kosmos/chef
kosmos/chef
8
3
Fork 0
Code Issues 30 Pull Requests 3 Projects 2 Activity

Fix TLS cert updates for kosmos.chat #578

Merged
raucao merged 1 commits from chore/fix_cert_updates_kosmos-chat into master 2024-12-09 14:21:06 +00:00
Conversation 0 Commits 1 Files Changed 7 +35 -14
7 changed files with 35 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit e4112a3626 - Show all commits

18
data_bags/credentials/gandi_api.json
View File

@ -1,23 +1,23 @@
{
"id": "gandi_api",
"key": {
"encrypted_data": "d3/rJMX6B9GuzUt0/mIk/lgQ3qGyQdbNXH6UEm3ZX7DeSl+rbW9FPJCRWg==\n",
"iv": "15YVAYla7PqqVOab\n",
"auth_tag": "xQSq+ld6SDOAER07N4ZkUQ==\n",
"encrypted_data": "Ky1/PdywtEIl5vVXhzu3n2JetqOxnNjpjQ7yCao6qwIAn8oYxnv1c1hFAQ==\n",
"iv": "stAc2FxDvUqrh0kt\n",
"auth_tag": "rcK4Qt+f2O4Zo5IMmG0fkw==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"access_token": {
"encrypted_data": "geQwcNosiJZmqbbMpD/I+a2yueBzpV6C8Rb7vrCD8kR161ZRjvqLe+g/1XpT\n2/65wKYDMTrdto1I030=\n",
"iv": "1sj58eyooOZ8FTYn\n",
"auth_tag": "yBNfgWXaToc06VDLly/HUw==\n",
"encrypted_data": "J7zoLhEbPfPjnVWBmFmDdPKRer5GGw2o6Ad0uinznANugfaDiqjyYinOdEDF\nHlAqLmXv4J40rr3F+o4=\n",
"iv": "fAxFqVh9QqrfBsPW\n",
"auth_tag": "9ugi4frDLv8f7X0X1+k4DA==\n",
"version": 3,
"cipher": "aes-256-gcm"
},
"domains": {
"encrypted_data": "p5rIQTyCE+0d4HIuA4GKEAFekh7qEC4xe9Rm/kP0DyzY83FO0/4uKIvYoZRB\n",
"iv": "LWlx98NSS1/ngCH1\n",
"auth_tag": "FID+x/LjTZ3cgQV5U2xZLA==\n",
"encrypted_data": "X0KOKlJp5GYbKcq/jzmlaMmTXV1U7exWSqi3UxX9Sw==\n",
"iv": "9JucnYLlYdQ9N6pd\n",
"auth_tag": "sERYPDnVUJwVfSS8/xrPpQ==\n",
"version": 3,
"cipher": "aes-256-gcm"
}

10
site-cookbooks/kosmos-ejabberd/recipes/default.rb
View File

@ -84,6 +84,12 @@ hosts = [
sql_database: "ejabberd",
ldap_enabled: true,
ldap_password: ejabberd_credentials['kosmos_ldap_password'],
certfiles: [
"/opt/ejabberd/conf/kosmos.org.crt",
"/opt/ejabberd/conf/kosmos.org.key",
"/opt/ejabberd/conf/kosmos.chat.crt",
"/opt/ejabberd/conf/kosmos.chat.key"
],
append_host_config: <<-EOF
modules:
mod_disco:
@ -114,6 +120,10 @@ hosts = [
sql_database: "ejabberd_5apps",
ldap_enabled: true,
ldap_password: ejabberd_credentials['5apps_ldap_password'],
certfiles: [
"/opt/ejabberd/conf/5apps.com.crt",
"/opt/ejabberd/conf/5apps.com.key"
],
append_host_config: <<-EOF
modules:
mod_disco:

13
site-cookbooks/kosmos-ejabberd/recipes/letsencrypt.rb
View File

@ -15,7 +15,7 @@ set -e
# letsencrypt live folder
for domain in $RENEWED_DOMAINS; do
case $domain in
kosmos.org|5apps.com)
kosmos.org|kosmos.chat|5apps.com)
cp "${RENEWED_LINEAGE}/privkey.pem" /opt/ejabberd/conf/$domain.key
cp "${RENEWED_LINEAGE}/fullchain.pem" /opt/ejabberd/conf/$domain.crt
chown ejabberd:ejabberd /opt/ejabberd/conf/$domain.*
@ -42,13 +42,20 @@ end
# Generate a Let's Encrypt cert (only if no cert has been generated before).
# The systemd timer will take care of renewing
execute "letsencrypt cert for kosmos xmpp" do
command "certbot certonly --manual --preferred-challenges dns --manual-public-ip-logging-ok --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d kosmos.chat -d uploads.xmpp.kosmos.org -n"
execute "letsencrypt cert for kosmos.org domains" do
command "certbot certonly --manual --preferred-challenges dns --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.org -d xmpp.kosmos.org -d chat.kosmos.org -d uploads.xmpp.kosmos.org -n"
not_if do
File.exist?("/etc/letsencrypt/live/kosmos.org/fullchain.pem")
end
end
execute "letsencrypt cert for kosmos.chat" do
command "certbot certonly --manual --preferred-challenges dns --agree-tos --manual-auth-hook \"/root/gandi_dns_certbot_hook.sh auth letsencrypt.kosmos.org\" --manual-cleanup-hook \"/root/gandi_dns_certbot_hook.sh cleanup letsencrypt.kosmos.org\" --deploy-hook \"/etc/letsencrypt/renewal-hooks/post/ejabberd\" --email ops@kosmos.org -d kosmos.chat -n"
not_if do
File.exist?("/etc/letsencrypt/live/kosmos.chat/fullchain.pem")
end
end
# Generate a Let's Encrypt cert (only if no cert has been generated before).
# The systemd timer will take care of renewing
execute "letsencrypt cert for 5apps xmpp" do

5
site-cookbooks/kosmos-ejabberd/templates/vhost.yml.erb
View File

@ -1,7 +1,8 @@
# Generated by Chef for <%= @host[:name] %>
certfiles:
- "/opt/ejabberd/conf/<%= @host[:name] %>.crt"
- "/opt/ejabberd/conf/<%= @host[:name] %>.key"
<% @host[:certfiles].each do |certfile| %>
- <%= certfile %>
<% end %>
host_config:
"<%= @host[:name] %>":
sql_type: pgsql

1
site-cookbooks/kosmos-hubot/recipes/nginx_botka_irc-libera-chat.rb
View File

@ -4,6 +4,7 @@ upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"]
tls_cert_for domain do
auth "gandi_dns"
acme_domain "letsencrypt.kosmos.org"
action :create
end

1
site-cookbooks/kosmos-hubot/recipes/nginx_hal8000_xmpp.rb
View File

@ -5,6 +5,7 @@ upstream_host = search(:node, "role:hubot").first["knife_zero"]["host"]
tls_cert_for domain do
auth "gandi_dns"
acme_domain "letsencrypt.kosmos.org"
action :create
end

1
site-cookbooks/kosmos_website/recipes/redirects.rb
View File

@ -6,6 +6,7 @@
redirects = [
{
domain: "kosmos.chat",
acme_domain: "letsencrypt.kosmos.org",
target: "https://kosmos.org",
http_status: 307
},