# Custom resource: obtains a Let's Encrypt certificate for one or more domains
# via certbot (see action :create below).
resource_name :tls_cert_for
provides :tls_cert_for

# Domain(s) to put on the certificate: a String or an Array of Strings.
# The first entry also names the certificate directory under /etc/letsencrypt/live.
property :domain, [String, Array], name_property: true
# Challenge method. Only "gandi_dns" does anything in action :create; every other
# value, including the nil default, falls through to the "regular http auth" branch,
# which is currently empty.
property :auth, [String, NilClass], default: nil

default_action :create
# Pull the shared letsencrypt recipe into the run whenever this resource is
# declared (the renewal timer referenced in action :create presumably lives there).
# NOTE(review): overriding initialize on a Chef resource is unusual; this relies on
# super having populated @run_context — confirm the resource is never instantiated
# without a run context, or this raises NoMethodError on nil.
def initialize(*args)
  super
  @run_context.include_recipe('kosmos-base::letsencrypt')
end
# Issue a certificate for new_resource.domain. Only the "gandi_dns" challenge is
# implemented: it renders the Gandi DNS hook script and runs certbot once; the
# systemd timer handles renewals afterwards, so this is a one-off issuance.
action :create do
  domains = [*new_resource.domain]

  case new_resource.auth
  when "gandi_dns"
    # Gandi API credentials come from the 'credentials' data bag, item 'gandi_api_5apps'.
    gandi_creds = data_bag_item('credentials', 'gandi_api_5apps')

    # Script certbot invokes for the DNS-01 auth and cleanup steps.
    hook_path = "/root/gandi_dns_certbot_hook.sh"
    template hook_path do
      cookbook "kosmos-base"
      variables gandi_api_key: gandi_creds["key"]
      # NOTE(review): the rendered script embeds the Gandi API key; 0770 lets every
      # member of the file's group read it. A root-run hook would normally be 0700 —
      # confirm nothing else needs group access before tightening.
      mode 0770
    end

    # "-d a -d b ..." for every requested domain; the first one names the cert dir.
    # NOTE(review): domains are interpolated unquoted into the shell command. They
    # come from the resource property rather than end users, but any value with
    # shell metacharacters would still break (or alter) the command.
    domain_flags = domains.map { |d| "-d #{d}" }.join(" ")

    # Skipped once a fullchain.pem exists for the first domain.
    # NOTE(review): because the guard only looks at domains.first, adding a domain
    # to an existing resource will not re-run certbot to expand the certificate.
    # --manual-public-ip-logging-ok is reported as deprecated by newer certbot
    # releases — verify against the installed version.
    execute "letsencrypt cert for #{domains.join(', ')}" do
      command <<-CMD
      certbot certonly --manual -n \
        --preferred-challenges dns \
        --manual-public-ip-logging-ok \
        --agree-tos \
        --manual-auth-hook '#{hook_path} auth' \
        --manual-cleanup-hook '#{hook_path} cleanup' \
        --deploy-hook /etc/letsencrypt/renewal-hooks/post/openresty \
        --email ops@kosmos.org \
        #{domain_flags}
      CMD
      not_if { ::File.exist?("/etc/letsencrypt/live/#{domains.first}/fullchain.pem") }
    end
  else
    # regular http auth — intentionally empty here; the http-01 path is not
    # implemented in this resource, so a resource with the default auth (nil)
    # converges without issuing anything.
  end
end