add super secret secrets

2026-01-24 13:21:14 -07:00
parent 04823e681f
commit f8b2ae3f02
4 changed files with 23 additions and 23 deletions
--- a/ansible/inventories/production/host_vars/ldap.home.jthan.io/vars.yaml
+++ b/ansible/inventories/production/host_vars/ldap.home.jthan.io/vars.yaml
@@ -1,4 +1,5 @@
-#root_pw: "{{ lookup('bitwarden.secrets.lookup', '4c3d81e6-bb31-40f9-a37a-b3bd00484160') }}" 
+root_pw: "{{ lookup('bitwarden.secrets.lookup', '64a96d82-179b-41af-898d-b3dc014f44a0') }}" 
+linode_dns_token: "{{ lookup('bitwarden.secrets.lookup', '8849d676-e53e-4aef-a7e6-b3dc014dd698') }}" 
 ldap_domain: ldap.home.jthan.io
 ldap_basedn: dc=ldap,dc=home,dc=jthan,dc=io

@@ -10,3 +11,4 @@ ldap_users:
    gidNumber: 10001
    ssh_keys:
      - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHQyLuuN1SYM3ise8983bA7tT5VJqAI5CpPV1whEA9VF
+
--- a/ansible/roles/lego/tasks/generate_cert.yaml
+++ b/ansible/roles/lego/tasks/generate_cert.yaml
@@ -0,0 +1,19 @@
+- name: Gather package facts
+  ansible.builtin.package_facts:
+    manager: auto  
+
+- name: Generate initial cert (http)
+  command:
+    cmd: /usr/local/bin/lego -a --email="{{ letsencrypt_email }}" --domains="{{ inventory_hostname | default(cert_domain) }}" --key-type {{ cert_key_type | default('rsa4096') }} --http run
+    chdir: /root
+    creates: "/root/.lego/certificates/{{ inventory_hostname | default(cert_domain) }}.crt"
+
+- name: Generate initial cert (dns)
+  command:
+    cmd: /usr/local/bin/lego -a --email="{{ letsencrypt_email }}" --dns linode --domains="{{ inventory_hostname | default(cert_domain) }}" --key-type {{ cert_key_type | default('rsa4096') }} run
+    chdir: /root
+    creates: "/root/.lego/certificates/{{ inventory_hostname | default(cert_domain) }}.crt"
+    environment:
+      LINODE_POLLING_INTERVAL: 120
+      LINODE_PROPAGATION_TIMEOUT: 600
+      LINODE_TOKEN: {{ linode_dns_token }}
--- a/ansible/roles/lego/tasks/initial_cert.yaml
+++ b/ansible/roles/lego/tasks/initial_cert.yaml
@@ -1,22 +0,0 @@
- name: Gather package facts
-  ansible.builtin.package_facts:
-    manager: auto  
-
- name: Stop nginx to generate initial lego cert
-  service:
-    name: nginx
-    state: stopped
-  when: "'nginx' in ansible_facts.packages" 
-
- name: Generate initial cert
-  command:
-    cmd: /usr/local/bin/lego -a --email="{{ letsencrypt_email }}" --domains="{{ inventory_hostname | default(cert_domain) }}" --key-type {{ cert_key_type | default('rsa4096') }} --http run
-    chdir: /root
-    creates: "/root/.lego/certificates/{{ inventory_hostname | default(cert_domain) }}.crt"
-  when: "'nginx' in ansible_facts.packages"
-
- name: Start nginx after generating initial lego cert
-  service:
-    name: nginx
-    state: started
-  when: "'nginx' in ansible_facts.packages"
--- a/ansible/roles/lego/tasks/main.yaml
+++ b/ansible/roles/lego/tasks/main.yaml
@@ -1 +1,2 @@
 - import_tasks: install.yaml
+- import_tasks: generate_cert.yaml