Add support for DNS challenges for Let's encrypt

HTTP challenges remains the default challenge.
DNS challenges must be configured explicitly.

Introduces specific configuration folder for DNS
Generates configuration files (for all) and required certbot hooks (for AWS only)
Relies on official cerbot images with DNS plugins
Allows usage of custom images (for advanced users only)

roles/matrix-nginx-proxy/defaults/main.yml

@@ -547,8 +547,12 @@ matrix_ssl_lets_encrypt_staging: false
 # Learn more here: https://eff-certbot.readthedocs.io/en/stable/using.html#changing-the-acme-server
 matrix_ssl_lets_encrypt_server: ''
 
-matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-v1.28.0"
-matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
+matrix_ssl_lets_encrypt_certbot_challenge_image: 'http'
+matrix_ssl_lets_encrypt_certbot_docker_image_version: "v1.28.0"
+matrix_ssl_lets_encrypt_certbot_http_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/certbot:{{ matrix_ssl_architecture }}-{{ matrix_ssl_lets_encrypt_certbot_docker_image_version }}"
+matrix_ssl_lets_encrypt_certbot_dns_docker_image: "{{ matrix_container_global_registry_prefix }}certbot/dns-{{ matrix_ssl_lets_encrypt_certbot_official_dns_provider }}:{{ matrix_ssl_architecture }}-{{ matrix_ssl_lets_encrypt_certbot_docker_image_version }}"
+matrix_ssl_lets_encrypt_certbot_official_dns_provider: ''
+matrix_ssl_lets_encrypt_certbot_custom_docker_image: ''
 matrix_ssl_lets_encrypt_certbot_standalone_http_port: 2402
 matrix_ssl_lets_encrypt_support_email: ~
 
@@ -566,6 +570,8 @@ matrix_ssl_lets_encrypt_key_type: rsa
 matrix_ssl_base_path: "{{ matrix_base_data_path }}/ssl"
 matrix_ssl_config_dir_path: "{{ matrix_ssl_base_path }}/config"
 matrix_ssl_log_dir_path: "{{ matrix_ssl_base_path }}/log"
+# dns-config must be a folder different from matrix_ssl_config_dir_path to ensure it is mounted only when needed
+matrix_ssl_dns_config_dir_path: "{{ matrix_ssl_base_path }}/dns-config"
 
 # If you'd like to start some service before a certificate is obtained, specify it here.
 # This could be something like `matrix-dynamic-dns`, etc.

roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml

@@ -17,6 +17,15 @@
 #
 
 - block:
+    - ansible.builtin.set_fact:
+        matrix_ssl_lets_encrypt_certbot_docker_image: "{{ matrix_ssl_lets_encrypt_certbot_custom_docker_image if matrix_ssl_lets_encrypt_certbot_challenge_image == 'custom' else matrix_ssl_lets_encrypt_certbot_dns_docker_image if matrix_ssl_lets_encrypt_certbot_challenge_image == 'dns' else matrix_ssl_lets_encrypt_certbot_http_docker_image }}"
+
+    - ansible.builtin.set_fact:
+        matrix_ssl_lets_encrypt_certbot_docker_image_force_pull: "{{ matrix_ssl_lets_encrypt_certbot_docker_image.endswith(':latest') }}"
+
+    - ansible.builtin.debug:
+        msg: "Using certbot docker image: {{ matrix_ssl_lets_encrypt_certbot_docker_image }}"
+
     - name: Ensure certbot Docker image is pulled
       docker_image:
         name: "{{ matrix_ssl_lets_encrypt_certbot_docker_image }}"
@@ -24,6 +33,56 @@
         force_source: "{{ matrix_ssl_lets_encrypt_certbot_docker_image_force_pull if ansible_version.major > 2 or ansible_version.minor >= 8 else omit }}"
         force: "{{ omit if ansible_version.major > 2 or ansible_version.minor >= 8 else matrix_ssl_lets_encrypt_certbot_docker_image_force_pull }}"
 
