diff --git a/bundles/bind-acme/metadata.py b/bundles/bind-acme/metadata.py
index 94967ac..aa8c547 100644
--- a/bundles/bind-acme/metadata.py
+++ b/bundles/bind-acme/metadata.py
@@ -2,16 +2,19 @@
 'dns',
 )
 def acme_records(metadata):
- if metadata.get('bind/type') == 'slave':
- return {}
-
+ domains = set()
+
+ for other_node in repo.nodes:
+ for domain, conf in other_node.metadata.get('letsencrypt/domains', {}).items():
+ domains.add(domain)
+ domains.update(conf.get('aliases', []))
+
 return {
 'dns': {
 f'_acme-challenge.{domain}': {
 'CNAME': {f"{domain}.{metadata.get('bind/acme_zone')}."},
 }
- for other_node in repo.nodes
- for domain in other_node.metadata.get('letsencrypt/domains', {}).keys()
+ for domain in domains
 }
 }
@@ -20,16 +23,13 @@ def acme_records(metadata):
 'bind/zones',
 )
 def acme_zone(metadata):
- if metadata.get('bind/type') == 'slave':
- return {}
-
 return {
 'bind': {
 'zones': {
 metadata.get('bind/acme_zone'): {
 'dynamic': True,
- 'records': set(),
 'views': ['external'],
+ 'records': set(),
 },
 },
 },
diff --git a/bundles/letsencrypt/files/domains.txt b/bundles/letsencrypt/files/domains.txt
index ea7e427..4260aa5 100644
--- a/bundles/letsencrypt/files/domains.txt
+++ b/bundles/letsencrypt/files/domains.txt
@@ -1,3 +1,3 @@
-% for domain, aliases in sorted(node.metadata.get('letsencrypt/domains', {}).items()):
-${domain} ${' '.join(sorted(aliases))}
+% for domain, conf in sorted(domains.items()):
+${domain} ${' '.join(sorted(conf.get('aliases', [])))}
 % endfor
diff --git a/bundles/letsencrypt/files/hook.sh b/bundles/letsencrypt/files/hook.sh
index 50845b0..16320a5 100644
--- a/bundles/letsencrypt/files/hook.sh
+++ b/bundles/letsencrypt/files/hook.sh
@@ -8,7 +8,7 @@ deploy_challenge() {
 zone ${zone}.
 update add $1.${zone}. 60 IN TXT \"$3\"
 send
- " | tee | nsupdate -y hmac-sha512:acme.sublimity.de:${acme_key}
+ " | tee | nsupdate -y hmac-sha512:${zone}:${acme_key}
 sleep 10
 }
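Review bot: The new loop in acme_records assumes every value under letsencrypt/domains is a dict, so a node still declaring a domain in the old `domain: set()` shape fails on `conf.get('aliases', [])` with an AttributeError raised from inside the reactor, with no hint which node or domain is at fault. The nodes migrated in this commit use the new shape, but the loop walks all of repo.nodes, so an unmigrated node file outside this diff would break the metadata of every bind node. A loud check before the lookup names the offender: `if not isinstance(conf, dict): raise ValueError(f"{other_node.name}: letsencrypt/domains/{domain} must be a dict")`. The decorator that declares the provided 'dns' path begins above the hunk.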
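Review bot: Dropping the `bind/type == 'slave'` guard in acme_zone makes every bind node that runs this reactor declare the ACME zone with `'dynamic': True` and an empty record set, and nothing in the hunk records why that is now safe; if slave nodes still exist in the repo and a slave loads a locally defined dynamic zone instead of transferring it, it would accept nsupdate requests and drift from the master. Unless the slave role was removed elsewhere in this commit, keep the guard, or at least state the intent on the zone entry, e.g. `# every bind node serves the ACME zone; the TXT challenges are added at run time by the letsencrypt hook via nsupdate, so no static records`. The decorator that declares the provided 'bind/zones' path begins above the hunk and the closing braces of the returned dict lie below it.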
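Review bot: Passing the TSIG secret on the command line with `-y hmac-sha512:${zone}:${acme_key}` exposes it to every local user through the process list for as long as nsupdate runs, and renaming the key in this hunk keeps that pattern. nsupdate also accepts the key from its input stream, so the secret can move into the quoted update script that is already piped to it: add `key hmac-sha512:${zone} ${acme_key}` as the first line before `zone ${zone}.` and drop the option, leaving `" | tee | nsupdate`. The identical line in clean_challenge needs the same treatment. The command that opens the quoted script lies above the hunk.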
@@ -19,43 +19,37 @@ clean_challenge() {
 zone ${zone}.
 update delete $1.${zone}. TXT
 send
- " | tee | nsupdate -y hmac-sha512:acme.sublimity.de:${acme_key}
+ " | tee | nsupdate -y hmac-sha512:${zone}:${acme_key}
 }
-deploy_cert() {<%text>
- local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
-% for service, config in node.metadata.get('letsencrypt/concat_and_deploy', {}).items():
-
- # concat_and_deploy ${service}
- if [ "$DOMAIN" = "${config['match_domain']}" ]; then
- cat $KEYFILE > ${config['target']}
- cat $FULLCHAINFILE >> ${config['target']}
-% if 'chown' in config:
- chown ${config['chown']} ${config['target']}
-% endif
-% if 'chmod' in config:
- chmod ${config['chmod']} ${config['target']}
-% endif
-% if 'commands' in config:
-% for command in config['commands']:
- ${command}
-% endfor
-% endif
- fi
-% endfor
+deploy_cert() {
+ DOMAIN="$1"
+ KEYFILE="$2"
+ CERTFILE="$3"
+ FULLCHAINFILE="$4"
+ CHAINFILE="$5"
+
+ % for domain, conf in sorted(domains.items()):
+ % if conf.get('location', None):
+ if [[ $DOMAIN = ${domain} ]]
+ then
+ cat "$KEYFILE" > "${conf['location']}/privkey.pem"
+ cat "$CERTFILE" > "${conf['location']}/cert.pem"
+ cat "$FULLCHAINFILE" > "${conf['location']}/fullchain.pem"
+ cat "$CHAINFILE" > "${conf['location']}/chain.pem"
+ fi
+ % endif
+ % if conf.get('owner', None):
+ chown ${conf['owner']} "${conf['location']}/privkey.pem" "${conf['location']}/cert.pem" "${conf['location']}/fullchain.pem" "${conf['location']}/chain.pem"
+ % endif
+ % for service in sorted(conf.get('reload', [])):
+ systemctl reload-or-restart ${service}
+ % endfor
+ % endfor
 }
-
-exit_hook() {<%text>
- local ERROR="${1:-}"
-
-% for service in sorted(node.metadata.get('letsencrypt/reload_after', set())):
- systemctl reload-or-restart ${service}
-% endfor
-}
-
-<%text>
 HANDLER="$1"; shift
-if [[ "${HANDLER}" =~ ^(deploy_cert|exit_hook|deploy_challenge|clean_challenge)$ ]]; then
+if [[ $HANDLER =~ 
^(deploy_cert|deploy_challenge|clean_challenge)$ ]]
+then
 "$HANDLER" "$@"
-fi
+fi
diff --git a/bundles/letsencrypt/items.py b/bundles/letsencrypt/items.py
index e114933..e91cb97 100644
--- a/bundles/letsencrypt/items.py
+++ b/bundles/letsencrypt/items.py
@@ -13,6 +13,9 @@ directories = {
 files = {
 '/etc/dehydrated/domains.txt': {
 'content_type': 'mako',
+ 'context': {
+ 'domains': node.metadata.get('letsencrypt/domains'),
+ },
 'triggers': {
 'action:letsencrypt_update_certificates',
 },
@@ -28,6 +31,7 @@ files = {
 'server': ip_interface(acme_node.metadata.get('network/external/ipv4')).ip,
 'zone': acme_node.metadata.get('bind/acme_zone'),
 'acme_key': acme_node.metadata.get('bind/keys/' + acme_node.metadata.get('bind/acme_zone')),
+ 'domains': node.metadata.get('letsencrypt/domains'),
 },
 'mode': '0755',
 },
diff --git a/bundles/letsencrypt/metadata.py b/bundles/letsencrypt/metadata.py
index 57aadd4..143b8ff 100644
--- a/bundles/letsencrypt/metadata.py
+++ b/bundles/letsencrypt/metadata.py
@@ -53,22 +53,19 @@ def renew(metadata):
 )
 def delegated_domains(metadata):
 delegated_domains = {
- domain
+ domain: conf
 for other_node in repo.nodes
 if other_node.has_bundle('letsencrypt')
- and other_node.metadata.get('letsencrypt/delegate_to_node', None) == node.name
- for domain in other_node.metadata.get('letsencrypt/domains').keys()
+ and other_node.metadata.get('letsencrypt/delegate_to_node', None) == node.name
+ for domain, conf in other_node.metadata.get('letsencrypt/domains').items()
 }
 return {
 'letsencrypt': {
- 'domains': {
- domain: set()
- for domain in delegated_domains
- },
+ 'domains': delegated_domains,
 },
 'dns': {
 domain: repo.libs.dns.get_a_records(metadata, internal=False)
- for domain in delegated_domains
+ for domain in delegated_domains.keys()
 },
 }
diff --git a/bundles/mailserver/metadata.py b/bundles/mailserver/metadata.py
index c853a53..fc885f6 100644
--- a/bundles/mailserver/metadata.py
+++ b/bundles/mailserver/metadata.py
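Review bot: In deploy_cert the `chown` and the `systemctl reload-or-restart` lines are rendered outside the `if [[ $DOMAIN = ${domain} ]]` block, so every certificate deployment chowns the files of every configured location and reloads the services of every domain; with the node file in this commit a renewal of test6.ckn.li would restart dovecot and postfix, and the mailserver renewal would chown files under /root/temp that may not exist yet. The rendered `chown` also dereferences `conf['location']` unconditionally, which fails at template time for a domain that sets `owner` without `location`. The private key is written by plain redirection under the inherited umask and the old `chmod` option is gone, so privkey.pem can end up world-readable on first creation. The rewrite below keeps the domain check around everything, restricts the key to mode 0600 and reloads only the matching domain's services; the function is complete within the hunk.
```shell
deploy_cert() {
    DOMAIN="$1"
    KEYFILE="$2"
    CERTFILE="$3"
    FULLCHAINFILE="$4"
    CHAINFILE="$5"

    % for domain, conf in sorted(domains.items()):
    if [[ $DOMAIN = ${domain} ]]
    then
        % if conf.get('location', None):
        # subshell umask keeps a freshly created key private; chmod covers an existing one
        (umask 077; cat "$KEYFILE" > "${conf['location']}/privkey.pem")
        chmod 0600 "${conf['location']}/privkey.pem"
        # … unchanged: cert.pem, fullchain.pem, chain.pem …
        % if conf.get('owner', None):
        chown ${conf['owner']} "${conf['location']}/privkey.pem" "${conf['location']}/cert.pem" "${conf['location']}/fullchain.pem" "${conf['location']}/chain.pem"
        % endif
        % endif
        % for service in sorted(conf.get('reload', [])):
        systemctl reload-or-restart ${service}
        % endfor
    fi
    % endfor
}
```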
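Review bot: The new `'domains': node.metadata.get('letsencrypt/domains')` context entry has no default, while the template line it replaces read the same path with `{}` as fallback; if bundlewrap's `metadata.get` raises on a missing path when no default is given, a node that has the letsencrypt bundle but declares no domains yet fails to render domains.txt instead of producing an empty file. Pass the fallback through, `'domains': node.metadata.get('letsencrypt/domains', {}),`, here and in the hook.sh context a few lines further down. The `files` dict begins above the hunk.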
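Review bot: hook.sh is rendered with `'mode': '0755'` while its context carries `acme_key`, the TSIG secret that the template interpolates into the nsupdate command line, so the rendered script is a world-readable file holding a credential that authorises updates to the ACME zone from any local account. The hook is presumably run by dehydrated as root, so nothing else needs to read it; `'mode': '0700',` closes the hole, and if other users must execute it the secret belongs in a separate 0600 file that the hook reads at run time rather than in the script body. The acme_key line predates this commit, but this hunk is where the new context is wired up. The enclosing `files` entry begins above the hunk.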
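Review bot: delegated_domains now copies each delegating node's whole `conf` into this node's `letsencrypt/domains`, but `location`, `owner` and `reload` describe paths, users and services on the node that delegated, not on the node that obtains the certificate; rendered into this node's hook.sh they would chown files and reload units here. Only the aliases are meaningful for the delegate, so narrow the copy: `domain: {'aliases': conf.get('aliases', set())}`. The move from a set to a dict comprehension also lets two delegating nodes silently overwrite each other's entry for the same domain, where the set merely deduplicated, which may deserve an explicit check. The decorator that declares the provided paths begins above the hunk.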
@@ -60,7 +60,9 @@ def letsencrypt(metadata):
 return {
 'letsencrypt': {
 'domains': {
- metadata.get('mailserver/hostname'): set(),
+ metadata.get('mailserver/hostname'): {
+ 'reload': {'dovecot', 'postfix'},
+ },
 },
 },
 }
diff --git a/bundles/mosquitto/metadata.py b/bundles/mosquitto/metadata.py
index 98b80a2..4ae4c547 100644
--- a/bundles/mosquitto/metadata.py
+++ b/bundles/mosquitto/metadata.py
@@ -84,7 +84,7 @@ def letsencrypt(metadata):
 return {
 'letsencrypt': {
 'domains': {
- metadata.get('mosquitto/hostname'): set(),
+ metadata.get('mosquitto/hostname'): {},
 },
 },
 }
diff --git a/bundles/nginx/metadata.py b/bundles/nginx/metadata.py
index ad25a3c..8c213b9 100644
--- a/bundles/nginx/metadata.py
+++ b/bundles/nginx/metadata.py
@@ -104,10 +104,10 @@ def letsencrypt(metadata):
 return {
 'letsencrypt': {
 'domains': {
- domain: set() for domain in metadata.get('nginx/vhosts').keys()
- },
- 'reload_after': {
- 'nginx',
+ domain: {
+ 'reload': {'nginx'},
+ }
+ for domain in metadata.get('nginx/vhosts').keys()
 },
 },
 }
diff --git a/nodes/htz.mails.py b/nodes/htz.mails.py
index 11ab13a..63f37ea 100644
--- a/nodes/htz.mails.py
+++ b/nodes/htz.mails.py
@@ -63,9 +63,15 @@
 },
 'letsencrypt': {
 'domains': {
- 'ckn.li': set(),
- 'sublimity.de': set(),
- 'freibrief.net': set(),
+ 'ckn.li': {},
+ 'test6.ckn.li': {
+ 'aliases': {'www.test6.ckn.li'},
+ 'location': '/root/temp',
+ 'owner': 'telegraf',
+ 'reload': {'telegraf'},
+ },
+ 'sublimity.de': {},
+ 'freibrief.net': {},
 },
 },
 'mailserver': {
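Review bot: The new `test6.ckn.li` entry writes the certificate and private key to `'location': '/root/temp'` and hands them to `'owner': 'telegraf'`; if /root has the usual 0700 mode the telegraf user cannot traverse into that directory, so the chown achieves nothing except leaving a private key in root's home under a service account's ownership. The name and path read like a scratch test of the new location/owner/reload options; either drop the entry before merging or point it at a directory the service user can actually reach, e.g. a dedicated `'location': '/etc/telegraf/tls'` owned by telegraf. The surrounding node dict begins and ends outside the hunk.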