
D3248.diff

diff --git a/_modules/node.py b/_modules/node.py
--- a/_modules/node.py
+++ b/_modules/node.py
@@ -23,6 +23,12 @@
]
+WITH_NGINX_ROLES = [
+ "webserver-core",
+ "paas-docker",
+]
+
+
def _get_all_nodes():
return __pillar__.get("nodes", {})
@@ -192,6 +198,13 @@
return any(role in DEPLOY_ROLES for role in get_list("roles", nodename))
+def has_nginx(nodename=None):
+ """
+ A function to determine if this server role should include nginx.
+ """
+ return any(role in WITH_NGINX_ROLES for role in get_list("roles", nodename))
+
+
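Review bot: The docstring of `has_nginx` says what it decides but not what depends on it or how `WITH_NGINX_ROLES` stays correct; the list is a hand-maintained mirror of the roles that actually include an nginx state (roles/paas-docker/init.sls includes `.nginx` in this same diff), and roles/core/certificates/letsencrypt.sls uses the result to choose a renewal script that reloads nginx. Suggest `"""Determine if this node runs nginx, i.e. has a role listed in WITH_NGINX_ROLES. Used by roles/core/certificates/letsencrypt.sls to pick the renewal script that reloads nginx."""`, and above the list in the previous hunk a comment `# Keep in sync with the roles that include a nginx state.`.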
def get_wwwroot(nodename=None):
"""
A function to determine the wwwroot folder to use.
diff --git a/_tests/scripts/bats/test_edit_acme_dns_accounts.sh b/_tests/scripts/bats/test_edit_acme_dns_accounts.sh
--- a/_tests/scripts/bats/test_edit_acme_dns_accounts.sh
+++ b/_tests/scripts/bats/test_edit_acme_dns_accounts.sh
@@ -1,6 +1,6 @@
#!/usr/bin/env bats
-SCRIPT="../roles/paas-docker/letsencrypt/files/edit-acme-dns-accounts.py"
+SCRIPT="../roles/core/certificates/files/edit-acme-dns-accounts.py"
# -------------------------------------------------------------
# Arguments parsing
diff --git a/_tests/scripts/python/test_edit_acme_dns_accounts.py b/_tests/scripts/python/test_edit_acme_dns_accounts.py
--- a/_tests/scripts/python/test_edit_acme_dns_accounts.py
+++ b/_tests/scripts/python/test_edit_acme_dns_accounts.py
@@ -7,7 +7,7 @@
os.environ["ACME_ACCOUNTS"] = "/path/to/acmedns.json"
-path = "roles/paas-docker/letsencrypt/files/edit-acme-dns-accounts.py"
+path = "roles/core/certificates/files/edit-acme-dns-accounts.py"
script = SourceFileLoader("script", "../" + path).load_module()
diff --git a/pillar/certificates/certificates.sls b/pillar/certificates/certificates.sls
deleted file mode 100644
--- a/pillar/certificates/certificates.sls
+++ /dev/null
@@ -1,15 +0,0 @@
-# -------------------------------------------------------------
-# Salt — Let's encrypt certificates
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Project: Nasqueron
-# Created: 2017-04-27
-# License: Trivial work, not eligible to copyright
-# -------------------------------------------------------------
-
-# -------------------------------------------------------------
-# Certificates
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-certificates_letsencrypt:
- eglide:
- - www.eglide.org
diff --git a/pillar/top.sls b/pillar/top.sls
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -11,7 +11,6 @@
- core.users
- core.groups
- core.network
- - certificates.certificates
- nodes.nodes
- nodes.forests
- hotfixes.roles
diff --git a/roles/core/certificates/files/730.letsencrypt b/roles/core/certificates/files/730.letsencrypt
new file mode 100755
--- /dev/null
+++ b/roles/core/certificates/files/730.letsencrypt
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# -------------------------------------------------------------
+# Fetch ports
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Author : FreeBSD contributors
+# License: BSD-2-Clause
+# Source file: roles/core/certificates/files/730.letsencrypt
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+# -------------------------------------------------------------
+
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_letsencrypt_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo "Running Let's Encrypt renewal:"
+
+ letsencrypt-renewal && rc=0 || rc=3;;
+
+ *) rc=0;;
+esac
+
+exit $rc
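Review bot: The header of this new periodic script reads `# Fetch ports`, which does not describe it; suggest `# Periodic: check and renew Let's Encrypt certificates daily`. The script calls `letsencrypt-renewal` by bare name while letsencrypt.sls installs it at `/usr/local/sbin/letsencrypt-renewal`; invoking the absolute path removes the dependency on periodic's PATH. The `rc=3` on failure also deserves a one-line comment saying how it is meant to show up in the daily periodic report, since periodic(8) documents 0, 1 and 2 as its result classes.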
diff --git a/roles/paas-docker/letsencrypt/files/acme-dns-auth.py b/roles/core/certificates/files/acme-dns-auth.py
rename from roles/paas-docker/letsencrypt/files/acme-dns-auth.py
rename to roles/core/certificates/files/acme-dns-auth.py
--- a/roles/paas-docker/letsencrypt/files/acme-dns-auth.py
+++ b/roles/core/certificates/files/acme-dns-auth.py
@@ -1,11 +1,11 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# -------------------------------------------------------------
# PaaS Docker
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Joona Hoikkala
# License: MIT
-# Source file: roles/paas-docker/letsencrypt/files/acme-dns-auth.py
+# Source file: roles/core/certificates/files/acme-dns-auth.py
# -------------------------------------------------------------
#
# <auto-generated>
@@ -21,7 +21,7 @@
import sys
ACMEDNS_URL = "https://acme.nasqueron.org"
-STORAGE_PATH = "/etc/letsencrypt/acmedns.json"
+STORAGE_PATH = "/usr/local/etc/acmedns.json"
ALLOW_FROM = []
FORCE_REGISTER = False
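Review bot: `STORAGE_PATH = "/usr/local/etc/acmedns.json"` is a hard-coded FreeBSD-style prefix, while letsencrypt.sls places the rest of the configuration under `{{ dirs.etc }}/letsencrypt`, which on the systemd/Linux branch is presumably not /usr/local/etc; the same literal is the default in edit-acme-dns-accounts.py (hunk `@@ -21,7 +26,7 @@`), so the two must be changed together. At minimum a comment should tie them: `# Must match the ACME_ACCOUNTS default in edit-acme-dns-accounts.py`. The file holds ACME-DNS account credentials and neither this hunk nor letsencrypt.sls shows the mode it is created with, so it is worth confirming it is not world-readable. The header still reads `# PaaS Docker` after the move to roles/core/certificates.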
diff --git a/roles/webserver-core/letsencrypt/files/check-letsencrypt-certificates.py b/roles/core/certificates/files/check-letsencrypt-certificates.py
rename from roles/webserver-core/letsencrypt/files/check-letsencrypt-certificates.py
rename to roles/core/certificates/files/check-letsencrypt-certificates.py
--- a/roles/webserver-core/letsencrypt/files/check-letsencrypt-certificates.py
+++ b/roles/core/certificates/files/check-letsencrypt-certificates.py
@@ -1,16 +1,14 @@
#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
# -------------------------------------------------------------
# Let's encrypt — Certificates web server configuration checker
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2016-06-05
# Description: Check if /.well-known/acme-challenge works
# for the mapping directory webserver for each
-# certificate to renew.
+# certificate to renew. HTTP only.
# License: BSD-2-Clause
-# Source file: roles/webserver-core/letsencrypt/files/check-letsencrypt-certificates.py
+# Source file: roles/core/certificates/files/check-letsencrypt-certificates.py
# -------------------------------------------------------------
# -------------------------------------------------------------
@@ -30,6 +28,7 @@
from urllib.error import HTTPError
from urllib.request import urlopen
+
# -------------------------------------------------------------
# Configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
diff --git a/roles/webserver-core/letsencrypt/files/cli.ini b/roles/core/certificates/files/cli.ini
rename from roles/webserver-core/letsencrypt/files/cli.ini
rename to roles/core/certificates/files/cli.ini
--- a/roles/webserver-core/letsencrypt/files/cli.ini
+++ b/roles/core/certificates/files/cli.ini
@@ -2,9 +2,8 @@
# Let's encrypt
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-04-27
# License: Trivial work, not eligible to copyright
-# Source file: roles/webserver-core/letsencrypt/files/cli.ini
+# Source file: roles/core/certificates/files/cli.ini
# -------------------------------------------------------------
#
# <auto-generated>
@@ -16,7 +15,6 @@
# Configuration
server = https://acme-v02.api.letsencrypt.org/directory
-authenticator = webroot
webroot-path = /var/letsencrypt-auto
# Automation
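Review bot: Dropping `authenticator = webroot` while keeping `webroot-path` means the webroot plugin is no longer selected by default; a non-interactive `certbot certonly -d example.org` with no plugin flag will presumably fail asking for an authenticator, whereas `certbot renew` is unaffected because each renewal conf records its plugin. If the intent is to choose between webroot and the acme-dns manual hook per certificate, say so here so the line is not re-added: `# No default authenticator: pass --webroot or --manual (acme-dns-auth) per certificate.`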
diff --git a/roles/paas-docker/letsencrypt/files/edit-acme-dns-accounts.py b/roles/core/certificates/files/edit-acme-dns-accounts.py
rename from roles/paas-docker/letsencrypt/files/edit-acme-dns-accounts.py
rename to roles/core/certificates/files/edit-acme-dns-accounts.py
--- a/roles/paas-docker/letsencrypt/files/edit-acme-dns-accounts.py
+++ b/roles/core/certificates/files/edit-acme-dns-accounts.py
@@ -1,16 +1,21 @@
#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
# -------------------------------------------------------------
# Let's encrypt — ACME DNS server accounts editor
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2020-02-22
-# Description: Edit /srv/letsencrypt/etc/acmedns.json to import
-# credentials for a specific subdomain to verify.
+# Description: Edit acmedns.json to import credentials
+# for a specific subdomain to verify.
# License: BSD-2-Clause
+# Source file: roles/core/certificates/files/edit-acme-dns-accounts.py
# -------------------------------------------------------------
-
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
import json
import os
@@ -21,7 +26,7 @@
try:
return os.environ["ACME_ACCOUNTS"]
except KeyError:
- return "/srv/letsencrypt/etc/acmedns.json"
+ return "/usr/local/etc/acmedns.json"
ACME_ACCOUNTS_PATH = get_acme_accounts_path()
diff --git a/roles/webserver-core/letsencrypt/files/letsencrypt-renew.service b/roles/core/certificates/files/letsencrypt-renew.service
rename from roles/webserver-core/letsencrypt/files/letsencrypt-renew.service
rename to roles/core/certificates/files/letsencrypt-renew.service
--- a/roles/webserver-core/letsencrypt/files/letsencrypt-renew.service
+++ b/roles/core/certificates/files/letsencrypt-renew.service
@@ -2,9 +2,8 @@
# Let's encrypt
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2016-08-24
# License: Trivial work, not eligible to copyright
-# Source file: roles/webserver-core/letsencrypt/files/letsencrypt.service
+# Source file: roles/core/certificates/files/letsencrypt-renew.service
# -------------------------------------------------------------
#
# <auto-generated>
@@ -16,7 +15,11 @@
[Unit]
Description=Renew Let's encrypt certificates.
+Wants=letsencrypt-renew.timer
[Service]
Type=oneshot
ExecStart=/usr/local/sbin/letsencrypt-renewal
+
+[Install]
+WantedBy=multi-user.target
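Review bot: Adding `[Install] WantedBy=multi-user.target` to this oneshot service, together with `letsencrypt_renew_enable` (service.enabled in letsencrypt.sls), makes the renewal run at every boot and not only when the timer fires; with `Persistent=yes` on the timer already covering missed runs this is probably unintended. At boot the unit also has no `After=network-online.target` (or nginx) ordering, so `certbot renew && nginx_test && nginx -s reload` can run before the network or nginx is up and the unit is marked failed. The conventional layout keeps the `[Install]` section on the timer only and enables just the timer, which makes `Wants=letsencrypt-renew.timer` on the service unnecessary.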
diff --git a/roles/webserver-core/letsencrypt/files/letsencrypt-renew.timer b/roles/core/certificates/files/letsencrypt-renew.timer
rename from roles/webserver-core/letsencrypt/files/letsencrypt-renew.timer
rename to roles/core/certificates/files/letsencrypt-renew.timer
--- a/roles/webserver-core/letsencrypt/files/letsencrypt-renew.timer
+++ b/roles/core/certificates/files/letsencrypt-renew.timer
@@ -2,9 +2,8 @@
# Let's encrypt
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2016-08-24
# License: Trivial work, not eligible to copyright
-# Source file: roles/webserver-core/letsencrypt/files/letsencrypt.timer
+# Source file: roles/core/certificates/files/letsencrypt-renew.timer
# -------------------------------------------------------------
#
# <auto-generated>
@@ -15,10 +14,10 @@
# </auto-generated>
[Unit]
-Description=Runs letsencrypt-renewal every month
+Description=Check and renew Let's Encrypt certificates
[Timer]
-OnCalendar=*-*-26 12:15:00
+OnCalendar=*-*-* 12:15:00
Persistent=yes
[Install]
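Review bot: `OnCalendar=*-*-* 12:15:00` fires on every node at the same minute; adding `RandomizedDelaySec=3600` under `[Timer]` spreads the attempts, which Let's Encrypt recommends for renewal jobs and which also avoids a fleet-wide simultaneous `nginx -s reload`.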
diff --git a/roles/webserver-core/letsencrypt/files/letsencrypt-renew.service b/roles/core/certificates/files/letsencrypt-renewal-without-nginx.sh
rename from roles/webserver-core/letsencrypt/files/letsencrypt-renew.service
rename to roles/core/certificates/files/letsencrypt-renewal-without-nginx.sh
--- a/roles/webserver-core/letsencrypt/files/letsencrypt-renew.service
+++ b/roles/core/certificates/files/letsencrypt-renewal-without-nginx.sh
@@ -1,10 +1,11 @@
+#!/bin/sh
+
# -------------------------------------------------------------
# Let's encrypt
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2016-08-24
# License: Trivial work, not eligible to copyright
-# Source file: roles/webserver-core/letsencrypt/files/letsencrypt.service
+# Source file: roles/core/certificates/files/letsencrypt-renewal-without-nginx.sh
# -------------------------------------------------------------
#
# <auto-generated>
@@ -14,9 +15,4 @@
# and will be lost if the state is redeployed.
# </auto-generated>
-[Unit]
-Description=Renew Let's encrypt certificates.
-
-[Service]
-Type=oneshot
-ExecStart=/usr/local/sbin/letsencrypt-renewal
+certbot renew
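Review bot: `certbot renew` is the whole script, so a service on a non-nginx node that consumes the renewed certificates is never told to reload them; this branch is selected for every role not in WITH_NGINX_ROLES, and if such consumers exist a `--deploy-hook` is the place for the reload. A comment stating the contract would avoid surprises: `# Renewal only; nodes without nginx must pick up new certificates themselves (or add --deploy-hook here).`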
diff --git a/roles/webserver-core/letsencrypt/files/letsencrypt-renewal.sh b/roles/core/certificates/files/letsencrypt-renewal.sh
old mode 100755
new mode 100644
rename from roles/webserver-core/letsencrypt/files/letsencrypt-renewal.sh
rename to roles/core/certificates/files/letsencrypt-renewal.sh
--- a/roles/webserver-core/letsencrypt/files/letsencrypt-renewal.sh
+++ b/roles/core/certificates/files/letsencrypt-renewal.sh
@@ -4,9 +4,8 @@
# Let's encrypt
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2016-08-24
# License: Trivial work, not eligible to copyright
-# Source file: roles/webserver-core/letsencrypt/files/letsencrypt-renewal.sh
+# Source file: roles/core/certificates/files/letsencrypt-renewal.sh
# -------------------------------------------------------------
#
# <auto-generated>
@@ -27,5 +26,4 @@
fi;
}
-
-certbot renew && nginx_test && service nginx restart
+certbot renew && nginx_test && nginx -s reload
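Review bot: `certbot renew && nginx_test && nginx -s reload` reloads nginx on every run, and now that the timer and periodic job are daily that is a daily reload even when nothing was renewed; `certbot renew --deploy-hook "nginx -t && nginx -s reload"` reloads only after an actual renewal, or keep `nginx_test` and guard the reload on certbot's output. The `nginx_test` function this line calls is defined above the hunk.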
diff --git a/roles/core/certificates/init.sls b/roles/core/certificates/init.sls
--- a/roles/core/certificates/init.sls
+++ b/roles/core/certificates/init.sls
@@ -7,3 +7,4 @@
include:
- .nasqueron
+ - .letsencrypt
diff --git a/roles/core/certificates/letsencrypt.sls b/roles/core/certificates/letsencrypt.sls
new file mode 100644
--- /dev/null
+++ b/roles/core/certificates/letsencrypt.sls
@@ -0,0 +1,97 @@
+# -------------------------------------------------------------
+# Salt - Deploy certificates
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% from "map.jinja" import dirs, packages with context %}
+
+{% set has_nginx = salt['node']['has_nginx']() %}
+
+# -------------------------------------------------------------
+# Software
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+letsencrypt_software:
+ pkg.installed:
+ - name: {{ packages.certbot }}
+
+# -------------------------------------------------------------
+# Working directory and configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/var/letsencrypt-auto:
+ file.directory:
+ - user: root
+ - dir_mode: 711
+
+{{ dirs.etc }}/letsencrypt/cli.ini:
+ file.managed:
+ - source: salt://roles/core/certificates/files/cli.ini
+ - makedirs: True
+
+# -------------------------------------------------------------
+# Extra utilities
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ dirs.bin }}/check-letsencrypt-certificates:
+ file.managed:
+ - source: salt://roles/core/certificates/files/check-letsencrypt-certificates.py
+ - mode: 755
+
+{{ dirs.etc }}/letsencrypt/acme-dns-auth:
+ file.managed:
+ - source: salt://roles/core/certificates/files/acme-dns-auth.py
+ - mode: 755
+ - makedirs: True
+
+{{ dirs.bin }}/edit-acme-dns-accounts:
+ file.managed:
+ - source: salt://roles/core/certificates/files/edit-acme-dns-accounts.py
+ - mode: 755
+
+# -------------------------------------------------------------
+# Check and renew certificates daily
+#
+# FreeBSD ... periodic
+# Linux ..... systemd timer
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{% if has_nginx %}
+{% set renewal_script = "letsencrypt-renewal.sh" %}
+{% else %}
+{% set renewal_script = "letsencrypt-renewal-without-nginx.sh" %}
+{% endif %}
+
+/usr/local/sbin/letsencrypt-renewal:
+ file.managed:
+ - source: salt://roles/core/certificates/files/{{ renewal_script }}
+ - mode: 755
+
+{% if grains["os_family"] == "FreeBSD" %}
+
+/usr/local/etc/periodic/daily/730.letsencrypt:
+ file.managed:
+ - source: salt://roles/core/certificates/files/730.letsencrypt
+
+{% elif services["manager"] == "systemd" %}
+
+/etc/systemd/system/letsencrypt-renew.timer:
+ file.managed:
+ - source: salt://roles/core/certificates/files/letsencrypt-renew.timer
+
+/etc/systemd/system/letsencrypt-renew.service:
+ file.managed:
+ - source: salt://roles/core/certificates/files/letsencrypt-renew.service
+
+letsencrypt_renew_enable:
+ service.enabled:
+ - name: letsencrypt-renew
+
+letsencrypt_renew_timer_start:
+ service.running:
+ - name: letsencrypt-renew.timer
+ - enable: True
+
+{% endif %}
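Review bot: `services["manager"]` in the `{% elif %}` is used but `services` is never imported — the import at the top brings in only `dirs, packages`, whereas the deleted roles/webserver-core/letsencrypt/service.sls had `{% from "map.jinja" import services with context %}` — so rendering this state on any non-FreeBSD node will fail on the undefined variable; change the import to `{% from "map.jinja" import dirs, packages, services with context %}`. The old service.sls also ran `service.force_reload` with `onchanges` on the unit file; this state drops that, so systemd keeps the previous unit definitions until a daemon-reload (a `module.run` with `onchanges` on the two file.managed states restores it). Elsewhere in this diff execution modules are called as `salt['node.has'](...)`; `salt['node']['has_nginx']()` is a different access form, and `salt['node.has_nginx']()` would be consistent.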
diff --git a/roles/core/rc/files/periodic.conf b/roles/core/rc/files/periodic.conf
--- a/roles/core/rc/files/periodic.conf
+++ b/roles/core/rc/files/periodic.conf
@@ -3,9 +3,11 @@
# 480.status-ntpd
daily_status_ntpd_enable="YES"
+
+# 730.letsencrypt
+daily_letsencrypt_enable="YES"
+
{% if use_zfs %}
# 800.scrub-zfs
daily_scrub_zfs_enable="YES"
{% endif %}
-# 500.certbot
-weekly_certbot_enable="YES"
diff --git a/roles/paas-docker/init.sls b/roles/paas-docker/init.sls
--- a/roles/paas-docker/init.sls
+++ b/roles/paas-docker/init.sls
@@ -18,7 +18,6 @@
- .wwwroot-content
- .nginx
- .monitoring
- - .letsencrypt
- .wrappers
{% if salt['node.has']('flags:install_docker_devel_tools') %}
- .devel
diff --git a/roles/paas-docker/letsencrypt/init.sls b/roles/paas-docker/letsencrypt/init.sls
deleted file mode 100644
--- a/roles/paas-docker/letsencrypt/init.sls
+++ /dev/null
@@ -1,56 +0,0 @@
-# -------------------------------------------------------------
-# Salt — Provision Docker engine
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Project: Nasqueron
-# Created: 2018-03-16
-# License: Trivial work, not eligible to copyright
-# -------------------------------------------------------------
-
-{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
-
-# -------------------------------------------------------------
-# See also
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-# Wrapper script
-# - wrappers/init.sls
-# - wrappers/files/certbot.sh
-#
-# Image
-# - /pillar/paas/docker.sls
-#
-# Nginx configuration
-# - nginx/files/includes/letsencrypt
-
-# -------------------------------------------------------------
-# Data directory
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-/srv/letsencrypt:
- file.directory
-
-{% if has_selinux %}
-selinux_context_letsencrypt_home:
- selinux.fcontext_policy_present:
- - name: /srv/letsencrypt
- - sel_type: container_file_t
-
-selinux_context_letsencrypt_home_applied:
- selinux.fcontext_policy_applied:
- - name: /srv/letsencrypt
-{% endif %}
-
-# -------------------------------------------------------------
-# Plug-ins
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-/srv/letsencrypt/etc/acme-dns-auth:
- file.managed:
- - source: salt://roles/paas-docker/letsencrypt/files/acme-dns-auth.py
- - mode: 755
- - makedirs: True
-
-/usr/local/bin/edit-acme-dns-accounts:
- file.managed:
- - source: salt://roles/paas-docker/letsencrypt/files/edit-acme-dns-accounts.py
- - mode: 755
diff --git a/roles/paas-docker/wrappers/files/certbot.sh b/roles/paas-docker/wrappers/files/certbot.sh
deleted file mode 100755
--- a/roles/paas-docker/wrappers/files/certbot.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/sh
-
-# -------------------------------------------------------------
-# PaaS Docker
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Project: Nasqueron
-# Created: 2018-03-15
-# License: Trivial work, not eligible to copyright
-# Source file: roles/paas-docker/wrappers/files/certbot.sh
-# -------------------------------------------------------------
-#
-# <auto-generated>
-# This file is managed by our rOPS SaltStack repository.
-#
-# Changes to this file may cause incorrect behavior
-# and will be lost if the state is redeployed.
-# </auto-generated>
-
-if [ "$1" = "acme-dns-certonly" ]; then
- COMMAND=certonly
- EXTRA_ARGS="--manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenge"
-else
- COMMAND=$1
-fi
-shift
-
-docker run -it --rm \
- -v /srv/letsencrypt/etc:/etc/letsencrypt \
- -v /srv/letsencrypt/var:/var/lib/letsencrypt \
- -v /srv/letsencrypt/log:/var/log/letsencrypt \
- -v /srv/letsencrypt/www:/www \
- certbot/certbot:latest "$COMMAND" $@ $EXTRA_ARGS
diff --git a/roles/paas-docker/wrappers/init.sls b/roles/paas-docker/wrappers/init.sls
--- a/roles/paas-docker/wrappers/init.sls
+++ b/roles/paas-docker/wrappers/init.sls
@@ -12,7 +12,7 @@
# Wrapper binaries
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-{% for command in ['certbot', 'jenkins', 'phpbb', 'mysql', 'openfire', 'geoipupdate'] %}
+{% for command in ['jenkins', 'phpbb', 'mysql', 'openfire', 'geoipupdate'] %}
{{ dirs.bin }}/{{ command }}:
file.managed:
- source: salt://roles/paas-docker/wrappers/files/{{ command }}.sh
diff --git a/roles/webserver-core/init.sls b/roles/webserver-core/init.sls
--- a/roles/webserver-core/init.sls
+++ b/roles/webserver-core/init.sls
@@ -9,6 +9,3 @@
include:
- .nginx
- .tools
- {% if 'paas-docker' not in salt['node.get_list']('roles') %}
- - .letsencrypt
- {% endif %}
diff --git a/roles/webserver-core/letsencrypt/certificates.sls b/roles/webserver-core/letsencrypt/certificates.sls
deleted file mode 100644
--- a/roles/webserver-core/letsencrypt/certificates.sls
+++ /dev/null
@@ -1,20 +0,0 @@
-# -------------------------------------------------------------
-# Salt — Let's encrypt certificates
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Project: Nasqueron
-# Created: 2017-04-27
-# License: Trivial work, not eligible to copyright
-# -------------------------------------------------------------
-
-{% from "map.jinja" import dirs with context %}
-
-# -------------------------------------------------------------
-# Certificates
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-{% for domain in salt['pillar.get']("certificates_letsencrypt:" + grains['id'], []) %}
-certificate_{{ domain }}:
- cmd.run:
- - name: certbot certonly -d {{ domain }}
- - creates: {{ dirs.etc }}/letsencrypt/live/{{ domain }}/fullchain.pem
-{% endfor %}
diff --git a/roles/webserver-core/letsencrypt/init.sls b/roles/webserver-core/letsencrypt/init.sls
deleted file mode 100644
--- a/roles/webserver-core/letsencrypt/init.sls
+++ /dev/null
@@ -1,12 +0,0 @@
-# -------------------------------------------------------------
-# Salt — Let's encrypt certificates
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Project: Nasqueron
-# Created: 2017-04-27
-# License: Trivial work, not eligible to copyright
-# -------------------------------------------------------------
-
-include:
- - .software
- - .service
- - .certificates
diff --git a/roles/webserver-core/letsencrypt/service.sls b/roles/webserver-core/letsencrypt/service.sls
deleted file mode 100644
--- a/roles/webserver-core/letsencrypt/service.sls
+++ /dev/null
@@ -1,44 +0,0 @@
-# -------------------------------------------------------------
-# Salt — Let's encrypt certificates
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Project: Nasqueron
-# Created: 2017-04-27
-# Description: Provide a renewal service
-# License: Trivial work, not eligible to copyright
-# -------------------------------------------------------------
-
-{% from "map.jinja" import services with context %}
-
-# -------------------------------------------------------------
-# Renew script
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-/usr/local/sbin/letsencrypt-renewal:
- file.managed:
- - source: salt://roles/webserver-core/letsencrypt/files/letsencrypt-renewal.sh
- - mode: 755
-
-# -------------------------------------------------------------
-# Unit configuration
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-{% if services['manager'] == 'systemd' %}
-
-letsencrypt_renew_unit:
- file.managed:
- - name: /etc/systemd/system/letsencrypt-renew.service
- - source: salt://roles/webserver-core/letsencrypt/files/letsencrypt-renew.service
- - mode: 644
- module.run:
- - service.force_reload:
- - name: letsencrypt-renew
- - onchanges:
- - file: letsencrypt_renew_unit
-
-letsencrypt_renew_enable:
- service.enabled:
- - name: letsencrypt-renew
- - watch:
- - module: letsencrypt_renew_unit
-
-{% endif %}
diff --git a/roles/webserver-core/letsencrypt/software.sls b/roles/webserver-core/letsencrypt/software.sls
deleted file mode 100644
--- a/roles/webserver-core/letsencrypt/software.sls
+++ /dev/null
@@ -1,44 +0,0 @@
-# -------------------------------------------------------------
-# Salt — Let's encrypt certificates
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Project: Nasqueron
-# Created: 2017-04-27
-# License: Trivial work, not eligible to copyright
-# -------------------------------------------------------------
-
-{% from "map.jinja" import dirs, packages with context %}
-
-# -------------------------------------------------------------
-# Software
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-letsencrypt_software:
- pkg.installed:
- - name: {{ packages.certbot }}
-
-# -------------------------------------------------------------
-# Working directory
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-/var/letsencrypt-auto:
- file.directory:
- - user: root
- - dir_mode: 711
-
-# -------------------------------------------------------------
-# Configuration file
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-{{ dirs.etc }}/letsencrypt/cli.ini:
- file.managed:
- - source: salt://roles/webserver-core/letsencrypt/files/cli.ini
- - makedirs: True
-
-# -------------------------------------------------------------
-# Extra utilities
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-{{ dirs.bin }}/check-letsencrypt-certificates:
- file.managed:
- - source: salt://roles/webserver-core/letsencrypt/files/check-letsencrypt-certificates.py
- - mode: 755
diff --git a/roles/webserver-core/map.jinja b/roles/webserver-core/map.jinja
--- a/roles/webserver-core/map.jinja
+++ b/roles/webserver-core/map.jinja
@@ -10,9 +10,3 @@
"pid_path": "/run/nginx.pid",
}
}, default="Debian") %}
-
-{% if salt["node.has_role"]("paas-docker") %}
-{% set certbot_dir = "/srv/letsencrypt/www" %}
-{% else %}
-{% set certbot_dir = "/var/letsencrypt-auto" %}
-{% endif %}
diff --git a/roles/webserver-core/nginx/config.sls b/roles/webserver-core/nginx/config.sls
--- a/roles/webserver-core/nginx/config.sls
+++ b/roles/webserver-core/nginx/config.sls
@@ -6,7 +6,7 @@
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
-{% from "roles/webserver-core/map.jinja" import options, certbot_dir with context %}
+{% from "roles/webserver-core/map.jinja" import options with context %}
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
@@ -58,7 +58,7 @@
nginx_version: {{ salt["nginx.version"]() }}
nginx_dir: {{ dirs.etc }}/nginx
nginx_options: {{ options }}
- certbot_dir: {{ certbot_dir }}
+ certbot_dir: /var/letsencrypt-auto
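Review bot: `certbot_dir: /var/letsencrypt-auto` is now a literal here, in letsencrypt.sls (the `/var/letsencrypt-auto:` file.directory) and in cli.ini (`webroot-path`), three copies that must agree for the HTTP-01 challenge to be served; since `certbot_dir` was just removed from roles/webserver-core/map.jinja, a single definition there without the paas-docker branch would keep one source of truth. A short comment would also help: `# Must match webroot-path in roles/core/certificates/files/cli.ini`.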
# -------------------------------------------------------------
# Parameters for Diffie-Hellman
