From 1240ed9da8b6ca1b59ed20708ad4052f8fda7178 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Thu, 5 Dec 2019 15:47:10 +0100
Subject: [PATCH] Move the dirsrv cert generation to a certbot deploy hook

---
 site-cookbooks/kosmos-dirsrv/metadata.rb | 1 +
 .../kosmos-dirsrv/resources/instance.rb | 40 ++++++++++++-------
 2 files changed, 27 insertions(+), 14 deletions(-)

diff --git a/site-cookbooks/kosmos-dirsrv/metadata.rb b/site-cookbooks/kosmos-dirsrv/metadata.rb
index 7bcc0a0..5e7a819 100644
--- a/site-cookbooks/kosmos-dirsrv/metadata.rb
+++ b/site-cookbooks/kosmos-dirsrv/metadata.rb
@@ -12,3 +12,4 @@ depends "apt"
 depends "ulimit"
 depends "backup"
 depends "kosmos-nginx"
+depends "kosmos-base"
diff --git a/site-cookbooks/kosmos-dirsrv/resources/instance.rb b/site-cookbooks/kosmos-dirsrv/resources/instance.rb
index 47bc738..e9a59a7 100644
--- a/site-cookbooks/kosmos-dirsrv/resources/instance.rb
+++ b/site-cookbooks/kosmos-dirsrv/resources/instance.rb
@@ -80,6 +80,32 @@ action :create do
   end
 
   include_recipe "kosmos-nginx"
+  include_recipe "kosmos-base::letsencrypt"
+
+  dirsrv_hook = <<-EOF
+  #!/usr/bin/env bash
+
+  set -e
+
+  # Copy the dirsrv certificate and restart the server if it has been renewed
+  # This is necessary because dirsrv uses a different format for the certificates
+  for domain in $RENEWED_DOMAINS; do
+    case $domain in
+    #{new_resource.hostname})
+      openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass:
+      pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W ''
+      systemctl restart #{service_name}
+      ;;
+    esac
+  done
+  EOF
+
+  file "/etc/letsencrypt/renewal-hooks/deploy/dirsrrv" do
+    content dirsrv_hook
+    mode 0755
+    owner "root"
+    group "root"
+  end
 
   template "#{node['nginx']['dir']}/sites-available/#{new_resource.hostname}" do
     source 'nginx_conf_empty.erb'
@@ -88,20 +114,6 @@ action :create do
   end
 
   nginx_certbot_site new_resource.hostname do
-    notifies :run, "execute[generate p12 cert]", :immediately
-  end
-
-  # Merge the full chain and private key into one cert, to import into the
-  # dirsrv dir
-  execute "generate p12 cert" do
-    command "openssl pkcs12 -export -in /etc/letsencrypt/live/#{new_resource.hostname}/fullchain.pem -inkey /etc/letsencrypt/live/#{new_resource.hostname}/privkey.pem -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass:"
-    action :nothing
-    notifies :run, "execute[import p12 cert]", :immediately
-  end
-
-  execute "import p12 cert" do
-    command "pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W ''"
-    action :nothing
     notifies :run, "execute[add tls config]", :immediately
   end
 
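Review bot: The hook writes the PKCS#12 bundle, which contains the unencrypted private key (`-passout pass:`), to `#{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12` and never removes it, so every renewal leaves a copy of the key in the Chef cache with whatever permissions root's umask gives `openssl`; the removed `execute` resources had the same gap, but the hook is the right place to close it, by writing the bundle to a `mktemp` path under `umask 077` and deleting it with a `trap` once `pk12util` has imported it (see below). Two smaller points: the target path `/etc/letsencrypt/renewal-hooks/deploy/dirsrrv` looks like a typo for `dirsrv`, and because the heredoc is `<<-EOF` rather than `<<~EOF`, any indentation on the heredoc lines is kept in the generated script, so it is worth confirming that `#!/usr/bin/env bash` actually lands at column 0. It is also worth confirming that `pk12util -i` replaces an existing `Server-Cert` nickname rather than failing on a duplicate, since under `set -e` that failure would skip the `systemctl restart`. The enclosing `action :create` block starts and ends outside this hunk.
```ruby
  dirsrv_hook = <<~EOF
    #!/usr/bin/env bash

    set -e
    # The PKCS#12 bundle holds the private key without a passphrase: keep it
    # unreadable to other users and remove it once pk12util has imported it
    umask 077
    p12="$(mktemp)"
    trap 'rm -f "$p12"' EXIT

    # Copy the dirsrv certificate and restart the server if it has been renewed
    # This is necessary because dirsrv uses a different format for the certificates
    for domain in $RENEWED_DOMAINS; do
      case $domain in
      #{new_resource.hostname})
        openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out "$p12" -name 'Server-Cert' -passout pass:
        pk12util -i "$p12" -d #{inst_dir} -W ''
        systemctl restart #{service_name}
        ;;
      esac
    done
  EOF
  # … unchanged: file resource writing the hook under /etc/letsencrypt/renewal-hooks/deploy/ …
```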
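Review bot: With the `execute` chain removed, `nginx_certbot_site` now notifies `execute[add tls config]` immediately, but the import of the certificate into the NSS database in `#{inst_dir}` only happens when certbot runs the deploy hook, so on a fresh node `add tls config` can run before `Server-Cert` exists; it is worth confirming, for the certbot version shipped on the node, that scripts in `renewal-hooks/deploy` fire on first issuance and not only on renewals. If they do not, keeping a one-off import after the first issuance, or guarding `add tls config` with a `not_if` that checks `certutil -L -d <inst_dir> -n Server-Cert`, would preserve the ordering the old chain guaranteed. Nodes that already hold a certificate will likewise not see an import until the next renewal, which is fine once the old chain has run there, but worth stating in the commit message. `execute[add tls config]` and the rest of `action :create` are outside this hunk.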