From 06760bf9f7bb560509a2b57d35a9f8e4ce927373 Mon Sep 17 00:00:00 2001
From: Kishi85
Date: Mon, 11 Feb 2019 18:38:41 +0100
Subject: [PATCH] Add role to generate dns keys for acme/cermgr
---
 roles/acme-dnskey-generate/defaults/main.yml | 4 ++
 roles/acme-dnskey-generate/tasks/main.yml | 39 +++++++++++++++++++
 .../templates/nsupdate.key.j2 | 4 ++
 3 files changed, 47 insertions(+)
 create mode 100644 roles/acme-dnskey-generate/defaults/main.yml
 create mode 100644 roles/acme-dnskey-generate/tasks/main.yml
 create mode 100644 roles/acme-dnskey-generate/templates/nsupdate.key.j2
diff --git a/roles/acme-dnskey-generate/defaults/main.yml b/roles/acme-dnskey-generate/defaults/main.yml
new file mode 100644
index 0000000..2dbeee1
--- /dev/null
+++ b/roles/acme-dnskey-generate/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+dnskey_file: "/etc/nsupdate.key"
+dnskey_algorithm: "hmac-sha512"
+dnskey_server: "neon.binary-kitchen.net"
diff --git a/roles/acme-dnskey-generate/tasks/main.yml b/roles/acme-dnskey-generate/tasks/main.yml
new file mode 100644
index 0000000..0a850fe
--- /dev/null
+++ b/roles/acme-dnskey-generate/tasks/main.yml
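Review bot: The three variables defined here (`dnskey_file`, `dnskey_algorithm`, `dnskey_server`) do not match the names the tasks in this patch read, which are `acme_dnskey_file`, `acme_dnskey_algorithm` and `acme_dnskey_server`, so these defaults are never consulted and the role aborts on an undefined variable unless the caller sets all three. Rename them with the `acme_` prefix, e.g. `acme_dnskey_file: "/etc/nsupdate.key"`, `acme_dnskey_algorithm: "hmac-sha512"`, `acme_dnskey_server: "neon.binary-kitchen.net"`, and add `acme_dnskey_san_domains: []` so the SAN loop task has a safe default when no extra names are requested. Since the file named by `acme_dnskey_file` receives the TSIG secret rendered by the template, a one-line comment above it noting that it must be created with a restrictive mode would help the next maintainer.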
@@ -0,0 +1,39 @@
+---
+- name: Get nsupdate.key
+ shell: "pdnsutil list-tsig-keys | grep '^acme-{{ inventory_hostname }}. {{ acme_dnskey_algorithm }}'"
+ register: "pdns_key"
+ failed_when: "False"
+ changed_when: "False"
+ delegate_to: "{{ acme_dnskey_server }}"
+
+- name: Update updatepolicy.aliases
+ lineinfile:
+ path: "/etc/powerdns/updatepolicy.aliases"
+ line: 'alias["{{ inventory_hostname }}."] = {}'
+ delegate_to: "{{ acme_dnskey_server }}"
+
+- name: Update updatepolicy.aliases
+ lineinfile:
+ path: "/etc/powerdns/updatepolicy.aliases"
+ line: 'alias["{{ inventory_hostname }}."]["{{ item }}."] = "{{ item }}."'
+ loop: "{{ acme_dnskey_san_domains }}"
+ delegate_to: "{{ acme_dnskey_server }}"
+
+- name: Generate nsupdate.key
+ shell: "pdnsutil generate-tsig-key 'acme-{{ inventory_hostname }}.' '{{ acme_dnskey_algorithm }}'"
+ register: "pdns_genkey"
+ when: "pdns_key is defined and pdns_key.rc != 0"
+ delegate_to: "{{ acme_dnskey_server }}"
+
+- name: Get nsupdate.key again
+ shell: "pdnsutil list-tsig-keys | grep '^acme-{{ inventory_hostname }}. {{ acme_dnskey_algorithm }}'"
+ register: "pdns_key"
+ when: "pdns_genkey is defined"
+ changed_when: "False"
+ delegate_to: "{{ acme_dnskey_server }}"
+
+- name: Write nsupdate.key to file
+ template:
+ src: "nsupdate.key.j2"
+ dest: "{{ acme_dnskey_file }}"
+ when: "pdns_key is defined"
diff --git a/roles/acme-dnskey-generate/templates/nsupdate.key.j2 b/roles/acme-dnskey-generate/templates/nsupdate.key.j2
new file mode 100644
index 0000000..b1aad71
--- /dev/null
+++ b/roles/acme-dnskey-generate/templates/nsupdate.key.j2
@@ -0,0 +1,4 @@
+key acme-{{ inventory_hostname }}. {
+ algorithm {{ acme_nsupdate_keyalgo }};
+ secret "{{ pdns_nsupdate_key.stdout.split(' ')[2] }}";
+};
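Review bot: The `Write nsupdate.key to file` task renders the TSIG secret into `{{ acme_dnskey_file }}` with no `owner`, `group` or `mode`, so the file is created with whatever the remote umask yields (typically world-readable), and any local user who reads it holds a key that the updatepolicy tasks authorize to change DNS for this host and its SAN domains — enough to pass DNS-01 validation for those names. Add `owner: "root"`, `group: "root"` and `mode: "0600"` to the template task (change the owner if the ACME client runs unprivileged). The same secret is captured in `pdns_key.stdout` by both `Get nsupdate.key` tasks and in `pdns_genkey`, so set `no_log: true` on those three tasks to keep it out of verbose output and callback logs. Separately, `when: "pdns_genkey is defined"` and the final `when: "pdns_key is defined"` are always true, because a registered variable is defined even when its task is skipped; `when: pdns_genkey is changed` on the re-read, and no guard on the write, would express the intent. The grep pattern's unescaped `.` and missing end anchor also let it match more than one key name, which would put several lines into `stdout` for the template to parse.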
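Review bot: The template reads `acme_nsupdate_keyalgo` and `pdns_nsupdate_key`, neither of which this patch defines — the tasks register the key lookup as `pdns_key` and carry the algorithm in `acme_dnskey_algorithm` — so rendering fails with an undefined-variable error before any key file is written. Change the two lines to `algorithm {{ acme_dnskey_algorithm }};` and `secret "{{ pdns_key.stdout.split(' ')[2] }}";`. `split(' ')[2]` further assumes `pdnsutil list-tsig-keys` printed exactly one matching line of three space-separated columns; if the grep matches more than one key, or the output format differs, the wrong value is silently rendered as the secret, so consider `pdns_key.stdout_lines[0]` and an `assert` task checking for three fields before the write. Because this file holds a credential, a short header comment stating that it is the ACME TSIG key for `acme-{{ inventory_hostname }}` and is managed by Ansible would tell operators why it must stay private.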