[ADD] DNS hoster INWX (#19)

* [ADD] DNS hoster INWX (#1) * [ADD] DNS provider 'INWX' to argument_specs.yml * [ADD] INWX sanity checks * [ADD] INWX create * [ADD] INWX cleanup * [FIX] typo in argument_specs.yml * [FIX] typo 'wait_for_txt' dns-inwx-create.yml Remove `always_ask_default_resolver: false` from module `community.dns.wait_for_txt` while 'Wait for DNS entries to propagate' * [FIX] INWX and docs (#2) * [FIX] multiple record values dns-inwx-create.yml this is necessary as long as inwx/ansible-collection#9 is not resolved. * Update general_role_parameters.rst * Update acme_certificate_role.rst * Update dns-inwx-cleanup.yml (#3) * I should update the general requirements * Create 19-add-inwx-dns-provider.yaml (#4) * [FIX] Sanity (Ⓐstable-2.10) / Extra Sanity `ERROR: docs/docsite/rst/general_role_parameters.rst:95:0: Bullet list ends without a blank line; unexpected unindent.` / `./docs/docsite/rst/general_role_parameters.rst:95:0: (WARNING/2) Bullet list ends without a blank line; unexpected unindent.` I hope that is the needed fix. * Update docs/docsite/rst/general_role_parameters.rst Co-authored-by: Felix Fontein <[email protected]> * Update docs/docsite/rst/general_role_parameters.rst Co-authored-by: Felix Fontein <[email protected]> * Update docs/docsite/rst/requirements.rst Co-authored-by: Felix Fontein <[email protected]> * Update roles/acme_certificate/meta/argument_specs.yml Co-authored-by: Felix Fontein <[email protected]> * Update roles/acme_certificate/tasks/dns-inwx-create.yml Co-authored-by: Felix Fontein <[email protected]> * Update docs/docsite/rst/general_role_parameters.rst Co-authored-by: Felix Fontein <[email protected]> * Update docs/docsite/rst/general_role_parameters.rst Co-authored-by: Felix Fontein <[email protected]> * Update roles/acme_certificate/tasks/dns-inwx-create.yml Co-authored-by: Felix Fontein <[email protected]> * Update changelogs/fragments/19-add-inwx-dns-provider.yaml Co-authored-by: Felix Fontein <[email protected]> Co-authored-by: Felix Fontein <[email protected]>
felixfontein · Oct 31, 2021 · 76a0493 · 76a0493
1 parent 856e080
commit 76a0493
Show file tree

Hide file tree

Showing 8 changed files with 84 additions and 3 deletions.
diff --git a/changelogs/fragments/19-add-inwx-dns-provider.yaml b/changelogs/fragments/19-add-inwx-dns-provider.yaml
@@ -0,0 +1,2 @@
+minor_changes:
+- "The role ``felixfontein.acme.acme_certificate`` can now handle the DNS provider INWX (https://github.com/felixfontein/ansible-acme/pull/19)."
diff --git a/docs/docsite/rst/acme_certificate_role.rst b/docs/docsite/rst/acme_certificate_role.rst
@@ -191,6 +191,10 @@ This role can be used as follows. Note that it obtains several certificates, and
         # For DNS challenges with ns1:
         # acme_certificate_dns_provider: ns1
         # acme_certificate_ns1_secret_key: REPLACE_WITH_YOUR_SECRET_KEY
+        # For DNS challenges with inwx:
+        # acme_certificate_dns_provider: inwx
+        # acme_certificate_inwx_username: REPLACE_WITH_YOUR_USERNAME
+        # acme_certificate_inwx_password: REPLACE_WITH_YOUR_SECRET_PASSWORD
 
       roles:
         - role: felixfontein.acme.acme_certificate

diff --git a/docs/docsite/rst/general_role_parameters.rst b/docs/docsite/rst/general_role_parameters.rst
@@ -87,12 +87,13 @@ DNS Challenges
 
 If DNS challenges are used, the following variables define how the challenges can be fulfilled:
 
-- ``acme_certificate_dns_provider``: must be one of ``route53``, ``hosttech``, and ``ns1``. Each needs more information:
+- ``acme_certificate_dns_provider``: must be one of ``route53``, ``hosttech``, ``ns1``, and ``inwx``. Each needs more information:
   - For ``route53`` (`Amazon Route 53 <https://aws.amazon.com/route53/>`_), the credentials must be passed as ``acme_certificate_aws_access_key`` and ``acme_certificate_aws_secret_key``.
   - For ``hosttech`` (`hosttech GmbH <https://www.hosttech.ch/>`_), the credentials have to be passed as ``acme_certificate_hosttech_username`` and ``acme_certificate_hosttech_password`` for using the old WSDL API, and ``acme_certificate_hosttech_token`` for the new JSON API.
   - For ``ns1`` (`ns1.com <https://ns1.com>`_) the key for your API account must be passed as ``acme_certificate_ns1_secret_key``. Also it depends on external module ``ns1_record``. See below for instructions on how to install these modules.
+  - For ``inwx`` (`inwx.de <https://inwx.de>`_) the credentials have to be passed as ``acme_certificate_inwx_username`` and ``acme_certificate_inwx_password``. Please keep in mind that 2FA (two factor authentication) is currently not supported and needs do be disabled. Related Issue: (`inwx/ansible-collection#3 <https://github.com/inwx/ansible-collection/issues/3>`_)
 
