MythicSalt/states/certificates/init.sls

dehydrated:
  pkg.installed:
  - pkgs:
    - dehydrated
    - dnsutils
    - rsync

dehydrated_domains:
  file.managed:
    - name: /etc/dehydrated/domains.txt
    - source: salt://certificates/dehydrated/domains.txt
    - mode: '0644'

dehydrated_dnsapi:
  file.managed:
    - name: /etc/dehydrated/dnsapi.config.txt
    - source: salt://certificates/dehydrated/dnsapi.config.txt
    - mode: '0600'
    - template: jinja

dehydrated_mythic_dns01:
  file.recurse:
    - name: /etc/dehydrated/dehydrated-mythic-dns01
    - source: salt://certificates/dehydrated/dehydrated-mythic-dns01
    - dir_mode: '0755'
    - file_mode: '0755'
    - include_pat:
      - "*.sh"
      - "*-challenge/*"
      - "common/*"

dehydrated_cert_group:
  group.present:
    - name: ssl-cert
    - system: true

dehydrated_confs:
  file.recurse:
    - name: /etc/dehydrated/conf.d
    - source: salt://certificates/dehydrated/conf.d
    - dir_mode: '0755'
    - file_mode: '0644'

dehydrated_hooks:
  file.recurse:
    - name: /etc/dehydrated/hooks
    - source: salt://certificates/dehydrated/hooks
    - dir_mode: '0755'
    - file_mode: '0755'

dehydrated_cron:
  file.managed:
    - name: /etc/cron.daily/dehydrated
    - source: salt://certificates/dehydrated/cron.daily
    - mode: '0755'

dehydrated_logrotate:
  file.managed:
    - name: /etc/logrotate.d/dehydrated
    - source: salt://certificates/dehydrated/logrotate
    - mode: '0644'

server_key:
  ssh_auth.present:
    - user: root
    - source: salt://certificates/certificates_id_ed25519.pub

server_client_certificate_location:
  file.directory:
    - name: /var/local/certificates
    - dir_mode: 0750
    - file_mode: 0640
Add certificate management via Mythic Beasts DNSAPI. 2023-02-20 15:50:20 +00:00			`dehydrated:`
			`pkg.installed:`
			`- pkgs:`
			`- dehydrated`
			`- dnsutils`
Add mechanism for copying certificates to other servers. 2023-03-07 15:09:25 +00:00			`- rsync`
Add certificate management via Mythic Beasts DNSAPI. 2023-02-20 15:50:20 +00:00
			`dehydrated_domains:`
			`file.managed:`
			`- name: /etc/dehydrated/domains.txt`
			`- source: salt://certificates/dehydrated/domains.txt`
			`- mode: '0644'`

			`dehydrated_dnsapi:`
			`file.managed:`
			`- name: /etc/dehydrated/dnsapi.config.txt`
			`- source: salt://certificates/dehydrated/dnsapi.config.txt`
			`- mode: '0600'`
			`- template: jinja`

			`dehydrated_mythic_dns01:`
			`file.recurse:`
			`- name: /etc/dehydrated/dehydrated-mythic-dns01`
			`- source: salt://certificates/dehydrated/dehydrated-mythic-dns01`
			`- dir_mode: '0755'`
			`- file_mode: '0755'`
Copy specific files in dehydrated to avoid copying the subrepo .git. 2023-04-06 15:05:57 +01:00			`- include_pat:`
			`- "*.sh"`
Fix dehydrated-mythic-dns01 install. 2024-05-11 09:27:31 +01:00			`- "-challenge/"`
			`- "common/*"`
Add certificate management via Mythic Beasts DNSAPI. 2023-02-20 15:50:20 +00:00
Set certificate ownership and add www-data to ssl-cert group. ssl-cert has permissions to read certificates. No other regular user does. 2023-05-12 15:26:34 +01:00			`dehydrated_cert_group:`
			`group.present:`
			`- name: ssl-cert`
			`- system: true`

Deploy dephydrated certs into /var/local/certificates. This way we can ensure we get the ownership and permissions right. Also explicitly restart exim on mail cert updates. 2023-07-10 17:54:59 +01:00			`dehydrated_confs:`
Add certificate management via Mythic Beasts DNSAPI. 2023-02-20 15:50:20 +00:00			`file.recurse:`
			`- name: /etc/dehydrated/conf.d`
			`- source: salt://certificates/dehydrated/conf.d`
			`- dir_mode: '0755'`
			`- file_mode: '0644'`

Deploy dephydrated certs into /var/local/certificates. This way we can ensure we get the ownership and permissions right. Also explicitly restart exim on mail cert updates. 2023-07-10 17:54:59 +01:00			`dehydrated_hooks:`
			`file.recurse:`
			`- name: /etc/dehydrated/hooks`
			`- source: salt://certificates/dehydrated/hooks`
			`- dir_mode: '0755'`
			`- file_mode: '0755'`

Add certificate management via Mythic Beasts DNSAPI. 2023-02-20 15:50:20 +00:00			`dehydrated_cron:`
			`file.managed:`
			`- name: /etc/cron.daily/dehydrated`
			`- source: salt://certificates/dehydrated/cron.daily`
			`- mode: '0755'`

			`dehydrated_logrotate:`
			`file.managed:`
			`- name: /etc/logrotate.d/dehydrated`
			`- source: salt://certificates/dehydrated/logrotate`
			`- mode: '0644'`

Add mechanism for copying certificates to other servers. 2023-03-07 15:09:25 +00:00			`server_key:`
			`ssh_auth.present:`
			`- user: root`
			`- source: salt://certificates/certificates_id_ed25519.pub`
Change webmail cert path to client path and add symlink on server. So webmail can be moved between servers if necessary. 2023-03-09 16:58:46 +00:00
			`server_client_certificate_location:`
Deploy dephydrated certs into /var/local/certificates. This way we can ensure we get the ownership and permissions right. Also explicitly restart exim on mail cert updates. 2023-07-10 17:54:59 +01:00			`file.directory:`
Change webmail cert path to client path and add symlink on server. So webmail can be moved between servers if necessary. 2023-03-09 16:58:46 +00:00			`- name: /var/local/certificates`
Deploy dephydrated certs into /var/local/certificates. This way we can ensure we get the ownership and permissions right. Also explicitly restart exim on mail cert updates. 2023-07-10 17:54:59 +01:00			`- dir_mode: 0750`
			`- file_mode: 0640`