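#
# Lego: ACME client bundles. Installs the lego package, requests a
# certificate per site via the DNS challenge, and schedules renewal
# (cron job on every platform, plus a systemd timer/service where the
# "systemd" class is set).
#
# NOTE(review): the original source of this file had lost its line breaks;
# the layout below is a reconstruction, the promises themselves are unchanged
# except where a comment says otherwise.
#

# Platform-specific location of the lego binary and its state directory,
# and the package set needed to install and schedule it.
bundle agent lego
{
  vars:
    # Defaults; overridden per platform by the class-guarded promises below.
      "pkgs"     slist  => { "lego" };
      "exe"      string => "/usr/bin/lego";
      "data_dir" string => "/etc/lego";

    debian::
      # The renewal job written by lego_dns_cert is a cron.d file, so cron
      # must be present. (exe/data_dir on Debian equal the defaults above;
      # the redundant redefinitions were dropped.)
      "pkgs"     slist  => { "lego", "cron" };

    freebsd::
      "exe"      string => "/usr/local/bin/lego";
      "data_dir" string => "/usr/local/etc/lego";
}

# Install the lego packages and create the state directory.
# The directory will hold the ACME account key and issued private keys,
# hence mode 750 rather than the default.
bundle agent install_lego
{
  methods:
    "any"
      usebundle  => wmde_install_packages(@(lego.pkgs), "lego");

  files:
    "$(lego.data_dir)/."
      create     => "true",
      perms      => m("750"),
      # "lego_pkgs_installed" is presumably a handle set inside
      # wmde_install_packages; it is not defined in this file.
      depends_on => { "lego_pkgs_installed" },
      handle     => "lego_installed";
}

# Fan out over a data container of site definitions.
#   sites: data container whose values are site definitions in the shape
#          consumed by lego_dns_cert (see its header comment).
bundle agent lego_dns_certs(sites)
{
  vars:
      "idx" slist => getindices(@(sites));

  methods:
      "$(idx)" usebundle => lego_dns_cert(@(sites[$(idx)]));
}

# Issue (when needed) and schedule renewal of the certificate for one site.
#
#   site: data container describing the certificate. Keys read here:
#     domain            primary certificate name
#     aliases           additional names (SANs); read with getvalues()
#     email             ACME account contact
#     dnsapi.provider   value for "lego --dns"
#     dnsapi.key        environment assignment carrying the provider
#                       credentials (used as a crontab env line and as a
#                       shell env prefix, e.g. "SOME_API_KEY=..." — constructed
#                       example, the real variable name is provider specific)
#     lego_raw          extra options for the initial "run"
#     lego_renew_raw    extra options placed before "renew" in the cron job
#     lego_renew_raw2   extra options placed after "renew" in the cron job
#
# A certificate is requested only when the names in the certificate file on
# disk differ from the names the site definition asks for.
bundle agent lego_dns_cert(site)
{
  vars:
      # Helper that prints the names contained in the current certificate.
      "cert_test_cmd" string =>
        "$(def.wmde_lib)/scripts/get-domains-from-cert.sh $(lego.data_dir)/certificates/$(site[domain]).crt";

      # Wanted names: primary domain plus all aliases, sorted so that the
      # comparison with the certificate contents does not depend on order.
      "ds"      slist  => { "$(site[domain])" };
      "domains" slist  => sort(mergedata(@(ds), getvalues(@(site[aliases]))));

      # Space separated with a trailing blank, e.g. "a.example b.example ".
      "domains_txt" string =>
        string_mustache("{{#-top-}}{{.}} {{/-top-}}", @(domains));

      # "-d" arguments for lego: primary domain first, then every alias.
      "args" string =>
        string_mustache("-d {{domain}} {{#aliases}} -d {{.}} {{/aliases}}", @(site));

      # Names in the certificate currently on disk. For the comparison in
      # run_lego to work the helper must print them sorted and space
      # separated (it is compared with a trailing blank appended) — confirm
      # against the script. $(site[domain]) is interpolated into a shell
      # command line here, so site definitions must stay policy controlled.
      "current_domains_txt" string =>
        execresult("/bin/sh $(cert_test_cmd)", "useshell"),
        if     => isvariable("site[domain]"),
        handle => "lego_current_domains_ready";

      # Domain as an identifier usable in file and unit names. Dots are
      # replaced because cron ignores /etc/cron.d entries whose name contains one.
      "site_domain" string =>
        string_replace(string_replace("$(site[domain])", "-", "_"), ".", "_");

      # Site definition extended with the lego paths, for the systemd template.
      "site_options" data =>
        mergedata("site",
                  parsejson('{ "lego_bin": "$(lego.exe)", "lego_data_dir": "$(lego.data_dir)" }')),
        handle => "site_options_ready";

  classes:
      # Request a certificate when the on-disk certificate does not cover
      # exactly the wanted names. An empty helper result (presumably what a
      # missing certificate file yields) also differs and so triggers a run.
      "run_lego"
        expression => not(strcmp("$(current_domains_txt) ", "$(domains_txt)")),
        depends_on => { "lego_current_domains_ready" };

  files:
      # Renewal cron job. The file carries the provider credentials as a
      # crontab environment line, so it must not be world readable: 0600
      # root:root (Debian cron requires root ownership and no group/other
      # write bit; it does not need to be readable by others). The original
      # promise set no perms, leaving the key exposed via the default mode.
      "/etc/cron.d/lego_$(site_domain)"
        create     => "true",
        perms      => mog("0600", "root", "root"),
        content    => "# Managed by CFEngine
$(site[dnsapi][key])
0 0 * * * root $(lego.exe) --path $(lego.data_dir) --email $(site[email]) --dns $(site[dnsapi][provider]) $(args) $(site[lego_renew_raw]) renew $(site[lego_renew_raw2])
",
        depends_on => { "lego_installed" };

    systemd::
      # The timer unit is a static copy; the service unit is rendered from
      # site_options. Repairing either sets a class that triggers daemon-reload.
      "/etc/systemd/system/lego_$(site_domain).timer"
        perms      => mog('644','root','root'),
        copy_from  => local_cp("$(sys.workdir)/inputs/wmdelib/templates/lego.timer.txt"),
        depends_on => { "lego_installed" },
        classes    => if_repaired("systemd_timer_units"),
        handle     => "systemd_timer_$(site_domain)_copied";

      "/etc/systemd/system/lego_$(site_domain).service"
        perms           => mog('644','root','root'),
        edit_template   => "$(sys.workdir)/inputs/wmdelib/templates/lego.service.txt",
        template_data   => @{site_options},
        template_method => "mustache",
        depends_on      => { "lego_installed", "site_options_ready" },
        classes         => if_repaired("systemd_service_units"),
        handle          => "systemd_service_$(site_domain)_copied";

      # Credentials file, presumably read by the service template (not visible
      # here). NOTE(review): the path is fixed (/etc/lego, not $(lego.data_dir)),
      # named after a single provider, and shared by every site this bundle is
      # called for, so sites with different keys overwrite each other's file.
      "/etc/lego/hosting.de.env"
        content    => "$(site[dnsapi][key])",
        perms      => mog("0600", "root", "root"),
        depends_on => { "lego_installed" };

  commands:
    run_lego::
      # Initial issuance. --accept-tos accepts the CA's terms of service.
      # NOTE(review): the credentials are part of the command string, so they
      # can show up in command logging and in the wrapping shell's argument
      # list; sourcing them from a 0600 file would avoid that.
      "$(site[dnsapi][key]) $(lego.exe) --path $(lego.data_dir) --accept-tos $(site[lego_raw]) --email $(site[email]) --dns $(site[dnsapi][provider]) $(args) run"
        contain    => wmde_cmd_useshell,
        depends_on => { "lego_installed" };

    systemd_timer_units|systemd_service_units::
      # Pick up new or changed unit files. CFEngine evaluates services before
      # commands in normal ordering, so the timer start below may only succeed
      # on a later pass of the same run, after this has executed.
      "/usr/bin/systemctl" args => "daemon-reload";

  services:
    systemd::
      "lego_$(site_domain).timer"
        service_policy => "start",
        service_method => generic_systemd_at_boot,
        depends_on     => { "systemd_timer_$(site_domain)_copied" };

  reports:
    # Debugging output, kept disabled:
    #   "COMMAND: $(cert_test_cmd)";
    #   "CMP: $(current_domains_txt) $(domains_txt)";
    #   "LEGO IS INSTALLED" depends_on => { "lego_installed" };
    #   run_lego::
    #     "MUST RUN LEGO";
    #   !run_lego::
    #     "MUST NOT RUN LEGO";
}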