
WIP: add acmebot role

66 files
+ 1176
178


 
---
 
 
acmebot_account_mail: "{{ adminaddr }}"
 
acmebot_after_nginx_proxy: true
 
 
acmebot_settings: {}
 
acmebot_default_settings:
 
log_level: "detail"
 
color_output: true
 
 
acme_directory_url: "https://acme-v02.api.letsencrypt.org/directory"
 
public_suffix_list_url: "https://publicsuffix.org/list/public_suffix_list.dat"
 
ocsp_responder_urls:
 
- "http://ocsp.int-x3.letsencrypt.org"
 
reload_zone_command: null
 
nsupdate_command: null
 
hpkp_report_uri: null
 
ct_submit_logs:
 
- "google_icarus"
 
- "google_pilot"
 
 
file_user: root
 
file_group: ssl-cert
 
 
# TODO default to both key types or single one? default to non-/custom params?
 
key_size: 4096 # null to turn off RSA certificates
 
key_curve: "secp384r1" # null to turn off ECDSA certificates
 
key_cipher: null
 
key_passphrase: null # null to turn off private key encryption
 
dhparam_size: 2048 # null to turn off custom dhparams
 
ecparam_curve: "secp384r1" # null to turn off custom EC params
 
 
follower_mode: false
 
ocsp_must_staple: false # application support isn't good enough
 
auto_rollover: true # must be false on followers
 
pin_subdomains: false
 
verify: null # e.g. [443]
 
services: null # e.g. [nginx-proxy]
 
 
hpkp_days: 60
 
renewal_days: 30
 
expiration_days: 730
 
max_dns_lookup_attempts: 60
 
dns_lookup_delay: 10
 
max_domains_per_order: 100
 
max_authorization_attempts: 30
 
authorization_delay: 10
 
cert_poll_time: 30
 
max_ocsp_verify_attempts: 10
 
ocsp_verify_retry_delay: 5
 
min_run_delay: 300
 
max_run_delay: 3600
 
 
# can be empty string, e.g. when using only one key type
 
acmebot_key_suffixes: {}
 
acmebot_default_key_suffixes:
 
rsa: ".rsa"
 
ecdsa: ".ecdsa"
 
 
# format strings with: name (of privkey or cert), key_type, suffix, server
 
# http_challenge uses: zone, host (without zone, "." if fqdn == zone), fqdn
 
# if http_challenge is set, defaults to http-01
 
# set to null for specified certs to use dns-01 for those
 
acmebot_directories: {}
 
acmebot_default_directories:
 
pid: "/run"
 
log: "/var/log/acmebot"
 
resource: "/var/lib/acmebot"
 
temp: null
 
 
# TODO layout equivalent to acmetool
 
private_key: /etc/ssl/acmebot/privkey
 
backup_key: /etc/ssl/acmebot/backup_privkey
 
previous_key: null
 
full_key: /etc/ssl/acmebot/full_privkey # maybe null to turn off
 
certificate: /etc/ssl/acmebot/cert
 
full_certificate: /etc/ssl/acmebot/full_cert # maybe null
 
chain: /etc/ssl/acmebot/chain # maybe null
 
param: /etc/ssl/acmebot/params # maybe null
 
challenge: /etc/ssl/acmebot/challenges # for dns-01 only
 
http_challenge: /var/www/acme-challenge # maybe null
 
hpkp: /etc/ssl/acmebot/hpkp # maybe null
 
ocsp: /etc/ssl/acmebot/ocsp # maybe null
 
sct: "/etc/ssl/acmebot/scts/{name}/{key_type}" # maybe null
 
update_key: /etc/ssl/acmebot/update_keys
 
archive: /etc/ssl/acmebot/archive
 
 
# format strings with: name (of privkey or cert), key_type, suffix, server
 
acmebot_file_names: {}
 
acmebot_default_file_names:
 
log: "acmebot.log"
 
 
# TODO layout equivalent to acmetool
 
private_key: "{name}{suffix}.key"
 
backup_key: "{name}_backup{suffix}.key"
 
previous_key: "{name}_previous{suffix}.key"
 
full_key: "{name}_full{suffix}.key"
 
certificate: "{name}{suffix}.pem"
 
full_certificate: "{name}+root{suffix}.pem"
 
chain: "{name}_chain{suffix}.pem"
 
param: "{name}_param.pem"
 
challenge: "{name}"
 
hpkp: "{name}.{server}"
 
ocsp: "{name}{suffix}.ocsp"
 
sct: "{ct_log_name}.sct"
 
 
# override with null
 
acmebot_hpkp_headers: {}
 
acmebot_default_hpkp_headers:
 
apache: "Header always set Public-Key-Pins \"{header}\"\n"
 
nginx: "add_header Public-Key-Pins \"{header}\" always;\n"
 
 
acmebot_services: {}
 
acmebot_default_services:
 
dovecot: "systemctl restart dovecot"
 
mysql: "systemctl reload mysql"
 
nginx: "systemctl reload nginx"
 
nginx-proxy: "systemctl reload nginx-proxy"
 
postfix: "systemctl reload postfix"
 
postgresql: "systemctl reload postgresql"
 
prosody: "systemctl restart prosody"
 
 
# authorizations to maintain without certficates (e.g. for master/follower)
 
acmebot_authorizations: {}
 
# <zone-name>:
 
# - <host-name>
 
# - <host-name>
 
 
# when global http_challenges directory set: use null to revert back to dns-01
 
# else: override dns-01 default with http-01 per domain
 
acmebot_http_challenges: {}
 
# <domain-name>: <challenge-directory>
 
 
# for doing DNSSEC manually, specify TSIG keys
 
acmebot_zone_update_keys: {}
 
 
# when using HPKP it may be beneficial to share private keys between certs
 
# this dict contains multiple certificate sections per private key,
 
# all key-specific config moved up
 
acmebot_private_keys: {}
 
 
acmebot_certificates: {}
 
# <certificate-name>:
 
# common_name: <common-name>
 
# alt_names:
 
# <zone-name>:
 
# - "@",
 
# - <host-name>
 
# services:
 
# - <service-name>
 
# tlsa_records:
 
# <zone-name>:
 
# - <host-name>
 
# - host: <host-name>
 
# port: <port-number>
 
# usage: pkix-ee
 
# selector: spki
 
# protocol: tcp
 
# ttl: 300
 
# dhparam_size: 2048
 
# ecparam_curve: secp384r1
 
# key_types:
 
# - rsa
 
# - ecdsa
 
# key_size: 4096
 
# key_curve: secp384r1
 
# key_cipher: blowfish
 
# key_passphrase:
 
# expiration_days: 730
 
# auto_rollover: false
 
# hpkp_days: 30
 
# pin_subdomains: true
 
# hpkp_report_uri:
 
# ocsp_must_staple: false
 
# ocsp_responder_urls:
 
# - "http://ocsp.int-x3.letsencrypt.org"
 
# ct_submit_logs:
 
# - google_icarus
 
# - google_pilot
 
# verify:
 
# - 443,
 
# - port: 25
 
# hosts:
 
# - <domain-name>
 
# - <domain-name>
 
# starttls: smtp
 
# key_types:
 
# - rsa
 
# - ecdsa
 
 
# all empty per default, see README for possible hook names
 
acmebot_hooks: {}
 
 
# see also: https://www.certificate-transparency.org/known-logs
 
acmebot_ct_logs: {}
 
acmebot_default_ct_logs:
 
google_pilot:
 
url: "https://ct.googleapis.com/pilot"
 
id: "pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA="
 
google_icarus:
 
url: "https://ct.googleapis.com/icarus"
 
id: "KTxRllTIOWW6qlD8WAfUt2+/WHopctykwwz05UVH9Hg="
 
google_rocketeer:
 
url: "https://ct.googleapis.com/rocketeer"
 
id: "7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/cs="
 
google_skydiver:
 
url: "https://ct.googleapis.com/skydiver"
 
id: "u9nfvB+KcbWTlCOXqpJ7RzhXlQqrUugakJZkNo4e0YU="
 
google_argon2018:
 
url: "https://ct.googleapis.com/logs/argon2018"
 
id: "pFASaQVaFVReYhGrN7wQP2KuVXakXksXFEU+GyIQaiU="
 
digicert:
 
url: "https://ct1.digicert-ct.com/log"
 
id: "VhQGmi/XwuzT9eG9RLI+x0Z2ubyZEVzA75SYVdaJ0N0="
 
symantec_ct:
 
url: "https://ct.ws.symantec.com"
 
id: "3esdK3oNT6Ygi4GtgWhwfi6OnQHVXIiNPRHEzbbsvsw="
 
symantec_vega:
 
url: "https://vega.ws.symantec.com"
 
id: "vHjh38X2PGhGSTNNoQ+hXwl5aSAJwIG08/aRfz7ZuKU="
 
cloudflare_nimbus2018:
 
url: "https://ct.cloudflare.com/logs/nimbus2018"
 
id: "23Sv7ssp7LH+yj5xbSzluaq7NveEcYPHXZ1PN7Yfv2Q="
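Review bot: `acmebot_account_mail: "{{ adminaddr }}"` near the top of the file makes a role default depend on a variable this file never defines, so on a host where `adminaddr` is unset the first task that renders the setting most likely fails with an undefined-variable error rather than a clear message; either document the prerequisite, e.g. `# requires adminaddr to be set by the play (or override acmebot_account_mail)`, or fail early with `acmebot_account_mail: "{{ adminaddr | mandatory }}"`. The default directories also leave `hpkp: /etc/ssl/acmebot/hpkp` enabled, which together with `acmebot_default_hpkp_headers` means pin headers are emitted unless an operator opts out; since a pin that no longer matches the served key locks clients out until the pin age expires and mainstream browsers have since dropped HPKP support, `hpkp: null` is the safer default, keeping the header templates for operators who still want them. The commented example `# key_cipher: blowfish` under `acmebot_certificates` documents a legacy cipher for private-key encryption; an example with a current cipher such as `aes256` would steer operators better, and the nearby comment "without certficates" has a typo. The `acmebot_default_ct_logs` entries named `argon2018` and `nimbus2018` appear to be year-sharded logs, so the hard-coded log list and IDs will need maintenance as logs are retired — presumably why only `google_icarus` and `google_pilot` are in `ct_submit_logs` by default; a comment stating that the list is a snapshot would help. The file's path header is not shown on this page and the section may continue past the last log entry, so this note covers only the visible lines.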