
diff --git a/roles/mailserver/init.sls b/pillar/core/certificates/hervil.sls
similarity index 60%
copy from roles/mailserver/init.sls
copy to pillar/core/certificates/hervil.sls
index 8da2735..7d6e890 100644
--- a/roles/mailserver/init.sls
+++ b/pillar/core/certificates/hervil.sls
@@ -1,12 +1,15 @@
# -------------------------------------------------------------
-# Salt — Mail
+# Let's Encrypt Certificates
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
-include:
- - .dovecot
- - .dkim
- - .postfix
- - .vimbadmin
+certificates:
+ - hervil.nasqueron.org
+ - mail.nasqueron.org
+ - admin.mail.nasqueron.org
+
+certificates_options:
+ mail.nasqueron.org:
+ shared_group: mail
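Review bot: The `shared_group: mail` entry under `certificates_options` carries no comment, so a reader of this pillar cannot tell what granting a group here does; a comment above `mail.nasqueron.org:` such as `# shared_group: the certificate directory is created with this group and mode 750, so every member can read what acme.sh deploys there` would document the effect as implemented in roles/core/certificates/acmesh.sls. Since group membership is the only access control on that directory, the comment also makes it clear that adding users to `mail` widens key access.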
diff --git a/pillar/tower.sls b/pillar/tower.sls
index 7fa653b..65cfc1a 100644
--- a/pillar/tower.sls
+++ b/pillar/tower.sls
@@ -1,21 +1,22 @@
# -------------------------------------------------------------
# Salt configuration for Nasqueron servers
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# Description: External pillar to configure pillar stanza
# by pillar, grain or option value
# Reference: https://github.com/jgraichen/salt-tower
# -------------------------------------------------------------
base:
+ - core/certificates/{{ minion_id }}.sls
- dns/{{ minion_id }}/*.sls
- paas/alkane/{{ minion_id }}/*.sls
- paas/docker/{{ minion_id }}/*.sls
- saas/nextcloud/{{ minion_id }}/*.sls
- webserver/{{ minion_id }}/*.sls
# Servers with the devserver role have no cluster associated
- dbserver/{{ minion_id }}.sls
diff --git a/roles/core/certificates/acmesh.sls b/roles/core/certificates/acmesh.sls
index ca95d0d..b1d5dc4 100644
--- a/roles/core/certificates/acmesh.sls
+++ b/roles/core/certificates/acmesh.sls
@@ -1,36 +1,59 @@
# -------------------------------------------------------------
# Salt - Deploy acme.sh
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
+{% set certificates = pillar.get("certificates", []) %}
+{% set certificates_options = pillar.get("certificates_options", {}) %}
+
acme.sh:
pkg.installed
+/var/certificates:
+ file.directory:
+ - user: acme
+ - mode: 711
+
/var/certificates/general:
file.directory:
- user: acme
- mode: 700
- - makedirs: True
+
+{% for domain in certificates %}
+{% set options = certificates_options.get(domain, {}) %}
+
+/var/certificates/{{ domain }}:
+ file.directory:
+ - user: acme
+
+ {% if "shared_group" in options %}
+ - group: {{ options.shared_group }}
+ - mode: 750
+ {% else %}
+ - mode: 700
+ {% endif %}
+
+{% endfor %}
/usr/local/etc/newsyslog.conf.d/acme.sh.conf:
file.managed:
- source: salt://roles/core/certificates/files/syslog/acme.sh.conf
acmesh_newsyslog_run:
cmd.run:
- name: newsyslog -NC
- creates: /var/log/acme.sh.log
/usr/local/etc/cron.d/acmesh:
file.managed:
- source: salt://roles/core/certificates/files/acmesh/acme.sh.cron
- makedirs: True
{{ dirs.bin }}/acmesh-nginxCheck:
file.managed:
- source: salt://roles/core/certificates/files/acmesh-nginxCheck.sh
- mode: 755
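Review bot: The `/var/certificates/general` state lost `makedirs: True` and the new per-domain `/var/certificates/{{ domain }}` states never had it, so both now rely on the `/var/certificates` state above them having run first; Salt's definition-order default makes this work, but an explicit `- require:` / `  - file: /var/certificates` on each child documents the dependency and survives a later reorder. The `mode` values (`711`, `750`, `700`) are plain integers, which Salt accepts, but quoting them as `- mode: "0711"` avoids the YAML leading-zero trap if someone later writes `0750`. Next to `- group: {{ options.shared_group }}` a comment along the lines of `# group members can read every file acme.sh deploys here, presumably including the private key` would record what the shared branch grants; I am inferring the key location from the directory layout, so confirm against the acme.sh deploy hook.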
diff --git a/roles/core/init.sls b/roles/core/init.sls
index 808bc26..9c8b3a8 100644
--- a/roles/core/init.sls
+++ b/roles/core/init.sls
@@ -1,34 +1,34 @@
# -------------------------------------------------------------
# Salt — Core units
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .rc
- - .certificates
- .hostname
- .login
- .network
- .memory
- .monitoring
- .motd
- .ntp
- .pf
- .rsyslog
- .salt
- .sshd
- .sudo
- .storage
- .sysctl
- .timezone
- .userland-software
- .users
# Depends on users or groups
+ - .certificates
- .deploy
- .userland-home
# Depends on software (git)
- .src
diff --git a/roles/mailserver/coordination/init.sls b/roles/mailserver/coordination/init.sls
new file mode 100644
index 0000000..b04f5de
--- /dev/null
+++ b/roles/mailserver/coordination/init.sls
@@ -0,0 +1,20 @@
+# -------------------------------------------------------------
+# Salt — Coordination among mail services
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+# -------------------------------------------------------------
+# Common group for mail services
+#
+# Allows reading common TLS certificates and keys.
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+mail_group:
+ group.present:
+ - name: mail
+ - addusers:
+ - dovecot
+ - postfix
+ - acme
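Review bot: `mail_group` adds `dovecot`, `postfix` and `acme` via `addusers` but declares no `require`, so on a host where one of those users does not exist yet the state fails instead of ordering itself behind whatever creates the user; the `# Depends on all software installed` comment in roles/mailserver/init.sls is currently the only thing enforcing that. A `- require:` listing the package states that create those users (the acme.sh package is installed in roles/core/certificates/acmesh.sls; the dovecot and postfix ones are outside this diff) would make the dependency explicit. It is also worth a comment that membership in `mail` grants read access to every certificate directory whose pillar sets `shared_group: mail`, so this list should stay limited to services that actually need the keys.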
diff --git a/roles/mailserver/init.sls b/roles/mailserver/init.sls
index 8da2735..93b622b 100644
--- a/roles/mailserver/init.sls
+++ b/roles/mailserver/init.sls
@@ -1,12 +1,15 @@
# -------------------------------------------------------------
# Salt — Mail
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
include:
- .dovecot
- .dkim
- .postfix
- .vimbadmin
+
+ # Depends on all software installed
+ - .coordination
