From 3a4e849592d7af1db823d071265790e565e3dcdd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krist=C3=B3f=20Torma?= Date: Sun, 5 Mar 2023 19:48:09 +0100 Subject: [PATCH] use cloudflare memes --- roles/webserver/files/nginx.conf | 2 +- roles/webserver/tasks/main.yaml | 16 +++++++++++++--- roles/webserver/templates/certbot.sh | 2 +- roles/webserver/templates/cf-creds.ini | 3 +++ 4 files changed, 18 insertions(+), 5 deletions(-) create mode 100644 roles/webserver/templates/cf-creds.ini diff --git a/roles/webserver/files/nginx.conf b/roles/webserver/files/nginx.conf index ac451f0..7a7d6ab 100644 --- a/roles/webserver/files/nginx.conf +++ b/roles/webserver/files/nginx.conf @@ -69,4 +69,4 @@ http { try_files $uri $uri/ =404; } } -} \ No newline at end of file +} diff --git a/roles/webserver/tasks/main.yaml b/roles/webserver/tasks/main.yaml index 6ec0b58..78fdfd1 100644 --- a/roles/webserver/tasks/main.yaml +++ b/roles/webserver/tasks/main.yaml @@ -12,7 +12,7 @@ name: - nginx - python3-certbot - - python3-certbot-nginx + - python3-certbot-dns-cloudflare - name: Copy default nginx config ansible.builtin.copy: 
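Review bot: Replacing `python3-certbot-nginx` with `python3-certbot-dns-cloudflare` in the package list installs the new plugin but, if the task runs with the usual `state: present`, it leaves the nginx plugin installed on hosts provisioned before this change; the task's module and `state` sit above the hunk, so I can't confirm that from here. If the intent is to retire the nginx authenticator, add a follow-up task with `state: absent` for `python3-certbot-nginx`; if it is kept on purpose, say so next to the list, e.g. `# nginx plugin intentionally not removed on existing hosts; certificates are now issued via dns-cloudflare`.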
@@ -28,14 +28,24 @@ state: restarted enabled: yes +- name: "Get Cloudflare token from local environment variable" + ansible.builtin.set_fact: + cloudflare_token: "{{ lookup('env', 'CLOUDFLARE_TOKEN') }}" + delegate_to: localhost + +- name: "Render Cloudflare Certbot plugin configuration" + ansible.builtin.template: + src: cf-creds.ini + dest: /root/cf-creds.ini + - name: Generate certificate for all server instances ansible.builtin.command: - cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}} + cmd: certbot certonly --non-interactive --agree-tos -m iam@tormakristof.eu --dns-cloudflare --dns-cloudflare-credentials /root/cf-creds.ini -d {{item.domain}} with_items: "{{ webserver }}" - name: "Generate certbot script" ansible.builtin.template: - src: certbot.sh + src: certbot.shb dest: /etc/cron.weekly/certbot owner: root group: root diff --git a/roles/webserver/templates/certbot.sh b/roles/webserver/templates/certbot.sh index a7ac395..dd874f9 100644 --- a/roles/webserver/templates/certbot.sh +++ b/roles/webserver/templates/certbot.sh @@ -1,5 +1,5 @@ #!/bin/bash # {{ansible_managed}} {% for server in webserver %} -certbot renew --nginx --cert-name {{ server.domain }} +certbot renew --dns-cloudflare --dns-cloudflare-credentials /root/cf-creds.ini 10 --cert-name {{ server.domain }} {% endfor %} diff --git a/roles/webserver/templates/cf-creds.ini b/roles/webserver/templates/cf-creds.ini new file mode 100644 index 0000000..a6eced3 --- /dev/null +++ b/roles/webserver/templates/cf-creds.ini @@ -0,0 +1,3 @@ +# Cloudflare API token used by Certbot +# {{ ansible_managed }} +dns_cloudflare_api_token = {{ cloudflare_token }} \ No newline at end of file
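Review bot: `src: certbot.shb` in the "Generate certbot script" task names a template that does not exist (the file this commit edits is `roles/webserver/templates/certbot.sh`), so `ansible.builtin.template` will fail on every run; it should read `src: certbot.sh`. The "Render Cloudflare Certbot plugin configuration" task writes the API token to `/root/cf-creds.ini` with no `owner`/`group`/`mode`, so the file takes the default umask permissions (typically world-readable), and the rendered token is also printed in `--diff`/verbose output; set `mode: "0600"` and `no_log: true` on that task. `lookup('env', 'CLOUDFLARE_TOKEN')` returns an empty string when the variable is unset, which renders `dns_cloudflare_api_token =` silently and only surfaces later as a certbot authentication error; an `ansible.builtin.assert` on `cloudflare_token | length > 0` fails fast with a clear message. The rewritten tasks are below.

```yaml
# … unchanged: "Get Cloudflare token from local environment variable" set_fact task …

- name: "Fail early if no Cloudflare token was provided"
  ansible.builtin.assert:
    that:
      - cloudflare_token | length > 0
    fail_msg: "CLOUDFLARE_TOKEN is not set in the controller environment"

- name: "Render Cloudflare Certbot plugin configuration"
  ansible.builtin.template:
    src: cf-creds.ini
    dest: /root/cf-creds.ini
    owner: root
    group: root
    mode: "0600"
  no_log: true

# … unchanged: "Generate certificate for all server instances" task …

- name: "Generate certbot script"
  ansible.builtin.template:
    src: certbot.sh
# … unchanged: dest, owner, group …
```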
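Review bot: The new `certbot renew` line in certbot.sh has a bare `10` between `--dns-cloudflare-credentials /root/cf-creds.ini` and `--cert-name`; certbot rejects unrecognized positional arguments, so every weekly cron run would abort before renewing anything and the certificates would quietly expire. It looks like the intended flag is `--dns-cloudflare-propagation-seconds 10`, i.e. `certbot renew --dns-cloudflare --dns-cloudflare-credentials /root/cf-creds.ini --dns-cloudflare-propagation-seconds 10 --cert-name {{ server.domain }}`. Since the script runs unattended from `/etc/cron.weekly`, it is also worth testing the rendered line once by hand with `--dry-run` after the fix.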