+    - name: Ensure cerbot DNS configurations removed
+      ansible.builtin.file:
+        path: "{{ matrix_ssl_dns_config_dir_path }}"
+        state: absent
+      when: "(matrix_ssl_lets_encrypt_dns_config is not defined) or (matrix_ssl_lets_encrypt_dns_config | length == 0)"
+
+    - block:
+        - name: Ensure cerbot DNS configurations paths exists
+          ansible.builtin.file:
+            path: "{{ matrix_ssl_dns_config_dir_path }}"
+            state: directory
+            mode: 0770
+            owner: "{{ matrix_user_username }}"
+            group: "{{ matrix_user_groupname }}"
+            recurse: true
+
+        - name: List existing cerbot DNS configurations
+          ansible.builtin.shell: "ls -1 {{ matrix_ssl_dns_config_dir_path }}"
+          register: dns_config_files
+          changed_when: false
+
+        - name: Remove useless cerbot DNS configurations
+          ansible.builtin.file:
+            path: "{{ matrix_ssl_dns_config_dir_path }}/{{ item }}"
+            state: absent
+          with_items: "{{ dns_config_files.stdout_lines }}"
+          when: "item not in matrix_ssl_lets_encrypt_dns_config | map(attribute='name') | list"
+
+        - name: Set up certbot DNS provider configurations
+          ansible.builtin.template:
+            src: "{{ role_path }}/templates/dns-config/{{ dns_config.template }}.j2"
+            dest: "{{ matrix_ssl_dns_config_dir_path }}/{{ dns_config.name }}"
+            mode: 0600
+            owner: "{{ matrix_user_username }}"
+            group: "{{ matrix_user_groupname }}"
+          no_log: true
+          with_items: "{{ matrix_ssl_lets_encrypt_dns_config }}"
+          loop_control:
+            loop_var: dns_config
+
+        - name: Ensure awsconfig setup script exists
+          ansible.builtin.template:
+            src: "{{ role_path }}/templates/certbot-hook/setup-awsconfig.sh.j2"
+            dest: "{{ matrix_ssl_dns_config_dir_path }}/setup-awsconfig.sh"
+            mode: 0700
+            owner: "{{ matrix_user_username }}"
+            group: "{{ matrix_user_groupname }}"
+          with_items: "{{ dns_config_files.stdout_lines }}"
+      when: "(matrix_ssl_lets_encrypt_dns_config is defined) and (matrix_ssl_lets_encrypt_dns_config | length > 0)"
+
     - name: Obtain Let's Encrypt certificates
       ansible.builtin.include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml"
       with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
@@ -61,4 +120,9 @@
       ansible.builtin.file:
         path: "{{ matrix_local_bin_path }}/matrix-ssl-lets-encrypt-certificates-renew"
         state: absent
+
+    - name: Ensure Let's Encrypt DNS provider configurations removed
+      ansible.builtin.file:
+        path: "{{ matrix_ssl_dns_config_dir_path }}"
+        state: absent
   when: "matrix_ssl_retrieval_method != 'lets-encrypt'"

roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml

@@ -26,71 +26,129 @@
       when: "matrix_ssl_pre_obtaining_required_service_start_result.changed | bool"
   when: "domain_name_needs_cert | bool and matrix_ssl_pre_obtaining_required_service_name != ''"
 
