acme_node

bundles/bind-acme/metadata.py

@@ -8,7 +8,7 @@ def acme_records(metadata):
     return {
         'dns': {
             f'_acme-challenge.{domain}': {
-                'CNAME': {f"{domain}.{metadata.get('bind/acme_hostname')}."},
+                'CNAME': {f"{domain}.{metadata.get('bind/acme_zone')}."},
             }
                 for other_node in repo.nodes
                 for domain in other_node.metadata.get('letsencrypt/domains', {}).keys()
@@ -26,7 +26,7 @@ def acme_zone(metadata):
     return {
         'bind': {
             'zones': {
-                metadata.get('bind/acme_hostname'): {
+                metadata.get('bind/acme_zone'): {
                     'dynamic': True,
                     'records': set(),
                     'views': ['external'],

bundles/letsencrypt/files/hook.sh

@@ -9,8 +9,8 @@ deploy_challenge() {
   CHALLENGE=$3
   KEY=hmac-sha512:acme.sublimity.de:${acme_key}
   cmd="
-    server 162.55.188.157
-    zone acme.sublimity.de.
+    server $SERVER
+    zone $ACME_ZONE.
     update add $DOMAIN.$ACME_ZONE. 60 IN TXT \"$CHALLENGE\"
     send
   "
@@ -31,8 +31,8 @@ clean_challenge() {
   CHALLENGE=$3
   KEY=hmac-sha512:acme.sublimity.de:${acme_key}
   cmd="
-    server 162.55.188.157
-    zone acme.sublimity.de.
+    server $SERVER
+    zone $ACME_ZONE.
     update delete $DOMAIN.$ACME_ZONE. TXT
     send
   "

bundles/letsencrypt/items.py

@@ -1,6 +1,9 @@
 assert node.has_bundle('nginx')
 
+from ipaddress import ip_interface
+
 delegated = 'delegate_to_node' in node.metadata.get('letsencrypt')
+acme_node = repo.get_node(node.metadata.get('letsencrypt/acme_node'))
 
 directories = {
     '/etc/dehydrated/conf.d': {},
@@ -22,9 +25,9 @@ files = {
     '/etc/dehydrated/hook.sh': {
         'content_type': 'mako',
         'context': {
-            'server': node.metadata.get('network/external/ipv4').split('/')[0],
-            'zone': node.metadata.get('bind/acme_hostname'),
-            'acme_key': node.metadata.get('bind/keys/acme.sublimity.de'),
+            'server': ip_interface(acme_node.metadata.get('network/external/ipv4')).ip,
+            'zone': acme_node.metadata.get('bind/acme_zone'),
+            'acme_key': acme_node.metadata.get('bind/keys/' + acme_node.metadata.get('bind/acme_zone')),
         },
         'mode': '0755',
     },

groups/all.py

@@ -17,5 +17,8 @@
                 },
             },
         },
+        'letsencrypt': {
+            'acme_node': 'htz.mails',
+        },
     }
 }

nodes/htz.mails.py

@@ -32,7 +32,7 @@
         },
         'bind': {
             'hostname': 'resolver.name',
-            'acme_hostname': 'acme.sublimity.de',
+            'acme_zone': 'acme.sublimity.de',
             'zones': {
                 'sublimity.de': {},
                 'freibrief.net': {},
@@ -64,11 +64,6 @@
         'letsencrypt': {
             'domains': {
                 'ckn.li': set(),
-                'test1.ckn.li': set(),
-                'test2.ckn.li': set(),
-                'test3.ckn.li': set(),
-                'test4.ckn.li': set(),
-                'test5.ckn.li': set(),
                 'sublimity.de': set(),
                 'freibrief.net': set(),
             },