-Please note that the DNS challenge code is not perfect. The Route 53, Hosttech and NS1 functionality has been tested.
+Please note that the DNS challenge code is not perfect. The Route 53, Hosttech, NS1, and INWX functionality has been tested.
 
 Setting up NS1 modules
 ~~~~~~~~~~~~~~~~~~~~~~
@@ -105,3 +106,10 @@ For ``ns1`` (`ns1.com <https://ns1.com>`_) the external ``ns1_record`` module ne
     curl --create-dirs -L -o ~/.ansible/plugins/modules/ns1_record.py https://github.com/ns1/ns1-ansible-modules/raw/master/library/ns1_record.py
 
 Once NS1 converts their `set of modules <https://github.com/ns1/ns1-ansible-modules>`_ into a `collection <https://docs.ansible.com/ansible/latest/dev_guide/developing_collections.html>`_, it will become a lot easier to install and use them (`NS1 tracking issue <https://github.com/ns1/ns1-ansible-modules/issues/32>`_).
+
+Setting up INWX modules
+~~~~~~~~~~~~~~~~~~~~~~~
+
+For ``inwx`` (`inwx.de <https://inwx.de>`_) the available Ansible Galaxy collection ``inwx.collection`` (`galaxy.ansible.com <https://galaxy.ansible.com/inwx/collection>`_) needs to be installed.
+
+It is as simple as: ``ansible-galaxy collection install inwx.collection``
diff --git a/docs/docsite/rst/requirements.rst b/docs/docsite/rst/requirements.rst
@@ -7,4 +7,4 @@ The collection requires the Python `cryptography <https://pypi.org/project/crypt
 
 The ``openssl`` binary must also be available in the executable path on the controller. It is needed by the :ref:`community.crypto.acme_certificate <ansible_collections.community.crypto.acme_certificate_module>` module in case ``cryptography`` is not installed, and it is used for certificate chain validation.
 
-If DNS challenges are used, there can be other requirements depending on the DNS provider. For example, for Amazon's Route 53, the Ansible :ref:`community.aws.route53 <ansible_collections.community.aws.route53_module>` requires the Python `boto <https://pypi.org/project/boto/>`_ package. If Hosttech DNS challenges are used, the `lxml <https://pypi.org/project/lxml/>`_ package needs to be installed. If DNS challenges with NS1 are used, the NS1 modules must be installed. See below for more information.
+If DNS challenges are used, there can be other requirements depending on the DNS provider. For example, for Amazon's Route 53, the Ansible :ref:`community.aws.route53 <ansible_collections.community.aws.route53_module>` requires the Python `boto <https://pypi.org/project/boto/>`_ package. If Hosttech DNS challenges are used, the `lxml <https://pypi.org/project/lxml/>`_ package needs to be installed. If DNS challenges with NS1 or INWX are used, the corresponding modules respectively collections must be installed. See below for more information.
diff --git a/roles/acme_certificate/meta/argument_specs.yml b/roles/acme_certificate/meta/argument_specs.yml
@@ -81,6 +81,7 @@ argument_specs:
           - route53
           - hosttech
           - ns1
+          - inwx
           - ansibletest
         description:
           - Determines which DNS provider is used for DNS challenges.
@@ -119,6 +120,20 @@ argument_specs:
           - When using I(acme_certificate_dns_provider=ns1), the NS1 account key must be passed in this option.
           - Please note that NS1 support depends on the external module C(ns1_record). Please check out the
             documentation on how to install it.
+      acme_certificate_inwx_username:
+        type: str
+        description:
+          - When using I(acme_certificate_dns_provider=inwx), the INWX account username must be passed in this option.
+          - Please note that INWX support depends on the collection C(inwx.collection). Please check out the
+            documentation on how to install it.
+      acme_certificate_inwx_password:
+        type: str
+        description:
+          - When using I(acme_certificate_dns_provider=inwx), the INWX account password must be passed in this option.
+          - Please note that INWX support depends on the collection C(inwx.collection). Please check out the
+            documentation on how to install it.
+          - Please note that the collection C(inwx.collection) does currently not support 2FA (two factor authentication).
+            In order to use this module you need to disable it.