-# This will fail if there is something running on port 80 (like matrix-nginx-proxy).
-# We suppress the error, as we'll try another method below.
-- name: Attempt initial SSL certificate retrieval with standalone authenticator (directly)
-  ansible.builtin.shell: >-
-    {{ matrix_host_command_docker }} run
-    --rm
-    --name=matrix-certbot
-    --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
-    --cap-drop=ALL
-    -p {{ matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port }}:8080
-    --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt
-    --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt
-    {{ matrix_ssl_lets_encrypt_certbot_docker_image }}
-    certonly
-    --non-interactive
-    --work-dir=/tmp
-    --http-01-port 8080
-    {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %}
-    {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
-    --key-type {{ matrix_ssl_lets_encrypt_key_type }}
-    --standalone
-    --preferred-challenges http
-    --agree-tos
-    --email={{ matrix_ssl_lets_encrypt_support_email }}
-    -d {{ domain_name }}
-  when: domain_name_needs_cert | bool
-  register: result_certbot_direct
-  ignore_errors: true
+# Execute certbot challenge
+- block:
+    # Decide which challenge to execute for the challenge
+    - ansible.builtin.set_fact:
+        certbot_challenge: "{{ 'dns' if domain_name in matrix_ssl_lets_encrypt_dns_challenge_domains | map(attribute='domain') | list else 'http' }}"
+
+    # Execute HTTP challenge
+    - block:
+        - ansible.builtin.debug:
+            msg: "Executing HTTP challenge"
+
+        # This will fail if there is something running on port 80 (like matrix-nginx-proxy).
+        # We suppress the error, as we'll try another method below.
+        - name: Attempt initial SSL certificate retrieval with standalone authenticator (directly)
+          ansible.builtin.shell: >-
+            {{ matrix_host_command_docker }} run
+            --rm
+            --name=matrix-certbot
+            --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+            --cap-drop=ALL
+            --publish {{ matrix_ssl_lets_encrypt_container_standalone_http_host_bind_port }}:8080
+            --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt
+            --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt
+            {{ matrix_ssl_lets_encrypt_certbot_docker_image }}
+            certonly
+            --non-interactive
+            --work-dir=/tmp
+            --http-01-port 8080
+            {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server | quote }}{% endif %}
+            {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
+            --key-type {{ matrix_ssl_lets_encrypt_key_type }}
+            --standalone
+            --preferred-challenges http
+            --agree-tos
+            --email={{ matrix_ssl_lets_encrypt_support_email }}
+            -d {{ domain_name }}
+          register: result_certbot_direct
+          changed_when: "not result_certbot_direct.failed"
+          ignore_errors: true
+
+        # If matrix-nginx-proxy is configured from a previous run of this playbook,
+        # and it's running now, it may be able to proxy requests to `matrix_ssl_lets_encrypt_certbot_standalone_http_port`.
+        - name: Attempt initial SSL certificate retrieval with standalone authenticator (via proxy)
+          ansible.builtin.shell: >-
+            {{ matrix_host_command_docker }} run
+            --rm
+            --name=matrix-certbot
+            --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+            --cap-drop=ALL
+            --publish 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080
+            --network={{ matrix_docker_network }}
+            --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt
+            --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt
+            {{ matrix_ssl_lets_encrypt_certbot_docker_image }}
+            certonly
+            --non-interactive
+            --work-dir=/tmp
+            --http-01-port 8080
+            {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server | quote }}{% endif %}
+            {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
+            --key-type {{ matrix_ssl_lets_encrypt_key_type }}
+            --standalone
+            --preferred-challenges http
+            --agree-tos
+            --email={{ matrix_ssl_lets_encrypt_support_email }}
+            -d {{ domain_name }}
+          when: "result_certbot_direct.failed"
+          register: result_certbot_proxy
+          changed_when: "not result_certbot_proxy.failed"
+          ignore_errors: true
+
+        - name: Fail if all SSL certificate retrieval attempts failed for HTTP challenge
+          ansible.builtin.fail:
+            msg: |
+              Failed to obtain a certificate directly (by listening on port 80)
+              and also failed to obtain by relying on the server at port 80 to proxy the request.
+              See above for details.
+              You may wish to set up proxying of /.well-known/acme-challenge to {{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }} or,
+              more easily, stop the server on port 80 while this playbook runs.
+          when: "result_certbot_direct.failed and result_certbot_proxy.failed"
+      when: "certbot_challenge == 'http'"
+
+    # Execute DNS challenge
+    - block:
+        - ansible.builtin.set_fact:
+            domain_config: "{{ matrix_ssl_lets_encrypt_dns_challenge_domains | selectattr('domain', 'equalto', domain_name) | list | first }}"
+
+        - ansible.builtin.debug:
+            msg: "Executing DNS challenge for {{ domain_config.provider }} with {{ domain_config.config_file }}"
 
