# Custom resource that obtains a Let's Encrypt certificate for one or more
# domains. Only the "gandi_dns" auth method is implemented in this file (see
# the :create action below); any other value of `auth` currently results in
# no work being done.
resource_name :tls_cert_for

provides :tls_cert_for

# One domain name or an array of them. The first entry names the certbot
# lineage (/etc/letsencrypt/live/<first domain>/), which is also what the
# :create action checks to decide whether a certificate already exists.
property :domain, [String, Array], name_property: true

# Authorization method. "gandi_dns" runs a DNS challenge through the Gandi
# API hook script; nil (the default) and any other value fall through to the
# empty "regular http auth" branch of the :create action.
property :auth, [String, NilClass], default: nil

# Optional script body, written verbatim to a root-owned 0755 file and passed
# to certbot as --deploy-hook.
property :deploy_hook, [String, NilClass], default: nil

# Optional extra argument appended to both the auth and cleanup hook
# invocations (presumably the zone/name the challenge record is created
# under — verify against gandi_dns_certbot_hook.sh).
property :acme_domain, [String, NilClass], default: nil

default_action :create

# Pull in the letsencrypt recipe whenever a tls_cert_for resource is
# instantiated, so the :create action can rely on whatever that recipe sets
# up (presumably certbot and its renewal timer — see kosmos-base::letsencrypt).
def initialize(*args)
  super(*args)
  @run_context.include_recipe('kosmos-base::letsencrypt')
end

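# Obtain (once) a Let's Encrypt certificate for the resource's domain(s).
#
# Only auth == "gandi_dns" is implemented: a DNS challenge whose records are
# created/removed by /root/gandi_dns_certbot_hook.sh using the Gandi API token
# from the `credentials/gandi_api` data bag item. The certbot run is skipped
# once the lineage exists; renewals are left to a systemd timer installed
# elsewhere (presumably by kosmos-base::letsencrypt). Any other value of
# `auth` currently performs no work at all.
action :create do
  # This file has no top-level require section; Shellwords is stdlib and
  # `require` is idempotent, so load it here.
  require 'shellwords'

  domains = Array(new_resource.domain)

  case new_resource.auth
  when "gandi_dns"
    # NOTE(review): confirm the `credentials` bag is an encrypted data bag
    # (data_bag_item decrypts it transparently); otherwise the API token is
    # stored in plaintext on the Chef server.
    gandi_api_credentials = data_bag_item('credentials', 'gandi_api')

    hook_path = "/root/gandi_dns_certbot_hook.sh"

    # certbot hands the hook strings to a shell, so quote each argument
    # individually: acme_domain is operator input, but it must not be able to
    # break out of the hook command line (the old single-quoting broke on a
    # literal quote character).
    extra_hook_args = new_resource.acme_domain ? [new_resource.acme_domain] : []
    hook_auth_command = Shellwords.join([hook_path, "auth", *extra_hook_args])
    hook_cleanup_command = Shellwords.join([hook_path, "cleanup", *extra_hook_args])

    # The hook script embeds the API token: root-only and hidden from Chef
    # logs/diffs.
    template hook_path do
      cookbook "kosmos-base"
      variables access_token: gandi_api_credentials["access_token"]
      mode 0700
      sensitive true
    end

    # Resolve the optional deploy hook up front. Initialising to nil matters:
    # the previous `defined?(deploy_hook_path)` check is truthy as soon as the
    # parser has seen an assignment to the local — even in a branch that was
    # not taken — so a bare `--deploy-hook` with no value was emitted whenever
    # neither branch below applied.
    deploy_hook_path = nil
    if new_resource.deploy_hook
      deploy_hook_path = "/etc/letsencrypt/renewal-hooks/#{domains.first}"

      file deploy_hook_path do
        content new_resource.deploy_hook
        mode 0755
        owner "root"
        group "root"
      end
    elsif node.run_list.roles.include?("openresty_proxy")
      # Not managed by this resource; presumably provided by the
      # openresty_proxy role — TODO confirm it exists before relying on it.
      deploy_hook_path = "/etc/letsencrypt/renewal-hooks/post/openresty"
    end

    # Build certbot's argv as an array: `execute` then spawns it directly
    # (no /bin/sh), so domains and hook strings need no shell escaping here.
    certbot_args = [
      "certbot", "certonly", "--manual", "-n",
      "--preferred-challenges", "dns",
      # NOTE(review): deprecated (a no-op) in newer certbot releases; drop it
      # once the installed version stops accepting it.
      "--manual-public-ip-logging-ok",
      "--agree-tos",
      "--manual-auth-hook", hook_auth_command,
      "--manual-cleanup-hook", hook_cleanup_command,
      "--email", "ops@kosmos.org",
    ]
    certbot_args.concat(["--deploy-hook", deploy_hook_path]) if deploy_hook_path
    certbot_args.concat(domains.flat_map { |d| ["-d", d] })

    # Generate a Let's Encrypt cert only if none has been generated before;
    # the systemd timer takes care of renewing. The lineage is named after the
    # first domain, so adding a SAN to an existing resource will not re-run
    # certbot (assumed acceptable — confirm).
    execute "letsencrypt cert for #{domains.join(', ')}" do
      command certbot_args
      not_if { ::File.exist?("/etc/letsencrypt/live/#{domains.first}/fullchain.pem") }
    end
  else
    # regular http auth — not implemented; nothing happens for other auth values
  end
end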