X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/18e12b0e123fc3e5f344682f884feabc12da0f5a..2ecb8ca90ac730ada6e083aebd8f3265033f46d5:/cookbooks/letsencrypt/recipes/default.rb diff --git a/cookbooks/letsencrypt/recipes/default.rb b/cookbooks/letsencrypt/recipes/default.rb index 92c8311de..c41732cf6 100644 --- a/cookbooks/letsencrypt/recipes/default.rb +++ b/cookbooks/letsencrypt/recipes/default.rb @@ -1,8 +1,8 @@ # -# Cookbook Name:: letsencrypt +# Cookbook:: letsencrypt # Recipe:: default # -# Copyright 2017, OpenStreetMap Foundation +# Copyright:: 2017, OpenStreetMap Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,6 +17,7 @@ # limitations under the License. # +include_recipe "accounts" include_recipe "apache" keys = data_bag_item("chef", "keys") @@ -29,31 +30,31 @@ package %w[ directory "/etc/letsencrypt" do owner "letsencrypt" group "letsencrypt" - mode 0o755 + mode "755" end directory "/var/lib/letsencrypt" do owner "letsencrypt" group "letsencrypt" - mode 0o755 + mode "755" end directory "/var/log/letsencrypt" do owner "letsencrypt" group "letsencrypt" - mode 0o700 + mode "700" end directory "/srv/acme.openstreetmap.org" do owner "letsencrypt" group "letsencrypt" - mode 0o755 + mode "755" end directory "/srv/acme.openstreetmap.org/html" do owner "letsencrypt" group "letsencrypt" - mode 0o755 + mode "755" end ssl_certificate "acme.openstreetmap.org" do @@ -69,62 +70,65 @@ end directory "/srv/acme.openstreetmap.org/config" do owner "letsencrypt" group "letsencrypt" - mode 0o755 + mode "755" end directory "/srv/acme.openstreetmap.org/work" do owner "letsencrypt" group "letsencrypt" - mode 0o755 + mode "755" end directory "/srv/acme.openstreetmap.org/logs" do owner "letsencrypt" group "letsencrypt" - mode 0o700 + mode "700" end directory "/srv/acme.openstreetmap.org/.chef" do owner "letsencrypt" group "letsencrypt" - mode 0o2775 + mode "2775" end file "/srv/acme.openstreetmap.org/.chef/client.pem" do content keys["letsencrypt"].join("\n") owner "letsencrypt" group "letsencrypt" - mode 0o660 + mode "660" end cookbook_file "/srv/acme.openstreetmap.org/.chef/knife.rb" do source "knife.rb" owner "letsencrypt" group "letsencrypt" - mode 0o660 + mode "660" end remote_directory "/srv/acme.openstreetmap.org/bin" do source "bin" owner "root" group "root" - mode 0o755 + mode "755" files_owner "root" files_group "root" - files_mode 0o755 + files_mode "755" end directory "/srv/acme.openstreetmap.org/requests" do owner "root" group "root" - mode 0o755 + mode "755" end certificates = search(:node, "letsencrypt:certificates").each_with_object({}) do |n, c| n[:letsencrypt][:certificates].each do |name, details| c[name] ||= details.merge(:nodes => []) - c[name][:nodes] << { :name => n[:fqdn], :address => n[:ipaddress] } + c[name][:nodes] << { + :name => n[:fqdn], + :address => n.external_ipaddress || n.internal_ipaddress + } end end @@ -133,7 +137,7 @@ certificates.each do |name, details| source "request.erb" owner "root" group "letsencrypt" - mode 0o754 + mode "754" variables details end @@ -144,6 +148,22 @@ certificates.each do |name, details| user "letsencrypt" group "letsencrypt" subscribes :run, "template[/srv/acme.openstreetmap.org/requests/#{name}]" + not_if { ENV["TEST_KITCHEN"] } + end +end + +Dir.glob("*", :base => "/srv/acme.openstreetmap.org/requests") do |name| + next if certificates.include?(name) + + file "/srv/acme.openstreetmap.org/requests/#{name}" do + action :delete + end + + execute "certbot-delete-#{name}" do + command "/usr/bin/certbot delete --config-dir /srv/acme.openstreetmap.org/config --work-dir /srv/acme.openstreetmap.org/work --logs-dir /srv/acme.openstreetmap.org/logs --cert-name #{name}" + cwd "/srv/acme.openstreetmap.org" + user "letsencrypt" + group "letsencrypt" end end @@ -151,13 +171,29 @@ template "/srv/acme.openstreetmap.org/bin/check-certificates" do source "check-certificates.erb" owner "root" group "root" - mode 0o755 + mode "755" variables :certificates => certificates end -template "/etc/cron.d/letsencrypt" do - source "cron.erb" +cron_d "letencrypt-renew" do + minute "00" + hour "*/12" + user "letsencrypt" + command "/srv/acme.openstreetmap.org/bin/renew" + mailto "admins@openstreetmap.org" +end + +cron_d "letencrypt-check" do + minute "30" + hour "*/12" + user "letsencrypt" + command "/srv/acme.openstreetmap.org/bin/check-certificates" + mailto "admins@openstreetmap.org" +end + +template "/etc/logrotate.d/letsencrypt" do + source "logrotate.erb" owner "root" group "root" - mode 0o644 + mode "644" end