-# If matrix-nginx-proxy is configured from a previous run of this playbook,
-# and it's running now, it may be able to proxy requests to `matrix_ssl_lets_encrypt_certbot_standalone_http_port`.
-- name: Attempt initial SSL certificate retrieval with standalone authenticator (via proxy)
-  ansible.builtin.shell: >-
-    {{ matrix_host_command_docker }} run
-    --rm
-    --name=matrix-certbot
-    --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
-    --cap-drop=ALL
-    -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080
-    --network={{ matrix_docker_network }}
-    --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt
-    --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt
-    {{ matrix_ssl_lets_encrypt_certbot_docker_image }}
-    certonly
-    --non-interactive
-    --work-dir=/tmp
-    --http-01-port 8080
-    {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server|quote }}{% endif %}
-    {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
-    --key-type {{ matrix_ssl_lets_encrypt_key_type }}
-    --standalone
-    --preferred-challenges http
-    --agree-tos
-    --email={{ matrix_ssl_lets_encrypt_support_email }}
-    -d {{ domain_name }}
-  when: "domain_name_needs_cert and result_certbot_direct.failed"
-  register: result_certbot_proxy
-  ignore_errors: true
+        - name: Attempt initial SSL certificate retrieval with dns authenticator
+          ansible.builtin.shell: >-
+            {{ matrix_host_command_docker }} run
+            --rm
+            --name=matrix-certbot
+            --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+            --cap-drop=ALL
+            --mount type=bind,src={{ matrix_ssl_config_dir_path }},dst=/etc/letsencrypt
+            --mount type=bind,src={{ matrix_ssl_dns_config_dir_path }},dst=/etc/letsencrypt-dns-config,readonly
+            --mount type=bind,src={{ matrix_ssl_log_dir_path }},dst=/var/log/letsencrypt
+            {{ matrix_ssl_lets_encrypt_certbot_docker_image }}
+            certonly
+            --non-interactive
+            --work-dir=/tmp
+            {% if matrix_ssl_lets_encrypt_server %}--server={{ matrix_ssl_lets_encrypt_server | quote }}{% endif %}
+            {% if matrix_ssl_lets_encrypt_staging %}--staging{% endif %}
+            --key-type {{ matrix_ssl_lets_encrypt_key_type }}
+            --dns-{{ domain_config.provider }}
+            {% if domain_config.provider in ['cloudflare', 'cloudxns', 'digitalocean', 'dnsmadeeasy', 'dnssimple', 'gehirn', 'google', 'linode', 'luadns', 'nsone', 'ovh', 'rfc2136', 'sakuracloud'] %}--dns-{{ domain_config.provider }}-credentials "/etc/letsencrypt-dns-config/{{ domain_config.config_file }}"{% endif %}
+            {% if domain_config.provider in ['route53'] %}--pre-hook "/etc/letsencrypt-dns-config/setup-awsconfig.sh '{{ domain_config.config_file }}'"{% endif %}
+            --agree-tos
+            --email={{ matrix_ssl_lets_encrypt_support_email }}
+            -d {{ domain_name }}
+          register: result_certbot_dns
+          changed_when: "not result_certbot_dns.failed"
+          ignore_errors: true
 
