Use BIND 9 server instead of Cloudfl. for DNS-01 challenge via nsupdate

Co-authored-by: Jannik Beyerstedt <code@jannikbeyerstedt.de>
2023-04-27 23:38:14 +02:00 · 2023-04-27 23:38:14 +02:00 · aac049efb2
commit aac049efb2
parent 4814ea8bda
5 changed files with 83 additions and 32 deletions
--- a/playbooks/roles/cert/tasks/deploy_cert.yml
+++ b/playbooks/roles/cert/tasks/deploy_cert.yml
@ -74,17 +74,22 @@
 - name: Retrieve certificate and fulfill challenge if needed # noqa no-handler
  when: cert__acme_challenge.changed # Can't be put in a handler, because then the block "always" tasks won't be executed for some reason
  block:
-    - name: Set DNS record via Cloudflare API to fulfill the challenge
-      when: not cert__acme_challenge.authorizations[item].status == "valid"
-      community.general.cloudflare_dns:
-        api_token: "{{ cert__cloudflare_dns.api_token }}"
-        zone: "{{ cert__cloudflare_dns.zone }}"
-        record: "{{ cert__acme_challenge.challenge_data[item]['dns-01'].record }}"
-        value: "{{ cert__acme_challenge.challenge_data[item]['dns-01'].resource_value }}"
-        type: TXT
-        ttl: 60
-        solo: true
-        state: present
+    - name: Add file containing nsupdate commands for adding TXT record for DNS-01 challenge
+      ansible.builtin.template:
+        src: nsupdate_add_txt_record.j2
+        dest: /root/nsupdate_add_txt_record
+        owner: root
+        group: root
+        mode: "0600"
+      vars:
+        cert__nsupdate_domain: "{{ cert__acme_challenge.challenge_data[item]['dns-01'].record }}"
+        cert__nsupdate_txt_data: "{{ cert__acme_challenge.challenge_data[item]['dns-01'].resource_value }}"
+      delegate_to: "{{ cert__bind_9_host }}"
+
+    - name: Add DNS record to BIND 9 server via nsupdate  # noqa: no-changed-when
+      ansible.builtin.command: /usr/bin/nsupdate -l /root/nsupdate_add_txt_record
+      delegate_to: "{{ cert__bind_9_host }}"
+
    - name: Retrieve certificate
      community.crypto.acme_certificate:
        account_email: "{{ cert__acme_account_email }}"
@ -101,16 +106,35 @@
      become: true
      notify: "{{ cert__handlers }}"
  always:
-    - name: Ensure DNS record is removed
-      when: not cert__acme_challenge.authorizations[item].status == "valid"
-      community.general.cloudflare_dns:
-        api_token: "{{ cert__cloudflare_dns.api_token }}"
-        zone: "{{ cert__cloudflare_dns.zone }}"
-        record: "{{ cert__acme_challenge.challenge_data[item]['dns-01'].record }}"
-        value: "{{ cert__acme_challenge.challenge_data[item]['dns-01'].resource_value }}"
-        type: TXT
-        ttl: 60
+    - name: Remove file containing nsupdate commands for adding TXT record again
+      ansible.builtin.file:
+        path: /root/nsupdate_add_txt_record
        state: absent
+      delegate_to: "{{ cert__bind_9_host }}"
+
+    - name: Remove TXT record again
+      block:
+        - name: Add file containing nsupdate commands for deleting TXT record for DNS-01 challenge
+          ansible.builtin.template:
+            src: nsupdate_delete_txt_record.j2
+            dest: /root/nsupdate_delete_txt_record
+            owner: root
+            group: root
+            mode: "0600"
+          vars:
+            cert__nsupdate_domain: "{{ cert__acme_challenge.challenge_data[item]['dns-01'].record }}"
+            cert__nsupdate_txt_data: "{{ cert__acme_challenge.challenge_data[item]['dns-01'].resource_value }}"
+          delegate_to: "{{ cert__bind_9_host }}"
+
+        - name: Remove DNS record from BIND 9 server via nsupdate  # noqa: no-changed-when
+          ansible.builtin.command: /usr/bin/nsupdate -l /root/nsupdate_delete_txt_record
+          delegate_to: "{{ cert__bind_9_host }}"
+      always:
+        - name: Remove file containing nsupdate commands for deleting TXT record again
+          ansible.builtin.file:
+            path: /root/nsupdate_delete_txt_record
+            state: absent
+          delegate_to: "{{ cert__bind_9_host }}"

 - name: Ensure correct permissions for certificate are set
  ansible.builtin.file: