chef/site-cookbooks/kosmos-base/recipes/letsencrypt.rb

#
# Cookbook Name:: kosmos-base
# Recipe:: letsencrypt
#

unless platform?('ubuntu')
  raise "This recipe only supports Ubuntu installs"
end

if node[:platform_version].to_f < 20.04
  apt_repository "certbot" do
    uri "ppa:certbot/certbot"
  end
  package "certbot"
else
  bash "install_certbot_snap" do
    code "snap install --classic certbot"
  end
  # TODO switch to snap_package resource when they fix it
  # snap_package "certbot" do
  #   options "--classic"
  # end
end

%w(deploy post pre).each do |subdir|
  directory "/etc/letsencrypt/renewal-hooks/#{subdir}" do
    recursive true
    mode 0755
    owner "root"
    group "root"
  end
end

if node.run_list.roles.include?("openresty_proxy")
  file "/etc/letsencrypt/renewal-hooks/post/openresty" do
    content <<-EOF
  #!/usr/bin/env bash
  # Reloading openresty is enough to read the new certificates
  systemctl reload openresty
    EOF
    mode 0755
    owner "root"
    group "root"
  end
end

# include_recipe 'kosmos-base::systemd_emails'

# TODO Check the deployed certs expiration dates instead of overwriting supplied systemd services
# Overwrite the systemd service to add email notifications on failures
# cookbook_file "/lib/systemd/system/certbot.service" do
#   source "certbot.service"
#   notifies :run, "execute[systemctl daemon-reload]", :delayed
# end
# execute "systemctl daemon-reload" do
#   command "systemctl daemon-reload"
#   action :nothing
# end