-- name: Fail if all SSL certificate retrieval attempts failed
-  ansible.builtin.fail:
-    msg: |
-      Failed to obtain a certificate directly (by listening on port 80)
-      and also failed to obtain by relying on the server at port 80 to proxy the request.
-      See above for details.
-      You may wish to set up proxying of /.well-known/acme-challenge to {{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }} or,
-      more easily, stop the server on port 80 while this playbook runs.
-  when: "domain_name_needs_cert and result_certbot_direct.failed and result_certbot_proxy.failed"
+        - name: Fail if all SSL certificate retrieval attempts failed for DNS challenge
+          ansible.builtin.fail:
+            msg: |
+              Failed to obtain a certificate through DNS challenge.
+              See above for details.
+              You may wish to ensure permissions to update DNS records are properly set and still valid.
+          when: "result_certbot_dns.failed"
+      when: "certbot_challenge == 'dns'"
+  when: "domain_name_needs_cert | bool"

roles/matrix-nginx-proxy/tasks/validate_config.yml

@@ -56,7 +56,69 @@
         - "matrix_nginx_proxy_proxy_synapse_federation_api_addr_with_container"
         - "matrix_nginx_proxy_proxy_synapse_client_api_addr_with_container"
         - "matrix_nginx_proxy_proxy_synapse_client_api_addr_sans_container"
+        - "matrix_ssl_lets_encrypt_certbot_challenge_image"
       when: "vars[item] == '' or vars[item] is none"
+
+    - name: "Fail if unsupported matrix_ssl_lets_encrypt_certbot_challenge_image"
+      ansible.builtin.fail:
+        msg: >-
+          `matrix_ssl_lets_encrypt_certbot_challenge_image` must be set to a known value: 'http' (default), 'dns' or 'custom'.
+      when: "matrix_ssl_lets_encrypt_certbot_challenge_image not in ['http', 'dns', 'custom']"
+
+    - name: "Fail if custom certbot image is missing when required"
+      ansible.builtin.fail:
+        msg: >-
+          No `matrix_ssl_lets_encrypt_certbot_custom_docker_image` has been provided while `matrix_ssl_lets_encrypt_certbot_challenge_image` is set to 'custom'.
+      when: "matrix_ssl_lets_encrypt_certbot_challenge_image == 'custom' and (matrix_ssl_lets_encrypt_certbot_custom_docker_image == '' or matrix_ssl_lets_encrypt_certbot_custom_docker_image is none)"
+
+    - name: "Fail if DNS certbot official image is not supported"
+      ansible.builtin.fail:
+        msg: >-
+          `matrix_ssl_lets_encrypt_certbot_official_dns_provider` needs to be set to a known value.
+      when: "matrix_ssl_lets_encrypt_certbot_challenge_image == 'dns' and matrix_ssl_lets_encrypt_certbot_official_dns_provider not in ['cloudflare', 'cloudxns', 'digitalocean', 'dnsmadeeasy', 'dnssimple', 'gehirn', 'google', 'linode', 'luadns', 'nsone', 'ovh', 'rfc2136', 'route53', 'sakuracloud']"
+
+    - block:
+        - name: "Fail if DNS challenge configured with image supporting only HTTP challenge"
+          ansible.builtin.fail:
+            msg: >-
+              `matrix_ssl_lets_encrypt_dns_challenge_domains` is defined but the configured image doesn't support DNS challenges.
+          when: matrix_ssl_lets_encrypt_certbot_challenge_image not in ['dns', 'custom']
+
+        - name: "Fail if required variables are undefined for an entry of `matrix_ssl_lets_encrypt_dns_challenge_domains`"
+          ansible.builtin.fail:
+            msg: >-
+              The `{{ item[1] }}` variable must be defined for configuration `{{ item[0] }}`
+          loop: "{{ matrix_ssl_lets_encrypt_dns_challenge_domains | product(['domain', 'provider', 'config_file']) | list }}"
+          when: "item[0][item[1]] is not defined"
+
+        - name: "Fail if domain configured for DNS challenge is unkown"
+          ansible.builtin.fail:
+            msg: >-
+              The domain `{{ dns_challenge_domain.domain }}` is not in the list of domains for which a certificate will be requested.
+              The associated module might be enabled or it might be added to `matrix_ssl_additional_domains_to_obtain_certificates_for`.
+          with_items: "{{ matrix_ssl_lets_encrypt_dns_challenge_domains }}"
+          loop_control:
+            loop_var: dns_challenge_domain
+          when: "dns_challenge_domain.domain not in matrix_ssl_domains_to_obtain_certificates_for | list"
+
+        - name: "Fail if DNS provider is not supported"
+          ansible.builtin.fail:
+            msg: >-
+              The DNS provider `{{ dns_challenge_domain.provider }}` is not supported for DNS challenges.
+          with_items: "{{ matrix_ssl_lets_encrypt_dns_challenge_domains }}"
+          loop_control:
+            loop_var: dns_challenge_domain
+          when: "dns_challenge_domain.provider not in ['cloudflare', 'cloudxns', 'digitalocean', 'dnsmadeeasy', 'dnssimple', 'gehirn', 'google', 'linode', 'luadns', 'nsone', 'ovh', 'rfc2136', 'route53', 'sakuracloud']"
+
+        - name: "Fail if DNS provider configuration is missing"
+          ansible.builtin.fail:
+            msg: >-
+              The configuration file `{{ dns_challenge_domain.config_file }}` is not declared in `matrix_ssl_lets_encrypt_dns_config`.
+          with_items: "{{ matrix_ssl_lets_encrypt_dns_challenge_domains }}"
+          loop_control:
+            loop_var: dns_challenge_domain
+          when: "dns_challenge_domain.config_file not in matrix_ssl_lets_encrypt_dns_config | map(attribute='name') | list"
+      when: "(matrix_ssl_lets_encrypt_dns_challenge_domains is defined) and (matrix_ssl_lets_encrypt_dns_challenge_domains | length > 0)"
   when: "matrix_ssl_retrieval_method == 'lets-encrypt'"
 
