[ADD] DNS hoster INWX

changelogs/fragments/19-add-inwx-dns-provider.yaml

@@ -0,0 +1,2 @@
+minor_changes:
+- "The role ``felixfontein.acme.acme_certificate`` can now handle the DNS provider INWX (https://github.com/felixfontein/ansible-acme/pull/19)."

docs/docsite/rst/acme_certificate_role.rst

@@ -191,6 +191,10 @@ This role can be used as follows. Note that it obtains several certificates, and
         # For DNS challenges with ns1:
         # acme_certificate_dns_provider: ns1
         # acme_certificate_ns1_secret_key: REPLACE_WITH_YOUR_SECRET_KEY
+        # For DNS challenges with inwx:
+        # acme_certificate_dns_provider: inwx
+        # acme_certificate_inwx_username: REPLACE_WITH_YOUR_USERNAME
+        # acme_certificate_inwx_password: REPLACE_WITH_YOUR_SECRET_PASSWORD
 
       roles:
         - role: felixfontein.acme.acme_certificate

docs/docsite/rst/general_role_parameters.rst

@@ -87,12 +87,13 @@ DNS Challenges
 
 If DNS challenges are used, the following variables define how the challenges can be fulfilled:
 
-- ``acme_certificate_dns_provider``: must be one of ``route53``, ``hosttech``, and ``ns1``. Each needs more information:
+- ``acme_certificate_dns_provider``: must be one of ``route53``, ``hosttech``, ``ns1``, and ``inwx``. Each needs more information:
   - For ``route53`` (`Amazon Route 53 <https://aws.amazon.com/route53/>`_), the credentials must be passed as ``acme_certificate_aws_access_key`` and ``acme_certificate_aws_secret_key``.
   - For ``hosttech`` (`hosttech GmbH <https://www.hosttech.ch/>`_), the credentials have to be passed as ``acme_certificate_hosttech_username`` and ``acme_certificate_hosttech_password`` for using the old WSDL API, and ``acme_certificate_hosttech_token`` for the new JSON API.
   - For ``ns1`` (`ns1.com <https://ns1.com>`_) the key for your API account must be passed as ``acme_certificate_ns1_secret_key``. Also it depends on external module ``ns1_record``. See below for instructions on how to install these modules.
+  - For ``inwx`` (`inwx.de <https://inwx.de>`_) the credentials have to be passed as ``acme_certificate_inwx_username`` and ``acme_certificate_inwx_password``. Please keep in mind that 2FA (two factor authentication) is currently not supported and needs do be disabled. Related Issue: (`inwx/ansible-collection#3 <https://github.com/inwx/ansible-collection/issues/3>`_)
 
-Please note that the DNS challenge code is not perfect. The Route 53, Hosttech and NS1 functionality has been tested.
+Please note that the DNS challenge code is not perfect. The Route 53, Hosttech, NS1, and INWX functionality has been tested.
 
