Add Cloudflare support

.github/workflows/stale.yml

@@ -1,34 +0,0 @@
----
-name: Close inactive issues
-'on':
-  schedule:
-    - cron: "55 12 * * 1"  # semi-random time
-
-jobs:
-  close-issues:
-    runs-on: ubuntu-latest
-    permissions:
-      issues: write
-      pull-requests: write
-    steps:
-      - uses: actions/stale@v8
-        with:
-          days-before-stale: 120
-          days-before-close: 60
-          exempt-issue-labels: bug,pinned,security,planned
-          exempt-pr-labels: bug,pinned,security,planned
-          stale-issue-label: "stale"
-          stale-pr-label: "stale"
-          stale-issue-message: |
-            This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
-            
-            Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
-          close-issue-message: |
-            This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.
-          stale-pr-message: |
-            This pr has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
-            
-            Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
-          close-pr-message: |
-            This pr has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.
-          repo-token: ${{ secrets.GITHUB_TOKEN }}

README.md

@@ -26,7 +26,7 @@ By default, this role configures a cron job to run under the provided user accou
 
 ### Automatic Certificate Generation
 
-Currently the `standalone` and `webroot` method are supported for generating new certificates using this role.
+Currently the `standalone`, `webroot`, and `dns-cloudflare` methods are supported for generating new certificates using this role.
 
 **For a complete example**: see the fully functional test playbook in [molecule/default/playbook-standalone-nginx-aws.yml](molecule/default/playbook-standalone-nginx-aws.yml).
 
@@ -36,7 +36,7 @@ Set `certbot_create_if_missing` to `yes` or `True` to let this role generate cer
 
     certbot_create_method: standalone
 
-Set the method used for generating certs with the `certbot_create_method` variable — current allowed values are: `standalone` or `webroot`.
+Set the method used for generating certs with the `certbot_create_method` variable — current allowed values are: `standalone`, `webroot`, or `dns-cloudflare`.
 
     certbot_testmode: false
 
@@ -86,6 +86,25 @@ This install method is currently experimental and may or may not work across all
 
 When using the `webroot` creation method, a `webroot` item has to be provided for every `certbot_certs` item, specifying which directory to use for the authentication. Also, make sure your webserver correctly delivers contents from this directory.
 
+#### DNS-01 Challenge with Cloudflare
+
+When using the `dns-cloudflare` creation method, you need to configure Cloudflare DNS credentials:
+
+    certbot_cloudflare_email: "your-email@example.com"
+    certbot_cloudflare_api_key: "your-global-api-key"
+    # OR use API token instead (recommended):
+    certbot_cloudflare_api_token: "your-api-token"
+    certbot_cloudflare_propagation_seconds: 10
+
+You can use either the email + Global API Key combination OR an API token. The API token method is recommended as it's more secure and allows for more granular permissions.
+
+For API token setup:
+1. Go to Cloudflare Dashboard → My Profile → API Tokens
+2. Create a token with `Zone:DNS:Edit` permissions for the zones you want certificates for
+3. Set the `certbot_cloudflare_api_token` variable with this token
+
+This method supports wildcard certificates and doesn't require your server to be publicly accessible on ports 80/443.
+
 ### Source Installation from Git
 
 You can install Certbot from it's Git source repository if desired with `certbot_install_method: source`. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8).

defaults/main.yml

@@ -12,12 +12,18 @@ certbot_hsts: false
 
 # Parameters used when creating new Certbot certs.
 certbot_create_if_missing: false
-certbot_create_method: standalone
+certbot_create_method: dns-cloudflare
 certbot_create_extra_args: ""
 certbot_admin_email: email@example.com
 certbot_expand: false
 
-# Default webroot, overwritten by individual per-cert webroot directories
+# Cloudflare DNS credentials (use either API token OR email+api_key)
+certbot_cloudflare_email: ""
+certbot_cloudflare_api_key: ""
+certbot_cloudflare_api_token: ""
+certbot_cloudflare_propagation_seconds: 60
+
+# Default webroot, overwritten by individual per-cert webroot directories (not used with DNS-01)
 certbot_webroot: /var/www/letsencrypt
 
