Extract the post hooks to their own script in Certbot's config dir

2019-03-14 15:21:50 +01:00 · 2019-03-14 15:21:50 +01:00 · 65482f09c3
commit 65482f09c3
parent 36e046ea73
2 changed files with 35 additions and 36 deletions
--- a/site-cookbooks/5apps-xmpp_server/recipes/letsencrypt.rb
+++ b/site-cookbooks/5apps-xmpp_server/recipes/letsencrypt.rb
@ -2,6 +2,38 @@

 include_recipe "kosmos-base::letsencrypt"

+prosody_post_hook = <<-EOF
+#!/usr/bin/env bash
+
+# Copy the prosody certificates and restart the server if it has been renewed
+# This is necessary because the prosody user doesn't have access to the
+# letsencrypt live folder
+for domain in $RENEWED_DOMAINS; do
+  case $domain in
+  # Do not copy over when renewing other 5apps.com domains
+  5apps.com)
+    cp "${RENEWED_LINEAGE}/fullchain.pem" /etc/prosody/certs/5apps.com.crt
+    cp "${RENEWED_LINEAGE}/privkey.pem" /etc/prosody/certs/5apps.com.key
+    cp "${RENEWED_LINEAGE}/fullchain.pem" /etc/prosody/certs/muc.5apps.com.crt
+    cp "${RENEWED_LINEAGE}/privkey.pem" /etc/prosody/certs/muc.5apps.com.key
+    cp "${RENEWED_LINEAGE}/fullchain.pem" /etc/prosody/certs/xmpp.5apps.com.crt
+    cp "${RENEWED_LINEAGE}/privkey.pem" /etc/prosody/certs/xmpp.5apps.com.key
+    chown prosody:prosody /etc/prosody/certs/*
+    chmod 600 /etc/prosody/certs/*.key
+    chmod 640 /etc/prosody/certs/*.crt
+    systemctl restart prosody
+    ;;
+  esac
+done
+EOF
+
+file "/etc/letsencrypt/renewal-hooks/post/prosody" do
+  content prosody_post_hook
+  mode 0755
+  owner "root"
+  group "root"
+end
+
 gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')

 template "/root/letsencrypt_hook.sh" do
@ -17,4 +49,3 @@ execute "letsencrypt cert for 5apps xmpp" do
    File.exist?("/etc/prosody/certs/5apps.com.crt")
  end
 end
-
--- a/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
+++ b/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
@ -15,45 +15,13 @@ end

 package "certbot"

-letsencrypt_renew_hook = <<-EOF
+file "/etc/letsencrypt/renewal-hooks/post/nginx" do
+  content <<-EOF
 #!/usr/bin/env bash
-
 # Reloading nginx is enough to read the new certificates
 systemctl reload nginx
-
-# Copy the prosody certificates and restart the server if it has been renewed
-# This is necessary because the prosody user doesn't have access to the
-# letsencrypt live folder
-for domain in $RENEWED_DOMAINS; do
-  case $domain in
-  # Do not copy over when renewing other 5apps.com domains
-  5apps.com)
-    cp "${RENEWED_LINEAGE}/fullchain.pem" /etc/prosody/certs/5apps.com.crt
-    cp "${RENEWED_LINEAGE}/privkey.pem" /etc/prosody/certs/5apps.com.key
-    cp "${RENEWED_LINEAGE}/fullchain.pem" /etc/prosody/certs/muc.5apps.com.crt
-    cp "${RENEWED_LINEAGE}/privkey.pem" /etc/prosody/certs/muc.5apps.com.key
-    cp "${RENEWED_LINEAGE}/fullchain.pem" /etc/prosody/certs/xmpp.5apps.com.crt
-    cp "${RENEWED_LINEAGE}/privkey.pem" /etc/prosody/certs/xmpp.5apps.com.key
-    chown prosody:prosody /etc/prosody/certs/*
-    chmod 600 /etc/prosody/certs/*.key
-    chmod 640 /etc/prosody/certs/*.crt
-    systemctl restart prosody
-    ;;
-  esac
-done
-EOF
-
-file "/usr/local/bin/letsencrypt_renew_hook" do
-  content letsencrypt_renew_hook
+  EOF
  mode 0755
  owner "root"
  group "root"
 end
-
-cron "renew Let's Encrypt certificates" do
-  minute "0"
-  hour "4"
-  mailto "logs@5apps.com"
-  # The hook is only executed if a cert has been renewed
-  command "/usr/bin/certbot renew --deploy-hook letsencrypt_renew_hook -n 1> /dev/null"
-end