From 0c29fad404b27fe83b24d4d6220bac76d0db721a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Wed, 5 Jun 2024 15:49:27 +0200
Subject: [PATCH 1/3] Remove superfluous license header
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Greg Karékinian
---
 .../kosmos-base/recipes/letsencrypt.rb | 21 -------------------
 1 file changed, 21 deletions(-)

diff --git a/site-cookbooks/kosmos-base/recipes/letsencrypt.rb b/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
index e13c3db..22b0939 100644
--- a/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
+++ b/site-cookbooks/kosmos-base/recipes/letsencrypt.rb
@@ -2,27 +2,6 @@
 # Cookbook Name:: kosmos-base
 # Recipe:: letsencrypt
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2019, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
 
 unless platform?('ubuntu')
   raise "This recipe only supports Ubuntu installs"
From cfb379741e32f5dbb147ee4aca9e61177aa95003 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Wed, 5 Jun 2024 15:50:28 +0200
Subject: [PATCH 2/3] Add imap and smtp subdomains to mail server cert
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

closes #543

Co-authored-by: Greg Karékinian
---
 site-cookbooks/kosmos_email/recipes/default.rb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/site-cookbooks/kosmos_email/recipes/default.rb b/site-cookbooks/kosmos_email/recipes/default.rb
index bb80c24..462ea1a 100644
--- a/site-cookbooks/kosmos_email/recipes/default.rb
+++ b/site-cookbooks/kosmos_email/recipes/default.rb
@@ -7,6 +7,7 @@ domain = node["email"]["domain"]
 hostname = node["email"]["hostname"]
 root_dir = node["email"]["root_directory"]
 ip_addr = node["knife_zero"]["host"]
+extra_hostnames = ["smtp.#{domain}", "imap.#{domain}"]
 node.override["set_fqdn"] = hostname
 
 include_recipe "hostname"
@@ -23,6 +24,7 @@ directory root_dir do
 end
 
 tls_cert_for hostname do
+  domain ([hostname]+extra_hostnames)
   auth "gandi_dns"
   action :create
 end

From ff313525c86c91bbe9dcf194d1249ba56d198d03 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?=
Date: Wed, 5 Jun 2024 16:43:20 +0200
Subject: [PATCH 3/3] Reload postfix and dovecot on cert renewal
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

closes #552

Co-authored-by: Greg Karékinian
---
 .../kosmos-base/resources/tls_cert_for.rb | 16 +++++++++++++++-
 site-cookbooks/kosmos_email/recipes/default.rb | 1 +
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/site-cookbooks/kosmos-base/resources/tls_cert_for.rb b/site-cookbooks/kosmos-base/resources/tls_cert_for.rb
index 0f56f29..c633166 100644
--- a/site-cookbooks/kosmos-base/resources/tls_cert_for.rb
+++ b/site-cookbooks/kosmos-base/resources/tls_cert_for.rb
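Review bot: `domain ([hostname]+extra_hostnames)` in the tls_cert_for hunk puts a space between the method name and the parenthesised argument, so the parentheses are read as an expression group rather than an argument list; the conventional form is `domain [hostname, *extra_hostnames]` (or `domain([hostname] + extra_hostnames)`). Keeping the bare hostname as the first element matters beyond style: the following patch in this series derives a file name from `domains.first`, and certbot names the lineage after the first `-d` value, so the order of this array is part of the contract and deserves a one-line comment saying so.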
@@ -3,6 +3,7 @@ provides :tls_cert_for
 property :domain, [String, Array], name_property: true
 property :auth, [String, NilClass], default: nil
+property :deploy_hook, [String, NilClass], default: nil
 property :acme_domain, [String, NilClass], default: nil
 
 default_action :create
@@ -36,6 +37,19 @@ action :create do
     sensitive true
   end
 
+  if new_resource.deploy_hook
+    deploy_hook_path = "/etc/letsencrypt/renewal-hooks/#{domains.first}"
+
+    file deploy_hook_path do
+      content new_resource.deploy_hook
+      mode 0755
+      owner "root"
+      group "root"
+    end
+  elsif node.run_list.roles.include?("openresty_proxy")
+    deploy_hook_path = "/etc/letsencrypt/renewal-hooks/post/openresty"
+  end
+
   # Generate a Let's Encrypt cert (only if no cert has been generated before).
   # The systemd timer will take care of renewing
   execute "letsencrypt cert for #{domains.join(', ')}" do
@@ -47,7 +61,7 @@ action :create do
       --manual-auth-hook '#{hook_auth_command}' \
       --manual-cleanup-hook '#{hook_cleanup_command}' \
       --email ops@kosmos.org \
-      #{node.run_list.roles.include?("openresty_proxy") ? '--deploy-hook /etc/letsencrypt/renewal-hooks/post/openresty' : nil } \
+      #{"--deploy-hook #{deploy_hook_path}" if defined?(deploy_hook_path)} \
       #{domains.map {|d| "-d #{d}" }.join(" ")}
     CMD
     not_if do
diff --git a/site-cookbooks/kosmos_email/recipes/default.rb b/site-cookbooks/kosmos_email/recipes/default.rb
index 462ea1a..01f85a3 100644
--- a/site-cookbooks/kosmos_email/recipes/default.rb
+++ b/site-cookbooks/kosmos_email/recipes/default.rb
@@ -26,6 +26,7 @@ end
 tls_cert_for hostname do
   domain ([hostname]+extra_hostnames)
   auth "gandi_dns"
+  deploy_hook "systemctl reload postfix.service && systemctl reload dovecot.service"
   action :create
 end
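Review bot: The `if`/`elsif` here only assigns `deploy_hook_path` on two paths, but the `--deploy-hook` line in the next hunk tests `defined?(deploy_hook_path)`, which is truthy as soon as the parser has seen an assignment, so a host that is neither `openresty_proxy` nor passes `deploy_hook` now gets a bare `--deploy-hook ` in the certbot command and the first `-d` token is either taken as its value or rejected by the option parser — a regression from the old ternary, which yielded nothing in that case. Initialise the variable before the branch, `deploy_hook_path = nil`, and test its value instead, `#{"--deploy-hook #{deploy_hook_path}" if deploy_hook_path}`. The hook is written from the property's raw string and executed as a 0755 file, so it should begin with an interpreter line, e.g. `content "#!/bin/sh\n#{new_resource.deploy_hook}\n"`, rather than relying on the shell's no-shebang fallback. The file name is interpolated from `domains.first`, a property value, straight into `/etc/letsencrypt/renewal-hooks/`, so a value containing `/` would land elsewhere; sanitising it (`domains.first.tr("/", "_")`) or using certbot's `renewal-hooks/deploy/` subdirectory would be safer. The enclosing `action :create` block starts before and ends after this hunk.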
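Review bot: The `--deploy-hook` argument is only passed on first issuance, since the comment above this `execute` says it runs only if no cert has been generated before, so a host that already holds a certificate (which is the case for the mail server this series targets, closes #552) never gets the hook recorded in its certbot renewal configuration and the reload will not fire on renewal. Either re-register the hook when the renewal configuration lacks it, or place the script under certbot's `renewal-hooks/deploy/` directory, which certbot runs on every renewal without a per-lineage entry. The `not_if` body is outside the hunk, so the exact guard condition is inferred from the comment rather than seen.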