proxy or mirror releases in a registry such as Nexus3, set lego_release_archive_server to that server instead.

ACME server

By default, the Let's Encrypt staging ACME server is configured; it issues certificates that browsers do not trust, so it is only useful for verifying that the challenge works. Set lego_acme_server_url to lego_letsencrypt_server_urls.qa or lego_letsencrypt_server_urls.prod, or point it directly at your own ACME v2 server.

Certificate

The domains to request the certificate for are given as a list of SANs in lego_cert_domains. The default key type is EC256 and can be overridden with lego_cert_key_type.

Set the challenge type in lego_acme_challenge_type (either http or dns) and the provider in lego_acme_challenge_provider, for example rfc2136 for DNS-01 challenges using RFC 2136 dynamic DNS updates (DNSUPDATE). If the provider needs additional data (nameserver, TSIG key, and so on), put it in lego_command_config as a dictionary analogous to lego_base_command_config (see defaults).
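The following playbook is an added example, not part of the role or its documentation. It ties the variables described above together for one HTTP-01 host and one DNS-01 host. Hostnames, the contact address and the TSIG values are placeholders, and the keys inside lego_command_config are an assumption (lego's own RFC2136_* environment variable names) that has to be checked against lego_base_command_config in the role's defaults before use.

```yaml
# site.yml -- added example playbook (not the role's own code).
# Assumptions: inventory groups "web" and "mail" exist, the vault variable
# vault_rfc2136_tsig_secret is defined, and lego_command_config accepts the
# RFC2136_* keys shown below (verify against the role defaults).
- name: HTTP-01 certificate for a public web host
  hosts: web
  become: true                      # the role needs become privileges on the target
  roles:
    - role: finallycoffee.base.lego
      vars:
        lego_instance: www.example.org        # one systemd template unit per instance
        lego_cert_domains:
          - www.example.org
          - example.org
        lego_acme_account_email: hostmaster@example.org
        # The role defaults to the Let's Encrypt staging server; switch to prod
        # only after the challenge is known to work, staging does not count
        # against production rate limits.
        lego_acme_server_url: "{{ lego_letsencrypt_server_urls.prod }}"
        lego_acme_challenge_type: http
        # HTTP-01 needs port 80; this lets the unprivileged acme-<instance>
        # user bind it without running lego as root.
        lego_binary_allow_net_bind_service: true

- name: DNS-01 certificate via RFC 2136 dynamic updates
  hosts: mail
  become: true
  roles:
    - role: finallycoffee.base.lego
      vars:
        lego_instance: mail.example.org
        lego_cert_domains:
          - mail.example.org
        lego_cert_key_type: ec384              # default is EC256; value in lego's --key-type format (assumed)
        lego_acme_account_email: hostmaster@example.org
        lego_acme_server_url: "{{ lego_letsencrypt_server_urls.prod }}"
        lego_acme_challenge_type: dns
        lego_acme_challenge_provider: rfc2136
        # Provider-specific data. Key names are assumed to be passed through
        # to lego as-is; each instance gets its own acme-<instance> user, so
        # this secret is not readable by other lego instances on the host.
        lego_command_config:
          RFC2136_NAMESERVER: "ns1.example.org:53"
          RFC2136_TSIG_KEY: "acme-mail"
          RFC2136_TSIG_ALGORITHM: "hmac-sha256."
          RFC2136_TSIG_SECRET: "{{ vault_rfc2136_tsig_secret }}"   # keep in ansible-vault, never in plain vars
```

Keep the TSIG secret in an ansible-vault encrypted variable and scope the TSIG key on the nameserver to the _acme-challenge labels it actually needs, so that a leaked key cannot rewrite the rest of the zone.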

Trivia

Architecture

By default, the lego distribution for linux on amd64 is downloaded. If your target needs a different architecture or target OS, adjust this in lego_os and lego_architecture, cross-checking with the lego GitHub release page for upstream availability.

User management

The role creates a dedicated user and group for each separate lego instance for data isolation, so that, for example, the TSIG key of one lego instance cannot be read by other instances or services on the host. User and group are named acme-{{ lego_instance }}. Beware that changing them via lego_cert_{user,group} also requires lego_systemd_{user,group} to be adjusted accordingly, otherwise the systemd unit runs as a user that cannot read its own certificate data.

Binding to ports < 1024 (HTTP-01 challenge)

Set lego_binary_allow_net_bind_service: true to allow the lego binary to bind to ports in the privileged (< 1024) range. This is needed for the HTTP-01 challenge, which answers on port 80, while still running lego as the unprivileged acme-{{ lego_instance }} user rather than as root.