Add bastion and certificate jails.

ansible/roles/jail_certificate/tasks/freebsd.yaml

@@ -0,0 +1,44 @@
+- name: Install packages
+  package:
+    name:
+      - py311-certbot
+      - py311-certbot-dns-rfc2136
+    state: present
+
+- name: Enable periodic renew
+  community.general.sysrc:
+    name: weekly_certbot_enable
+    value: "YES"
+    path: /etc/periodic.conf.local
+
+- name: Create directories
+  file:
+    name: "{{ item }}"
+    state: directory
+    mode: 0755
+    owner: root
+    group: wheel
+  loop:
+    - /certbot
+
+- name: Install Configuration
+  diff: false
+  copy:
+    src: "files/{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: 0600
+    owner: root
+    group: wheel
+  loop:
+    - src: credentials
+      dest: /certbot/credentials
+
+# For each domain, run:
+# certbot certonly -v --register-unsafely-without-email \
+#   --dns-rfc2136 \
+#   --dns-rfc2136-credentials /certbot/credentials \
+#   --dns-rfc2136-propagation-seconds 400 \
+#   -d example.com \
+#   -d www.example.com
+#
+# Add --test-cert for staging environment