 - name: (Deprecation) Catch and report old metrics usage

roles/matrix-nginx-proxy/templates/certbot-hook/setup-awsconfig.sh.j2

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+ln -sf "/etc/letsencrypt-dns-config/$1" "~/.aws/config"

roles/matrix-nginx-proxy/templates/dns-config/cloudflare.apikey.ini.j2

@@ -0,0 +1,3 @@
+# Cloudflare API credentials used by Certbot
+dns_cloudflare_email = {{ dns_config.dns_cloudflare_email }}
+dns_cloudflare_api_key = {{ dns_config.dns_cloudflare_api_key }}

roles/matrix-nginx-proxy/templates/dns-config/cloudflare.apitoken.ini.j2

@@ -0,0 +1,2 @@
+# Cloudflare API token used by Certbot
+dns_cloudflare_api_token = {{ dns_config.dns_cloudflare_api_token }}

roles/matrix-nginx-proxy/templates/dns-config/cloudxns.ini.j2

@@ -0,0 +1,3 @@
+# CloudXNS API credentials used by Certbot
+dns_cloudxns_api_key = {{ dns_config.dns_cloudxns_api_key }}
+dns_cloudxns_secret_key = {{ dns_config.dns_cloudxns_secret_key }}

roles/matrix-nginx-proxy/templates/dns-config/digitalocean.ini.j2

@@ -0,0 +1,2 @@
+# DigitalOcean API credentials used by Certbot
+dns_digitalocean_token = {{ dns_config.dns_digitalocean_token }}

roles/matrix-nginx-proxy/templates/dns-config/dnsmadeeasy.ini.j2

@@ -0,0 +1,3 @@
+# DNS Made Easy API credentials used by Certbot
+dns_dnsmadeeasy_api_key = {{ dns_config.dns_dnsmadeeasy_api_key }}
+dns_dnsmadeeasy_secret_key = {{ dns_config.dns_dnsmadeeasy_secret_key }}

roles/matrix-nginx-proxy/templates/dns-config/dnssimple.ini.j2

@@ -0,0 +1,2 @@
+# DNSimple API credentials used by Certbot
+dns_dnsimple_token = {{ dns_config.dns_dnsimple_token }}

roles/matrix-nginx-proxy/templates/dns-config/gehirn.ini.j2

@@ -0,0 +1,3 @@
+# Gehirn Infrastructure Service API credentials used by Certbot
+dns_gehirn_api_token  = {{ dns_config.dns_gehirn_api_token }}
+dns_gehirn_api_secret = {{ dns_config.dns_gehirn_api_secret }}

