OpenBSD Homelab
ACME client supporting Let’s Encrypt and custom certificate authorities.
variable | default value | notes |
---|---|---|
lego_dns | `` | (required) DNS provider to use for ACME DNS-01 challenge |
lego_env | `` | (required) environment variables to set when running lego |
lego_mail | {{ admin_mail }} | email to use for registration, defaults to the specified homelab admin email |
lego_domain | {{ domain }} | domain to issue certificates for, defaults to the specified homelab domain |
lego_args | `` | extra arguments to pass to lego |
lego_packages | ['lego'] | packages to install for this role |
Lego is the first part of the OBSD Homelab setup, as it creates the TLS certificates for the homelab domain. The default lego setup uses the DNS-01 challenge, which allows it to create wildcard certificates for the domain. Lego supports a multitude of DNS providers, listed on its website.
The first example setup provided on the lego DNS page, which uses Cloudflare, would set the following OBSD Homelab variables in vars.yml -

```yaml
lego_dns: cloudflare
lego_env:
  CLOUDFLARE_EMAIL: foo@bar.com
  CLOUDFLARE_API_KEY: b9841238feb177a84330febba8a83208921177bffe733
lego_mail: me@bar.com
```
An example setup for OBSD Homelab, which wants to use a custom lego solver and disable waiting for DNS propagation, would set the following lego variables -

```yaml
lego_dns: exec
lego_env:
  EXEC_PATH: /usr/local/libexec/lego_custom
lego_mail: obsd-homelab@bsd.ac
lego_args: '--dns.disable-cp'
```
The default key/cert pair used by OBSD Homelab is

mode | owner | group | path | notes |
---|---|---|---|---|
0640 | _lego | _lego | /etc/ssl/homelab.key | private key |
0644 | _lego | _lego | /etc/ssl/homelab.crt | public key |
If managing certificates manually, create a _lego user account prior to running the OBSD Homelab setup. After generating the certificates, copy them to the above location with the correct owner/group/permissions, as the _lego group is used by services to access the protected private key.
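As an added check, not part of the OBSD Homelab role itself, the following POSIX shell script verifies that a manually deployed key/cert pair carries exactly the mode, owner and group listed in the table above; it parses `ls -ld` rather than the non-portable `stat -f`, so it runs unchanged on OpenBSD.

```shell
#!/bin/sh
# Added example (not from the OBSD Homelab role): verify the homelab key/cert
# pair has the mode, owner and group the role expects. Parses POSIX `ls -ld`
# output so it works on OpenBSD without relying on `stat -f`.

# Convert one rwx triplet (e.g. "rw-") to its octal digit.
perm_digit() {
  d=0
  case $1 in r??) d=$((d + 4)) ;; esac
  case $1 in ?w?) d=$((d + 2)) ;; esac
  case $1 in ??[xst]) d=$((d + 1)) ;; esac
  echo "$d"
}

# check_file_perms PATH MODE OWNER GROUP
# MODE is octal with or without a leading 0 (0640 or 640).
# Prints a verdict line; returns 0 when everything matches, 1 otherwise.
check_file_perms() {
  path=$1 want_mode=${2#0} want_owner=$3 want_group=$4
  if [ ! -e "$path" ]; then
    echo "MISSING  $path"
    return 1
  fi
  # Fields of `ls -ld`: perms links owner group size ...
  set -- $(ls -ld "$path")
  perms=$1 owner=$3 group=$4
  mode=$(perm_digit "$(printf '%s\n' "$perms" | cut -c2-4)")
  mode=$mode$(perm_digit "$(printf '%s\n' "$perms" | cut -c5-7)")
  mode=$mode$(perm_digit "$(printf '%s\n' "$perms" | cut -c8-10)")
  if [ "$mode" = "$want_mode" ] && [ "$owner" = "$want_owner" ] && [ "$group" = "$want_group" ]; then
    echo "OK       $path ($mode $owner:$group)"
    return 0
  fi
  echo "MISMATCH $path: have $mode $owner:$group, want $want_mode $want_owner:$want_group"
  return 1
}

# Check both files from the table above; fail if either one is off.
check_homelab_certs() {
  rc=0
  check_file_perms /etc/ssl/homelab.key 0640 _lego _lego || rc=1
  check_file_perms /etc/ssl/homelab.crt 0644 _lego _lego || rc=1
  return $rc
}
```

Call `check_homelab_certs` at the end of the script (or from a cron job) and exit with its status; a world-readable private key or a file not owned by _lego shows up as a MISMATCH line.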