community.hashi_vault
lexicon
community.hashi_vault | lexicon | |
---|---|---|
15 | 16 | |
78 | 1,444 | |
- | - | |
6.8 | 8.8 | |
19 days ago | 3 months ago | |
Python | Python | |
GNU General Public License v3.0 only | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
community.hashi_vault
-
Easy HTTPS for your private networks
My way of doing private SSL (not necessarily the easiest):
* own CA, to be distributed to all systems via Ansible playbook or Dockerfile directives
* Hashicorp Vault with enabled PKI engine
* Ansible Hashivault module [1]
* Ansible role & playbook to tie it all together
* CI enviroment for automated deployment of SSL certs to target systems
Works flawlessly once set up, including restart/reload of affected services. Might do a writeup on my personal blog at some point.
[1] https://github.com/ansible-collections/community.hashi_vault
-
The Bullhorn #102 (Ansible Newsletter)
community.hashi_vault 5.0.0 has been released. See the collection changelog for details.
-
The Bullhorn #100 (Ansible Newsletter)
community.hashi_vault version 4.2.1 has been released with updated documentation for the vault_kv2_write module. There are no functional changes.
-
The Bullhorn #97 (Ansible Newsletter)
community.hashi_vault version 4.2.0 [changelog] has been released with a new KVv2 write module and a warning/deprecation for duplicated term string option use in the hashi_vault lookup.
-
The Bullhorn #88 (Ansible Newsletter)
The community.hashi_vault collection has released version 4.1.0 with a new vault_list module and lookup from a new contributor! There are also some upcoming deprecation announcements for hvac and ansible-core support.
-
The Bullhorn #81 (Ansible Newsletter)
community.hashi_vault version 4.0.0 has been released, with previously announced breaking changes to some default values, and improvements to module documentation with attributes that describe the use of action groups and check mode support.
-
The Bullhorn #71 (Ansible Newsletter)
community.hashi_vault version 3.2.0 has been released with support for the azure auth method, thanks to new contributor @jchenship. This release also includes retries on HTTP 412 and a bugfix affecting requests>=2.28.0.
-
The Bullhorn #68 (Ansible Newsletter)
community.hashi_vault has released version 3.1.0, announcing a change to a default value that will take place in 4.0.0.
-
The Bullhorn #65 (Ansible Newsletter)
The community.hashi_vault collection is looking for feedback about support for end-of-life Python versions going forward. Join the discussion.
-
The Bullhorn #60 (Ansible Newsletter)
community.hashi_vault version 3.0.0 has been released, dropping support for Ansible 2.9 and ansible-base 2.10, as well as removing some deprecated features.
lexicon
-
Dehydrated: Letsencrypt/acme client implemented as a shell-script
One of the biggest benefits of dehydrated is that it doesn't try to integrate with a DNS provider on its own. It just calls a hook, which can be implemented with a simple shell script[1]. The most popular third-party integration is lexicon[2], though you're not required to use Lexicon. (e.g. you're free to use awscli, gcloud, linode-cli, etc. to do the actual DNS record manipulation)
This means its dependencies footprint is much smaller, and allows you to do things that can be a nightmare to configure with Certbot or other alternatives. For example, at one of the scenarios I had to set up was that we had to query a credential via HashiCorp Vault, which is then used to cURL into an API endpoint. The shell script in total was pretty short (< 100 LOC) and it worked extremely well.
[1]: https://github.com/dehydrated-io/dehydrated/blob/master/docs...
[2]: https://github.com/AnalogJ/lexicon
-
Why Certificate Lifecycle Automation Matters
A reminder that if you an internal-only server where the typical http-01' verification connection method will not work, especially if you cannot easily/dynamically update DNS records, one can use dns-01* by using DNS aliasing/CNAME:
* https://dan.langille.org/2019/02/01/acme-domain-alias-mode/
* https://www.eff.org/deeplinks/2018/02/technical-deep-dive-se...
So if you want a cert for www.internal.example.com, you will first have do a one-time change to have a _acme-challenge.www.internal… CNAME created to point to any other (sub-)domain where you can easily update things dynamically, e.g., www-internal.example-dnsapi.com.
When request the cert for "www.internal…", LE/ACME will look up the corresponding _acme-challenge record, and go to "_acme-challenge.www-internal.example-dnsapi.com. The nonce token will be there in the 'final' destination following the CNAME in a TXT, which shows LE/ACME that you control the DNS chain.
To do the DNS updating, you can use a CLI/Python library like Lexicon, which supports dozens of APIs:
* https://github.com/AnalogJ/lexicon
-
Easy HTTPS for your private networks
This leverages the ACME DNS server which has a REST API:
* https://github.com/joohoi/acme-dns
If your DNS provider has an API, you can hook into that for internal-only web servers; this handy code supports several dozen APIs so you don't have to re-invent the wheel:
* https://github.com/AnalogJ/lexicon
* https://pypi.org/project/dns-lexicon/
* https://dns-lexicon.readthedocs.io/en/latest/user_guide.html
- Wie kommt Google Safe Browsing darauf, dass alle Seiten auf meiner Dyndns Domain phishing Seiten sind?
-
Uacme: ACMEv2 client written in plain C with minimal dependencies
> It even comes preconfigured for various DNS providers[2]
Also, CLI utility that supports a bunch of APIs:
* https://github.com/AnalogJ/lexicon
-
what are better alternatives of noip?
Then, you can use ddclient, which supports many DNS services (including those providing DynDNS protocol), or you can write a Python script using the dns-lexicon module to manipulate the DNS records over the API.
- NextDNS Launches API
- Lexicon: Manipulate DNS records on various DNS providers in a standardized way.
- Lexicon: Manipulate DNS records on various DNS providers in a standardized way
- Some of the popular DNS management services as a self hosted service
What are some alternatives?
community.general - Ansible Community General Collection
letsencrypt - Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol.
minica - minica is a small, simple CA intended for use in situations where the CA operator also operates each host where a certificate will be used.
octoDNS - Tools for managing DNS across multiple providers
Ansible - Ansible is a radically simple IT automation platform that makes your applications and systems easier to deploy and maintain. Automate everything from code deployment to network configuration to cloud management, in a language that approaches plain English, using SSH, with no agents to install on remote systems. https://docs.ansible.com.
acme.sh - A pure Unix shell script implementing ACME client protocol
community-docs - docs.ansible.com/community
extdns - External DNS for docker-compose
vscode-ansible - vscode/vscodium extension for providing Ansible auto-completion and integrating quality assurance tools like ansible-lint, ansible syntax check, yamllint, molecule and ansible-test.
duckdns - Caddy module: dns.providers.duckdns
community.internal_test_tools - Internal only, not for end users
lego - Let's Encrypt/ACME client and library written in Go