cp over all the bundles from kunsis bw repo

2021-12-21 15:56:24 +01:00 · 2021-12-21 15:56:24 +01:00 · 1f73b04351
commit 1f73b04351
parent 65b117b819
89 changed files with 3991 additions and 0 deletions
--- a/bundles/letsencrypt/files/config
+++ b/bundles/letsencrypt/files/config
@ -0,0 +1,5 @@
+CONFIG_D=/etc/dehydrated/conf.d
+BASEDIR=/var/lib/dehydrated
+WELLKNOWN="${BASEDIR}/acme-challenges"
+DOMAINS_TXT="/etc/dehydrated/domains.txt"
+HOOK="/etc/dehydrated/hook.sh"
--- a/bundles/letsencrypt/files/domains.txt
+++ b/bundles/letsencrypt/files/domains.txt
@ -0,0 +1,3 @@
+% for domain, aliases in sorted(node.metadata.get('letsencrypt/domains', {}).items()):
+${domain} ${' '.join(sorted(aliases))}
+% endfor
--- a/bundles/letsencrypt/files/hook.sh
+++ b/bundles/letsencrypt/files/hook.sh
@ -0,0 +1,37 @@
+deploy_cert() {<%text>
+    local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"</%text>
+% for service, config in node.metadata.get('letsencrypt/concat_and_deploy', {}).items():
+
+    # concat_and_deploy ${service}
+    if [ "$DOMAIN" = "${config['match_domain']}" ]; then
+        cat $KEYFILE > ${config['target']}
+        cat $FULLCHAINFILE >> ${config['target']}
+%  if 'chown' in config:
+        chown ${config['chown']} ${config['target']}
+%  endif
+%  if 'chmod' in config:
+        chmod ${config['chmod']} ${config['target']}
+%  endif
+%  if 'commands' in config:
+%   for command in config['commands']:
+        ${command}
+%   endfor
+%  endif
+    fi
+% endfor
+}
+
+
+exit_hook() {<%text>
+    local ERROR="${1:-}"</%text>
+
+% for service in sorted(node.metadata.get('letsencrypt/reload_after', set())):
+    systemctl reload-or-restart ${service}
+% endfor
+}
+
+<%text>
+HANDLER="$1"; shift
+if [[ "${HANDLER}" =~ ^(deploy_cert|exit_hook)$ ]]; then
+    "$HANDLER" "$@"
+fi</%text>
--- a/bundles/letsencrypt/files/letsencrypt-ensure-some-certificate
+++ b/bundles/letsencrypt/files/letsencrypt-ensure-some-certificate
@ -0,0 +1,31 @@
+#!/bin/sh
+
+domain=$1
+just_check=$2
+
+cert_path="/var/lib/dehydrated/certs/$domain"
+
+already_exists=false
+if [ -f "$cert_path/privkey.pem" -a -f "$cert_path/fullchain.pem" -a -f "$cert_path/chain.pem" ]
+then
+    already_exists=true
+fi
+
+if [ "$just_check" = true ]
+then
+    if [ "$already_exists" = true ]
+    then
+        exit 0
+    else
+        exit 1
+    fi
+fi
+
+if [ "$already_exists" != true ]
+then
+    rm -r "$cert_path"
+    mkdir -p "$cert_path"
+    openssl req -x509 -newkey rsa:4096 -nodes -days 1 -subj "/CN=$domain" -keyout "$cert_path/privkey.pem" -out "$cert_path/fullchain.pem"
+    chmod 0600 "$cert_path/privkey.pem"
+    cp "$cert_path/fullchain.pem" "$cert_path/chain.pem"
+fi
--- a/bundles/letsencrypt/items.py
+++ b/bundles/letsencrypt/items.py
@ -0,0 +1,52 @@
+repo.libs.tools.require_bundle(node, 'nginx', 'letsencrypt bundle needs nginx for http challenge')
+
+directories = {
+    '/etc/dehydrated/conf.d': {},
+    '/var/lib/dehydrated/acme-challenges': {},
+}
+
+actions = {
+    'letsencrypt_update_certificates': {
+        'command': 'dehydrated --cron --accept-terms --challenge http-01',
+        'triggered': True,
+        'needs': {
+            'svc_systemd:nginx',
+        },
+    },
+}
+
+for domain, _ in node.metadata.get('letsencrypt/domains').items():
+    actions['letsencrypt_ensure-some-certificate_{}'.format(domain)] = {
+        'command': '/etc/dehydrated/letsencrypt-ensure-some-certificate {}'.format(domain),
+        'unless': '/etc/dehydrated/letsencrypt-ensure-some-certificate {} true'.format(domain),
+        'needs': {
+            'file:/etc/dehydrated/letsencrypt-ensure-some-certificate',
+        },
+        'needed_by': {
+            'svc_systemd:nginx',
+        },
+        'triggers': {
+            'action:letsencrypt_update_certificates',
+        },
+    }
+
+files = {
+    '/etc/dehydrated/domains.txt': {
+        'content_type': 'mako',
+        'triggers': {
+            'action:letsencrypt_update_certificates',
+        },
+    },
+    '/etc/dehydrated/config': {
+        'triggers': {
+            'action:letsencrypt_update_certificates',
+        },
+    },
+    '/etc/dehydrated/hook.sh': {
+        'content_type': 'mako',
+        'mode': '0755',
+    },
+    '/etc/dehydrated/letsencrypt-ensure-some-certificate': {
+        'mode': '0755',
+    },
+}
--- a/bundles/letsencrypt/metadata.py
+++ b/bundles/letsencrypt/metadata.py
@ -0,0 +1,24 @@
+defaults = {
+    'apt': {
+        'packages': {
+            'dehydrated': {
+                'needed_by': {
+                    'action:letsencrypt_update_certificates',
+                },
+            },
+        },
+    },
+    'cron': {
+        'letsencrypt_renew': '{} 4 * * *    root    /usr/bin/dehydrated --cron --accept-terms --challenge http-01 > /dev/null'.format((node.magic_number % 60)),
+        'letsencrypt_cleanup': '{} 4 * * 0    root    /usr/bin/dehydrated --cleanup > /dev/null'.format((node.magic_number % 60)),
+    },
+    'pacman': {
+        'packages': {
+            'dehydrated': {
+                'needed_by': {
+                    'action:letsencrypt_update_certificates',
+                },
+            },
+        },
+    },
+}