@bgulla
Created July 26, 2024 00:32
Revisions

  1. bgulla created this gist Jul 26, 2024.
    63 changes: 63 additions & 0 deletions playbook.yml
    @@ -0,0 +1,63 @@
    ---
    - name: Setup Let's Encrypt with Cloudflare DNS on PiKVM
    hosts: pikvm
    become: yes
    vars:
    cloudflare_email: "[email protected]"
    cloudflare_api_key: "your-cloudflare-api-key"
    domain: "pikvm.example.com"
    auth_file_path: "/var/lib/kvmd/pst/data/certbot/runroot/.cloudflare.auth"

    tasks:
    - name: Install certbot-dns-cloudflare
    pacman:
    name: certbot-dns-cloudflare
    state: present

    - name: Create directory for certbot runroot
    command: kvmd-pstrun -- mkdir -p /var/lib/kvmd/pst/data/certbot/runroot

    - name: Create Cloudflare credentials file
    copy:
    dest: "{{ auth_file_path }}"
    content: |
    dns_cloudflare_email = {{ cloudflare_email }}
    dns_cloudflare_api_key = {{ cloudflare_api_key }}
    register: auth_file

    - name: Set permissions on Cloudflare credentials file
    command: kvmd-pstrun -- chmod 600 {{ auth_file_path }}
    when: auth_file.changed

    - name: Set ownership on Cloudflare credentials file
    command: kvmd-pstrun -- chown kvmd-certbot: {{ auth_file_path }}
    when: auth_file.changed

    - name: Obtain SSL certificate from Let's Encrypt
    command: >
    kvmd-certbot certonly
    --dns-cloudflare
    --dns-cloudflare-propagation-seconds 60
    --dns-cloudflare-credentials {{ auth_file_path }}
    --agree-tos
    -n
    --email {{ cloudflare_email }}
    -d {{ domain }}
    register: certbot_output

    - name: Install SSL certificate for nginx
    command: kvmd-certbot install_nginx {{ domain }}
    when: certbot_output.rc == 0

    - name: Install SSL certificate for VNC
    command: kvmd-certbot install_vnc {{ domain }}
    when: certbot_output.rc == 0

    - name: Force SSL certificate renewal
    command: kvmd-certbot renew --force-renewal

    - name: Enable and start kvmd-certbot.timer
    systemd:
    name: kvmd-certbot.timer
    enabled: yes
    state: started
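Review bot: the Cloudflare credentials file is written by a plain `copy` task (`copy:` / `dest: "{{ auth_file_path }}"`) under the module's default mode and is only tightened afterwards by the separate `chmod 600` and `chown kvmd-certbot:` tasks, so it briefly exists with a permissive mode, and because both follow-up tasks are guarded by `when: auth_file.changed`, a file left with the wrong mode by an interrupted run is never repaired on the next play; set `mode: '0600'` and `owner: kvmd-certbot` on the `copy` task itself and drop the two fix-up tasks. Also, `cloudflare_api_key` is the account-wide Global API Key held as a plaintext var; a scoped API token (the certbot plugin reads `dns_cloudflare_api_token` from the credentials file) limits the blast radius if the PiKVM is compromised, and the value belongs in Ansible Vault rather than inline. Finally, `kvmd-certbot renew --force-renewal` runs unconditionally on every play, immediately after `certonly` already obtained the certificate; forced renewals count against Let's Encrypt's duplicate-certificate rate limit, so drop the task and rely on `kvmd-certbot.timer`, which the last task enables.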