From fd15227637e241ba1d053b123b28d17848795118 Mon Sep 17 00:00:00 2001
From: mwiegand
Date: Sat, 6 Nov 2021 13:30:26 +0100
Subject: [PATCH] acme_node

---
 bundles/bind-acme/metadata.py | 4 ++--
 bundles/letsencrypt/files/hook.sh | 8 ++++----
 bundles/letsencrypt/items.py | 9 ++++++---
 groups/all.py | 3 +++
 nodes/htz.mails.py | 7 +------
 5 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/bundles/bind-acme/metadata.py b/bundles/bind-acme/metadata.py
index 1e78cd2..94967ac 100644
--- a/bundles/bind-acme/metadata.py
+++ b/bundles/bind-acme/metadata.py
@@ -8,7 +8,7 @@ def acme_records(metadata):
 return {
 'dns': {
 f'_acme-challenge.{domain}': {
- 'CNAME': {f"{domain}.{metadata.get('bind/acme_hostname')}."},
+ 'CNAME': {f"{domain}.{metadata.get('bind/acme_zone')}."},
 }
 for other_node in repo.nodes
 for domain in other_node.metadata.get('letsencrypt/domains', {}).keys()
@@ -26,7 +26,7 @@ def acme_zone(metadata):
 return {
 'bind': {
 'zones': {
- metadata.get('bind/acme_hostname'): {
+ metadata.get('bind/acme_zone'): {
 'dynamic': True,
 'records': set(),
 'views': ['external'],
diff --git a/bundles/letsencrypt/files/hook.sh b/bundles/letsencrypt/files/hook.sh
index 6ffbaaa..9b9eeb1 100644
--- a/bundles/letsencrypt/files/hook.sh
+++ b/bundles/letsencrypt/files/hook.sh
@@ -9,8 +9,8 @@ deploy_challenge() {
 CHALLENGE=$3
 KEY=hmac-sha512:acme.sublimity.de:${acme_key}
 cmd="
- server 162.55.188.157
- zone acme.sublimity.de.
+ server $SERVER
+ zone $ACME_ZONE.
 update add $DOMAIN.$ACME_ZONE. 60 IN TXT \"$CHALLENGE\"
 send
 "
@@ -31,8 +31,8 @@ clean_challenge() {
 CHALLENGE=$3
 KEY=hmac-sha512:acme.sublimity.de:${acme_key}
 cmd="
- server 162.55.188.157
- zone acme.sublimity.de.
+ server $SERVER
+ zone $ACME_ZONE.
 update delete $DOMAIN.$ACME_ZONE. TXT
 send
 "
diff --git a/bundles/letsencrypt/items.py b/bundles/letsencrypt/items.py
index dd793c6..e114933 100644
--- a/bundles/letsencrypt/items.py
+++ b/bundles/letsencrypt/items.py
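Review bot: The TSIG key name on the line above the heredoc, `KEY=hmac-sha512:acme.sublimity.de:${acme_key}`, is still hard-coded to the old zone, so the parameterization is only half done: as soon as ACME_ZONE points anywhere other than acme.sublimity.de the secret is presented under the wrong key name and the server refuses the update. Changing it to `KEY=hmac-sha512:$ACME_ZONE:${acme_key}` keeps the key name in step with the zone, which is how the items.py change in this patch already looks the secret up; the identical KEY line in the clean_challenge hunk needs the same edit. `$SERVER` is new here and must be assigned above these hunks, presumably from the mako context, but the top of the file is outside this patch, so that is worth confirming. Both deploy_challenge and clean_challenge begin and end outside the hunks.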
@@ -1,6 +1,9 @@
 assert node.has_bundle('nginx')
 
+from ipaddress import ip_interface
+
 delegated = 'delegate_to_node' in node.metadata.get('letsencrypt')
+acme_node = repo.get_node(node.metadata.get('letsencrypt/acme_node'))
 
 directories = {
 '/etc/dehydrated/conf.d': {},
@@ -22,9 +25,9 @@ files = {
 '/etc/dehydrated/hook.sh': {
 'content_type': 'mako',
 'context': {
- 'server': node.metadata.get('network/external/ipv4').split('/')[0],
- 'zone': node.metadata.get('bind/acme_hostname'),
- 'acme_key': node.metadata.get('bind/keys/acme.sublimity.de'),
+ 'server': ip_interface(acme_node.metadata.get('network/external/ipv4')).ip,
+ 'zone': acme_node.metadata.get('bind/acme_zone'),
+ 'acme_key': acme_node.metadata.get('bind/keys/' + acme_node.metadata.get('bind/acme_zone')),
 },
 'mode': '0755',
 },
diff --git a/groups/all.py b/groups/all.py
index 1b8192e..5169847 100644
--- a/groups/all.py
+++ b/groups/all.py
@@ -17,5 +17,8 @@
 },
 },
 },
+ 'letsencrypt': {
+ 'acme_node': 'htz.mails',
+ },
 }
 }
diff --git a/nodes/htz.mails.py b/nodes/htz.mails.py
index 1adf18d..11ab13a 100644
--- a/nodes/htz.mails.py
+++ b/nodes/htz.mails.py
@@ -32,7 +32,7 @@
 },
 'bind': {
 'hostname': 'resolver.name',
- 'acme_hostname': 'acme.sublimity.de',
+ 'acme_zone': 'acme.sublimity.de',
 'zones': {
 'sublimity.de': {},
 'freibrief.net': {},
@@ -64,11 +64,6 @@
 'letsencrypt': {
 'domains': {
 'ckn.li': set(),
- 'test1.ckn.li': set(),
- 'test2.ckn.li': set(),
- 'test3.ckn.li': set(),
- 'test4.ckn.li': set(),
- 'test5.ckn.li': set(),
 'sublimity.de': set(),
 'freibrief.net': set(),
 },
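Review bot: The new `'acme_key'` entry still renders the TSIG secret for the ACME zone into /etc/dehydrated/hook.sh, and the unchanged `'mode': '0755'` two lines below writes that file world-readable, so any local account on the web node can read a credential that authorizes dynamic updates to the zone on the acme node; `'mode': '0700'` (or `'0750'` with a group limited to whatever runs dehydrated — no owner is set in this hunk, so the default applies) confines it to the account that runs the hook. Separately, `bind/acme_zone` is fetched twice in the new context; binding it once beside the new `acme_node` line in the first hunk, `acme_zone = acme_node.metadata.get('bind/acme_zone')`, and reusing it in the `'zone'` and `'acme_key'` entries reads more clearly. `repo.get_node` fails loudly when `letsencrypt/acme_node` names an unknown node, which is the right behaviour for a value that now comes from group metadata. The `files` dict starts above the second hunk.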