Add role to generate dns keys for acme/cermgr

roles/acme-dnskey-generate/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+dnskey_file: "/etc/nsupdate.key"
+dnskey_algorithm: "hmac-sha512"
+dnskey_server: "neon.binary-kitchen.net"

roles/acme-dnskey-generate/tasks/main.yml

@@ -0,0 +1,39 @@
+---
+- name: Get nsupdate.key 
+  shell: "pdnsutil list-tsig-keys | grep '^acme-{{ inventory_hostname }}. {{ acme_dnskey_algorithm }}'"
+  register: "pdns_key"
+  failed_when: "False"
+  changed_when: "False"
+  delegate_to: "{{ acme_dnskey_server }}"
+
+- name: Update updatepolicy.aliases
+  lineinfile:
+    path: "/etc/powerdns/updatepolicy.aliases"
+    line: 'alias["{{ inventory_hostname }}."] = {}'
+  delegate_to: "{{ acme_dnskey_server }}"
+
+- name: Update updatepolicy.aliases
+  lineinfile:
+    path: "/etc/powerdns/updatepolicy.aliases"
+    line: 'alias["{{ inventory_hostname }}."]["{{ item }}."] = "{{ item }}."'
+  loop: "{{ acme_dnskey_san_domains }}"
+  delegate_to: "{{ acme_dnskey_server }}"
+
+- name: Generate nsupdate.key
+  shell: "pdnsutil generate-tsig-key 'acme-{{ inventory_hostname }}.' '{{ acme_dnskey_algorithm }}'"
+  register: "pdns_genkey"
+  when: "pdns_key is defined and pdns_key.rc != 0"
+  delegate_to: "{{ acme_dnskey_server }}"
+  
+- name: Get nsupdate.key again
+  shell: "pdnsutil list-tsig-keys | grep '^acme-{{ inventory_hostname }}. {{ acme_dnskey_algorithm }}'"
+  register: "pdns_key"
+  when: "pdns_genkey is defined"
+  changed_when: "False"
+  delegate_to: "{{ acme_dnskey_server }}"
+
+- name: Write nsupdate.key to file
+  template:
+      src: "nsupdate.key.j2"
+      dest: "{{ acme_dnskey_file }}"
+  when: "pdns_key is defined"

roles/acme-dnskey-generate/templates/nsupdate.key.j2

@@ -0,0 +1,4 @@
+key acme-{{ inventory_hostname }}. {
+    algorithm {{ acme_nsupdate_keyalgo }};
+    secret "{{ pdns_nsupdate_key.stdout.split(' ')[2] }}";
+};