 certbot_certs: []
@@ -39,6 +45,8 @@ certbot_create_command: >-
   {{ '--expand' if certbot_expand else '' }}
   {{ '--webroot-path ' if certbot_create_method == 'webroot'  else '' }}
   {{ cert_item.webroot | default(certbot_webroot) if certbot_create_method == 'webroot' else '' }}
+  {{ '--dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini' if certbot_create_method == 'dns-cloudflare' else '' }}
+  {{ '--dns-cloudflare-propagation-seconds ' + (certbot_cloudflare_propagation_seconds | string) if certbot_create_method == 'dns-cloudflare' else '' }}
   {{ certbot_create_extra_args }}
   --cert-name {{ cert_item_name }}
   -d {{ cert_item.domains | join(',') }}

tasks/create-cert-dns-cloudflare.yml

@@ -0,0 +1,39 @@
+---
+- name: Determine certificate name
+  set_fact:
+    cert_item_name: "{{ cert_item.name | default(cert_item.domains | first | replace('*.', '')) }}"
+
+- name: Check if certificate already exists.
+  stat:
+    path: /etc/letsencrypt/live/{{ cert_item_name }}/cert.pem
+  register: letsencrypt_cert
+
+- name: Create Cloudflare credentials file
+  template:
+    src: cloudflare.ini.j2
+    dest: /etc/letsencrypt/cloudflare.ini
+    owner: root
+    group: root
+    mode: 0600
+  when: certbot_cloudflare_email or certbot_cloudflare_api_token
+
+- name: Check if domains have changed
+  block:
+    - name: Register certificate domains
+      shell: "{{ certbot_script }} certificates --cert-name {{ cert_item_name }} | grep Domains | cut -d':' -f2"
+      changed_when: false
+      register: letsencrypt_cert_domains_dirty
+
+    - name: Cleanup domain list
+      set_fact:
+        letsencrypt_cert_domains: "{{ letsencrypt_cert_domains_dirty.stdout | trim | split(' ') | map('trim') | select('!=', '') | list | sort }}"
+
+    - name: Determine if domains have changed
+      set_fact:
+        letsencrypt_cert_domains_changed: "{{ letsencrypt_cert_domains != (cert_item.domains | map('trim') | select('!=', '') | list | sort) }}"
+
+  when: letsencrypt_cert.stat.exists
+
+- name: Generate new certificate if one doesn't exist.
+  command: "{{ certbot_create_command }}"
+  when: not letsencrypt_cert.stat.exists or letsencrypt_cert_domains_changed | default(false)

tasks/install-from-source.yml

@@ -15,3 +15,9 @@
   file:
     path: "{{ certbot_script }}"
     mode: 0755
+
+- name: Install certbot-dns-cloudflare plugin via pip.
+  pip:
+    name: certbot-dns-cloudflare
+    state: present
+  when: certbot_create_method == 'dns-cloudflare'

tasks/install-with-package.yml

@@ -4,6 +4,12 @@
     name: "{{ certbot_package }}"
     state: present
 
+- name: Install Certbot Cloudflare DNS plugin.
+  package:
+    name: "{{ certbot_dns_cloudflare_package }}"
+    state: present
+  when: certbot_create_method == 'dns-cloudflare'
+
 - name: Set Certbot script variable.
   set_fact:
     certbot_script: "{{ certbot_package }}"

tasks/install-with-snap.yml

@@ -29,6 +29,11 @@
     name: certbot
     classic: true
 
+- name: Install certbot-dns-cloudflare plugin via snap.
+  snap:
+    name: certbot-dns-cloudflare
+  when: certbot_create_method == 'dns-cloudflare'
+
 - name: Symlink certbot into place.
   file:
     src: /snap/bin/certbot

tasks/main.yml

@@ -29,5 +29,13 @@
   loop_control:
     loop_var: cert_item
 
+- include_tasks: create-cert-dns-cloudflare.yml
+  with_items: "{{ certbot_certs }}"
+  when:
+    - certbot_create_if_missing
+    - certbot_create_method == 'dns-cloudflare'
+  loop_control:
+    loop_var: cert_item
+
 - import_tasks: renew-cron.yml
   when: certbot_auto_renew

templates/cloudflare.ini.j2

@@ -0,0 +1,7 @@
+# Cloudflare API credentials
+{% if certbot_cloudflare_api_token %}
+dns_cloudflare_api_token = {{ certbot_cloudflare_api_token }}
+{% else %}
+dns_cloudflare_email = {{ certbot_cloudflare_email }}
+dns_cloudflare_api_key = {{ certbot_cloudflare_api_key }}
+{% endif %}

vars/default.yml

@@ -1,2 +1,3 @@
 ---
 certbot_package: certbot
+certbot_dns_cloudflare_package: python3-certbot-dns-cloudflare