From 7636f6ed195eac0dd83ee6ec6a2c97b1d906437b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Greg=20Kar=C3=A9kinian?=
Date: Wed, 25 Nov 2020 16:26:11 +0100
Subject: [PATCH] Move the Gandi DNS certbot hook to kosmos-ejabberd
---
 site-cookbooks/kosmos-base/recipes/letsencrypt.rb | 8 --------
 site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb | 11 +++++++++--
 .../templates}/gandi_dns_certbot_hook.sh.erb | 0
 3 files changed, 9 insertions(+), 10 deletions(-)
 rename site-cookbooks/{kosmos-base/templates/default => kosmos-ejabberd/templates}/gandi_dns_certbot_hook.sh.erb (100%)
diff --git a/site-cookbooks/kosmos-base/recipes/letsencrypt.rb b/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
index ac5016e..d047bba 100644
--- a/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
+++ b/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
@@ -63,14 +63,6 @@ systemctl reload nginx
 group "root"
 end
 
-# gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
-
-# TODO only write to machines that actually need it (e.g. via role)
-# template "/root/gandi_dns_certbot_hook.sh" do
-# variables gandi_api_key: gandi_api_data_bag_item["key"]
-# mode 0770
-# end
-
 # include_recipe 'kosmos-base::systemd_emails'
 
 # TODO Check the deployed certs expiration dates instead of overwriting supplied systemd services
diff --git a/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb b/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb
index bfff01b..6b29885 100644
--- a/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb
+++ b/site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb
@@ -54,10 +54,17 @@ file "/etc/letsencrypt/renewal-hooks/post/ejabberd" do
 group "root"
 end
 
+gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
+
+template "/root/gandi_dns_certbot_hook.sh" do
+ variables gandi_api_key: gandi_api_data_bag_item["key"]
+ mode 0770
+end
+
 # Generate a Let's Encrypt cert (only if no cert has been generated before).
 # The systemd timer will take care of renewing
 execute "letsencrypt cert for kosmos xmpp" do
- command "/usr/bin/certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d kosmos.chat -n"
+ command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d kosmos.chat -d uploads.xmpp.kosmos.org -n"
 not_if do
 File.exist?("/etc/letsencrypt/live/kosmos.org/fullchain.pem")
 end
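Review bot: The new `template "/root/gandi_dns_certbot_hook.sh"` resource renders the Gandi API key into a file with `mode 0770` and no explicit owner, so the group gets read, write and execute on a file that holds a credential and ownership is left to Chef's default or to whatever already exists on disk. I would tighten it inside the block with `owner "root"`, `mode "0700"` and `sensitive true`; the last keeps the rendered key out of the Chef run output when the template content changes. The TODO about writing the hook only to machines that need it was removed together with the commented-out block in kosmos-base, and whether every node that runs this recipe actually needs the key is not visible from this hunk.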
@@ -66,7 +73,7 @@ end
 # Generate a Let's Encrypt cert (only if no cert has been generated before).
 # The systemd timer will take care of renewing
 execute "letsencrypt cert for 5apps xmpp" do
- command "/usr/bin/certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -n"
+ command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@5apps.com -d 5apps.com -d muc.5apps.com -d xmpp.5apps.com -d uploads.xmpp.5apps.com -n"
 not_if do
 File.exist?("/etc/letsencrypt/live/5apps.com/fullchain.pem")
 end
diff --git a/site-cookbooks/kosmos-base/templates/default/gandi_dns_certbot_hook.sh.erb b/site-cookbooks/kosmos-ejabberd/templates/gandi_dns_certbot_hook.sh.erb
similarity index 100%
rename from site-cookbooks/kosmos-base/templates/default/gandi_dns_certbot_hook.sh.erb
rename to site-cookbooks/kosmos-ejabberd/templates/gandi_dns_certbot_hook.sh.erb
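Review bot: The added `-d uploads.xmpp.5apps.com` only reaches certbot on nodes that have no certificate yet, because the `not_if` guard skips the whole `execute "letsencrypt cert for 5apps xmpp"` resource once `/etc/letsencrypt/live/5apps.com/fullchain.pem` exists. The same holds for `-d uploads.xmpp.kosmos.org` in the kosmos `execute` of the previous hunk. On hosts that are already provisioned the existing certificate will presumably keep its old name list, so the upload hosts would be served a certificate that does not cover them until it is re-issued by hand. A comment above the resource such as `# NOTE: adding a -d needs a manual re-issue on existing hosts (skipped by not_if)`, or a guard that compares the certificate's names, would make that explicit. The closing `end` of the `execute` block lies outside the hunk.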