Merge 53d15320e6c8d1c1d327c94c0202243868fc37e9 into d35de757e01902399e685c2b344823ebc09b3372

README.md

@@ -26,7 +26,12 @@ By default, this role configures a cron job to run under the provided user accou
 
 ### Automatic Certificate Generation
 
-Currently the `standalone` and `webroot` method are supported for generating new certificates using this role.
+Current methods supported for generating new certificates using this role:
+
+  - `standalone`
+  - `webroot`
+  - `nginx`
+  - `dns-cloudflare`
 
 **For a complete example**: see the fully functional test playbook in [molecule/default/playbook-standalone-nginx-aws.yml](molecule/default/playbook-standalone-nginx-aws.yml).
 
@@ -36,7 +41,7 @@ Set `certbot_create_if_missing` to `yes` or `True` to let this role generate cer
 
     certbot_create_method: standalone
 
-Set the method used for generating certs with the `certbot_create_method` variable — current allowed values are: `standalone` or `webroot`.
+Set the method used for generating certs with the `certbot_create_method` variable — current allowed values are: `standalone`, `webroot` or 'dns-cloudflare'.
 
     certbot_testmode: false
 
@@ -86,6 +91,15 @@ This install method is currently experimental and may or may not work across all
 
 When using the `webroot` creation method, a `webroot` item has to be provided for every `certbot_certs` item, specifying which directory to use for the authentication. Also, make sure your webserver correctly delivers contents from this directory.
 
+### nginx Certificate Generation
+
+When using the `nginx` creation method, `nginx` package will be installed as a dependency of `python3-certbot-nginx`.
+
+#### dns-cloudflare Certificate Generation
+
+When using the `dns-cloudflare` creation method, set `certbot_dns_cloudflare_api_token` with your Cloudflare API token.
+The process will generate a `dns-01` challenge (*DNS01*) by creating, and subsequently removing, TXT records using the Cloudflare API. See [certbot-dns-cloudflare documentation](https://certbot-dns-cloudflare.readthedocs.io/en/stable/) for details.
+
 ### Source Installation from Git
 
 You can install Certbot from it's Git source repository if desired with `certbot_install_method: source`. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8).

defaults/main.yml

@@ -40,6 +40,9 @@ certbot_create_command: >-
   {{ '--webroot-path ' if certbot_create_method == 'webroot'  else '' }}
   {{ cert_item.webroot | default(certbot_webroot) if certbot_create_method == 'webroot' else '' }}
   {{ certbot_create_extra_args }}
+  {{ '--dns-cloudflare-credentials /etc/letsencrypt/dnscloudflare.ini'
+    if certbot_create_method == 'dns-cloudflare'
+  else '' }}
   --cert-name {{ cert_item_name }}
   -d {{ cert_item.domains | join(',') }}
   {{ '--expand' if certbot_expand else '' }}
@@ -58,6 +61,8 @@ certbot_create_standalone_stop_services:
   # - apache
   # - varnish
 
+certbot_dns_cloudflare_api_token: fakeone
+
 # Available options: 'package', 'snap', 'source'.
 certbot_install_method: 'package'
 

tasks/create-cert-dns-cloudflare.yml

@@ -0,0 +1,15 @@
+---
+- name: Determine certificate name
+  set_fact:
+    cert_item_name: "{{ cert_item.name | default(cert_item.domains | first | replace('*.', '')) }}"
+
+- name: Check if certificate already exists.
+  stat:
+    path: /etc/letsencrypt/live/{{ cert_item.domains | first | replace('*.', '') }}/cert.pem
+  register: letsencrypt_cert
+  become: true
+
+- name: Generate new certificate if one doesn't exist.
+  command: "{{ certbot_create_command }}"
+  when: not letsencrypt_cert.stat.exists
+  become: true

tasks/create-cert-nginx.yml

@@ -0,0 +1,15 @@
+---
+- name: Determine certificate name
+  set_fact:
+    cert_item_name: "{{ cert_item.name | default(cert_item.domains | first | replace('*.', '')) }}"
+
+- name: Check if certificate already exists.
+  stat:
+    path: /etc/letsencrypt/live/{{ cert_item.domains | first | replace('*.', '') }}/cert.pem
+  register: letsencrypt_cert
+  become: true
+
+- name: Generate new certificate if one doesn't exist.
+  command: "{{ certbot_create_command }}"
+  when: not letsencrypt_cert.stat.exists
+  become: true

tasks/install-with-package.yml

@@ -4,6 +4,16 @@
     name: "{{ certbot_package }}"
     state: present
 
+- name: Install Certbot dependencies.
+  package:
+    name: "{{ cert_item }}"
+    state: present
+  when:
+    - certbot_create_method in certbot_create_packages
+  loop: "{{ certbot_create_packages[certbot_create_method] }}"
+  loop_control:
+    loop_var: cert_item
+
 - name: Set Certbot script variable.
   set_fact:
     certbot_script: "{{ certbot_package }}"

tasks/main.yml

@@ -13,6 +13,17 @@
 - import_tasks: install-from-source.yml
   when: certbot_install_method == 'source'
 
+- name: Cloudflare API token
+  ansible.builtin.template:
+    src: dnscloudflare.ini.j2
+    dest: "/etc/letsencrypt/dnscloudflare.ini"
+    owner: root
+    group: root
+    mode: '0600'
+  when:
+    - certbot_create_method == 'dns-cloudflare'
+  become: true
+
 - include_tasks: create-cert-standalone.yml
   with_items: "{{ certbot_certs }}"
   when:
@@ -29,5 +40,21 @@
   loop_control:
     loop_var: cert_item
 
+- include_tasks: create-cert-nginx.yml
+  with_items: "{{ certbot_certs }}"
+  when:
+    - certbot_create_if_missing
+    - certbot_create_method == 'nginx'
+  loop_control:
+    loop_var: cert_item
+
+- include_tasks: create-cert-dns-cloudflare.yml
+  with_items: "{{ certbot_certs }}"
+  when:
+    - certbot_create_if_missing
+    - certbot_create_method == 'dns-cloudflare'
+  loop_control:
+    loop_var: cert_item
+
 - import_tasks: renew-cron.yml
   when: certbot_auto_renew

templates/dnscloudflare.ini.j2

@@ -0,0 +1 @@
+dns_cloudflare_api_token = {{ certbot_dns_cloudflare_api_token }}

vars/default.yml

@@ -1,2 +1,7 @@
 ---
 certbot_package: certbot
+certbot_create_packages:
+  nginx:
+    - python3-certbot-nginx
+  'dns-cloudflare':
+    - python3-certbot-dns-cloudflare