
diff --git a/roles/core/certificates/acmesh.sls b/roles/core/certificates/acmesh.sls
index b1d5dc4..012b2c4 100644
--- a/roles/core/certificates/acmesh.sls
+++ b/roles/core/certificates/acmesh.sls
@@ -1,59 +1,59 @@
# -------------------------------------------------------------
# Salt - Deploy acme.sh
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
{% set certificates = pillar.get("certificates", []) %}
{% set certificates_options = pillar.get("certificates_options", {}) %}
acme.sh:
pkg.installed
/var/certificates:
file.directory:
- user: acme
- mode: 711
/var/certificates/general:
file.directory:
- user: acme
- mode: 700
{% for domain in certificates %}
{% set options = certificates_options.get(domain, {}) %}
/var/certificates/{{ domain }}:
file.directory:
- user: acme
{% if "shared_group" in options %}
- group: {{ options.shared_group }}
- mode: 750
{% else %}
- mode: 700
{% endif %}
{% endfor %}
/usr/local/etc/newsyslog.conf.d/acme.sh.conf:
file.managed:
- - source: salt://roles/core/certificates/files/syslog/acme.sh.conf
+ - source: salt://roles/core/certificates/files/acmesh/syslog.conf
acmesh_newsyslog_run:
cmd.run:
- name: newsyslog -NC
- creates: /var/log/acme.sh.log
/usr/local/etc/cron.d/acmesh:
file.managed:
- source: salt://roles/core/certificates/files/acmesh/acme.sh.cron
- makedirs: True
{{ dirs.bin }}/acmesh-nginxCheck:
file.managed:
- - source: salt://roles/core/certificates/files/acmesh-nginxCheck.sh
+ - source: salt://roles/core/certificates/files/acmesh/nginxCheck.sh
- mode: 755
diff --git a/roles/core/certificates/files/acmesh-nginxCheck.sh b/roles/core/certificates/files/acmesh/nginxCheck.sh
similarity index 92%
rename from roles/core/certificates/files/acmesh-nginxCheck.sh
rename to roles/core/certificates/files/acmesh/nginxCheck.sh
index 9e02170..7342e42 100644
--- a/roles/core/certificates/files/acmesh-nginxCheck.sh
+++ b/roles/core/certificates/files/acmesh/nginxCheck.sh
@@ -1,29 +1,29 @@
#!/bin/sh
# -------------------------------------------------------------
# Let's encrypt
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
-# Source file: roles/core/certificates/files/acmesh-nginxCheck.sh
+# Source file: roles/core/certificates/files/acmesh/nginxCheck.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
nginx_test() {
nginx_output="$(nginx -t 2>&1)"
nginx_return_code="$?"
if [ "$nginx_return_code" -eq 0 ] && echo "${nginx_output}" | grep warn >&2; then
return 2;
else
return "$nginx_return_code";
fi;
}
nginx_test && nginx -s reload
diff --git a/roles/core/certificates/files/syslog/acme.sh.conf b/roles/core/certificates/files/acmesh/syslog.conf
similarity index 90%
rename from roles/core/certificates/files/syslog/acme.sh.conf
rename to roles/core/certificates/files/acmesh/syslog.conf
index ed6ca8e..86e9fbe 100644
--- a/roles/core/certificates/files/syslog/acme.sh.conf
+++ b/roles/core/certificates/files/acmesh/syslog.conf
@@ -1,17 +1,17 @@
# -------------------------------------------------------------
# acme.sh newsyslog config
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
-# Source file: roles/core/certificates/files/acmesh/acme.sh.conf
+# Source file: roles/core/certificates/files/acmesh/syslog.conf
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# logfilename [owner:group] mode count size when flags [/pid_file] [sig_num]
/var/log/acme.sh.log acme:acme 640 90 * @T00 BC
diff --git a/roles/core/certificates/files/acme-dns-auth.py b/roles/core/certificates/files/certbot/acme-dns/acme-dns-auth.py
similarity index 98%
rename from roles/core/certificates/files/acme-dns-auth.py
rename to roles/core/certificates/files/certbot/acme-dns/acme-dns-auth.py
index 150676e..25f8b60 100755
--- a/roles/core/certificates/files/acme-dns-auth.py
+++ b/roles/core/certificates/files/certbot/acme-dns/acme-dns-auth.py
@@ -1,169 +1,169 @@
#!/usr/bin/env python3
# -------------------------------------------------------------
# PaaS Docker
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Joona Hoikkala
# License: MIT
-# Source file: roles/core/certificates/files/acme-dns-auth.py
+# Source file: roles/core/certificates/files/certbot/acme-dns/acme-dns-auth.py
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
import json
import os
import requests
import sys
ACMEDNS_URL = "https://acme.nasqueron.org"
STORAGE_PATH = "/usr/local/etc/acmedns.json"
ALLOW_FROM = []
FORCE_REGISTER = False
DOMAIN = os.environ["CERTBOT_DOMAIN"]
if DOMAIN.startswith("*."):
DOMAIN = DOMAIN[2:]
VALIDATION_DOMAIN = "_acme-challenge." + DOMAIN
VALIDATION_TOKEN = os.environ["CERTBOT_VALIDATION"]
class AcmeDnsClient(object):
"""
Handles the communication with ACME-DNS API
"""
def __init__(self, acmedns_url):
self.acmedns_url = acmedns_url
def register_account(self, allowfrom):
"""Registers a new ACME-DNS account"""
if allowfrom:
# Include allowed networks to the registration call
reg_data = {"allowfrom": allowfrom}
res = requests.post(
self.acmedns_url + "/register", data=json.dumps(reg_data)
)
else:
res = requests.post(self.acmedns_url + "/register")
if res.status_code == 201:
# The request was successful
return res.json()
else:
# Encountered an error
msg = (
"Encountered an error while trying to register a new "
"acme-dns account. HTTP status {}, Response body: {}"
)
print(msg.format(res.status_code, res.text))
sys.exit(1)
def update_txt_record(self, account, txt):
"""Updates the TXT challenge record to ACME-DNS subdomain."""
update = {"subdomain": account["subdomain"], "txt": txt}
headers = {
"X-Api-User": account["username"],
"X-Api-Key": account["password"],
"Content-Type": "application/json",
}
res = requests.post(
self.acmedns_url + "/update", headers=headers, data=json.dumps(update)
)
if res.status_code == 200:
# Successful update
return
else:
msg = (
"Encountered an error while trying to update TXT record in "
"acme-dns. \n"
"------- Request headers:\n{}\n"
"------- Request body:\n{}\n"
"------- Response HTTP status: {}\n"
"------- Response body: {}"
)
s_headers = json.dumps(headers, indent=2, sort_keys=True)
s_update = json.dumps(update, indent=2, sort_keys=True)
s_body = json.dumps(res.json(), indent=2, sort_keys=True)
print(msg.format(s_headers, s_update, res.status_code, s_body))
sys.exit(1)
class Storage(object):
def __init__(self, storagepath):
self.storagepath = storagepath
self._data = self.load()
def load(self):
"""Reads the storage content from the disk to a dict structure"""
data = dict()
filedata = ""
try:
with open(self.storagepath, "r") as fh:
filedata = fh.read()
except IOError:
if os.path.isfile(self.storagepath):
# Only error out if file exists, but cannot be read
print("ERROR: Storage file exists but cannot be read")
sys.exit(1)
try:
data = json.loads(filedata)
except ValueError:
if len(filedata) > 0:
# Storage file is corrupted
print("ERROR: Storage JSON is corrupted")
sys.exit(1)
return data
def save(self):
"""Saves the storage content to disk"""
serialized = json.dumps(self._data)
try:
with os.fdopen(
os.open(self.storagepath, os.O_WRONLY | os.O_CREAT, 0o600), "w"
) as fh:
fh.truncate()
fh.write(serialized)
except IOError:
print("ERROR: Could not write storage file.")
sys.exit(1)
def put(self, key, value):
"""Puts the configuration value to storage and sanitize it"""
# If wildcard domain, remove the wildcard part as this will use the
# same validation record name as the base domain
if key.startswith("*."):
key = key[2:]
self._data[key] = value
def fetch(self, key):
"""Gets configuration value from storage"""
try:
return self._data[key]
except KeyError:
return None
if __name__ == "__main__":
# Init
client = AcmeDnsClient(ACMEDNS_URL)
storage = Storage(STORAGE_PATH)
# Check if an account already exists in storage
account = storage.fetch(DOMAIN)
if FORCE_REGISTER or not account:
# Create and save the new account
account = client.register_account(ALLOW_FROM)
storage.put(DOMAIN, account)
storage.save()
# Display the notification for the user to update the main zone
print("Please add the following CNAME record to your main DNS zone:\n")
print("{} CNAME {}.".format(VALIDATION_DOMAIN, account["fulldomain"]))
# Update the TXT record in acme-dns instance
client.update_txt_record(account, VALIDATION_TOKEN)
diff --git a/roles/core/certificates/files/edit-acme-dns-accounts.py b/roles/core/certificates/files/certbot/acme-dns/edit-acme-dns-accounts.py
similarity index 96%
rename from roles/core/certificates/files/edit-acme-dns-accounts.py
rename to roles/core/certificates/files/certbot/acme-dns/edit-acme-dns-accounts.py
index 8fdce03..4ccdb57 100755
--- a/roles/core/certificates/files/edit-acme-dns-accounts.py
+++ b/roles/core/certificates/files/certbot/acme-dns/edit-acme-dns-accounts.py
@@ -1,115 +1,115 @@
#!/usr/bin/env python3
# -------------------------------------------------------------
# Let's encrypt — ACME DNS server accounts editor
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Description: Edit acmedns.json to import credentials
# for a specific subdomain to verify.
# License: BSD-2-Clause
-# Source file: roles/core/certificates/files/edit-acme-dns-accounts.py
+# Source file: roles/core/certificates/files/certbot/acme-dns/edit-acme-dns-accounts.py
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
import json
import os
import sys
def get_acme_accounts_path():
try:
return os.environ["ACME_ACCOUNTS"]
except KeyError:
return "/usr/local/etc/acmedns.json"
ACME_ACCOUNTS_PATH = get_acme_accounts_path()
class AcmeAccounts:
def __init__(self, path):
self.path = path
self.accounts = {}
def read_from_file(self):
with open(self.path) as fd:
self.accounts = json.load(fd)
return self
def write_to_file(self):
with open(self.path, "w") as fd:
json.dump(self.accounts, fd)
return self
def add(self, domain, account_parameters):
self.accounts[domain] = account_parameters
return self
def remove(self, domain):
try:
del self.accounts[domain]
return True
except KeyError:
return False
def merge_with(self, other_accounts: "AcmeAccounts"):
self.accounts.update(other_accounts.accounts)
return self
def usage():
print(f"Usage: {sys.argv[0]} <command> [parameters]", file=sys.stderr)
exit(1)
def import_other_file(file_to_import):
if file_to_import == ACME_ACCOUNTS_PATH:
print(f"You're trying to import {ACME_ACCOUNTS_PATH} to itself")
exit(2)
accounts_to_import = AcmeAccounts(file_to_import).read_from_file()
AcmeAccounts(ACME_ACCOUNTS_PATH).read_from_file().merge_with(
accounts_to_import
).write_to_file()
commands = {
"import": {
"required_argc": 3,
"command_usage": "import <file>",
"callable": import_other_file,
},
}
if __name__ == "__main__":
argc = len(sys.argv)
if argc < 2 or sys.argv[1] in ["-h", "--help", "/?", "/help"]:
usage()
command = sys.argv[1]
if command not in commands:
print(f"Unknown command: {command}", file=sys.stderr)
usage()
command = commands[command]
if argc < command["required_argc"]:
print(f"Usage: {sys.argv[0]} {command['command_usage']}", file=sys.stderr)
exit(1)
# We're good, time to invoke our command
command["callable"](*sys.argv[2:])
diff --git a/roles/core/certificates/files/cli.ini b/roles/core/certificates/files/certbot/cli.ini
similarity index 91%
rename from roles/core/certificates/files/cli.ini
rename to roles/core/certificates/files/certbot/cli.ini
index 0339422..59300f2 100644
--- a/roles/core/certificates/files/cli.ini
+++ b/roles/core/certificates/files/certbot/cli.ini
@@ -1,25 +1,25 @@
# -------------------------------------------------------------
# Let's encrypt
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
-# Source file: roles/core/certificates/files/cli.ini
+# Source file: roles/core/certificates/files/certbot/cli.ini
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# Configuration
server = https://acme-v02.api.letsencrypt.org/directory
webroot-path = /var/letsencrypt-auto
# Automation
email = ops-tls@nasqueron.org
agree-tos = True
keep-until-expiring = True
eff-email = False
expand = True
diff --git a/roles/core/certificates/files/730.letsencrypt b/roles/core/certificates/files/certbot/periodic/730.letsencrypt
similarity index 92%
rename from roles/core/certificates/files/730.letsencrypt
rename to roles/core/certificates/files/certbot/periodic/730.letsencrypt
index e68f24d..7180669 100755
--- a/roles/core/certificates/files/730.letsencrypt
+++ b/roles/core/certificates/files/certbot/periodic/730.letsencrypt
@@ -1,39 +1,39 @@
#!/bin/sh
# -------------------------------------------------------------
# Fetch ports
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Author : FreeBSD contributors
# License: BSD-2-Clause
-# Source file: roles/core/certificates/files/730.letsencrypt
+# Source file: roles/core/certificates/files/certbot/periodic/730.letsencrypt
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
# -------------------------------------------------------------
# If there is a global system configuration file, suck it in.
#
if [ -r /etc/defaults/periodic.conf ]
then
. /etc/defaults/periodic.conf
source_periodic_confs
fi
case "$daily_letsencrypt_enable" in
[Yy][Ee][Ss])
echo ""
echo "Running Let's Encrypt renewal:"
letsencrypt-renewal && rc=0 || rc=3;;
*) rc=0;;
esac
exit $rc
diff --git a/roles/core/certificates/files/letsencrypt-renewal.sh b/roles/core/certificates/files/certbot/renewal/standard.sh
similarity index 91%
rename from roles/core/certificates/files/letsencrypt-renewal.sh
rename to roles/core/certificates/files/certbot/renewal/standard.sh
index e919663..7c64491 100644
--- a/roles/core/certificates/files/letsencrypt-renewal.sh
+++ b/roles/core/certificates/files/certbot/renewal/standard.sh
@@ -1,29 +1,29 @@
#!/bin/sh
# -------------------------------------------------------------
# Let's encrypt
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
-# Source file: roles/core/certificates/files/letsencrypt-renewal.sh
+# Source file: roles/core/certificates/files/certbot/renewal/standard.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
nginx_test() {
nginx_output="$(nginx -t 2>&1)"
nginx_return_code="$?"
if [ "$nginx_return_code" -eq 0 ] && echo "${nginx_output}" | grep warn >&2; then
return 2;
else
return "$nginx_return_code";
fi;
}
certbot renew && nginx_test && nginx -s reload
diff --git a/roles/core/certificates/files/letsencrypt-renewal-without-nginx.sh b/roles/core/certificates/files/certbot/renewal/without-nginx.sh
similarity index 86%
rename from roles/core/certificates/files/letsencrypt-renewal-without-nginx.sh
rename to roles/core/certificates/files/certbot/renewal/without-nginx.sh
index 4e6837a..4af7a10 100644
--- a/roles/core/certificates/files/letsencrypt-renewal-without-nginx.sh
+++ b/roles/core/certificates/files/certbot/renewal/without-nginx.sh
@@ -1,18 +1,18 @@
#!/bin/sh
# -------------------------------------------------------------
# Let's encrypt
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
-# Source file: roles/core/certificates/files/letsencrypt-renewal-without-nginx.sh
+# Source file: roles/core/certificates/files/certbot/renewal/without-nginx.sh
# -------------------------------------------------------------
#
# <auto-generated>
# This file is managed by our rOPS SaltStack repository.
#
# Changes to this file may cause incorrect behavior
# and will be lost if the state is redeployed.
# </auto-generated>
certbot renew
diff --git a/roles/core/certificates/files/check-letsencrypt-certificates.py b/roles/core/certificates/files/certbot/utilities/check-letsencrypt-certificates.py
similarity index 90%
rename from roles/core/certificates/files/check-letsencrypt-certificates.py
rename to roles/core/certificates/files/certbot/utilities/check-letsencrypt-certificates.py
index 450fd69..37d1c84 100644
--- a/roles/core/certificates/files/check-letsencrypt-certificates.py
+++ b/roles/core/certificates/files/certbot/utilities/check-letsencrypt-certificates.py
@@ -1,108 +1,115 @@
#!/usr/bin/env python3
# -------------------------------------------------------------
# Let's encrypt — Certificates web server configuration checker
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# Description: Check if /.well-known/acme-challenge works
# for the mapping directory webserver for each
# certificate to renew. HTTP only.
# License: BSD-2-Clause
-# Source file: roles/core/certificates/files/check-letsencrypt-certificates.py
+# Source file: roles/core/certificates/files/certbot/utilities/check-letsencrypt-certificates.py
# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
# -------------------------------------------------------------
# Table of contents
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
#
# :: Configuration
# :: Checker code
# :: Run task
#
# -------------------------------------------------------------
import os
import random
import string
from urllib.error import HTTPError
from urllib.request import urlopen
# -------------------------------------------------------------
# Configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
dirs = {
"/usr/local/etc/letsencrypt/renewal",
"/srv/data/letsencrypt/etc/renewal",
}
# -------------------------------------------------------------
# Checker code
# -------------------------------------------------------------
def check_directories(directories):
for directory in directories:
if os.path.isdir(directory):
check_directory(directory)
def check_directory(directory):
for file in os.listdir(directory):
if file.endswith(".conf"):
fullpath = os.path.join(directory, file)
check_certificate(fullpath)
def check_certificate(file):
lines = [line.rstrip("\n") for line in open(file)]
skip = True
for line in lines:
if not skip:
check_mapping_line(line)
if line == "[[webroot_map]]":
skip = False
def check_mapping_line(line):
params = line.split(" = ")
check_mapping(params[0], params[1])
def get_challenge():
chars = string.ascii_letters + string.digits
return "".join([random.choice(chars) for _ in range(32)])
def check_mapping(domain, directory):
challenge = get_challenge()
write_challenge_file(directory, challenge)
check_challenge(domain, challenge)
def write_challenge_file(directory, challenge):
challenge_file = os.path.join(directory, ".well-known", "acme-challenge", "qa")
with open(challenge_file, "w") as file:
file.write(challenge)
def check_challenge(domain, challenge):
url = "http://" + domain + "/.well-known/acme-challenge/qa"
try:
content = urlopen(url).read()
if not content == challenge:
print(domain, "DOES NOT MATCH")
except HTTPError as err:
print(domain, err.code)
# -------------------------------------------------------------
# Run task
# -------------------------------------------------------------
check_directories(dirs)
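Review bot: The comparison in check_challenge on the new side can never succeed, because `urlopen(url).read()` returns bytes while `challenge` is a str, so every domain is reported as `DOES NOT MATCH` even when the webroot is served correctly; decode before comparing, `content = urlopen(url, timeout=10).read().decode("utf-8", "replace")`, and the timeout also keeps one unresponsive host from stalling the whole run. check_certificate reads the renewal file through `open(file)` inside a list comprehension and never closes it; `with open(file) as fh:` followed by `lines = [line.rstrip("\n") for line in fh]` releases the handle. Neither issue is introduced by this commit, which only adds the auto-generated header, but both sit on the new side of the hunk.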
diff --git a/roles/core/certificates/files/delete-certbot-certificate.sh b/roles/core/certificates/files/certbot/utilities/delete-certbot-certificate.sh
similarity index 84%
rename from roles/core/certificates/files/delete-certbot-certificate.sh
rename to roles/core/certificates/files/certbot/utilities/delete-certbot-certificate.sh
index f17464c..04e13ad 100755
--- a/roles/core/certificates/files/delete-certbot-certificate.sh
+++ b/roles/core/certificates/files/certbot/utilities/delete-certbot-certificate.sh
@@ -1,61 +1,69 @@
#!/bin/sh
# -------------------------------------------------------------
# Remove a Let's Encrypt
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: BSD-2-Clause
+# Source file: roles/core/certificates/files/certbot/utilities/delete-certbot-certificate.sh
# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
set -e
# -------------------------------------------------------------
# Ensure user is root
#
# Note: POSIX shells don't always define $UID or $EUID.
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
if [ "${EUID:-$(id -u)}" -ne 0 ]; then
echo "This command must be run as root." >&2
exit 1
fi
# -------------------------------------------------------------
# Parse arguments
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
if [ $# -eq 0 ]; then
echo "Usage: $(basename "$0") <certificate>" >&2
exit 1
fi
CERTIFICATE=$1
# -------------------------------------------------------------
# Determine etc directory path
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
. /etc/os-release
if [ "$ID" = "freebsd" ]; then
ETC=/usr/local/etc
else
ETC=/etc
fi
# -------------------------------------------------------------
# Determine if the certificate exists
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
if [ ! -f "$ETC/letsencrypt/live/$CERTIFICATE/chain.pem" ]; then
echo "The certificate cannot be found." >&2
exit 2
fi
# -------------------------------------------------------------
# Delete certificate and renewal information
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
rm -rf "$ETC/letsencrypt/live/$CERTIFICATE"
rm -rf "$ETC/letsencrypt/archive/$CERTIFICATE"
rm "$ETC/letsencrypt/renewal/$CERTIFICATE.conf"
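Review bot: CERTIFICATE is taken from the command line and spliced into the `rm -rf` paths without validation, so a name containing `/` or `..` resolves outside the `live`, `archive` and `renewal` directories whenever a matching `chain.pem` exists at the resolved location; reject such names before the existence check, `case "$CERTIFICATE" in */*|.|..) echo "Invalid certificate name." >&2; exit 1;; esac`. Because of `set -e`, a missing renewal file on the last line aborts after `live` and `archive` are already removed, leaving a half-deleted state; `rm -f` there, or checking all three paths before deleting anything, avoids that. The commit itself only adds the header block; the script body is unchanged.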
diff --git a/roles/core/certificates/letsencrypt.sls b/roles/core/certificates/letsencrypt.sls
index bd30074..f3628ef 100644
--- a/roles/core/certificates/letsencrypt.sls
+++ b/roles/core/certificates/letsencrypt.sls
@@ -1,95 +1,95 @@
# -------------------------------------------------------------
# Salt - Deploy certificates
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
# -------------------------------------------------------------
{% from "map.jinja" import dirs, packages with context %}
{% set has_nginx = salt['node']['has_nginx']() %}
{% set has_selinux = salt["grains.get"]("selinux:enabled", False) %}
# -------------------------------------------------------------
# Software
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
letsencrypt_software:
pkg.installed:
- name: {{ packages.certbot }}
# -------------------------------------------------------------
# Working directory and configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/var/letsencrypt-auto:
file.directory:
- user: root
- dir_mode: 711
{% if has_selinux %}
selinux_context_certbot_www:
selinux.fcontext_policy_present:
- name: /var/letsencrypt-auto
- sel_type: httpd_sys_content_t
selinux_context_certbot_www_applied:
selinux.fcontext_policy_applied:
- name: /var/letsencrypt-auto
{% endif %}
{{ dirs.etc }}/letsencrypt/cli.ini:
file.managed:
- - source: salt://roles/core/certificates/files/cli.ini
+ - source: salt://roles/core/certificates/files/certbot/cli.ini
- makedirs: True
# -------------------------------------------------------------
# Extra utilities
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{{ dirs.bin }}/check-letsencrypt-certificates:
file.managed:
- - source: salt://roles/core/certificates/files/check-letsencrypt-certificates.py
+ - source: salt://roles/core/certificates/files/certbot/utilities/check-letsencrypt-certificates.py
- mode: 755
{{ dirs.etc }}/letsencrypt/acme-dns-auth:
file.managed:
- - source: salt://roles/core/certificates/files/acme-dns-auth.py
+ - source: salt://roles/core/certificates/files/certbot/acme-dns/acme-dns-auth.py
- mode: 755
- makedirs: True
{{ dirs.bin }}/edit-acme-dns-accounts:
file.managed:
- - source: salt://roles/core/certificates/files/edit-acme-dns-accounts.py
+ - source: salt://roles/core/certificates/files/certbot/acme-dns/edit-acme-dns-accounts.py
- mode: 755
{{ dirs.bin }}/delete-certbot-certificate:
file.managed:
- - source: salt://roles/core/certificates/files/delete-certbot-certificate.sh
+ - source: salt://roles/core/certificates/files/certbot/utilities/delete-certbot-certificate.sh
- mode: 755
# -------------------------------------------------------------
# Check and renew certificates daily
#
# FreeBSD ... periodic
# Linux ..... systemd timer
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
{% if has_nginx %}
-{% set renewal_script = "letsencrypt-renewal.sh" %}
+{% set renewal_script = "standard.sh" %}
{% else %}
-{% set renewal_script = "letsencrypt-renewal-without-nginx.sh" %}
+{% set renewal_script = "without-nginx.sh" %}
{% endif %}
/usr/local/sbin/letsencrypt-renewal:
file.managed:
- - source: salt://roles/core/certificates/files/{{ renewal_script }}
+ - source: salt://roles/core/certificates/files/certbot/renewal/{{ renewal_script }}
- mode: 755
{% if grains["os_family"] == "FreeBSD" %}
/usr/local/etc/periodic/daily/730.letsencrypt:
file.managed:
- - source: salt://roles/core/certificates/files/730.letsencrypt
+ - source: salt://roles/core/certificates/files/certbot/periodic/730.letsencrypt
{% endif %}