roles/matrix-nginx-proxy/templates/dns-config/google.json.j2

@@ -0,0 +1,12 @@
+{
+   "type": "{{ dns_config.type | default('service_account') }}",
+   "project_id": "{{ dns_config.project_id }}",
+   "private_key_id": "{{ dns_config.private_key_id }}",
+   "private_key": "{{ dns_config.private_key }}",
+   "client_email": "{{ dns_config.client_email }}",
+   "client_id": "{{ dns_config.client_id }}",
+   "auth_uri": "{{ dns_config.auth_uri | default('https://accounts.google.com/o/oauth2/auth') }}",
+   "token_uri": "{{ dns_config.token_uri | default('https://accounts.google.com/o/oauth2/token') }}",
+   "auth_provider_x509_cert_url": "{{ dns_config.auth_provider_x509_cert_url | default('https://www.googleapis.com/oauth2/v1/certs') }}",
+   "client_x509_cert_url": "{{ dns_config.client_x509_cert_url }}"
+}

roles/matrix-nginx-proxy/templates/dns-config/linode.ini.j2

@@ -0,0 +1,3 @@
+# Linode API credentials used by Certbot
+dns_linode_key = {{ dns_config.dns_linode_key }}
+dns_linode_version = {{ dns_config.dns_linode_version }}

roles/matrix-nginx-proxy/templates/dns-config/luadns.ini.j2

@@ -0,0 +1,3 @@
+# LuaDNS API credentials used by Certbot
+dns_luadns_email = {{ dns_config.dns_luadns_email }}
+dns_luadns_token = {{ dns_config.dns_luadns_token }}

roles/matrix-nginx-proxy/templates/dns-config/nsone.ini.j2

@@ -0,0 +1,2 @@
+# NS1 API credentials used by Certbot
+dns_nsone_api_key = {{ dns_config.dns_nsone_api_key }}

roles/matrix-nginx-proxy/templates/dns-config/ovh.ini.j2

@@ -0,0 +1,5 @@
+# OVH API credentials used by Certbot
+dns_ovh_endpoint = {{ dns_config.dns_ovh_endpoint }}
+dns_ovh_application_key = {{ dns_config.dns_ovh_application_key }}
+dns_ovh_application_secret = {{ dns_config.dns_ovh_application_secret }}
+dns_ovh_consumer_key = {{ dns_config.dns_ovh_consumer_key }}

roles/matrix-nginx-proxy/templates/dns-config/rfc2136.ini.j2

@@ -0,0 +1,10 @@
+# Target DNS server (IPv4 or IPv6 address, not a hostname)
+dns_rfc2136_server = {{ dns_config.dns_rfc2136_server }}
+# Target DNS port
+dns_rfc2136_port = {{ dns_config.dns_rfc2136_port | default(53) }}
+# TSIG key name
+dns_rfc2136_name = {{ dns_config.dns_rfc2136_name }}
+# TSIG key secret
+dns_rfc2136_secret = {{ dns_config.dns_rfc2136_secret }}
+# TSIG key algorithm
+dns_rfc2136_algorithm = {{ dns_config.dns_rfc2136_algorithm | default('HMAC-SHA512') }}

roles/matrix-nginx-proxy/templates/dns-config/route53.ini.j2

@@ -0,0 +1,3 @@
+[default]
+aws_access_key_id={{ dns_config.aws_access_key_id }}
+aws_secret_access_key={{ dns_config.aws_secret_access_key }}

roles/matrix-nginx-proxy/templates/dns-config/sakuracloud.ini.j2

@@ -0,0 +1,3 @@
+# Sakura Cloud API credentials used by Certbot
+dns_sakuracloud_api_token  = {{ dns_config.dns_sakuracloud_api_token }}
+dns_sakuracloud_api_secret = {{ dns_config.dns_sakuracloud_api_secret }}