 Setting up NS1 modules
 ~~~~~~~~~~~~~~~~~~~~~~
@@ -105,3 +106,10 @@ For ``ns1`` (`ns1.com <https://ns1.com>`_) the external ``ns1_record`` module ne
     curl --create-dirs -L -o ~/.ansible/plugins/modules/ns1_record.py https://github.com/ns1/ns1-ansible-modules/raw/master/library/ns1_record.py
 
 Once NS1 converts their `set of modules <https://github.com/ns1/ns1-ansible-modules>`_ into a `collection <https://docs.ansible.com/ansible/latest/dev_guide/developing_collections.html>`_, it will become a lot easier to install and use them (`NS1 tracking issue <https://github.com/ns1/ns1-ansible-modules/issues/32>`_).
+
+Setting up INWX modules
+~~~~~~~~~~~~~~~~~~~~~~~
+
+For ``inwx`` (`inwx.de <https://inwx.de>`_) the available Ansible Galaxy collection ``inwx.collection`` (`galaxy.ansible.com <https://galaxy.ansible.com/inwx/collection>`_) needs to be installed.
+
+It is as simple as: ``ansible-galaxy collection install inwx.collection``

docs/docsite/rst/requirements.rst

@@ -7,4 +7,4 @@ The collection requires the Python `cryptography <https://pypi.org/project/crypt
 
 The ``openssl`` binary must also be available in the executable path on the controller. It is needed by the :ref:`community.crypto.acme_certificate <ansible_collections.community.crypto.acme_certificate_module>` module in case ``cryptography`` is not installed, and it is used for certificate chain validation.
 
-If DNS challenges are used, there can be other requirements depending on the DNS provider. For example, for Amazon's Route 53, the Ansible :ref:`community.aws.route53 <ansible_collections.community.aws.route53_module>` requires the Python `boto <https://pypi.org/project/boto/>`_ package. If Hosttech DNS challenges are used, the `lxml <https://pypi.org/project/lxml/>`_ package needs to be installed. If DNS challenges with NS1 are used, the NS1 modules must be installed. See below for more information.
+If DNS challenges are used, there can be other requirements depending on the DNS provider. For example, for Amazon's Route 53, the Ansible :ref:`community.aws.route53 <ansible_collections.community.aws.route53_module>` requires the Python `boto <https://pypi.org/project/boto/>`_ package. If Hosttech DNS challenges are used, the `lxml <https://pypi.org/project/lxml/>`_ package needs to be installed. If DNS challenges with NS1 or INWX are used, the corresponding modules respectively collections must be installed. See below for more information.

roles/acme_certificate/meta/argument_specs.yml

@@ -81,6 +81,7 @@ argument_specs:
           - route53
           - hosttech
           - ns1
+          - inwx
           - ansibletest
         description:
           - Determines which DNS provider is used for DNS challenges.
@@ -119,6 +120,20 @@ argument_specs:
           - When using I(acme_certificate_dns_provider=ns1), the NS1 account key must be passed in this option.
           - Please note that NS1 support depends on the external module C(ns1_record). Please check out the
             documentation on how to install it.
+      acme_certificate_inwx_username:
+        type: str
+        description:
+          - When using I(acme_certificate_dns_provider=inwx), the INWX account username must be passed in this option.
+          - Please note that INWX support depends on the collection C(inwx.collection). Please check out the
+            documentation on how to install it.
+      acme_certificate_inwx_password:
+        type: str
+        description:
+          - When using I(acme_certificate_dns_provider=inwx), the INWX account password must be passed in this option.
+          - Please note that INWX support depends on the collection C(inwx.collection). Please check out the
+            documentation on how to install it.
+          - Please note that the collection C(inwx.collection) does currently not support 2FA (two factor authentication).
+            In order to use this module you need to disable it.
       acme_certificate_domains:
         type: str
         description:

roles/acme_certificate/tasks/dns-inwx-cleanup.yml

@@ -0,0 +1,17 @@
+---
+# Clean up DNS challenges for DNS provider INWX
+
+- name: Cleaning up challenge DNS entries for {{ ', '.join(acme_certificate_domains + acme_certificate_ips) }} via INWX
+  inwx.collection.dns:
+    state: absent
+    domain: "{{ item.0.key | community.dns.get_registrable_domain }}"
+    type: TXT
+    record: "{{ item.0.key | community.dns.remove_registrable_domain }}"
+    value: "{{ item.1 }}"
+    username: "{{ acme_certificate_inwx_username | default(omit) }}"
+    password: "{{ acme_certificate_inwx_password | default(omit) }}"
+  delegate_to: localhost
+  run_once: true
+  loop_control:
+    extended: yes
+  loop: "{{ acme_certificate_INTERNAL_challenge.challenge_data_dns | dict2items | subelements('value') }}"

roles/acme_certificate/tasks/dns-inwx-create.yml

@@ -0,0 +1,27 @@
+---
+# Create DNS challenges for DNS provider INWX
+
+- name: Creating challenge DNS entries for {{ ', '.join(acme_certificate_domains + acme_certificate_ips) }} via INWX
+  inwx.collection.dns:
+    state: present
+    domain: "{{ item.0.key | community.dns.get_registrable_domain }}"
+    type: TXT
+    record: "{{ item.0.key | community.dns.remove_registrable_domain }}"
+    value: "{{ item.1 }}"
+    solo: "{{ ansible_loop.first }}"
+    ttl: 300
+    username: "{{ acme_certificate_inwx_username | default(omit) }}"
+    password: "{{ acme_certificate_inwx_password | default(omit) }}"
+  delegate_to: localhost
+  run_once: true
+  loop_control:
+    extended: yes
+  loop: "{{ acme_certificate_INTERNAL_challenge.challenge_data_dns | dict2items | subelements('value') }}"
+
+- name: Wait for DNS entries to propagate
+  community.dns.wait_for_txt:
+    records: >-
+      {{ acme_certificate_INTERNAL_challenge.challenge_data_dns | dict2items(key_name='name', value_name='values') | list }}
+    timeout: 600
+  delegate_to: localhost
+  run_once: true

roles/acme_certificate/tasks/dns-inwx-sanity.yml

@@ -0,0 +1,8 @@
+---
+- name: DNS sanity checks
+  ansible.builtin.assert:
+    that:
+      - acme_certificate_inwx_username is defined
+      - acme_certificate_inwx_password is defined
+    msg: "acme_certificate_inwx_username and acme_certificate_inwx_password must be specified for INWX DNS"
+  run_once: true