#
# Create SSL/TLS certificates using Let's Encrypt
#
bundle agent certbot
# Platform-specific settings shared by the other certbot bundles: where the
# certbot executable and its state directory live, and which packages
# provide it on each OS family.
{
  vars:
      # Challenge mode and renew hint, taken from wr / rn; the defaults:
      # section supplies values for those when nothing else sets them.
      "webroot" string => "$(wr)";
      "renew"   string => "$(rn)";

    freebsd::
      "certbot_dir" string => "/usr/local/etc/letsencrypt";
      "exe"         string => "/usr/local/bin/certbot";
      "pkgs"        slist  => {"py39-certbot"};

    debian|centos|fedora::
      # Same FHS locations on all three Linux families.
      "certbot_dir" string => "/etc/letsencrypt";
      "exe"         string => "/usr/bin/certbot";

    debian::
      "pkgs" slist => {"certbot"};

    centos::
      # certbot is provided via EPEL on CentOS, so that repository is
      # installed first.
      "pkgs" slist => {"epel-release","certbot"};

    fedora::
      "pkgs" slist => {"certbot"};

  defaults:
      "wr" string => "standalone";
      "rn" string => "";
}
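bundle agent install_certbot
# Install certbot for this platform and, on FreeBSD, a root cron job that
# renews the certificates.  Called from certbot_cert (methods:).
{
  methods:
      # Package list is per-OS, see certbot.pkgs.  The handle is what the
      # commands in certbot_cert wait for via depends_on.
      "any" usebundle => wmde_install_packages( @(certbot.pkgs),"certbot"),
      handle => "certbot_installed";

  files:
    freebsd::
      # Renewal cron entry.  Only FreeBSD gets one here, presumably because
      # the Linux packages ship their own timer/cron job -- confirm.
      # The file is copied verbatim (not rendered), so the template must
      # contain no mustache tags; it replaces the formerly inline content
      # that ran "certbot -q renew --no-random-sleep-on-renew" as root
      # every 12 hours.
      # The entry runs as root, so pin ownership and a mode that is not
      # group/world-writable instead of leaving it to the agent's umask.
      "/etc/cron.d/certbot"
      create => "true",
      perms => mog("0644","root","wheel"),
      copy_from => local_cp("$(sys.workdir)/inputs/$(def.wmde_libdir)/templates/certbot-cron.mustache");
}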
bundle agent certbot_cert(site,webroot)
{
  # Obtain (or re-issue) a Let's Encrypt certificate for one site.
  #
  # Parameters:
  #   site    - data container; the keys read below are site[domain],
  #             site[aliases] (extra names) and site[email].
  #   webroot - "standalone" (default) to let certbot serve the challenge
  #             itself, or a directory path for the webroot plugin.
  #
  # certbot runs only when the names in the installed certificate differ
  # from the configured ones (class run_certbot), and the real run is gated
  # on a successful --dry-run in the same agent run.

  vars:
      "domain" string => "$(site[domain])";
      # Passed to certbot as --key-type; fixed here.
      "keytype" string => "rsa";

      # Desired name set: primary domain plus all aliases, sorted so the
      # text form below does not depend on data-file order.
      "ds" slist => {"$(site[domain])"};
      "domains" slist => sort(mergedata(@(ds),getvalues(@(site[aliases]))));
      # One name per item, each followed by a space -- hence the trailing
      # space added in the run_certbot comparison below.
      "domains_txt" string => string_mustache("{{#-top-}}{{.}} {{/-top-}}",@(domains));

      # JSON dump of the site container; not referenced within this bundle
      # (debugging / reporting aid).
      "site_json" string => storejson(@(site));
      # certbot name arguments.  The certificate is always named after the
      # primary domain so --expand re-issues the same lineage.
      "args" string => string_mustache(
        "--key-type $(keytype) --cert-name {{domain}} -d {{domain}} {{#aliases}} -d {{.}} {{/aliases}}",
        @(site)
      );

      # Challenge plugin selection, see the webroot parameter.
      "webroot_arg" string => ifelse( strcmp("$(webroot)","standalone"),
        "--standalone",
        "--webroot -w $(webroot)");

      # Helper script that prints the names in the currently installed
      # certificate; its output format is assumed to equal domains_txt
      # minus the trailing space -- confirm against the script.
      "cert_test_cmd" string => "$(def.wmde_lib)/scripts/get-domains-from-cert.sh $(certbot.certbot_dir)/live/$(site[domain])/cert.pem";

      # NOTE(review): $(site[domain]) and $(def.wmde_lib) are interpolated
      # into a command line that is handed to a shell ("useshell").  The
      # command uses no shell features, so "noshell" would do the same job
      # without interpreting metacharacters in the site data; if "useshell"
      # is kept, the site data must come from a trusted source.  The helper
      # runs on every agent run.
      "current_domains_txt" string => execresult("/bin/sh $(cert_test_cmd)","useshell"),
      if => isvariable ("site[domain]");

  files:
      # Intentionally empty.  An earlier revision tracked issuance with a
      # "<domain>-cert-created" marker under $(sys.workdir)/data/agent/certbot
      # and a class set on repair; the installed certificate is compared
      # directly instead (see classes: below).

  classes:
      # Re-run certbot whenever the installed certificate's names differ
      # from the configured set.  When the certificate is missing the
      # helper's output presumably differs as well, so the class is set.
      # The literal trailing space matches domains_txt's per-item " ".
      "run_certbot"
      expression => not (strcmp("$(current_domains_txt) ","$(domains_txt)"));

  defaults:
      "webroot" string => "standalone";
      "domain" string => "$(site[domain])";

  methods:
      # Ensure certbot (and, on FreeBSD, the renewal cron job) is present;
      # this sets the certbot_installed handle used by depends_on below.
      "any" usebundle => install_certbot;

  commands:
    run_certbot::
      # Step 1: --dry-run (certbot's staging endpoint).  Its handle gates
      # the real run below, so a misconfiguration fails here without
      # touching the production lineage or its rate limits.
      # NOTE(review): with no contain body the agent runs the command
      # without a shell and splits args on whitespace, so whitespace inside
      # site[email] or a domain would become extra certbot arguments.
      # Passing the values through arglist would avoid that -- confirm the
      # agent version in use supports it.
      "$(certbot.exe)"
      depends_on => {"certbot_installed"},
      handle => "certbot_dry_run_ok",
      args => "certonly --dry-run --agree-tos -n $(webroot_arg) --expand --email $(site[email]) $(args)";

    run_certbot::
      # Step 2: the real issuance, only after the dry run was kept or
      # repaired in this agent run.
      "$(certbot.exe)"
      depends_on => {"certbot_installed","certbot_dry_run_ok"},
      args => "certonly --agree-tos -n $(webroot_arg) --expand --email $(site[email]) $(args)";

  reports:
      # (no reports)
}