#
# Create SSL certificates using Letsencrypt
#
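# Per-platform location of the certbot executable, its configuration
# directory and the package(s) that provide it. Other bundles read these
# as $(certbot.exe), $(certbot.certbot_dir) and @(certbot.pkgs).
bundle agent certbot
{
  vars:
      # Challenge mode handed to certbot_cert: "standalone" (default) or a
      # webroot path.
      "webroot" string => "$(wr)";
      "renew"   string => "$(rn)";

    freebsd::
      "certbot_dir" string => "/usr/local/etc/letsencrypt";
      "exe"         string => "/usr/local/bin/certbot";
      "pkgs"        slist  => {"py39-certbot"};

    debian::
      "certbot_dir" string => "/etc/letsencrypt";
      "exe"         string => "/usr/bin/certbot";
      "pkgs"        slist  => {"certbot"};

    centos::
      "certbot_dir" string => "/etc/letsencrypt";
      "exe"         string => "/usr/bin/certbot";
      "pkgs"        slist  => {"epel-release","certbot"};

    fedora::
      "certbot_dir" string => "/etc/letsencrypt";
      "exe"         string => "/usr/bin/certbot";
      "pkgs"        slist  => {"certbot"};

  defaults:
      # Fallbacks so "webroot"/"renew" resolve instead of staying as the
      # literal "$(wr)"/"$(rn)" when nothing sets them.
      "wr" string => "standalone";
      "rn" string => "";

  reports:
    !(freebsd|debian|centos|fedora)::
      # Without these, $(certbot.exe)/$(certbot.certbot_dir)/@(certbot.pkgs)
      # stay unresolved on this host; say so rather than failing silently.
      "certbot: no certbot_dir/exe/pkgs defined for this platform";
}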
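# Install certbot from the platform package list and, on FreeBSD, drop the
# renewal cron job in place.
bundle agent install_certbot
{
  methods:
      # Package names come from certbot.pkgs (per platform). The handle is
      # what the commands in certbot_cert depend on.
      "any" usebundle => wmde_install_packages( @(certbot.pkgs),"certbot"),
            handle => "certbot_installed";

  files:
    freebsd::
      # The source is copied verbatim: local_cp does not render mustache
      # tags, so the template must already be plain crontab text.
      # Entries in cron.d run as root, so pin owner/group/mode explicitly
      # instead of inheriting whatever the created file ends up with.
      "/etc/cron.d/certbot"
        create    => "true",
        perms     => mog("0644","root","wheel"),
        copy_from => local_cp("$(sys.workdir)/inputs/$(def.wmde_libdir)/templates/certbot-cron.mustache");
}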
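# Obtain or update the certificate for one site with certbot.
#   site    - data container read for "domain", "email" and "aliases"
#             (a list of extra hostnames); shape assumed from usage below,
#             verify against the caller
#   webroot - "standalone" (default) or a webroot directory for the
#             HTTP-01 challenge
#
# certbot only runs when the domain set on the installed certificate differs
# from the wanted one, and the real run is gated on a successful --dry-run.
bundle agent certbot_cert(site,webroot)
{
  vars:
      "domain"  string => "$(site[domain])";
      "keytype" string => "rsa";

      # Wanted domain set: primary domain plus aliases, sorted so it can be
      # compared textually with what the installed certificate carries.
      "ds"      slist  => {"$(site[domain])"};
      "domains" slist  => sort(mergedata(@(ds),getvalues(@(site[aliases]))));
      # Renders as "a b c " - the template leaves a trailing space.
      "domains_txt" string => string_mustache("{{#-top-}}{{.}} {{/-top-}}",@(domains));

      "site_json" string => storejson(@(site));
      "args" string => string_mustache(
        "--key-type $(keytype) --cert-name {{domain}} -d {{domain}} {{#aliases}} -d {{.}} {{/aliases}}",
        @(site)
      );
      "webroot_arg" string => ifelse( strcmp("$(webroot)","standalone"),
                                      "--standalone",
                                      "--webroot -w $(webroot)");

      # Domains on the currently installed certificate, as printed by the
      # helper script; assumed to use the same layout and sort order as
      # domains_txt - verify against the script.
      "cert_test_cmd" string => "$(def.wmde_lib)/scripts/get-domains-from-cert.sh $(certbot.certbot_dir)/live/$(site[domain])/cert.pem";
      # noshell: the argv contains policy data ($(site[domain])) and nothing
      # here needs shell features, so the command is exec'd directly instead
      # of being interpreted by a shell.
      "current_domains_txt" string => execresult("/bin/sh $(cert_test_cmd)","noshell"),
        if => isvariable ("site[domain]");

  classes:
      # The appended space matches the trailing space in domains_txt. When
      # current_domains_txt cannot be resolved (no site[domain]) the strings
      # presumably differ as well, which makes certbot run - confirm.
      "run_certbot"
        expression => not (strcmp("$(current_domains_txt) ","$(domains_txt)"));

  defaults:
      "webroot" string => "standalone";
      "domain"  string => "$(site[domain])";

  methods:
      "any" usebundle => install_certbot;

  commands:
    run_certbot::
      # Dry run first; the real request below depends on this promise being
      # kept, so a failing dry run does not consume a production attempt.
      "$(certbot.exe)"
        depends_on => {"certbot_installed"},
        handle     => "certbot_dry_run_ok",
        args       => "certonly --dry-run --agree-tos -n $(webroot_arg) --expand --email $(site[email]) $(args)";

      "$(certbot.exe)"
        depends_on => {"certbot_installed","certbot_dry_run_ok"},
        args       => "certonly --agree-tos -n $(webroot_arg) --expand --email $(site[email]) $(args)";
}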