From 5f804ca3be2b854ccb55a28b9aa65ddc2d132d25 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Mon, 1 Jun 2020 12:29:16 +0200
Subject: [PATCH] bundles/letsencrypt: add metadata to reload certificates and services
---
 bundles/letsencrypt/files/config | 5 +++++
 bundles/letsencrypt/files/hook.sh | 37 +++++++++++++++++++++++++++++++
 bundles/letsencrypt/items.py | 5 +++++
 bundles/nginx/metadata.py | 8 +++++--
 nodes/htz/ex42-1048908.py | 21 ++++++++++++++++++
 5 files changed, 74 insertions(+), 2 deletions(-)
 create mode 100644 bundles/letsencrypt/files/config
 create mode 100644 bundles/letsencrypt/files/hook.sh
diff --git a/bundles/letsencrypt/files/config b/bundles/letsencrypt/files/config
new file mode 100644
index 0000000..2d4b2b6
--- /dev/null
+++ b/bundles/letsencrypt/files/config
@@ -0,0 +1,5 @@
+CONFIG_D=/etc/dehydrated/conf.d
+BASEDIR=/var/lib/dehydrated
+WELLKNOWN="${BASEDIR}/acme-challenges"
+DOMAINS_TXT="/etc/dehydrated/domains.txt"
+HOOK="/etc/dehydrated/hook.sh"
diff --git a/bundles/letsencrypt/files/hook.sh b/bundles/letsencrypt/files/hook.sh
new file mode 100644
index 0000000..0796a6d
--- /dev/null
+++ b/bundles/letsencrypt/files/hook.sh
@@ -0,0 +1,37 @@
+deploy_cert() {<%text>
+ local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
+% for service, config in node.metadata.get('letsencrypt', {}).get('concat_and_deploy', {}).items():
+<%text>
+ ### concat_and_deploy ${service}
+ if [ "$DOMAIN" = "${config['match_domain']}" ]; then
+ cat $KEYFILE > ${config['target']}
+ cat $FULLCHAINFILE >> ${config['target']}
+% if 'chown' in config:
+ chown ${config['chown']} ${config['target']}
+% endif
+% if 'chmod' in config:
+ chmod ${config['chmod']} ${config['target']}
+% endif
+% if 'commands' in config:
+% for command in config['commands']:
+ ${command}
+% endfor
+% endif
+ fi
+% endfor
+}
+
+
+exit_hook() {<%text>
+ local ERROR="${1:-}"
+
+% for service in sorted(node.metadata.get('letsencrypt', {}).get('reload_after', set())):
+ systemctl reload-or-restart ${service}
+% endfor
+}
+
+<%text>
+HANDLER="$1"; shift
+if [[ "${HANDLER}" =~ ^(deploy_cert|exit_hook)$ ]]; then
+ "$HANDLER" "$@"
+fi
diff --git a/bundles/letsencrypt/items.py b/bundles/letsencrypt/items.py
index b8a5096..4848411 100644
--- a/bundles/letsencrypt/items.py
+++ b/bundles/letsencrypt/items.py
@@ -21,4 +21,9 @@ files = {
 'action:letsencrypt_update_certificates',
 },
 },
+ '/etc/dehydrated/config': {},
+ '/etc/dehydrated/hook.sh': {
+ 'content_type': 'mako',
+ 'mode': '0755',
+ },
 }
diff --git a/bundles/nginx/metadata.py b/bundles/nginx/metadata.py
index b3c2e5e..10b1c0d 100644
--- a/bundles/nginx/metadata.py
+++ b/bundles/nginx/metadata.py
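Review bot: `cat $KEYFILE > ${config['target']}` in deploy_cert creates the target with the caller's umask and only afterwards applies the optional `chown`/`chmod`, so the file holding the private key is briefly readable per umask and stays that way for any entry without a `chmod`; start the function with `umask 077` so the file is never created more permissive than intended, and quote the expansions, `cat "$KEYFILE" > "${config['target']}"`. The script has no shebang although it uses the bash-only `[[ ... =~ ... ]]` test and items.py installs it 0755 to be executed as `HOOK`; `#!/bin/bash` should be the first line. In exit_hook the `systemctl reload-or-restart` loop runs even when `ERROR` is set, so a failed dehydrated run still reloads every configured service; `[ -z "$ERROR" ] || return 0` before the loop avoids that.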
@@ -31,9 +31,13 @@ def letsencrypt(metadata): if not node.has_bundle('letsencrypt'): return metadata, DONE - le = metadata.setdefault('letsencrypt', {}).setdefault('domains', {}) + le = metadata.setdefault('letsencrypt', {}) + domains = le.setdefault('domains', {}) for domain in metadata.get('nginx', {}).get('vhosts', {}).keys(): - le[domain] = set() + domains[domain] = set() + + reload = le.setdefault('reload_after', set()) + reload.add('nginx') return metadata, RUN_ME_AGAIN
diff --git a/nodes/htz/ex42-1048908.py b/nodes/htz/ex42-1048908.py
index c02bb74..638592f 100644
--- a/nodes/htz/ex42-1048908.py
+++ b/nodes/htz/ex42-1048908.py
@@ -38,6 +38,27 @@ nodes['htz.ex42-1048908'] = {
 },
 },
 },
+ 'letsencrypt': {
+ 'concat_and_deploy': {
+ 'kunsi-weechat': {
+ 'match_domain': 'part.of.the.trans-agenda.eu',
+ 'target': '/home/kunsi/.weechat/ssl/relay.pem',
+ 'chown': 'kunsi:kunsi',
+ 'chmod': '0440',
+ 'commands': [
+ 'echo \'core.weechat */relay sslcertkey\' >> /home/kunsi/.weechat/weechat_fifo'
+ ],
+ },
+ },
+ 'domains': {
+ 'part.of.the.trans-agenda.eu': set(),
+ },
+ 'reload_after': {
+ # TODO move to bundles
+ 'dovecot',
+ 'postfix',
+ },
+ },
 'matrix-synapse': {
 'server_name': 'franzi.business',
 'baseurl': 'matrix.franzi.business',
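Review bot: The `commands` entry under `kunsi-weechat` appends to `/home/kunsi/.weechat/weechat_fifo` from the hook, which presumably runs as root since it also runs `chown` and `systemctl`; if that path is a FIFO with no reader (weechat not running) the redirect blocks and the whole dehydrated run hangs, and if the path is absent `>>` silently creates an ordinary root-owned file there. Guard the write so a renewal cannot stall on a chat client, e.g. `[ -p /home/kunsi/.weechat/weechat_fifo ] && timeout 5 sh -c 'echo ... >> /home/kunsi/.weechat/weechat_fifo'`. The `# TODO move to bundles` on `reload_after` could name the pattern already used in this commit's nginx hunk (`le.setdefault('reload_after', set()).add(...)`) so the dovecot/postfix bundles follow it.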