authorJesse Luehrs <doy@tozt.net>2020-07-11 00:02:40 -0400
committerJesse Luehrs <doy@tozt.net>2020-07-11 00:05:20 -0400
commit4e9fb2d323dffc288a27d9cc918fc78de930ba5b (patch)
tree35d3227a210143ecaefda42cbf5796ed74397369 /modules/certbot
parentdc5da84a004d6d5b2e045f0ca422747f514240ce (diff)
improve certbot provisioning script
Diffstat (limited to 'modules/certbot')
-rwxr-xr-xmodules/certbot/files/bootstrap-certbot97
-rw-r--r--modules/certbot/manifests/init.pp21
-rwxr-xr-xmodules/certbot/templates/certbot-tozt76
3 files changed, 93 insertions, 101 deletions
diff --git a/modules/certbot/files/bootstrap-certbot b/modules/certbot/files/bootstrap-certbot
deleted file mode 100755
index f0b43f4..0000000
--- a/modules/certbot/files/bootstrap-certbot
+++ /dev/null
@@ -1,97 +0,0 @@
-#!/usr/bin/env bash
-set -eu
-set -o pipefail
-
-config_dir="$1"
-if systemctl is-active -q nginx; then
- is_running=1
-else
- is_running=
-fi
-
-cleanup() {
- if [ -z "$is_running" ]; then
- systemctl stop nginx
- fi
-
- if [ -e /etc/nginx/nginx.conf.backup ]; then
- mv /etc/nginx/nginx.conf.backup /etc/nginx.conf
- fi
-}
-trap cleanup EXIT
-
-mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup
-cat > /etc/nginx/nginx.conf <<EOF
-worker_processes 1;
-events {
- worker_connections 1024;
-}
-http {
- server {
- listen 80 default;
- server_name tozt.net;
- location / {
- root /tmp;
- }
- }
- server {
- listen 80;
- server_name blog.tozt.net;
- location / {
- root /tmp;
- }
- }
- server {
- listen 80;
- server_name paste.tozt.net;
- location / {
- root /tmp;
- }
- }
- server {
- listen 80;
- server_name git.tozt.net;
- location / {
- root /tmp;
- }
- }
- server {
- listen 80;
- server_name rss.tozt.net;
- location / {
- root /tmp;
- }
- }
- server {
- listen 80;
- server_name munin.tozt.net;
- location / {
- root /tmp;
- }
- }
- server {
- listen 80;
- server_name metabase.tozt.net;
- location / {
- root /tmp;
- }
- }
- server {
- listen 80;
- server_name rc-teleterm.tozt.net;
- location / {
- root /tmp;
- }
- }
-}
-EOF
-
-if [ -z "$is_running" ]; then
- systemctl start nginx
-fi
-
-if [ -z "$config_dir" ]; then
- /usr/bin/certbot -n --agree-tos -m doy@tozt.net --nginx -d tozt.net -d blog.tozt.net -d paste.tozt.net -d git.tozt.net -d rss.tozt.net -d munin.tozt.net -d metabase.tozt.net -d rc-teleterm.tozt.net -d bitwarden.tozt.net -d gitea.tozt.net -d influxdb.tozt.net -d chronograf.tozt.net
-else
- /usr/bin/certbot -n --agree-tos -m doy@tozt.net --nginx -d tozt.net -d blog.tozt.net -d paste.tozt.net -d git.tozt.net -d rss.tozt.net -d munin.tozt.net -d metabase.tozt.net -d rc-teleterm.tozt.net -d bitwarden.tozt.net -d gitea.tozt.net -d influxdb.tozt.net -d chronograf.tozt.net --config-dir "$config_dir"
-fi
diff --git a/modules/certbot/manifests/init.pp b/modules/certbot/manifests/init.pp
index 917e8a6..8f3b4cb 100644
--- a/modules/certbot/manifests/init.pp
+++ b/modules/certbot/manifests/init.pp
@@ -9,6 +9,19 @@ class certbot($config_dir=undef) {
include cron
include nginx
+ $primary_domain = "tozt.net"
+ $secondary_domains = [
+ "blog.tozt.net",
+ "paste.tozt.net",
+ "git.tozt.net",
+ "rss.tozt.net",
+ "metabase.tozt.net",
+ "rc-teleterm.tozt.net",
+ "bitwarden.tozt.net",
+ "influxdb.tozt.net",
+ "chronograf.tozt.net",
+ ]
+
package {
[
'certbot',
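Review bot: The new `$secondary_domains` list omits `munin.tozt.net` and `gitea.tozt.net`, both of which the deleted bootstrap script still passed to certbot as `-d` arguments, and the commit message does not say the drop is deliberate. If it is, a one-line comment above the array such as `# munin and gitea retired; no longer in the SAN list` would save the next reader from reconstructing this from history; if not, the two names need to come back. Because the exec later in this file is guarded by `creates => "${_config_dir}/live"`, the script appears to run only on first provisioning, so an already-issued certificate is presumably not re-issued with the smaller domain set by this change alone — but a manual re-run with `--cert-name tozt.net` would, as far as I can tell from certbot's behaviour, replace the existing certificate's domains with this list.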
@@ -41,21 +54,21 @@ class certbot($config_dir=undef) {
require => File["${_config_dir}/renewal-hooks/deploy"];
"${_config_dir}/renewal-hooks/deploy/reload-cert":
ensure => absent;
- "/usr/local/bin/bootstrap-certbot":
- source => 'puppet:///modules/certbot/bootstrap-certbot',
+ "/usr/local/bin/certbot-tozt":
+ content => template('certbot/certbot-tozt'),
mode => '0755';
}
exec { "initial certbot run":
provider => shell,
- command => "/usr/local/bin/bootstrap-certbot ${config_dir}",
+ command => "/usr/local/bin/certbot-tozt ${config_dir}",
creates => "${_config_dir}/live",
require => [
Package["certbot"],
# not Class["nginx"], because of circular dependencies with nginx::site
Package["nginx"],
Package["certbot-nginx"],
- File['/usr/local/bin/bootstrap-certbot'],
+ File['/usr/local/bin/certbot-tozt'],
],
}
}
diff --git a/modules/certbot/templates/certbot-tozt b/modules/certbot/templates/certbot-tozt
new file mode 100755
index 0000000..bdf1201
--- /dev/null
+++ b/modules/certbot/templates/certbot-tozt
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+set -eu
+set -o pipefail
+
+config_dir="${1:-}"
+if systemctl is-active -q nginx; then
+ is_running=1
+else
+ is_running=
+fi
+
+cleanup() {
+ if [ -z "$is_running" ]; then
+ systemctl stop nginx
+ fi
+
+ if [ -e /etc/nginx/nginx.conf.backup ]; then
+ mv /etc/nginx/nginx.conf.backup /etc/nginx.conf
+ fi
+}
+trap cleanup EXIT
+
+mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup
+cat > /etc/nginx/nginx.conf <<EOF
+worker_processes 1;
+events {
+ worker_connections 1024;
+}
+http {
+ server {
+ listen 80 default;
+ server_name <%= @primary_domain %>;
+ location / {
+ root /tmp;
+ }
+ }
+<%- @secondary_domains.each do |domain| -%>
+ server {
+ listen 80;
+ server_name <%= domain %>;
+ location / {
+ root /tmp;
+ }
+ }
+<%- end -%>
+}
+EOF
+
+if [ -z "$is_running" ]; then
+ systemctl start nginx
+fi
+
+if [ -z "$config_dir" ]; then
+ /usr/bin/certbot run \
+ -n \
+ --agree-tos \
+ -m doy@tozt.net \
+ --cert-name <%= @primary_domain %> \
+ -d <%= @primary_domain %> \
+<%- @secondary_domains.each do |domain| -%>
+ -d <%= domain %> \
+<%- end -%>
+ --nginx
+else
+ /usr/bin/certbot run \
+ -n \
+ --agree-tos \
+ -m doy@tozt.net \
+ --config-dir "$config_dir" \
+ --cert-name <%= @primary_domain %> \
+ -d <%= @primary_domain %> \
+<%- @secondary_domains.each do |domain| -%>
+ -d <%= domain %> \
+<%- end -%>
+ --nginx
+fi
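Review bot: The temporary vhosts in the heredoc serve `root /tmp;` on port 80 for every configured hostname, which means that for the duration of the certbot run anyone who can reach the host can fetch any world-readable file under `/tmp` by path; a fresh `mktemp -d` directory removed in `cleanup` would give the same "something to answer with" effect without exposing whatever happens to be in `/tmp`. Separately, the restore in `cleanup` moves the backup to `/etc/nginx.conf` rather than `/etc/nginx/nginx.conf`, so the real config is never put back and the throwaway config (as edited by `certbot --nginx`) stays active until something else rewrites it — presumably the puppet nginx class does, but the script should restore the right path on its own. Both fixes fit in the existing structure; the heredoc terminator is unquoted, so `$webroot` expands inside it.
```shell
webroot="$(mktemp -d)"

cleanup() {
  if [ -z "$is_running" ]; then
    systemctl stop nginx
  fi

  if [ -e /etc/nginx/nginx.conf.backup ]; then
    mv /etc/nginx/nginx.conf.backup /etc/nginx/nginx.conf
  fi

  rm -rf "$webroot"
}
# … unchanged: trap, nginx.conf backup, heredoc header …
      root $webroot;
# … unchanged: remaining server blocks use the same root; nginx start and certbot invocation …
```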