Create a resource to get a Let's Encrypt cert with DNS validation

2023-07-12 20:35:15 +02:00
parent d077dfdcf2
commit c1e2145ba1
3 changed files with 120 additions and 10 deletions
--- a/site-cookbooks/kosmos-base/resources/tls_cert_for.rb
+++ b/site-cookbooks/kosmos-base/resources/tls_cert_for.rb
@@ -0,0 +1,46 @@
+resource_name :tls_cert_for
+provides :tls_cert_for
+
+property :domain, [String, Array], name_property: true
+property :auth, [String, NilClass], default: nil
+
+default_action :create
+
+action :create do
+  include_recipe 'kosmos-base::letsencrypt'
+
+  domains = Array(new_resource.domain)
+
+  case new_resource.auth
+  when "gandi_dns"
+    gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')
+
+    hook_path = "/root/gandi_dns_certbot_hook.sh"
+    template hook_path do
+      cookbook "kosmos-base"
+      variables gandi_api_key: gandi_api_data_bag_item["key"]
+      mode 0770
+    end
+
+    # Generate a Let's Encrypt cert (only if no cert has been generated before).
+    # The systemd timer will take care of renewing
+    execute "letsencrypt cert for #{domains.join(', ')}" do
+      command <<-CMD
+      certbot certonly --manual -n \
+        --preferred-challenges dns \
+        --manual-public-ip-logging-ok \
+        --agree-tos \
+        --manual-auth-hook '#{hook_path} auth' \
+        --manual-cleanup-hook '#{hook_path} cleanup' \
+        --deploy-hook /etc/letsencrypt/renewal-hooks/post/openresty \
+        --email ops@kosmos.org \
+        #{domains.map {|d| "-d #{d}" }.join(" ")}
+      CMD
+      not_if do
+        ::File.exist?("/etc/letsencrypt/live/#{domains.first}/fullchain.pem")
+      end
+    end
+  else
+    # regular http auth
+  end
+end