cronekorkn/bundlewrap
1
0
Fork 0
Code Issues Pull requests 8 Projects Releases Wiki Activity

aliases

Browse source
This commit is contained in:
mwiegand 2021-11-06 16:11:48 +01:00
parent 4f633eab8e
commit 684c2b46e1
9 changed files with 66 additions and 63 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
bundles/bind-acme/metadata.py
View file

@ -2,16 +2,19 @@
'dns', 'dns',
) )
def acme_records(metadata): def acme_records(metadata):
if metadata.get('bind/type') == 'slave': domains = set()
return {}
for other_node in repo.nodes:
for domain, conf in other_node.metadata.get('letsencrypt/domains', {}).items():
domains.add(domain)
domains.update(conf.get('aliases', []))
return { return {
'dns': { 'dns': {
f'_acme-challenge.{domain}': { f'_acme-challenge.{domain}': {
'CNAME': {f"{domain}.{metadata.get('bind/acme_zone')}."}, 'CNAME': {f"{domain}.{metadata.get('bind/acme_zone')}."},
} }
for other_node in repo.nodes for domain in domains
for domain in other_node.metadata.get('letsencrypt/domains', {}).keys()
} }
} }
@ -20,16 +23,13 @@ def acme_records(metadata):
'bind/zones', 'bind/zones',
) )
def acme_zone(metadata): def acme_zone(metadata):
if metadata.get('bind/type') == 'slave':
return {}
return { return {
'bind': { 'bind': {
'zones': { 'zones': {
metadata.get('bind/acme_zone'): { metadata.get('bind/acme_zone'): {
'dynamic': True, 'dynamic': True,
'records': set(),
'views': ['external'], 'views': ['external'],
'records': set(),
}, },
}, },
}, },

4
bundles/letsencrypt/files/domains.txt
View file

@ -1,3 +1,3 @@
% for domain, aliases in sorted(node.metadata.get('letsencrypt/domains', {}).items()): % for domain, conf in sorted(domains.items()):
${domain} ${' '.join(sorted(aliases))} ${domain} ${' '.join(sorted(conf.get('aliases', [])))}
% endfor % endfor

64
bundles/letsencrypt/files/hook.sh
View file

@ -8,7 +8,7 @@ deploy_challenge() {
zone ${zone}. zone ${zone}.
update add $1.${zone}. 60 IN TXT \"$3\" update add $1.${zone}. 60 IN TXT \"$3\"
send send
" | tee | nsupdate -y hmac-sha512:acme.sublimity.de:${acme_key} " | tee | nsupdate -y hmac-sha512:${zone}:${acme_key}
sleep 10 sleep 10
} }
@ -19,43 +19,37 @@ clean_challenge() {
zone ${zone}. zone ${zone}.
update delete $1.${zone}. TXT update delete $1.${zone}. TXT
send send
" | tee | nsupdate -y hmac-sha512:acme.sublimity.de:${acme_key} " | tee | nsupdate -y hmac-sha512:${zone}:${acme_key}
} }
deploy_cert() {<%text> deploy_cert() {
local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"</%text> DOMAIN="$1"
% for service, config in node.metadata.get('letsencrypt/concat_and_deploy', {}).items(): KEYFILE="$2"
CERTFILE="$3"
# concat_and_deploy ${service} FULLCHAINFILE="$4"
if [ "$DOMAIN" = "${config['match_domain']}" ]; then CHAINFILE="$5"
cat $KEYFILE > ${config['target']}
cat $FULLCHAINFILE >> ${config['target']} % for domain, conf in sorted(domains.items()):
% if 'chown' in config: % if conf.get('location', None):
chown ${config['chown']} ${config['target']} if [[ $DOMAIN = ${domain} ]]
% endif then
% if 'chmod' in config: cat "$KEYFILE" > "${conf['location']}/privkey.pem"
chmod ${config['chmod']} ${config['target']} cat "$CERTFILE" > "${conf['location']}/cert.pem"
% endif cat "$FULLCHAINFILE" > "${conf['location']}/fullchain.pem"
% if 'commands' in config: cat "$CHAINFILE" > "${conf['location']}/chain.pem"
% for command in config['commands']: fi
${command} % endif
% endfor % if conf.get('owner', None):
% endif chown ${conf['owner']} "${conf['location']}/privkey.pem" "${conf['location']}/cert.pem" "${conf['location']}/fullchain.pem" "${conf['location']}/chain.pem"
fi % endif
% endfor % for service in sorted(conf.get('reload', [])):
systemctl reload-or-restart ${service}
% endfor
% endfor
} }
exit_hook() {<%text>
local ERROR="${1:-}"</%text>
% for service in sorted(node.metadata.get('letsencrypt/reload_after', set())):
systemctl reload-or-restart ${service}
% endfor
}
<%text>
HANDLER="$1"; shift HANDLER="$1"; shift
if [[ "${HANDLER}" =~ ^(deploy_cert|exit_hook|deploy_challenge|clean_challenge)$ ]]; then if [[ $HANDLER =~ ^(deploy_cert|deploy_challenge|clean_challenge)$ ]]
then
"$HANDLER" "$@" "$HANDLER" "$@"
fi</%text> fi