       acme_certificate_domains:
         type: str
         description:

diff --git a/roles/acme_certificate/tasks/dns-inwx-cleanup.yml b/roles/acme_certificate/tasks/dns-inwx-cleanup.yml
@@ -0,0 +1,17 @@
+---
+# Clean up DNS challenges for DNS provider INWX
+
+- name: Cleaning up challenge DNS entries for {{ ', '.join(acme_certificate_domains + acme_certificate_ips) }} via INWX
+  inwx.collection.dns:
+    state: absent
+    domain: "{{ item.0.key | community.dns.get_registrable_domain }}"
+    type: TXT
+    record: "{{ item.0.key | community.dns.remove_registrable_domain }}"
+    value: "{{ item.1 }}"
+    username: "{{ acme_certificate_inwx_username | default(omit) }}"
+    password: "{{ acme_certificate_inwx_password | default(omit) }}"
+  delegate_to: localhost
+  run_once: true
+  loop_control:
+    extended: yes
+  loop: "{{ acme_certificate_INTERNAL_challenge.challenge_data_dns | dict2items | subelements('value') }}"
diff --git a/roles/acme_certificate/tasks/dns-inwx-create.yml b/roles/acme_certificate/tasks/dns-inwx-create.yml
@@ -0,0 +1,27 @@
+---
+# Create DNS challenges for DNS provider INWX
+
+- name: Creating challenge DNS entries for {{ ', '.join(acme_certificate_domains + acme_certificate_ips) }} via INWX
+  inwx.collection.dns:
+    state: present
+    domain: "{{ item.0.key | community.dns.get_registrable_domain }}"
+    type: TXT
+    record: "{{ item.0.key | community.dns.remove_registrable_domain }}"
+    value: "{{ item.1 }}"
+    solo: "{{ ansible_loop.first }}"
+    ttl: 300
+    username: "{{ acme_certificate_inwx_username | default(omit) }}"
+    password: "{{ acme_certificate_inwx_password | default(omit) }}"
+  delegate_to: localhost
+  run_once: true
+  loop_control:
+    extended: yes
+  loop: "{{ acme_certificate_INTERNAL_challenge.challenge_data_dns | dict2items | subelements('value') }}"
+
+- name: Wait for DNS entries to propagate
+  community.dns.wait_for_txt:
+    records: >-
+      {{ acme_certificate_INTERNAL_challenge.challenge_data_dns | dict2items(key_name='name', value_name='values') | list }}
+    timeout: 600
+  delegate_to: localhost
+  run_once: true
diff --git a/roles/acme_certificate/tasks/dns-inwx-sanity.yml b/roles/acme_certificate/tasks/dns-inwx-sanity.yml
@@ -0,0 +1,8 @@
+---
+- name: DNS sanity checks
+  ansible.builtin.assert:
+    that:
+      - acme_certificate_inwx_username is defined
+      - acme_certificate_inwx_password is defined
+    msg: "acme_certificate_inwx_username and acme_certificate_inwx_password must be specified for INWX DNS"
+  run_once: true
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		minor_changes:
		- "The role ``felixfontein.acme.acme_certificate`` can now handle the DNS provider INWX (https://github.com/felixfontein/ansible-acme/pull/19)."
Original file line number	Diff line number	Diff line change
Expand Up		@@ -7,4 +7,4 @@ The collection requires the Python `cryptography <https://pypi.org/project/crypt

		The ``openssl`` binary must also be available in the executable path on the controller. It is needed by the :ref:`community.crypto.acme_certificate <ansible_collections.community.crypto.acme_certificate_module>` module in case ``cryptography`` is not installed, and it is used for certificate chain validation.

		If DNS challenges are used, there can be other requirements depending on the DNS provider. For example, for Amazon's Route 53, the Ansible :ref:`community.aws.route53 <ansible_collections.community.aws.route53_module>` requires the Python `boto <https://pypi.org/project/boto/>`_ package. If Hosttech DNS challenges are used, the `lxml <https://pypi.org/project/lxml/>`_ package needs to be installed. If DNS challenges with NS1 are used, the NS1 modules must be installed. See below for more information.
		If DNS challenges are used, there can be other requirements depending on the DNS provider. For example, for Amazon's Route 53, the Ansible :ref:`community.aws.route53 <ansible_collections.community.aws.route53_module>` requires the Python `boto <https://pypi.org/project/boto/>`_ package. If Hosttech DNS challenges are used, the `lxml <https://pypi.org/project/lxml/>`_ package needs to be installed. If DNS challenges with NS1 or INWX are used, the corresponding modules respectively collections must be installed. See below for more information.