Merge pull request 'Improve mail server TLS certificate management' (#556) from chore/mail_server_cert into master

Reviewed-on: #556
Reviewed-by: Greg <greg@noreply.kosmos.org>

site-cookbooks/kosmos-base/recipes/letsencrypt.rb

@@ -2,27 +2,6 @@
 # Cookbook Name:: kosmos-base
 # Recipe:: letsencrypt
 #
-# The MIT License (MIT)
-#
-# Copyright:: 2019, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
 
 unless platform?('ubuntu')
   raise "This recipe only supports Ubuntu installs"

site-cookbooks/kosmos-base/resources/tls_cert_for.rb

@@ -3,6 +3,7 @@ provides :tls_cert_for
 
 property :domain, [String, Array], name_property: true
 property :auth, [String, NilClass], default: nil
+property :deploy_hook, [String, NilClass], default: nil
 property :acme_domain, [String, NilClass], default: nil
 
 default_action :create
@@ -36,6 +37,19 @@ action :create do
       sensitive true
     end
 
+    if new_resource.deploy_hook
+      deploy_hook_path = "/etc/letsencrypt/renewal-hooks/#{domains.first}"
+
+      file deploy_hook_path do
+        content new_resource.deploy_hook
+        mode 0755
+        owner "root"
+        group "root"
+      end
+    elsif node.run_list.roles.include?("openresty_proxy")
+      deploy_hook_path = "/etc/letsencrypt/renewal-hooks/post/openresty"
+    end
+
     # Generate a Let's Encrypt cert (only if no cert has been generated before).
     # The systemd timer will take care of renewing
     execute "letsencrypt cert for #{domains.join(', ')}" do
@@ -47,7 +61,7 @@ action :create do
         --manual-auth-hook '#{hook_auth_command}' \
         --manual-cleanup-hook '#{hook_cleanup_command}' \
         --email ops@kosmos.org \
-        #{node.run_list.roles.include?("openresty_proxy") ? '--deploy-hook /etc/letsencrypt/renewal-hooks/post/openresty' : nil } \
+        #{"--deploy-hook #{deploy_hook_path}" if defined?(deploy_hook_path)} \
         #{domains.map {|d| "-d #{d}" }.join(" ")}
       CMD
       not_if do

site-cookbooks/kosmos_email/recipes/default.rb

@@ -7,6 +7,7 @@ domain   = node["email"]["domain"]
 hostname = node["email"]["hostname"]
 root_dir = node["email"]["root_directory"]
 ip_addr  = node["knife_zero"]["host"]
+extra_hostnames = ["smtp.#{domain}", "imap.#{domain}"]
 
 node.override["set_fqdn"] = hostname
 include_recipe "hostname"
@@ -23,7 +24,9 @@ directory root_dir do
 end
 
 tls_cert_for hostname do
+  domain ([hostname]+extra_hostnames)
   auth "gandi_dns"
+  deploy_hook "systemctl reload postfix.service && systemctl reload dovecot.service"
   action :create
 end