X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/77cd975164d60c089b6a42b2e9bd128c0e037025..a379aac9967d9c28dae172c6e3141cc559cc63fb:/cookbooks/letsencrypt/recipes/default.rb?ds=sidebyside diff --git a/cookbooks/letsencrypt/recipes/default.rb b/cookbooks/letsencrypt/recipes/default.rb index f08fdf3ac..382a0a58c 100644 --- a/cookbooks/letsencrypt/recipes/default.rb +++ b/cookbooks/letsencrypt/recipes/default.rb @@ -1,14 +1,14 @@ # -# Cookbook Name:: letsencrypt +# Cookbook:: letsencrypt # Recipe:: default # -# Copyright 2017, OpenStreetMap Foundation +# Copyright:: 2017, OpenStreetMap Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # -# http://www.apache.org/licenses/LICENSE-2.0 +# https://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, @@ -17,41 +17,45 @@ # limitations under the License. # -include_recipe "apache::ssl" +include_recipe "accounts" +include_recipe "apache" +include_recipe "chef::knife" keys = data_bag_item("chef", "keys") -package "certbot" -package "ruby" +package %w[ + certbot + ruby +] directory "/etc/letsencrypt" do owner "letsencrypt" group "letsencrypt" - mode 0o755 + mode "755" end directory "/var/lib/letsencrypt" do owner "letsencrypt" group "letsencrypt" - mode 0o755 + mode "755" end directory "/var/log/letsencrypt" do owner "letsencrypt" group "letsencrypt" - mode 0o700 + mode "700" end directory "/srv/acme.openstreetmap.org" do owner "letsencrypt" group "letsencrypt" - mode 0o755 + mode "755" end directory "/srv/acme.openstreetmap.org/html" do owner "letsencrypt" group "letsencrypt" - mode 0o755 + mode "755" end ssl_certificate "acme.openstreetmap.org" do @@ -67,59 +71,66 @@ end directory "/srv/acme.openstreetmap.org/config" do owner "letsencrypt" group "letsencrypt" - mode 0o755 + mode "755" end directory "/srv/acme.openstreetmap.org/work" do owner "letsencrypt" group "letsencrypt" - mode 0o755 + mode "755" end directory "/srv/acme.openstreetmap.org/logs" do owner "letsencrypt" group "letsencrypt" - mode 0o700 + mode "700" end directory "/srv/acme.openstreetmap.org/.chef" do owner "letsencrypt" group "letsencrypt" - mode 0o2775 + mode "2775" end file "/srv/acme.openstreetmap.org/.chef/client.pem" do content keys["letsencrypt"].join("\n") owner "letsencrypt" group "letsencrypt" - mode 0o660 + mode "660" end cookbook_file "/srv/acme.openstreetmap.org/.chef/knife.rb" do source "knife.rb" owner "letsencrypt" group "letsencrypt" - mode 0o660 + mode "660" end remote_directory "/srv/acme.openstreetmap.org/bin" do source "bin" owner "root" group "root" - mode 0o755 + mode "755" files_owner "root" files_group "root" - files_mode 0o755 + files_mode "755" end directory "/srv/acme.openstreetmap.org/requests" do owner "root" group "root" - mode 0o755 + mode "755" end certificates = search(:node, "letsencrypt:certificates").each_with_object({}) do |n, c| - c.merge!(n[:letsencrypt][:certificates]) + n[:letsencrypt][:certificates].each do |name, details| + c[name] ||= details.merge(:nodes => []) + + c[name][:nodes] << { + :name => n[:fqdn], + :address => n.external_ipaddress || n.internal_ipaddress + } + end end certificates.each do |name, details| @@ -127,7 +138,7 @@ certificates.each do |name, details| source "request.erb" owner "root" group "letsencrypt" - mode 0o754 + mode "754" variables details end @@ -138,12 +149,76 @@ certificates.each do |name, details| user "letsencrypt" group "letsencrypt" subscribes :run, "template[/srv/acme.openstreetmap.org/requests/#{name}]" + not_if { kitchen? } + end +end + +Dir.glob("*", :base => "/srv/acme.openstreetmap.org/requests") do |name| + next if certificates.include?(name) + + file "/srv/acme.openstreetmap.org/requests/#{name}" do + action :delete + end + + execute "certbot-delete-#{name}" do + command "/usr/bin/certbot delete --config-dir /srv/acme.openstreetmap.org/config --work-dir /srv/acme.openstreetmap.org/work --logs-dir /srv/acme.openstreetmap.org/logs --cert-name #{name}" + cwd "/srv/acme.openstreetmap.org" + user "letsencrypt" + group "letsencrypt" end end -template "/etc/cron.d/letsencrypt" do - source "cron.erb" +template "/srv/acme.openstreetmap.org/bin/check-certificates" do + source "check-certificates.erb" + owner "root" + group "root" + mode "755" + variables :certificates => certificates +end + +systemd_service "letsencrypt-renew" do + description "Renew letsencrypt certificates" + exec_start "/srv/acme.openstreetmap.org/bin/renew" + user "letsencrypt" + sandbox :enable_network => true + read_write_paths [ + "/srv/acme.openstreetmap.org/config", + "/srv/acme.openstreetmap.org/html", + "/srv/acme.openstreetmap.org/logs", + "/srv/acme.openstreetmap.org/work" + ] +end + +systemd_timer "letsencrypt-renew" do + description "Renew letsencrypt certificates" + on_boot_sec "1h" + on_unit_inactive_sec "12h" +end + +service "letsencrypt-renew.timer" do + action [:enable, :start] +end + +systemd_service "letsencrypt-check" do + description "Check letsencrypt certificates" + exec_start "/srv/acme.openstreetmap.org/bin/check-certificates" + user "letsencrypt" + sandbox :enable_network => true +end + +systemd_timer "letsencrypt-check" do + description "Check letsencrypt certificates" + on_boot_sec "2h" + on_unit_inactive_sec "12h" +end + +service "letsencrypt-check.timer" do + action [:enable, :start] +end + +template "/etc/logrotate.d/letsencrypt" do + source "logrotate.erb" owner "root" group "root" - mode 0o644 + mode "644" end