diff --git a/_modules/node.py b/_modules/node.py --- a/_modules/node.py +++ b/_modules/node.py @@ -23,6 +23,12 @@ ] +WITH_NGINX_ROLES = [ + "webserver-core", + "paas-docker", +] + + def _get_all_nodes(): return __pillar__.get("nodes", {}) @@ -196,6 +202,13 @@ return content in filter_by_role("web_content_sls", nodename) +def has_nginx(nodename=None): + """ + A function to determine if this server role should include nginx. + """ + return any(role in WITH_NGINX_ROLES for role in get_list("roles", nodename)) + + def get_wwwroot(nodename=None): """ A function to determine the wwwroot folder to use. diff --git a/_tests/scripts/bats/test_edit_acme_dns_accounts.sh b/_tests/scripts/bats/test_edit_acme_dns_accounts.sh --- a/_tests/scripts/bats/test_edit_acme_dns_accounts.sh +++ b/_tests/scripts/bats/test_edit_acme_dns_accounts.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bats -SCRIPT="../roles/paas-docker/letsencrypt/files/edit-acme-dns-accounts.py" +SCRIPT="../roles/core/certificates/files/edit-acme-dns-accounts.py" # ------------------------------------------------------------- # Arguments parsing diff --git a/_tests/scripts/python/test_edit_acme_dns_accounts.py b/_tests/scripts/python/test_edit_acme_dns_accounts.py --- a/_tests/scripts/python/test_edit_acme_dns_accounts.py +++ b/_tests/scripts/python/test_edit_acme_dns_accounts.py @@ -7,7 +7,7 @@ os.environ["ACME_ACCOUNTS"] = "/path/to/acmedns.json" -path = "roles/paas-docker/letsencrypt/files/edit-acme-dns-accounts.py" +path = "roles/core/certificates/files/edit-acme-dns-accounts.py" script = SourceFileLoader("script", "../" + path).load_module() diff --git a/pillar/certificates/certificates.sls b/pillar/certificates/certificates.sls deleted file mode 100644 --- a/pillar/certificates/certificates.sls +++ /dev/null 
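Review bot: `has_nginx` turns `WITH_NGINX_ROLES` (added in the first hunk of this file) into a second place that must know which roles ship an nginx service, and nothing at the list says so; a comment above it, `# Roles whose state tree includes an nginx service; keep in sync when a role gains or drops .nginx.`, tells the next maintainer that editing a role's init.sls may require touching this module. The docstring on `has_nginx` could also say that an unknown or empty `roles` list yields False, which is what the `any(...)` over `get_list("roles", nodename)` does.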
@@ -1,15 +0,0 @@ -# ------------------------------------------------------------- -# Salt — Let's encrypt certificates -# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -# Project: Nasqueron -# Created: 2017-04-27 -# License: Trivial work, not eligible to copyright -# ------------------------------------------------------------- - -# ------------------------------------------------------------- -# Certificates -# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -certificates_letsencrypt: - eglide: - - www.eglide.org diff --git a/pillar/top.sls b/pillar/top.sls --- a/pillar/top.sls +++ b/pillar/top.sls @@ -11,7 +11,6 @@ - core.users - core.groups - core.network - - certificates.certificates - nodes.nodes - nodes.forests - hotfixes.roles diff --git a/roles/core/certificates/files/730.letsencrypt b/roles/core/certificates/files/730.letsencrypt new file mode 100755 --- /dev/null +++ b/roles/core/certificates/files/730.letsencrypt @@ -0,0 +1,39 @@ +#!/bin/sh + +# ------------------------------------------------------------- +# Fetch ports +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# Project: Nasqueron +# Author : FreeBSD contributors +# License: BSD-2-Clause +# Source file: roles/core/certificates/files/730.letsencrypt +# ------------------------------------------------------------- +# +# <auto-generated> +# This file is managed by our rOPS SaltStack repository. +# +# Changes to this file may cause incorrect behavior +# and will be lost if the state is redeployed. +# </auto-generated> +# ------------------------------------------------------------- + + +# If there is a global system configuration file, suck it in. +# +if [ -r /etc/defaults/periodic.conf ] +then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +case "$daily_letsencrypt_enable" in + [Yy][Ee][Ss]) + echo "" + echo "Running Let's Encrypt renewal:" + + letsencrypt-renewal && rc=0 || rc=3;; + + *) rc=0;; +esac + +exit $rc 
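Review bot: The header of the new periodic script reads `# Fetch ports`, which looks copied from another periodic script; it should name what the script does, e.g. `# Let's Encrypt certificates renewal`. The script also invokes `letsencrypt-renewal` by bare name, while the systemd unit in this same commit uses `/usr/local/sbin/letsencrypt-renewal`; periodic's PATH is not guaranteed to include /usr/local/sbin, so `/usr/local/sbin/letsencrypt-renewal && rc=0 || rc=3;;` is the safer spelling and matches the unit.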
diff --git a/roles/paas-docker/letsencrypt/files/acme-dns-auth.py b/roles/core/certificates/files/acme-dns-auth.py rename from roles/paas-docker/letsencrypt/files/acme-dns-auth.py rename to roles/core/certificates/files/acme-dns-auth.py --- a/roles/paas-docker/letsencrypt/files/acme-dns-auth.py +++ b/roles/core/certificates/files/acme-dns-auth.py @@ -1,11 +1,11 @@ -#!/usr/bin/env python +#!/usr/bin/env python3 # ------------------------------------------------------------- # PaaS Docker # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Author: Joona Hoikkala # License: MIT -# Source file: roles/paas-docker/letsencrypt/files/acme-dns-auth.py +# Source file: roles/core/certificates/files/acme-dns-auth.py # ------------------------------------------------------------- # # <auto-generated> @@ -21,7 +21,7 @@ import sys ACMEDNS_URL = "https://acme.nasqueron.org" -STORAGE_PATH = "/etc/letsencrypt/acmedns.json" +STORAGE_PATH = "/usr/local/etc/acmedns.json" ALLOW_FROM = [] FORCE_REGISTER = False diff --git a/roles/webserver-core/letsencrypt/files/check-letsencrypt-certificates.py b/roles/core/certificates/files/check-letsencrypt-certificates.py rename from roles/webserver-core/letsencrypt/files/check-letsencrypt-certificates.py rename to roles/core/certificates/files/check-letsencrypt-certificates.py --- a/roles/webserver-core/letsencrypt/files/check-letsencrypt-certificates.py +++ b/roles/core/certificates/files/check-letsencrypt-certificates.py 
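Review bot: `STORAGE_PATH` is now hard-coded to `/usr/local/etc/acmedns.json`, while the companion editor in the edit-acme-dns-accounts.py hunk resolves the same file through the `ACME_ACCOUNTS` environment variable with that path only as the fallback; an operator who sets `ACME_ACCOUNTS` edits one file and has certbot's auth hook read another. Resolving it the same way here, `STORAGE_PATH = os.environ.get("ACME_ACCOUNTS", "/usr/local/etc/acmedns.json")` (only `import sys` is visible in the hunk, so `os` may need importing), keeps the two scripts in step. That file holds ACME-DNS account credentials and nothing in the new letsencrypt.sls pins its owner or mode, so its effective permissions are whatever the hook creates it with; a state that sets `mode: 600` on it (e.g. `file.managed` with `replace: False`) would make the expectation explicit.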
@@ -1,16 +1,14 @@ #!/usr/bin/env python3 -# -*- coding: utf-8 -*- # ------------------------------------------------------------- # Let's encrypt — Certificates web server configuration checker # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron -# Created: 2016-06-05 # Description: Check if /.well-known/acme-challenge works # for the mapping directory webserver for each -# certificate to renew. +# certificate to renew. HTTP only. # License: BSD-2-Clause -# Source file: roles/webserver-core/letsencrypt/files/check-letsencrypt-certificates.py +# Source file: roles/core/certificates/files/check-letsencrypt-certificates.py # ------------------------------------------------------------- # ------------------------------------------------------------- @@ -30,6 +28,7 @@ from urllib.error import HTTPError from urllib.request import urlopen + # ------------------------------------------------------------- # Configuration # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/roles/webserver-core/letsencrypt/files/cli.ini b/roles/core/certificates/files/cli.ini rename from roles/webserver-core/letsencrypt/files/cli.ini rename to roles/core/certificates/files/cli.ini --- a/roles/webserver-core/letsencrypt/files/cli.ini +++ b/roles/core/certificates/files/cli.ini @@ -2,9 +2,8 @@ # Let's encrypt # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron -# Created: 2017-04-27 # License: Trivial work, not eligible to copyright -# Source file: roles/webserver-core/letsencrypt/files/cli.ini +# Source file: roles/core/certificates/files/cli.ini # ------------------------------------------------------------- # # <auto-generated> diff --git a/roles/paas-docker/letsencrypt/files/edit-acme-dns-accounts.py b/roles/core/certificates/files/edit-acme-dns-accounts.py rename from roles/paas-docker/letsencrypt/files/edit-acme-dns-accounts.py rename to roles/core/certificates/files/edit-acme-dns-accounts.py 
--- a/roles/paas-docker/letsencrypt/files/edit-acme-dns-accounts.py +++ b/roles/core/certificates/files/edit-acme-dns-accounts.py @@ -1,16 +1,21 @@ #!/usr/bin/env python3 -# -*- coding: utf-8 -*- # ------------------------------------------------------------- # Let's encrypt — ACME DNS server accounts editor # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron -# Created: 2020-02-22 -# Description: Edit /srv/letsencrypt/etc/acmedns.json to import -# credentials for a specific subdomain to verify. +# Description: Edit acmedns.json to import credentials +# for a specific subdomain to verify. # License: BSD-2-Clause +# Source file: roles/core/certificates/files/edit-acme-dns-accounts.py # ------------------------------------------------------------- - +# +# <auto-generated> +# This file is managed by our rOPS SaltStack repository. +# +# Changes to this file may cause incorrect behavior +# and will be lost if the state is redeployed. +# </auto-generated> import json import os @@ -21,7 +26,7 @@ try: return os.environ["ACME_ACCOUNTS"] except KeyError: - return "/srv/letsencrypt/etc/acmedns.json" + return "/usr/local/etc/acmedns.json" ACME_ACCOUNTS_PATH = get_acme_accounts_path() diff --git a/roles/webserver-core/letsencrypt/files/letsencrypt-renew.service b/roles/core/certificates/files/letsencrypt-renew.service rename from roles/webserver-core/letsencrypt/files/letsencrypt-renew.service rename to roles/core/certificates/files/letsencrypt-renew.service --- a/roles/webserver-core/letsencrypt/files/letsencrypt-renew.service +++ b/roles/core/certificates/files/letsencrypt-renew.service 
@@ -2,9 +2,8 @@ # Let's encrypt # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron -# Created: 2016-08-24 # License: Trivial work, not eligible to copyright -# Source file: roles/webserver-core/letsencrypt/files/letsencrypt.service +# Source file: roles/core/certificates/files/letsencrypt-renew.service # ------------------------------------------------------------- # # <auto-generated> @@ -16,7 +15,11 @@ [Unit] Description=Renew Let's encrypt certificates. +Wants=letsencrypt-renew.timer [Service] Type=oneshot ExecStart=/usr/local/sbin/letsencrypt-renewal + +[Install] +WantedBy=multi-user.target diff --git a/roles/webserver-core/letsencrypt/files/letsencrypt-renew.timer b/roles/core/certificates/files/letsencrypt-renew.timer rename from roles/webserver-core/letsencrypt/files/letsencrypt-renew.timer rename to roles/core/certificates/files/letsencrypt-renew.timer --- a/roles/webserver-core/letsencrypt/files/letsencrypt-renew.timer +++ b/roles/core/certificates/files/letsencrypt-renew.timer @@ -2,9 +2,8 @@ # Let's encrypt # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron -# Created: 2016-08-24 # License: Trivial work, not eligible to copyright -# Source file: roles/webserver-core/letsencrypt/files/letsencrypt.timer +# Source file: roles/core/certificates/files/letsencrypt-renew.timer # ------------------------------------------------------------- # # <auto-generated> @@ -15,10 +14,10 @@ # </auto-generated> [Unit] -Description=Runs letsencrypt-renewal every month +Description=Check and renew Let's Encrypt certificates [Timer] -OnCalendar=*-*-26 12:15:00 +OnCalendar=*-*-* 12:15:00 Persistent=yes [Install] diff --git a/roles/webserver-core/letsencrypt/files/letsencrypt-renew.service b/roles/core/certificates/files/letsencrypt-renewal-without-nginx.sh rename from roles/webserver-core/letsencrypt/files/letsencrypt-renew.service rename to roles/core/certificates/files/letsencrypt-renewal-without-nginx.sh 
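Review bot: The service unit gains `[Install] WantedBy=multi-user.target` and `Wants=letsencrypt-renew.timer`, and the new state enables the service as well as the timer; a oneshot wanted by multi-user.target runs once at every boot in addition to the timer schedule, and the `Wants=` line makes the service pull in the timer rather than the other way round. The usual layout is for only the timer to carry an `[Install]` section (its hunk already has one) and for the service to have none, so both added lines and the `[Install]` section could be dropped. If the boot-time run is intended, a comment in the unit such as `# Also run once at boot so a host that missed its timer window renews promptly` would record that.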
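Review bot: `OnCalendar=*-*-* 12:15:00` fires at the same second every day on every host; adding `RandomizedDelaySec=3600` under `[Timer]` spreads the daily renewal attempts across the fleet, which the distribution-packaged certbot timers also do, and avoids a synchronised burst against the ACME endpoint. `Persistent=yes` is kept, so a host that was down at 12:15 still catches up at boot.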
--- a/roles/webserver-core/letsencrypt/files/letsencrypt-renew.service +++ b/roles/core/certificates/files/letsencrypt-renewal-without-nginx.sh @@ -1,10 +1,11 @@ +#!/bin/sh + # ------------------------------------------------------------- # Let's encrypt # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron -# Created: 2016-08-24 # License: Trivial work, not eligible to copyright -# Source file: roles/webserver-core/letsencrypt/files/letsencrypt.service +# Source file: roles/core/certificates/files/letsencrypt-renewal-without-nginx.sh # ------------------------------------------------------------- # # <auto-generated> @@ -14,9 +15,4 @@ # and will be lost if the state is redeployed. # </auto-generated> -[Unit] -Description=Renew Let's encrypt certificates. - -[Service] -Type=oneshot -ExecStart=/usr/local/sbin/letsencrypt-renewal +certbot renew diff --git a/roles/webserver-core/letsencrypt/files/letsencrypt-renewal.sh b/roles/core/certificates/files/letsencrypt-renewal.sh old mode 100755 new mode 100644 rename from roles/webserver-core/letsencrypt/files/letsencrypt-renewal.sh rename to roles/core/certificates/files/letsencrypt-renewal.sh --- a/roles/webserver-core/letsencrypt/files/letsencrypt-renewal.sh +++ b/roles/core/certificates/files/letsencrypt-renewal.sh @@ -4,9 +4,8 @@ # Let's encrypt # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # Project: Nasqueron -# Created: 2016-08-24 # License: Trivial work, not eligible to copyright -# Source file: roles/webserver-core/letsencrypt/files/letsencrypt-renewal.sh +# Source file: roles/core/certificates/files/letsencrypt-renewal.sh # ------------------------------------------------------------- # # <auto-generated> @@ -27,5 +26,4 @@ fi; } - -certbot renew && nginx_test && service nginx restart +certbot renew && nginx_test && nginx -s reload diff --git a/roles/core/certificates/init.sls b/roles/core/certificates/init.sls --- a/roles/core/certificates/init.sls 
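Review bot: `certbot renew && nginx_test && nginx -s reload` reloads nginx on every run, not only when a certificate was actually renewed, and with the timer now daily rather than monthly that is one reload per host per day. Moving the reload into certbot's `--deploy-hook` (or `renew_hook` in the managed cli.ini) limits it to runs that produced a new certificate, e.g. `certbot renew --deploy-hook /usr/local/sbin/letsencrypt-reload-nginx`, though the hook then needs a standalone script because a shell function such as `nginx_test` is not visible in the hook's subprocess. `nginx_test` itself is defined above the hunk and is not visible here.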
+++ b/roles/core/certificates/init.sls
@@ -7,3 +7,4 @@ include: - .nasqueron + - .letsencrypt
diff --git a/roles/core/certificates/letsencrypt.sls b/roles/core/certificates/letsencrypt.sls
new file mode 100644
--- /dev/null
+++ b/roles/core/certificates/letsencrypt.sls
@@ -0,0 +1,97 @@ +# ------------------------------------------------------------- +# Salt - Deploy certificates +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +# Project: Nasqueron +# License: Trivial work, not eligible to copyright +# ------------------------------------------------------------- + +{% from "map.jinja" import dirs with context %} + +{% set has_nginx = salt['node']['has_nginx']() %} + +# ------------------------------------------------------------- +# Software +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +letsencrypt_software: + pkg.installed: + - name: {{ packages.certbot }} + +# ------------------------------------------------------------- +# Working directory and configuration +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +/var/letsencrypt-auto: + file.directory: + - user: root + - dir_mode: 711 + +{{ dirs.etc }}/letsencrypt/cli.ini: + file.managed: + - source: salt://roles/core/certificates/files/cli.ini + - makedirs: True + +# ------------------------------------------------------------- +# Extra utilities +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +{{ dirs.bin }}/check-letsencrypt-certificates: + file.managed: + - source: salt://roles/core/certificates/files/check-letsencrypt-certificates.py + - mode: 755 + +{{ dirs.etc }}/letsencrypt/acme-dns-auth: + file.managed: + - source: salt://roles/core/certificates/files/acme-dns-auth.py + - mode: 755 + - makedirs: True + +{{ dirs.bin }}/edit-acme-dns-accounts: + file.managed: + - source: salt://roles/core/certificates/files/edit-acme-dns-accounts.py + - mode: 755 + +# ------------------------------------------------------------- +# Check and renew certificates daily +# +# FreeBSD ... periodic +# Linux ..... 
systemd timer +# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +{% if has_nginx %} +{% set renewal_script = "letsencrypt-renewal.sh" %} +{% else %} +{% set renewal_script = "letsencrypt-renewal-without-nginx.sh" %} +{% endif %} + +/usr/local/sbin/letsencrypt-renewal: + file.managed: + - source: salt://roles/core/certificates/files/{{ renewal_script }} + - mode: 755 + +{% if grains["os_family"] == "FreeBSD" %} + +/etc/periodic/daily/730.letsencrypt: + file.managed: + - source: salt://roles/core/certificates/files/730.letsencrypt + +{% elif services["manager"] == "systemd" %} + +/etc/systemd/system/letsencrypt-renew.timer: + file.managed: + - source: salt://roles/core/certificates/files/letsencrypt-renew.timer + +/etc/systemd/system/letsencrypt-renew.service: + file.managed: + - source: salt://roles/core/certificates/files/letsencrypt-renew.service + +letsencrypt_renew_enable: + service.enabled: + - name: letsencrypt-renew + +letsencrypt_renew_timer_start: + service.running: + - name: letsencrypt-renew.timer + - enable: True + +{% endif %} diff --git a/roles/core/rc/files/periodic.conf b/roles/core/rc/files/periodic.conf --- a/roles/core/rc/files/periodic.conf +++ b/roles/core/rc/files/periodic.conf @@ -3,9 +3,11 @@ # 480.status-ntpd daily_status_ntpd_enable="YES" + +# 730.letsencrypt +daily_letsencrypt_enable="YES" + {% if use_zfs %} # 800.scrub-zfs daily_scrub_zfs_enable="YES" {% endif %} -# 500.certbot -weekly_certbot_enable="YES" diff --git a/roles/paas-docker/init.sls b/roles/paas-docker/init.sls --- a/roles/paas-docker/init.sls +++ b/roles/paas-docker/init.sls @@ -18,7 +18,6 @@ - .wwwroot-content - .nginx - .monitoring - - .letsencrypt - .wrappers {% if salt['node.has']('flags:install_docker_devel_tools') %} - .devel diff --git a/roles/paas-docker/letsencrypt/init.sls b/roles/paas-docker/letsencrypt/init.sls deleted file mode 100644 --- a/roles/paas-docker/letsencrypt/init.sls +++ /dev/null 
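Review bot: The new state renders `{{ packages.certbot }}` and `services["manager"]` but its only import is `{% from "map.jinja" import dirs with context %}`; the deleted software.sls and service.sls imported `packages` and `services` from map.jinja, so the line should read `{% from "map.jinja" import dirs, packages, services with context %}` or the state fails to render. `salt['node']['has_nginx']()` also indexes the loader with a bare module name, whereas every other call in this commit uses the dotted form (`salt['node.has']`, `salt['node.get_list']`); `{% set has_nginx = salt['node.has_nginx']() %}` is the form the loader accepts. Finally, `/etc/periodic/daily/730.letsencrypt` is deployed without `- mode: 755`; file.managed does not carry the source file's git mode and periodic only runs executable scripts, so the daily renewal on FreeBSD would silently never run.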
@@ -1,56 +0,0 @@ -# ------------------------------------------------------------- -# Salt — Provision Docker engine -# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -# Project: Nasqueron -# Created: 2018-03-16 -# License: Trivial work, not eligible to copyright -# ------------------------------------------------------------- - -{% set has_selinux = salt['grains.get']('selinux:enabled', False) %} - -# ------------------------------------------------------------- -# See also -# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -# Wrapper script -# - wrappers/init.sls -# - wrappers/files/certbot.sh -# -# Image -# - /pillar/paas/docker.sls -# -# Nginx configuration -# - nginx/files/includes/letsencrypt - -# ------------------------------------------------------------- -# Data directory -# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -/srv/letsencrypt: - file.directory - -{% if has_selinux %} -selinux_context_letsencrypt_home: - selinux.fcontext_policy_present: - - name: /srv/letsencrypt - - sel_type: container_file_t - -selinux_context_letsencrypt_home_applied: - selinux.fcontext_policy_applied: - - name: /srv/letsencrypt -{% endif %} - -# ------------------------------------------------------------- -# Plug-ins -# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -/srv/letsencrypt/etc/acme-dns-auth: - file.managed: - - source: salt://roles/paas-docker/letsencrypt/files/acme-dns-auth.py - - mode: 755 - - makedirs: True - -/usr/local/bin/edit-acme-dns-accounts: - file.managed: - - source: salt://roles/paas-docker/letsencrypt/files/edit-acme-dns-accounts.py - - mode: 755 diff --git a/roles/paas-docker/wrappers/files/certbot.sh b/roles/paas-docker/wrappers/files/certbot.sh deleted file mode 100755 --- a/roles/paas-docker/wrappers/files/certbot.sh +++ /dev/null 
@@ -1,32 +0,0 @@ -#!/bin/sh - -# ------------------------------------------------------------- -# PaaS Docker -# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -# Project: Nasqueron -# Created: 2018-03-15 -# License: Trivial work, not eligible to copyright -# Source file: roles/paas-docker/wrappers/files/certbot.sh -# ------------------------------------------------------------- -# -# <auto-generated> -# This file is managed by our rOPS SaltStack repository. -# -# Changes to this file may cause incorrect behavior -# and will be lost if the state is redeployed. -# </auto-generated> - -if [ "$1" = "acme-dns-certonly" ]; then - COMMAND=certonly - EXTRA_ARGS="--manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenge" -else - COMMAND=$1 -fi -shift - -docker run -it --rm \ - -v /srv/letsencrypt/etc:/etc/letsencrypt \ - -v /srv/letsencrypt/var:/var/lib/letsencrypt \ - -v /srv/letsencrypt/log:/var/log/letsencrypt \ - -v /srv/letsencrypt/www:/www \ - certbot/certbot:latest "$COMMAND" $@ $EXTRA_ARGS diff --git a/roles/paas-docker/wrappers/init.sls b/roles/paas-docker/wrappers/init.sls --- a/roles/paas-docker/wrappers/init.sls +++ b/roles/paas-docker/wrappers/init.sls @@ -12,7 +12,7 @@ # Wrapper binaries # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -{% for command in ['certbot', 'jenkins', 'phpbb', 'mysql', 'openfire', 'geoipupdate'] %} +{% for command in ['jenkins', 'phpbb', 'mysql', 'openfire', 'geoipupdate'] %} {{ dirs.bin }}/{{ command }}: file.managed: - source: salt://roles/paas-docker/wrappers/files/{{ command }}.sh diff --git a/roles/webserver-core/init.sls b/roles/webserver-core/init.sls --- a/roles/webserver-core/init.sls +++ b/roles/webserver-core/init.sls @@ -9,6 +9,3 @@ include: - .nginx - .tools - {% if 'paas-docker' not in salt['node.get_list']('roles') %} - - .letsencrypt - {% endif %} 
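Review bot: Dropping the `certbot` wrapper switches paas-docker hosts from the containerised certbot to the host package, but the deleted wrapper mounted `/srv/letsencrypt/etc` as the container's `/etc/letsencrypt`, and nothing in this commit moves existing accounts and certificates from there to the host certbot's configuration directory. If any paas-docker host already holds issued certificates, `certbot renew` on the host will not see them until that data is migrated, so a one-off migration step or an explicit note in the commit would help. This is inferred from the deleted certbot.sh volume mappings; if those hosts never issued certificates through the wrapper, there is nothing to do.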
diff --git a/roles/webserver-core/letsencrypt/certificates.sls b/roles/webserver-core/letsencrypt/certificates.sls deleted file mode 100644 --- a/roles/webserver-core/letsencrypt/certificates.sls +++ /dev/null @@ -1,20 +0,0 @@ -# ------------------------------------------------------------- -# Salt — Let's encrypt certificates -# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -# Project: Nasqueron -# Created: 2017-04-27 -# License: Trivial work, not eligible to copyright -# ------------------------------------------------------------- - -{% from "map.jinja" import dirs with context %} - -# ------------------------------------------------------------- -# Certificates -# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -{% for domain in salt['pillar.get']("certificates_letsencrypt:" + grains['id'], []) %} -certificate_{{ domain }}: - cmd.run: - - name: certbot certonly -d {{ domain }} - - creates: {{ dirs.etc }}/letsencrypt/live/{{ domain }}/fullchain.pem -{% endfor %} diff --git a/roles/webserver-core/letsencrypt/init.sls b/roles/webserver-core/letsencrypt/init.sls deleted file mode 100644 --- a/roles/webserver-core/letsencrypt/init.sls +++ /dev/null @@ -1,12 +0,0 @@ -# ------------------------------------------------------------- -# Salt — Let's encrypt certificates -# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -# Project: Nasqueron -# Created: 2017-04-27 -# License: Trivial work, not eligible to copyright -# ------------------------------------------------------------- - -include: - - .software - - .service - - .certificates diff --git a/roles/webserver-core/letsencrypt/service.sls b/roles/webserver-core/letsencrypt/service.sls deleted file mode 100644 --- a/roles/webserver-core/letsencrypt/service.sls +++ /dev/null 
@@ -1,44 +0,0 @@ -# ------------------------------------------------------------- -# Salt — Let's encrypt certificates -# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -# Project: Nasqueron -# Created: 2017-04-27 -# Description: Provide a renewal service -# License: Trivial work, not eligible to copyright -# ------------------------------------------------------------- - -{% from "map.jinja" import services with context %} - -# ------------------------------------------------------------- -# Renew script -# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -/usr/local/sbin/letsencrypt-renewal: - file.managed: - - source: salt://roles/webserver-core/letsencrypt/files/letsencrypt-renewal.sh - - mode: 755 - -# ------------------------------------------------------------- -# Unit configuration -# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -{% if services['manager'] == 'systemd' %} - -letsencrypt_renew_unit: - file.managed: - - name: /etc/systemd/system/letsencrypt-renew.service - - source: salt://roles/webserver-core/letsencrypt/files/letsencrypt-renew.service - - mode: 644 - module.run: - - service.force_reload: - - name: letsencrypt-renew - - onchanges: - - file: letsencrypt_renew_unit - -letsencrypt_renew_enable: - service.enabled: - - name: letsencrypt-renew - - watch: - - module: letsencrypt_renew_unit - -{% endif %} diff --git a/roles/webserver-core/letsencrypt/software.sls b/roles/webserver-core/letsencrypt/software.sls deleted file mode 100644 --- a/roles/webserver-core/letsencrypt/software.sls +++ /dev/null 
@@ -1,44 +0,0 @@ -# ------------------------------------------------------------- -# Salt — Let's encrypt certificates -# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -# Project: Nasqueron -# Created: 2017-04-27 -# License: Trivial work, not eligible to copyright -# ------------------------------------------------------------- - -{% from "map.jinja" import dirs, packages with context %} - -# ------------------------------------------------------------- -# Software -# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -letsencrypt_software: - pkg.installed: - - name: {{ packages.certbot }} - -# ------------------------------------------------------------- -# Working directory -# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -/var/letsencrypt-auto: - file.directory: - - user: root - - dir_mode: 711 - -# ------------------------------------------------------------- -# Configuration file -# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -{{ dirs.etc }}/letsencrypt/cli.ini: - file.managed: - - source: salt://roles/webserver-core/letsencrypt/files/cli.ini - - makedirs: True - -# ------------------------------------------------------------- -# Extra utilities -# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -{{ dirs.bin }}/check-letsencrypt-certificates: - file.managed: - - source: salt://roles/webserver-core/letsencrypt/files/check-letsencrypt-certificates.py - - mode: 755