From e3d4e2e7bf93356fafaff2398cec60d65d6b3873 Mon Sep 17 00:00:00 2001
From: Jesse Luehrs
Date: Sun, 14 Oct 2018 16:26:34 -0400
Subject: try to fix initial certbot provisioning
---
 modules/certbot/files/bootstrap-certbot | 50 +++++++++++++++++++++++++++++++++
 modules/certbot/manifests/init.pp | 10 ++++---
 2 files changed, 56 insertions(+), 4 deletions(-)
 create mode 100755 modules/certbot/files/bootstrap-certbot
(limited to 'modules/certbot')
diff --git a/modules/certbot/files/bootstrap-certbot b/modules/certbot/files/bootstrap-certbot
new file mode 100755
index 0000000..cb496f8
--- /dev/null
+++ b/modules/certbot/files/bootstrap-certbot
@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+set -eu
+set -o pipefail
+
+# XXX update to real domain name
+
+config_dir="$1"
+if systemctl is-active -q nginx; then
+ is_running=1
+else
+ is_running=
+fi
+
+cleanup() {
+ if [ -z "$is_running" ]; then
+ systemctl stop nginx
+ fi
+
+ if [ -e /etc/nginx/nginx.conf.backup ]; then
+ mv /etc/nginx/nginx.conf.backup /etc/nginx.conf
+ fi
+}
+trap cleanup EXIT
+
+mv /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup
+cat > /etc/nginx/nginx.conf < 'puppet:///modules/certbot/reload-cert', require => File["${_config_dir}/renewal-hooks/deploy"];
+ "/usr/local/bin/bootstrap-certbot":
+ source => 'puppet:///modules/certbot/bootstrap-certbot',
+ mode => '0755';
 } exec { "initial certbot run":
- # XXX update to real domain name
- command => "/usr/bin/certbot -n --agree-tos -m doy@tozt.net --nginx -d new.tozt.net${config_dir_opts}",
+ provider => shell,
+ command => "/usr/local/bin/bootstrap-certbot ${config_dir}",
 creates => "${_config_dir}/live", require => [ Package["certbot"], # not Class["nginx"], because of circular dependencies with nginx::site Package["nginx"], Package["certbot-nginx"],
+ File['/usr/local/bin/bootstrap-certbot'],
 ], } }
-- cgit v1.2.3-54-g00ecf
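Review bot: In `cleanup`, the restore step moves the backup to `/etc/nginx.conf` rather than back to `/etc/nginx/nginx.conf`, so once the script exits the temporary bootstrap configuration stays in place and the real one sits at a path nginx does not read. The line should be `mv /etc/nginx/nginx.conf.backup /etc/nginx/nginx.conf`. The visible part of `cleanup` only stops nginx when it was not running beforehand; if it was running, it probably needs a `systemctl reload nginx` after the restore so the original configuration is served again. The script body after the `cat >` line is missing from this page, so that may already be handled there.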
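Review bot: The new `command` passes `${config_dir}` unquoted to a `provider => shell` exec, while `creates` and the `File[...]` reference in the same hunk use the resolved `${_config_dir}`. If `$config_dir` is an optional parameter (its declaration is not visible here, but the removed `${config_dir_opts}` suggests so), the script is called with no argument and aborts at `config_dir="$1"` under `set -u`. Passing the resolved value and quoting it would avoid both problems: `command => "/usr/local/bin/bootstrap-certbot '${_config_dir}'",`. Since the command is now a single absolute path with one argument, `provider => shell` could probably be dropped so that no shell parses the string. The start of this hunk and the rest of the resource are not visible on this page.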