X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/eecaf26698348adf3d3b64ea680ad82f959a5ae4..828106968b104d9a74f87dfabd724ad7e8e1cf5b:/cookbooks/letsencrypt/recipes/default.rb

diff --git a/cookbooks/letsencrypt/recipes/default.rb b/cookbooks/letsencrypt/recipes/default.rb
index c41732cf6..3e492f6af 100644
--- a/cookbooks/letsencrypt/recipes/default.rb
+++ b/cookbooks/letsencrypt/recipes/default.rb
@@ -19,13 +19,12 @@
 
 include_recipe "accounts"
 include_recipe "apache"
+include_recipe "chef::knife"
+include_recipe "ruby"
 
 keys = data_bag_item("chef", "keys")
 
-package %w[
-  certbot
-  ruby
-]
+package "certbot"
 
 directory "/etc/letsencrypt" do
   owner "letsencrypt"
@@ -115,6 +114,13 @@ remote_directory "/srv/acme.openstreetmap.org/bin" do
   files_mode "755"
 end
 
+template "/srv/acme.openstreetmap.org/bin/upload" do
+  source "upload.erb"
+  owner "root"
+  group "root"
+  mode "755"
+end
+
 directory "/srv/acme.openstreetmap.org/requests" do
   owner "root"
   group "root"
@@ -148,7 +154,7 @@ certificates.each do |name, details|
     user "letsencrypt"
     group "letsencrypt"
     subscribes :run, "template[/srv/acme.openstreetmap.org/requests/#{name}]"
-    not_if { ENV["TEST_KITCHEN"] }
+    not_if { kitchen? }
   end
 end
 
@@ -167,6 +173,13 @@ Dir.glob("*", :base => "/srv/acme.openstreetmap.org/requests") do |name|
   end
 end
 
+template "/srv/acme.openstreetmap.org/bin/check-certificate" do
+  source "check-certificate.erb"
+  owner "root"
+  group "root"
+  mode "755"
+end
+
 template "/srv/acme.openstreetmap.org/bin/check-certificates" do
   source "check-certificates.erb"
   owner "root"
@@ -175,20 +188,44 @@ template "/srv/acme.openstreetmap.org/bin/check-certificates" do
   variables :certificates => certificates
 end
 
-cron_d "letencrypt-renew" do
-  minute "00"
-  hour "*/12"
+systemd_service "letsencrypt-renew" do
+  description "Renew letsencrypt certificates"
+  exec_start "/srv/acme.openstreetmap.org/bin/renew"
   user "letsencrypt"
-  command "/srv/acme.openstreetmap.org/bin/renew"
-  mailto "admins@openstreetmap.org"
+  sandbox :enable_network => true
+  read_write_paths [
+    "/srv/acme.openstreetmap.org/config",
+    "/srv/acme.openstreetmap.org/html",
+    "/srv/acme.openstreetmap.org/logs",
+    "/srv/acme.openstreetmap.org/work"
+  ]
+end
+
+systemd_timer "letsencrypt-renew" do
+  description "Renew letsencrypt certificates"
+  on_boot_sec "1h"
+  on_unit_inactive_sec "12h"
+end
+
+service "letsencrypt-renew.timer" do
+  action [:enable, :start]
 end
 
-cron_d "letencrypt-check" do
-  minute "30"
-  hour "*/12"
+systemd_service "letsencrypt-check" do
+  description "Check letsencrypt certificates"
+  exec_start "/srv/acme.openstreetmap.org/bin/check-certificates"
   user "letsencrypt"
-  command "/srv/acme.openstreetmap.org/bin/check-certificates"
-  mailto "admins@openstreetmap.org"
+  sandbox :enable_network => true
+end
+
+systemd_timer "letsencrypt-check" do
+  description "Check letsencrypt certificates"
+  on_boot_sec "2h"
+  on_unit_inactive_sec "12h"
+end
+
+service "letsencrypt-check.timer" do
+  action [:enable, :start]
 end
 
 template "/etc/logrotate.d/letsencrypt" do