D3248.id.diff
diff --git a/_modules/node.py b/_modules/node.py
--- a/_modules/node.py
+++ b/_modules/node.py
@@ -23,6 +23,12 @@
]
+WITH_NGINX_ROLES = [
+ "webserver-core",
+ "paas-docker",
+]
+
+
def _get_all_nodes():
return __pillar__.get("nodes", {})
@@ -192,6 +198,13 @@
return any(role in DEPLOY_ROLES for role in get_list("roles", nodename))
+def has_nginx(nodename=None):
+ """
+ A function to determine if this server role should include nginx.
+ """
+ return any(role in WITH_NGINX_ROLES for role in get_list("roles", nodename))
+
+
def get_wwwroot(nodename=None):
"""
A function to determine the wwwroot folder to use.
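Review bot: The docstring of `has_nginx` speaks of "this server role", but the function takes `nodename=None` and resolves roles for whichever node is passed, exactly like the neighbouring helper that reads `DEPLOY_ROLES`; the parameter should be documented so callers know which node is meant. Suggested docstring: `Determine whether a node's roles require nginx. nodename: node to inspect; when None, presumably the current node (as for get_list) — confirm.` The `any(role in WITH_NGINX_ROLES for role in get_list("roles", nodename))` body otherwise mirrors the existing pattern and is fine.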
diff --git a/_tests/scripts/bats/test_edit_acme_dns_accounts.sh b/_tests/scripts/bats/test_edit_acme_dns_accounts.sh
--- a/_tests/scripts/bats/test_edit_acme_dns_accounts.sh
+++ b/_tests/scripts/bats/test_edit_acme_dns_accounts.sh
@@ -1,6 +1,6 @@
#!/usr/bin/env bats
-SCRIPT="../roles/paas-docker/letsencrypt/files/edit-acme-dns-accounts.py"
+SCRIPT="../roles/core/certificates/files/edit-acme-dns-accounts.py"
# -------------------------------------------------------------
# Arguments parsing
diff --git a/_tests/scripts/python/test_edit_acme_dns_accounts.py b/_tests/scripts/python/test_edit_acme_dns_accounts.py
--- a/_tests/scripts/python/test_edit_acme_dns_accounts.py
+++ b/_tests/scripts/python/test_edit_acme_dns_accounts.py
@@ -7,7 +7,7 @@
os.environ["ACME_ACCOUNTS"] = "/path/to/acmedns.json"
-path = "roles/paas-docker/letsencrypt/files/edit-acme-dns-accounts.py"
+path = "roles/core/certificates/files/edit-acme-dns-accounts.py"
script = SourceFileLoader("script", "../" + path).load_module()
diff --git a/pillar/certificates/certificates.sls b/pillar/certificates/certificates.sls
deleted file mode 100644
--- a/pillar/certificates/certificates.sls
+++ /dev/null
@@ -1,15 +0,0 @@
-# -------------------------------------------------------------
-# Salt — Let's encrypt certificates
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Project: Nasqueron
-# Created: 2017-04-27
-# License: Trivial work, not eligible to copyright
-# -------------------------------------------------------------
-
-# -------------------------------------------------------------
-# Certificates
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-certificates_letsencrypt:
- eglide:
- - www.eglide.org
diff --git a/pillar/top.sls b/pillar/top.sls
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -11,7 +11,6 @@
- core.users
- core.groups
- core.network
- - certificates.certificates
- nodes.nodes
- nodes.forests
- hotfixes.roles
diff --git a/roles/core/certificates/files/730.letsencrypt b/roles/core/certificates/files/730.letsencrypt
new file mode 100755
--- /dev/null
+++ b/roles/core/certificates/files/730.letsencrypt
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+# -------------------------------------------------------------
+# Fetch ports
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Author : FreeBSD contributors
+# License: BSD-2-Clause
+# Source file: roles/core/certificates/files/730.letsencrypt
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+# -------------------------------------------------------------
+
+
+# If there is a global system configuration file, suck it in.
+#
+if [ -r /etc/defaults/periodic.conf ]
+then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+case "$daily_letsencrypt_enable" in
+ [Yy][Ee][Ss])
+ echo ""
+ echo "Running Let's Encrypt renewal:"
+
+ letsencrypt-renewal && rc=0 || rc=3;;
+
+ *) rc=0;;
+esac
+
+exit $rc
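Review bot: `letsencrypt-renewal && rc=0 || rc=3;;` invokes the renewal script by bare name, while the systemd unit in the same diff calls it as `/usr/local/sbin/letsencrypt-renewal`; periodic(8) normally puts /usr/local/sbin on PATH, but using the absolute path keeps both entry points identical and removes any dependence on the periodic environment. Suggested: `/usr/local/sbin/letsencrypt-renewal && rc=0 || rc=3;;`. Returning 3 on failure follows the periodic convention for an error that should surface in the daily report, so that part reads correctly.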
diff --git a/roles/paas-docker/letsencrypt/files/acme-dns-auth.py b/roles/core/certificates/files/acme-dns-auth.py
rename from roles/paas-docker/letsencrypt/files/acme-dns-auth.py
rename to roles/core/certificates/files/acme-dns-auth.py
--- a/roles/paas-docker/letsencrypt/files/acme-dns-auth.py
+++ b/roles/core/certificates/files/acme-dns-auth.py
@@ -1,11 +1,11 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
# -------------------------------------------------------------
# PaaS Docker
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Author: Joona Hoikkala
# License: MIT
-# Source file: roles/paas-docker/letsencrypt/files/acme-dns-auth.py
+# Source file: roles/core/certificates/files/acme-dns-auth.py
# -------------------------------------------------------------
#
# <auto-generated>
@@ -21,7 +21,7 @@
import sys
ACMEDNS_URL = "https://acme.nasqueron.org"
-STORAGE_PATH = "/etc/letsencrypt/acmedns.json"
+STORAGE_PATH = "/usr/local/etc/acmedns.json"
ALLOW_FROM = []
FORCE_REGISTER = False
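Review bot: `STORAGE_PATH = "/usr/local/etc/acmedns.json"` moves the acme-dns account credentials (the file the accounts editor in this diff describes as importing credentials per subdomain) to a new location, but nothing in the new letsencrypt.sls manages that path, so its owner and mode depend entirely on whatever the script does at first registration. A `file.managed` entry for `/usr/local/etc/acmedns.json` with `replace: False`, `user: root`, `mode: 600` next to the `acme-dns-auth` deployment would pin it. The same path change is made in edit-acme-dns-accounts.py (hunk at new line 26) and the two values agree, which is good; if `dirs.etc` resolves to `/etc` on Linux hosts, note that this file now lives under /usr/local/etc while cli.ini lives under `{{ dirs.etc }}/letsencrypt` — confirm that split is intended.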
diff --git a/roles/webserver-core/letsencrypt/files/check-letsencrypt-certificates.py b/roles/core/certificates/files/check-letsencrypt-certificates.py
rename from roles/webserver-core/letsencrypt/files/check-letsencrypt-certificates.py
rename to roles/core/certificates/files/check-letsencrypt-certificates.py
--- a/roles/webserver-core/letsencrypt/files/check-letsencrypt-certificates.py
+++ b/roles/core/certificates/files/check-letsencrypt-certificates.py
@@ -1,16 +1,14 @@
#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
# -------------------------------------------------------------
# Let's encrypt — Certificates web server configuration checker
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2016-06-05
# Description: Check if /.well-known/acme-challenge works
# for the mapping directory webserver for each
-# certificate to renew.
+# certificate to renew. HTTP only.
# License: BSD-2-Clause
-# Source file: roles/webserver-core/letsencrypt/files/check-letsencrypt-certificates.py
+# Source file: roles/core/certificates/files/check-letsencrypt-certificates.py
# -------------------------------------------------------------
# -------------------------------------------------------------
@@ -30,6 +28,7 @@
from urllib.error import HTTPError
from urllib.request import urlopen
+
# -------------------------------------------------------------
# Configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
diff --git a/roles/webserver-core/letsencrypt/files/cli.ini b/roles/core/certificates/files/cli.ini
rename from roles/webserver-core/letsencrypt/files/cli.ini
rename to roles/core/certificates/files/cli.ini
--- a/roles/webserver-core/letsencrypt/files/cli.ini
+++ b/roles/core/certificates/files/cli.ini
@@ -2,9 +2,8 @@
# Let's encrypt
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2017-04-27
# License: Trivial work, not eligible to copyright
-# Source file: roles/webserver-core/letsencrypt/files/cli.ini
+# Source file: roles/core/certificates/files/cli.ini
# -------------------------------------------------------------
#
# <auto-generated>
@@ -16,7 +15,6 @@
# Configuration
server = https://acme-v02.api.letsencrypt.org/directory
-authenticator = webroot
webroot-path = /var/letsencrypt-auto
# Automation
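Review bot: Removing `authenticator = webroot` while keeping `webroot-path` leaves the file silent about why the authenticator is no longer fixed; `certbot renew` reuses the authenticator recorded in each lineage's renewal config, but a fresh `certbot certonly -d …` without `-a` may now prompt, or fail when run non-interactively. If the intent is that webroot (HTTP-01) and the `--manual` acme-dns hook (DNS-01) are chosen per certificate, record it here: `# authenticator is chosen per certificate: webroot for HTTP-01, --manual with acme-dns-auth for DNS-01`.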
diff --git a/roles/paas-docker/letsencrypt/files/edit-acme-dns-accounts.py b/roles/core/certificates/files/edit-acme-dns-accounts.py
rename from roles/paas-docker/letsencrypt/files/edit-acme-dns-accounts.py
rename to roles/core/certificates/files/edit-acme-dns-accounts.py
--- a/roles/paas-docker/letsencrypt/files/edit-acme-dns-accounts.py
+++ b/roles/core/certificates/files/edit-acme-dns-accounts.py
@@ -1,16 +1,21 @@
#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
# -------------------------------------------------------------
# Let's encrypt — ACME DNS server accounts editor
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2020-02-22
-# Description: Edit /srv/letsencrypt/etc/acmedns.json to import
-# credentials for a specific subdomain to verify.
+# Description: Edit acmedns.json to import credentials
+# for a specific subdomain to verify.
# License: BSD-2-Clause
+# Source file: roles/core/certificates/files/edit-acme-dns-accounts.py
# -------------------------------------------------------------
-
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
import json
import os
@@ -21,7 +26,7 @@
try:
return os.environ["ACME_ACCOUNTS"]
except KeyError:
- return "/srv/letsencrypt/etc/acmedns.json"
+ return "/usr/local/etc/acmedns.json"
ACME_ACCOUNTS_PATH = get_acme_accounts_path()
diff --git a/roles/webserver-core/letsencrypt/files/letsencrypt-renew.service b/roles/core/certificates/files/letsencrypt-renew.service
rename from roles/webserver-core/letsencrypt/files/letsencrypt-renew.service
rename to roles/core/certificates/files/letsencrypt-renew.service
--- a/roles/webserver-core/letsencrypt/files/letsencrypt-renew.service
+++ b/roles/core/certificates/files/letsencrypt-renew.service
@@ -2,9 +2,8 @@
# Let's encrypt
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2016-08-24
# License: Trivial work, not eligible to copyright
-# Source file: roles/webserver-core/letsencrypt/files/letsencrypt.service
+# Source file: roles/core/certificates/files/letsencrypt-renew.service
# -------------------------------------------------------------
#
# <auto-generated>
@@ -16,7 +15,11 @@
[Unit]
Description=Renew Let's encrypt certificates.
+Wants=letsencrypt-renew.timer
[Service]
Type=oneshot
ExecStart=/usr/local/sbin/letsencrypt-renewal
+
+[Install]
+WantedBy=multi-user.target
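Review bot: `Wants=letsencrypt-renew.timer` in the service together with the new `[Install] WantedBy=multi-user.target` inverts the usual pairing: the timer pulls in its service, and it is the timer that gets enabled. As written, `letsencrypt_renew_enable` in letsencrypt.sls (`service.enabled` on `letsencrypt-renew`) installs the oneshot service into multi-user.target, so a renewal also runs on every boot, independently of the 12:15 schedule. Suggest dropping the `Wants=` line and the `[Install]` section here and removing `letsencrypt_renew_enable`, leaving `letsencrypt_renew_timer_start` (enable + start of the timer, which already has its own `[Install]`) as the only activation. The deleted service.sls also ran `service.force_reload` on unit-file changes; recent Salt systemd modules daemon-reload when a managed unit changes, but verify that on the target Salt version.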
diff --git a/roles/webserver-core/letsencrypt/files/letsencrypt-renew.timer b/roles/core/certificates/files/letsencrypt-renew.timer
rename from roles/webserver-core/letsencrypt/files/letsencrypt-renew.timer
rename to roles/core/certificates/files/letsencrypt-renew.timer
--- a/roles/webserver-core/letsencrypt/files/letsencrypt-renew.timer
+++ b/roles/core/certificates/files/letsencrypt-renew.timer
@@ -2,9 +2,8 @@
# Let's encrypt
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2016-08-24
# License: Trivial work, not eligible to copyright
-# Source file: roles/webserver-core/letsencrypt/files/letsencrypt.timer
+# Source file: roles/core/certificates/files/letsencrypt-renew.timer
# -------------------------------------------------------------
#
# <auto-generated>
@@ -15,10 +14,10 @@
# </auto-generated>
[Unit]
-Description=Runs letsencrypt-renewal every month
+Description=Check and renew Let's Encrypt certificates
[Timer]
-OnCalendar=*-*-26 12:15:00
+OnCalendar=*-*-* 12:15:00
Persistent=yes
[Install]
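Review bot: `OnCalendar=*-*-* 12:15:00` fires at the same wall-clock minute on every host; adding `RandomizedDelaySec=1h` under `[Timer]` spreads the daily `certbot renew` runs, which matches Let's Encrypt's guidance to renew at a random time and also avoids every host reloading nginx in the same minute. `Persistent=yes` is already present, so catch-up after downtime is covered.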
diff --git a/roles/webserver-core/letsencrypt/files/letsencrypt-renew.service b/roles/core/certificates/files/letsencrypt-renewal-without-nginx.sh
rename from roles/webserver-core/letsencrypt/files/letsencrypt-renew.service
rename to roles/core/certificates/files/letsencrypt-renewal-without-nginx.sh
--- a/roles/webserver-core/letsencrypt/files/letsencrypt-renew.service
+++ b/roles/core/certificates/files/letsencrypt-renewal-without-nginx.sh
@@ -1,10 +1,11 @@
+#!/bin/sh
+
# -------------------------------------------------------------
# Let's encrypt
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2016-08-24
# License: Trivial work, not eligible to copyright
-# Source file: roles/webserver-core/letsencrypt/files/letsencrypt.service
+# Source file: roles/core/certificates/files/letsencrypt-renewal-without-nginx.sh
# -------------------------------------------------------------
#
# <auto-generated>
@@ -14,9 +15,4 @@
# and will be lost if the state is redeployed.
# </auto-generated>
-[Unit]
-Description=Renew Let's encrypt certificates.
-
-[Service]
-Type=oneshot
-ExecStart=/usr/local/sbin/letsencrypt-renewal
+certbot renew
diff --git a/roles/webserver-core/letsencrypt/files/letsencrypt-renewal.sh b/roles/core/certificates/files/letsencrypt-renewal.sh
old mode 100755
new mode 100644
rename from roles/webserver-core/letsencrypt/files/letsencrypt-renewal.sh
rename to roles/core/certificates/files/letsencrypt-renewal.sh
--- a/roles/webserver-core/letsencrypt/files/letsencrypt-renewal.sh
+++ b/roles/core/certificates/files/letsencrypt-renewal.sh
@@ -4,9 +4,8 @@
# Let's encrypt
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
-# Created: 2016-08-24
# License: Trivial work, not eligible to copyright
-# Source file: roles/webserver-core/letsencrypt/files/letsencrypt-renewal.sh
+# Source file: roles/core/certificates/files/letsencrypt-renewal.sh
# -------------------------------------------------------------
#
# <auto-generated>
@@ -27,5 +26,4 @@
fi;
}
-
-certbot renew && nginx_test && service nginx restart
+certbot renew && nginx_test && nginx -s reload
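Review bot: `certbot renew && nginx_test && nginx -s reload` now runs daily (both the timer and the periodic entry in this diff moved to a daily schedule), so nginx is reloaded every day even when no certificate was renewed, because `certbot renew` exits 0 in that case. Certbot's `--deploy-hook` runs only when a certificate is actually issued, so `certbot renew --deploy-hook <path-to-hook>` with the nginx_test-then-reload logic moved into that hook (a script of your choosing) would limit reloads to real renewals. The `nginx_test` function closed by the hunk's `fi; }` starts outside the hunk. Switching from `service nginx restart` to `nginx -s reload` is an improvement in itself, since a reload does not drop in-flight connections.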
diff --git a/roles/core/certificates/init.sls b/roles/core/certificates/init.sls
--- a/roles/core/certificates/init.sls
+++ b/roles/core/certificates/init.sls
@@ -7,3 +7,4 @@
include:
- .nasqueron
+ - .letsencrypt
diff --git a/roles/core/certificates/letsencrypt.sls b/roles/core/certificates/letsencrypt.sls
new file mode 100644
--- /dev/null
+++ b/roles/core/certificates/letsencrypt.sls
@@ -0,0 +1,97 @@
+# -------------------------------------------------------------
+# Salt - Deploy certificates
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# -------------------------------------------------------------
+
+{% from "map.jinja" import dirs, packages with context %}
+
+{% set has_nginx = salt['node']['has_nginx']() %}
+
+# -------------------------------------------------------------
+# Software
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+letsencrypt_software:
+ pkg.installed:
+ - name: {{ packages.certbot }}
+
+# -------------------------------------------------------------
+# Working directory and configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/var/letsencrypt-auto:
+ file.directory:
+ - user: root
+ - dir_mode: 711
+
+{{ dirs.etc }}/letsencrypt/cli.ini:
+ file.managed:
+ - source: salt://roles/core/certificates/files/cli.ini
+ - makedirs: True
+
+# -------------------------------------------------------------
+# Extra utilities
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ dirs.bin }}/check-letsencrypt-certificates:
+ file.managed:
+ - source: salt://roles/core/certificates/files/check-letsencrypt-certificates.py
+ - mode: 755
+
+{{ dirs.etc }}/letsencrypt/acme-dns-auth:
+ file.managed:
+ - source: salt://roles/core/certificates/files/acme-dns-auth.py
+ - mode: 755
+ - makedirs: True
+
+{{ dirs.bin }}/edit-acme-dns-accounts:
+ file.managed:
+ - source: salt://roles/core/certificates/files/edit-acme-dns-accounts.py
+ - mode: 755
+
+# -------------------------------------------------------------
+# Check and renew certificates daily
+#
+# FreeBSD ... periodic
+# Linux ..... systemd timer
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{% if has_nginx %}
+{% set renewal_script = "letsencrypt-renewal.sh" %}
+{% else %}
+{% set renewal_script = "letsencrypt-renewal-without-nginx.sh" %}
+{% endif %}
+
+/usr/local/sbin/letsencrypt-renewal:
+ file.managed:
+ - source: salt://roles/core/certificates/files/{{ renewal_script }}
+ - mode: 755
+
+{% if grains["os_family"] == "FreeBSD" %}
+
+/usr/local/etc/periodic/daily/730.letsencrypt:
+ file.managed:
+ - source: salt://roles/core/certificates/files/730.letsencrypt
+
+{% elif services["manager"] == "systemd" %}
+
+/etc/systemd/system/letsencrypt-renew.timer:
+ file.managed:
+ - source: salt://roles/core/certificates/files/letsencrypt-renew.timer
+
+/etc/systemd/system/letsencrypt-renew.service:
+ file.managed:
+ - source: salt://roles/core/certificates/files/letsencrypt-renew.service
+
+letsencrypt_renew_enable:
+ service.enabled:
+ - name: letsencrypt-renew
+
+letsencrypt_renew_timer_start:
+ service.running:
+ - name: letsencrypt-renew.timer
+ - enable: True
+
+{% endif %}
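Review bot: `{% elif services["manager"] == "systemd" %}` uses `services`, but the import at the top of this new file only brings in `dirs, packages`; the deleted service.sls imported it explicitly (`{% from "map.jinja" import services with context %}`), so on a non-FreeBSD minion this render will likely fail on an undefined name. Fix: `{% from "map.jinja" import dirs, packages, services with context %}`. Also `salt['node']['has_nginx']()` differs from the call convention used elsewhere in this diff (`salt['node.has']`, `salt['node.get_list']`); `{% set has_nginx = salt['node.has_nginx']() %}` is the documented form, and whether two-level subscripting of the loader works depends on the Salt version. Finally, `/usr/local/etc/acmedns.json`, which acme-dns-auth and edit-acme-dns-accounts now both point at, is not managed here, so the credential file's ownership and mode are left unpinned.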
diff --git a/roles/core/rc/files/periodic.conf b/roles/core/rc/files/periodic.conf
--- a/roles/core/rc/files/periodic.conf
+++ b/roles/core/rc/files/periodic.conf
@@ -3,9 +3,11 @@
# 480.status-ntpd
daily_status_ntpd_enable="YES"
+
+# 730.letsencrypt
+daily_letsencrypt_enable="YES"
+
{% if use_zfs %}
# 800.scrub-zfs
daily_scrub_zfs_enable="YES"
{% endif %}
-# 500.certbot
-weekly_certbot_enable="YES"
diff --git a/roles/paas-docker/init.sls b/roles/paas-docker/init.sls
--- a/roles/paas-docker/init.sls
+++ b/roles/paas-docker/init.sls
@@ -18,7 +18,6 @@
- .wwwroot-content
- .nginx
- .monitoring
- - .letsencrypt
- .wrappers
{% if salt['node.has']('flags:install_docker_devel_tools') %}
- .devel
diff --git a/roles/paas-docker/letsencrypt/init.sls b/roles/paas-docker/letsencrypt/init.sls
deleted file mode 100644
--- a/roles/paas-docker/letsencrypt/init.sls
+++ /dev/null
@@ -1,56 +0,0 @@
-# -------------------------------------------------------------
-# Salt — Provision Docker engine
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Project: Nasqueron
-# Created: 2018-03-16
-# License: Trivial work, not eligible to copyright
-# -------------------------------------------------------------
-
-{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
-
-# -------------------------------------------------------------
-# See also
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-# Wrapper script
-# - wrappers/init.sls
-# - wrappers/files/certbot.sh
-#
-# Image
-# - /pillar/paas/docker.sls
-#
-# Nginx configuration
-# - nginx/files/includes/letsencrypt
-
-# -------------------------------------------------------------
-# Data directory
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-/srv/letsencrypt:
- file.directory
-
-{% if has_selinux %}
-selinux_context_letsencrypt_home:
- selinux.fcontext_policy_present:
- - name: /srv/letsencrypt
- - sel_type: container_file_t
-
-selinux_context_letsencrypt_home_applied:
- selinux.fcontext_policy_applied:
- - name: /srv/letsencrypt
-{% endif %}
-
-# -------------------------------------------------------------
-# Plug-ins
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-/srv/letsencrypt/etc/acme-dns-auth:
- file.managed:
- - source: salt://roles/paas-docker/letsencrypt/files/acme-dns-auth.py
- - mode: 755
- - makedirs: True
-
-/usr/local/bin/edit-acme-dns-accounts:
- file.managed:
- - source: salt://roles/paas-docker/letsencrypt/files/edit-acme-dns-accounts.py
- - mode: 755
diff --git a/roles/paas-docker/wrappers/files/certbot.sh b/roles/paas-docker/wrappers/files/certbot.sh
deleted file mode 100755
--- a/roles/paas-docker/wrappers/files/certbot.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/sh
-
-# -------------------------------------------------------------
-# PaaS Docker
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Project: Nasqueron
-# Created: 2018-03-15
-# License: Trivial work, not eligible to copyright
-# Source file: roles/paas-docker/wrappers/files/certbot.sh
-# -------------------------------------------------------------
-#
-# <auto-generated>
-# This file is managed by our rOPS SaltStack repository.
-#
-# Changes to this file may cause incorrect behavior
-# and will be lost if the state is redeployed.
-# </auto-generated>
-
-if [ "$1" = "acme-dns-certonly" ]; then
- COMMAND=certonly
- EXTRA_ARGS="--manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth --preferred-challenges dns --debug-challenge"
-else
- COMMAND=$1
-fi
-shift
-
-docker run -it --rm \
- -v /srv/letsencrypt/etc:/etc/letsencrypt \
- -v /srv/letsencrypt/var:/var/lib/letsencrypt \
- -v /srv/letsencrypt/log:/var/log/letsencrypt \
- -v /srv/letsencrypt/www:/www \
- certbot/certbot:latest "$COMMAND" $@ $EXTRA_ARGS
diff --git a/roles/paas-docker/wrappers/init.sls b/roles/paas-docker/wrappers/init.sls
--- a/roles/paas-docker/wrappers/init.sls
+++ b/roles/paas-docker/wrappers/init.sls
@@ -12,7 +12,7 @@
# Wrapper binaries
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-{% for command in ['certbot', 'jenkins', 'phpbb', 'mysql', 'openfire', 'geoipupdate'] %}
+{% for command in ['jenkins', 'phpbb', 'mysql', 'openfire', 'geoipupdate'] %}
{{ dirs.bin }}/{{ command }}:
file.managed:
- source: salt://roles/paas-docker/wrappers/files/{{ command }}.sh
diff --git a/roles/webserver-core/init.sls b/roles/webserver-core/init.sls
--- a/roles/webserver-core/init.sls
+++ b/roles/webserver-core/init.sls
@@ -9,6 +9,3 @@
include:
- .nginx
- .tools
- {% if 'paas-docker' not in salt['node.get_list']('roles') %}
- - .letsencrypt
- {% endif %}
diff --git a/roles/webserver-core/letsencrypt/certificates.sls b/roles/webserver-core/letsencrypt/certificates.sls
deleted file mode 100644
--- a/roles/webserver-core/letsencrypt/certificates.sls
+++ /dev/null
@@ -1,20 +0,0 @@
-# -------------------------------------------------------------
-# Salt — Let's encrypt certificates
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Project: Nasqueron
-# Created: 2017-04-27
-# License: Trivial work, not eligible to copyright
-# -------------------------------------------------------------
-
-{% from "map.jinja" import dirs with context %}
-
-# -------------------------------------------------------------
-# Certificates
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-{% for domain in salt['pillar.get']("certificates_letsencrypt:" + grains['id'], []) %}
-certificate_{{ domain }}:
- cmd.run:
- - name: certbot certonly -d {{ domain }}
- - creates: {{ dirs.etc }}/letsencrypt/live/{{ domain }}/fullchain.pem
-{% endfor %}
diff --git a/roles/webserver-core/letsencrypt/init.sls b/roles/webserver-core/letsencrypt/init.sls
deleted file mode 100644
--- a/roles/webserver-core/letsencrypt/init.sls
+++ /dev/null
@@ -1,12 +0,0 @@
-# -------------------------------------------------------------
-# Salt — Let's encrypt certificates
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Project: Nasqueron
-# Created: 2017-04-27
-# License: Trivial work, not eligible to copyright
-# -------------------------------------------------------------
-
-include:
- - .software
- - .service
- - .certificates
diff --git a/roles/webserver-core/letsencrypt/service.sls b/roles/webserver-core/letsencrypt/service.sls
deleted file mode 100644
--- a/roles/webserver-core/letsencrypt/service.sls
+++ /dev/null
@@ -1,44 +0,0 @@
-# -------------------------------------------------------------
-# Salt — Let's encrypt certificates
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Project: Nasqueron
-# Created: 2017-04-27
-# Description: Provide a renewal service
-# License: Trivial work, not eligible to copyright
-# -------------------------------------------------------------
-
-{% from "map.jinja" import services with context %}
-
-# -------------------------------------------------------------
-# Renew script
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-/usr/local/sbin/letsencrypt-renewal:
- file.managed:
- - source: salt://roles/webserver-core/letsencrypt/files/letsencrypt-renewal.sh
- - mode: 755
-
-# -------------------------------------------------------------
-# Unit configuration
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-{% if services['manager'] == 'systemd' %}
-
-letsencrypt_renew_unit:
- file.managed:
- - name: /etc/systemd/system/letsencrypt-renew.service
- - source: salt://roles/webserver-core/letsencrypt/files/letsencrypt-renew.service
- - mode: 644
- module.run:
- - service.force_reload:
- - name: letsencrypt-renew
- - onchanges:
- - file: letsencrypt_renew_unit
-
-letsencrypt_renew_enable:
- service.enabled:
- - name: letsencrypt-renew
- - watch:
- - module: letsencrypt_renew_unit
-
-{% endif %}
diff --git a/roles/webserver-core/letsencrypt/software.sls b/roles/webserver-core/letsencrypt/software.sls
deleted file mode 100644
--- a/roles/webserver-core/letsencrypt/software.sls
+++ /dev/null
@@ -1,44 +0,0 @@
-# -------------------------------------------------------------
-# Salt — Let's encrypt certificates
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-# Project: Nasqueron
-# Created: 2017-04-27
-# License: Trivial work, not eligible to copyright
-# -------------------------------------------------------------
-
-{% from "map.jinja" import dirs, packages with context %}
-
-# -------------------------------------------------------------
-# Software
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-letsencrypt_software:
- pkg.installed:
- - name: {{ packages.certbot }}
-
-# -------------------------------------------------------------
-# Working directory
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-/var/letsencrypt-auto:
- file.directory:
- - user: root
- - dir_mode: 711
-
-# -------------------------------------------------------------
-# Configuration file
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-{{ dirs.etc }}/letsencrypt/cli.ini:
- file.managed:
- - source: salt://roles/webserver-core/letsencrypt/files/cli.ini
- - makedirs: True
-
-# -------------------------------------------------------------
-# Extra utilities
-# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-{{ dirs.bin }}/check-letsencrypt-certificates:
- file.managed:
- - source: salt://roles/webserver-core/letsencrypt/files/check-letsencrypt-certificates.py
- - mode: 755
diff --git a/roles/webserver-core/map.jinja b/roles/webserver-core/map.jinja
--- a/roles/webserver-core/map.jinja
+++ b/roles/webserver-core/map.jinja
@@ -10,9 +10,3 @@
"pid_path": "/run/nginx.pid",
}
}, default="Debian") %}
-
-{% if salt["node.has_role"]("paas-docker") %}
-{% set certbot_dir = "/srv/letsencrypt/www" %}
-{% else %}
-{% set certbot_dir = "/var/letsencrypt-auto" %}
-{% endif %}
diff --git a/roles/webserver-core/nginx/config.sls b/roles/webserver-core/nginx/config.sls
--- a/roles/webserver-core/nginx/config.sls
+++ b/roles/webserver-core/nginx/config.sls
@@ -6,7 +6,7 @@
# -------------------------------------------------------------
{% from "map.jinja" import dirs with context %}
-{% from "roles/webserver-core/map.jinja" import options, certbot_dir with context %}
+{% from "roles/webserver-core/map.jinja" import options with context %}
{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
@@ -58,7 +58,7 @@
nginx_version: {{ salt["nginx.version"]() }}
nginx_dir: {{ dirs.etc }}/nginx
nginx_options: {{ options }}
- certbot_dir: {{ certbot_dir }}
+ certbot_dir: /var/letsencrypt-auto
# -------------------------------------------------------------
# Parameters for Diffie-Hellman
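Review bot: `certbot_dir: /var/letsencrypt-auto` hard-codes the webroot that is also spelled out in letsencrypt.sls (`/var/letsencrypt-auto: file.directory`) and in cli.ini (`webroot-path = /var/letsencrypt-auto`); with `certbot_dir` removed from webserver-core/map.jinja there is no single definition left. A comment such as `# must match webroot-path in roles/core/certificates/files/cli.ini` on this line would at least keep the three from drifting apart.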
D3248: Deploy Certbot everywhere