4
bundles/letsencrypt/items.py
View file

@ -13,6 +13,9 @@ directories = {
files = { files = {
'/etc/dehydrated/domains.txt': { '/etc/dehydrated/domains.txt': {
'content_type': 'mako', 'content_type': 'mako',
'context': {
'domains': node.metadata.get('letsencrypt/domains'),
},
'triggers': { 'triggers': {
'action:letsencrypt_update_certificates', 'action:letsencrypt_update_certificates',
}, },
@ -28,6 +31,7 @@ files = {
'server': ip_interface(acme_node.metadata.get('network/external/ipv4')).ip, 'server': ip_interface(acme_node.metadata.get('network/external/ipv4')).ip,
'zone': acme_node.metadata.get('bind/acme_zone'), 'zone': acme_node.metadata.get('bind/acme_zone'),
'acme_key': acme_node.metadata.get('bind/keys/' + acme_node.metadata.get('bind/acme_zone')), 'acme_key': acme_node.metadata.get('bind/keys/' + acme_node.metadata.get('bind/acme_zone')),
'domains': node.metadata.get('letsencrypt/domains'),
}, },
'mode': '0755', 'mode': '0755',
}, },

13
bundles/letsencrypt/metadata.py
View file

@ -53,22 +53,19 @@ def renew(metadata):
) )
def delegated_domains(metadata): def delegated_domains(metadata):
delegated_domains = { delegated_domains = {
domain domain: conf
for other_node in repo.nodes for other_node in repo.nodes
if other_node.has_bundle('letsencrypt') if other_node.has_bundle('letsencrypt')
and other_node.metadata.get('letsencrypt/delegate_to_node', None) == node.name and other_node.metadata.get('letsencrypt/delegate_to_node', None) == node.name
for domain in other_node.metadata.get('letsencrypt/domains').keys() for domain, conf in other_node.metadata.get('letsencrypt/domains').items()
} }
return { return {
'letsencrypt': { 'letsencrypt': {
'domains': { 'domains': delegated_domains,
domain: set()
for domain in delegated_domains
},
}, },
'dns': { 'dns': {
domain: repo.libs.dns.get_a_records(metadata, internal=False) domain: repo.libs.dns.get_a_records(metadata, internal=False)
for domain in delegated_domains for domain in delegated_domains.keys()
}, },
} }

4
bundles/mailserver/metadata.py
View file

@ -60,7 +60,9 @@ def letsencrypt(metadata):
return { return {
'letsencrypt': { 'letsencrypt': {
'domains': { 'domains': {
metadata.get('mailserver/hostname'): set(), metadata.get('mailserver/hostname'): {
'reload': {'dovecot', 'postfix'},
},
}, },
}, },
} }

2
bundles/mosquitto/metadata.py
View file

@ -84,7 +84,7 @@ def letsencrypt(metadata):
return { return {
'letsencrypt': { 'letsencrypt': {
'domains': { 'domains': {
metadata.get('mosquitto/hostname'): set(), metadata.get('mosquitto/hostname'): {},
}, },
}, },
} }

8
bundles/nginx/metadata.py
View file

@ -104,10 +104,10 @@ def letsencrypt(metadata):
return { return {
'letsencrypt': { 'letsencrypt': {
'domains': { 'domains': {
domain: set() for domain in metadata.get('nginx/vhosts').keys() domain: {
}, 'reload': {'nginx'},
'reload_after': { }
'nginx', for domain in metadata.get('nginx/vhosts').keys()
}, },
}, },
} }

12
nodes/htz.mails.py
View file

@ -63,9 +63,15 @@
}, },
'letsencrypt': { 'letsencrypt': {
'domains': { 'domains': {
'ckn.li': set(), 'ckn.li': {},
'sublimity.de': set(), 'test6.ckn.li': {
'freibrief.net': set(), 'aliases': {'www.test6.ckn.li'},
'location': '/root/temp',
'owner': 'telegraf',
'reload': {'telegraf'},
},
'sublimity.de': {},
'freibrief.net': {},
}, },
}, },
'mailserver': { 'mailserver': {