HomeDevCentral
Diffusion Nasqueron Operations 1e9a54c10365

Deploy Certbot everywhere
1e9a54c10365
Actions

Description

Deploy Certbot everywhere

Summary:
Currently, certbot was deployed:

  • as a system package on webserver-core
  • as a Docker container and wrapper, with DNS hook on paas-docker
  • not at all elsewhere

This change merges the different units as a part of the roles/core/certificates
unit to have a consistent installation through all machines, Docker included.

Don't try to issue certificate, as to use DNS registration, we currently
need a manual intervention to add a CNAME DNS records for the _acme_challenge.
verification subdomain.

Certificates are renewed with a daily script running certbot renew, installed
through periodic on FreeBSD or as a systemd timer on Linux with systemd nodes.

Ref T1505.

Test Plan: Deploy on Hervil

Reviewers: DorianWinty

Reviewed By: DorianWinty

Maniphest Tasks: T1505

Differential Revision: https://devcentral.nasqueron.org/D3248

Details

Provenance
derecksonAuthored on Dec 16 2023, 00:51
derecksonPushed on Jul 25 2024, 20:41
Reviewer
DorianWinty
Differential Revision
D3248: Deploy Certbot everywhere
Parents
rOPSfc0d46d845df: Configure pg_HBA for dovecot user
Branches
Unknown
Tags
Unknown
Tasks
T1505: Automate Let's Encrypt TLS certificates management for every server

Changes (40)

PathSize
_modules/
_tests/
scripts/
bats/
python/
pillar/
roles/
core/
certificates/
files/
userland-software/
files/
730.letsencrypt
720.portsnap
certificates/
files/
salt/
files/
certificates/
rc/
files/
core/
certificates/
files/
paas-docker/
letsencrypt/
files/
core/
certificates/
files/
webserver-core/
letsencrypt/
files/
paas-docker/
wrappers/
files/
webserver-core/
nginx/

rOPS1e9a54c10365

View Options

_modules/node.py

Loading...
View Options

_tests/scripts/bats/test_edit_acme_dns_accounts.sh

Loading...
View Options

_tests/scripts/python/test_edit_acme_dns_accounts.py

Loading...
View Options

pillar/certificates

Loading...
View Options

pillar/certificates/certificates.sls

Loading...
View Options

pillar/top.sls

Loading...
View Options

roles/core/certificates/files/730.letsencrypt

Loading...
View Options

roles/core/certificates/files/acme-dns-auth.py

Loading...
View Options

roles/core/certificates/files/check-letsencrypt-certificates.py

Loading...
View Options

roles/core/certificates/files/cli.ini

Loading...
View Options

roles/core/certificates/files/edit-acme-dns-accounts.py

Loading...
View Options

roles/core/certificates/files/letsencrypt-renew.service

Loading...
View Options

roles/core/certificates/files/letsencrypt-renew.timer

Loading...
View Options

roles/core/certificates/files/letsencrypt-renewal-without-nginx.sh

Loading...
View Options

roles/core/certificates/files/letsencrypt-renewal.sh

Loading...
View Options

roles/core/certificates/init.sls

Loading...
View Options

roles/core/certificates/letsencrypt.sls

Loading...
View Options

roles/core/rc/files/periodic.conf

Loading...
View Options

roles/paas-docker/init.sls

Loading...
View Options

roles/paas-docker/letsencrypt

Loading...
View Options

roles/paas-docker/letsencrypt/files

Loading...
View Options

roles/paas-docker/letsencrypt/files/acme-dns-auth.py

Loading...
View Options

roles/paas-docker/letsencrypt/files/edit-acme-dns-accounts.py

Loading...
View Options

roles/paas-docker/letsencrypt/init.sls

Loading...
View Options

roles/paas-docker/wrappers/files/certbot.sh

Loading...
View Options

roles/paas-docker/wrappers/init.sls

Loading...
View Options

roles/webserver-core/init.sls

Loading...
View Options

roles/webserver-core/letsencrypt

Loading...
View Options

roles/webserver-core/letsencrypt/certificates.sls

Loading...
View Options

roles/webserver-core/letsencrypt/files

Loading...
View Options

roles/webserver-core/letsencrypt/files/check-letsencrypt-certificates.py

Loading...
View Options

roles/webserver-core/letsencrypt/files/cli.ini

Loading...
View Options

roles/webserver-core/letsencrypt/files/letsencrypt-renew.service

Loading...
View Options

roles/webserver-core/letsencrypt/files/letsencrypt-renew.timer

Loading...
View Options

roles/webserver-core/letsencrypt/files/letsencrypt-renewal.sh

Loading...
View Options

roles/webserver-core/letsencrypt/init.sls

Loading...
View Options

roles/webserver-core/letsencrypt/service.sls

Loading...
View Options

roles/webserver-core/letsencrypt/software.sls

Loading...
View Options

roles/webserver-core/map.jinja

Loading...
View Options

roles/webserver-core/nginx/config.sls

Loading...
Nasqueron DevCentral · If it had been much bigger the moon would have had a core of ice. · Powered by Phabricator