Support proxy domain validation for Garage web domains

Also rename the data bag item

data_bags/credentials/gandi_api.json

@@ -0,0 +1,24 @@
+{
+  "id": "gandi_api",
+  "key": {
+    "encrypted_data": "d3/rJMX6B9GuzUt0/mIk/lgQ3qGyQdbNXH6UEm3ZX7DeSl+rbW9FPJCRWg==\n",
+    "iv": "15YVAYla7PqqVOab\n",
+    "auth_tag": "xQSq+ld6SDOAER07N4ZkUQ==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "access_token": {
+    "encrypted_data": "geQwcNosiJZmqbbMpD/I+a2yueBzpV6C8Rb7vrCD8kR161ZRjvqLe+g/1XpT\n2/65wKYDMTrdto1I030=\n",
+    "iv": "1sj58eyooOZ8FTYn\n",
+    "auth_tag": "yBNfgWXaToc06VDLly/HUw==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  },
+  "domains": {
+    "encrypted_data": "p5rIQTyCE+0d4HIuA4GKEAFekh7qEC4xe9Rm/kP0DyzY83FO0/4uKIvYoZRB\n",
+    "iv": "LWlx98NSS1/ngCH1\n",
+    "auth_tag": "FID+x/LjTZ3cgQV5U2xZLA==\n",
+    "version": 3,
+    "cipher": "aes-256-gcm"
+  }
+}

data_bags/credentials/gandi_api_5apps.json

@@ -1,17 +0,0 @@
-{
-  "id": "gandi_api_5apps",
-  "key": {
-    "encrypted_data": "AGYIkLdbnU3+O6OxGsFyLpZtTw531s2dbRC4Lik+8NYp3l4P0UMM2Pqf0g==\n",
-    "iv": "kPRHGpLwNIC3MpES\n",
-    "auth_tag": "wKth2tA+JxILFIKppHLDJg==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
-  },
-  "access_token": {
-    "encrypted_data": "+tKKFcWV0CZ5wEB/No5hou5+p1llsUkq7AXBvfnA7xsgbpa2q8AX/2UFf9Cf\nGtd9om1CeJJtz+o4ceA=\n",
-    "iv": "hLJSV77DQtqXZDbV\n",
-    "auth_tag": "8xgyudyDk4hq16LRkykGhQ==\n",
-    "version": 3,
-    "cipher": "aes-256-gcm"
-  }
-}

site-cookbooks/kosmos-base/resources/tls_cert_for.rb

@@ -18,7 +18,7 @@ action :create do
 
   case new_resource.auth
   when "gandi_dns"
-    gandi_api_credentials = data_bag_item('credentials', 'gandi_api_5apps')
+    gandi_api_credentials = data_bag_item('credentials', 'gandi_api')
 
     hook_path = "/root/gandi_dns_certbot_hook.sh"
     hook_auth_command = "#{hook_path} auth"

site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb

@@ -33,7 +33,7 @@ file "/etc/letsencrypt/renewal-hooks/post/ejabberd" do
   group "root"
 end
 
-gandi_api_credentials = data_bag_item('credentials', 'gandi_api_5apps')
+gandi_api_credentials = data_bag_item('credentials', 'gandi_api')
 
 template "/root/gandi_dns_certbot_hook.sh" do
   variables access_token: gandi_api_credentials["access_token"]

site-cookbooks/kosmos_garage/recipes/nginx_web.rb

@@ -3,6 +3,8 @@
 # Recipe:: nginx_web
 #
 
+gandi_api_credentials = data_bag_item('credentials', 'gandi_api')
+
 file "#{node['openresty']['dir']}/conf.d/garage.conf" do
   content <<-EOF
 upstream garage_web {
@@ -40,8 +42,12 @@ end
 #
 
 node['garage']['s3_web_domains'].each do |domain_name|
+  second_level_domain = domain_name.match(/(?:.*\.)?([^.]+\.[^.]+)$/) { $1 }
+  proxy_validation = !gandi_api_credentials["domains"].include?(second_level_domain)
+
   tls_cert_for domain_name do
     auth "gandi_dns"
+    acme_domain "letsencrypt.kosmos.org" if proxy_validation
     action :create
   end
 

site-cookbooks/sockethub/recipes/proxy.rb

@@ -24,10 +24,10 @@ file "/etc/letsencrypt/renewal-hooks/post/nginx" do
   group "root"
 end
 
-gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
+gandi_api_credentials = data_bag_item('credentials', 'gandi_api')
 
 template "/root/gandi_dns_certbot_hook.sh" do
-  variables gandi_api_key: gandi_api_data_bag_item["key"]
+  variables gandi_api_key: gandi_api_credentials["key"]
   mode 0770
 end