chef/site-cookbooks/kosmos-base/recipes/letsencrypt.rb

#
# Cookbook Name:: kosmos-base
# Recipe:: letsencrypt
#
# Copyright 2018, Kosmos
#
# All rights reserved - Do Not Redistribute
#

# Install certbot and set up hooks

# Remove the unless/else when we get rid of dev, running 15.04. No ppa for it
unless node["lsb"]["codename"] == "vivid"
  apt_repository "certbot" do
    uri "ppa:certbot/certbot"
  end

  package "certbot"
else
  remote_file "/usr/bin/certbot" do
    source "https://dl.eff.org/certbot-auto"
    mode 0755
  end

  cron "renew Let's Encrypt certificates" do
   hour "4"
   mailto "logs@5apps.com"
   command "/usr/bin/certbot -q renew"
 end
end

directory "/etc/letsencrypt/renewal-hooks" do
  recursive true
  mode 0755
  owner "root"
  group "root"
end

file "/etc/letsencrypt/renewal-hooks/deploy/nginx" do
  content <<-EOF
#!/usr/bin/env bash
# Reloading nginx is enough to read the new certificates
systemctl reload nginx
  EOF
  mode 0755
  owner "root"
  group "root"
end

gandi_api_data_bag_item = data_bag_item('credentials', 'gandi_api_5apps')

template "/root/gandi_dns_certbot_hook.sh" do
  variables gandi_api_key: gandi_api_data_bag_item["key"]
  mode 0770
end