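require 'shellwords'

# tls_cert_for: obtain a Let's Encrypt certificate for one or more hostnames
# via certbot's manual DNS challenge.
#
# Properties:
#   domain      - String or Array of hostnames. The first entry names the
#                 certbot lineage (/etc/letsencrypt/live/<first>/) and, when a
#                 deploy_hook is given, the hook file.
#   auth        - challenge method. Only "gandi_dns" is implemented; every
#                 other value (including nil) falls into the empty else branch.
#   deploy_hook - optional script body written to
#                 /etc/letsencrypt/renewal-hooks/<first domain> (0755, root)
#                 and registered with certbot as --deploy-hook. certbot runs it
#                 as root on every renewal, so its content is privileged code
#                 and must come from the cookbook, never from an end user.
#   acme_domain - optional extra argument appended to the Gandi hook commands.
#   email       - ACME account contact address (was hard-coded before).
resource_name :tls_cert_for
provides :tls_cert_for

property :domain, [String, Array], name_property: true
property :auth, [String, NilClass], default: nil
property :deploy_hook, [String, NilClass], default: nil
property :acme_domain, [String, NilClass], default: nil
property :email, String, default: 'ops@kosmos.org'

default_action :create

def initialize(*args)
  super
  # certbot and its renewal timer are set up by this recipe.
  @run_context.include_recipe 'kosmos-base::letsencrypt'
end

action :create do
  domains = Array(new_resource.domain)

  # Initialise explicitly. The previous code tested `defined?(deploy_hook_path)`,
  # but a local that is assigned inside a branch is "defined" as soon as the
  # parser sees it, even if the branch never ran -- so when neither hook branch
  # applied, certbot was handed a bare `--deploy-hook` with no path.
  deploy_hook_path = nil

  case new_resource.auth
  when "gandi_dns"
    # The API token comes from the (unencrypted) 'credentials' data bag and is
    # only ever written into a root-only hook script.
    gandi_api_credentials = data_bag_item('credentials', 'gandi_api')
    hook_path = "/root/gandi_dns_certbot_hook.sh"

    hook_auth_command = "#{hook_path} auth"
    hook_cleanup_command = "#{hook_path} cleanup"
    if new_resource.acme_domain
      hook_auth_command += " #{new_resource.acme_domain}"
      hook_cleanup_command += " #{new_resource.acme_domain}"
    end

    template hook_path do
      cookbook "kosmos-base"
      variables access_token: gandi_api_credentials["access_token"]
      owner "root"
      group "root"
      mode 0700           # holds the Gandi token: owner-only, executable for certbot
      sensitive true      # keep the token out of chef-client diff/log output
    end

    if new_resource.deploy_hook
      # NOTE(review): written directly under renewal-hooks/ rather than
      # renewal-hooks/deploy/; presumably still executed because the path is
      # registered via --deploy-hook below -- confirm against certbot docs.
      deploy_hook_path = "/etc/letsencrypt/renewal-hooks/#{domains.first}"
      file deploy_hook_path do
        content new_resource.deploy_hook
        mode 0755
        owner "root"
        group "root"
      end
    elsif node.run_list.roles.include?("openresty_proxy")
      # Not created by this resource; assumed to be provided by the openresty setup.
      deploy_hook_path = "/etc/letsencrypt/renewal-hooks/post/openresty"
    end

    # The command string runs through /bin/sh, so every interpolated value is
    # shell-escaped. Wildcard names (*.example.com -- the usual reason to use a
    # DNS challenge) would otherwise be exposed to glob expansion, and the hook
    # commands previously relied on hand-written single quotes.
    domain_args = domains.map { |d| "-d #{Shellwords.escape(d)}" }.join(" ")
    deploy_hook_arg =
      deploy_hook_path ? "--deploy-hook #{Shellwords.escape(deploy_hook_path)}" : ""

    # Issue the certificate once; the systemd timer from kosmos-base::letsencrypt
    # takes care of renewals.
    # NOTE(review): --manual-public-ip-logging-ok is a legacy flag that newer
    # certbot releases may ignore or reject -- verify against the installed version.
    execute "letsencrypt cert for #{domains.join(', ')}" do
      command <<-CMD
        certbot certonly --manual -n \
          --preferred-challenges dns \
          --manual-public-ip-logging-ok \
          --agree-tos \
          --manual-auth-hook #{Shellwords.escape(hook_auth_command)} \
          --manual-cleanup-hook #{Shellwords.escape(hook_cleanup_command)} \
          --email #{Shellwords.escape(new_resource.email)} \
          #{deploy_hook_arg} \
          #{domain_args}
      CMD
      # Idempotence guard keyed on the first domain only: adding or changing
      # SANs later will not trigger re-issuance, and the check assumes certbot
      # named the lineage after domains.first (no -0001 suffix).
      not_if do
        ::File.exist?("/etc/letsencrypt/live/#{domains.first}/fullchain.pem")
      end
    end
  else
    # regular http auth -- not implemented; no action is taken for other auth values.
  end
end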