bundles/letsencrypt: add metadata to reload certificates and services

2020-06-01 12:29:16 +02:00 · 2020-06-01 12:29:16 +02:00 · 5f804ca3be
parent 2a6547dfb7
commit 5f804ca3be
5 changed files with 74 additions and 2 deletions
--- a/bundles/letsencrypt/files/config
+++ b/bundles/letsencrypt/files/config
@ -0,0 +1,5 @@
+CONFIG_D=/etc/dehydrated/conf.d
+BASEDIR=/var/lib/dehydrated
+WELLKNOWN="${BASEDIR}/acme-challenges"
+DOMAINS_TXT="/etc/dehydrated/domains.txt"
+HOOK="/etc/dehydrated/hook.sh"
--- a/bundles/letsencrypt/files/hook.sh
+++ b/bundles/letsencrypt/files/hook.sh
@ -0,0 +1,37 @@
+deploy_cert() {<%text>
+    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"</%text>
+% for service, config in node.metadata.get('letsencrypt', {}).get('concat_and_deploy', {}).items():
+<%text>
+    ### concat_and_deploy ${service}</%text>
+    if [ "$DOMAIN" = "${config['match_domain']}" ]; then
+        cat $KEYFILE > ${config['target']}
+        cat $FULLCHAINFILE >> ${config['target']}
+%  if 'chown' in config:
+        chown ${config['chown']} ${config['target']}
+%  endif
+%  if 'chmod' in config:
+        chmod ${config['chmod']} ${config['target']}
+%  endif
+%  if 'commands' in config:
+%   for command in config['commands']:
+        ${command}
+%   endfor
+%  endif
+    fi
+% endfor
+}
+
+
+exit_hook() {<%text>
+    local ERROR="${1:-}"</%text>
+
+% for service in sorted(node.metadata.get('letsencrypt', {}).get('reload_after', set())):
+    systemctl reload-or-restart ${service}
+% endfor
+}
+
+<%text>
+HANDLER="$1"; shift
+if [[ "${HANDLER}" =~ ^(deploy_cert|exit_hook)$ ]]; then
+  "$HANDLER" "$@"
+fi</%text>
--- a/bundles/letsencrypt/items.py
+++ b/bundles/letsencrypt/items.py
@ -21,4 +21,9 @@ files = {
            'action:letsencrypt_update_certificates',
        },
    },
+    '/etc/dehydrated/config': {},
+    '/etc/dehydrated/hook.sh': {
+        'content_type': 'mako',
+        'mode': '0755',
+    },
 }
--- a/bundles/nginx/metadata.py
+++ b/bundles/nginx/metadata.py
@ -31,9 +31,13 @@ def letsencrypt(metadata):
    if not node.has_bundle('letsencrypt'):
        return metadata, DONE

-    le = metadata.setdefault('letsencrypt', {}).setdefault('domains', {})
+    le = metadata.setdefault('letsencrypt', {})
+    domains = le.setdefault('domains', {})

    for domain in metadata.get('nginx', {}).get('vhosts', {}).keys():
-        le[domain] = set()
+        domains[domain] = set()
+
+    reload = le.setdefault('reload_after', set())
+    reload.add('nginx')

    return metadata, RUN_ME_AGAIN
--- a/nodes/htz/ex42-1048908.py
+++ b/nodes/htz/ex42-1048908.py
@ -38,6 +38,27 @@ nodes['htz.ex42-1048908'] = {
                },
            },
        },
+        'letsencrypt': {
+            'concat_and_deploy': {
+                'kunsi-weechat': {
+                    'match_domain': 'part.of.the.trans-agenda.eu',
+                    'target': '/home/kunsi/.weechat/ssl/relay.pem',
+                    'chown': 'kunsi:kunsi',
+                    'chmod': '0440',
+                    'commands': [
+                        'echo \'core.weechat */relay sslcertkey\' >> /home/kunsi/.weechat/weechat_fifo'
+                    ],
+                },
+            },
+            'domains': {
+                'part.of.the.trans-agenda.eu': set(),
+            },
+            'reload_after': {
+                # TODO move to bundles
+                'dovecot',
+                'postfix',
+            },
+        },
        'matrix-synapse': {
            'server_name': 'franzi.business',
            'baseurl': 'matrix.franzi.business',