Deploy dephydrated certs into /var/local/certificates.

This way we can ensure we get the ownership and permissions right.
Also explicitly restart exim on mail cert updates.
This commit is contained in:
Jim Hague 2023-07-10 17:54:59 +01:00
parent 17550da505
commit 3a790075ff
4 changed files with 46 additions and 14 deletions

View File

@ -1,3 +1,3 @@
HOOK=/etc/dehydrated/dehydrated-mythic-dns01/dehydrated-mythic-dns01.sh HOOK=/etc/dehydrated/hooks/hookchain.sh
CHALLENGETYPE=dns-01 CHALLENGETYPE=dns-01
HOOK_CHAIN=yes HOOK_CHAIN=yes

View File

@ -0,0 +1,26 @@
#!/usr/bin/env bash
#
# Copy dehydrated generated certs into /var/local/certificates and
# set required ownership. Also restart local services as appropriate.
action=$1
shift
deploy_cert() {
cp -R /var/lib/dehydrated/certs/* /var/local/certificates/
chown -R root:ssl-cert /var/local/certificates/
DOMAIN="$1"
case $DOMAIN in
"mail.lunch.org.uk")
systemctl restart exim4
;;
esac
}
case $action in
deploy_cert)
deploy_cert "$@"
;;
esac

View File

@ -0,0 +1,8 @@
#!/usr/bin/env bash
#
# Call Mythic's DNS hook.
/etc/dehydrated/dehydrated-mythic-dns01/dehydrated-mythic-dns01.sh "$@"
# Now our deployment script.
/etc/dehydrated/hooks/deploy.sh "$@"

View File

@ -34,23 +34,20 @@ dehydrated_cert_group:
- name: ssl-cert - name: ssl-cert
- system: true - system: true
dehydrated_permissions: dehydrated_confs:
file.directory:
- name: /var/lib/dehydrated/certs
- group: ssl-cert
- dir_mode: 2750
- file_mode: 0640
- recurse:
- group
- mode
dehydrated_hooks:
file.recurse: file.recurse:
- name: /etc/dehydrated/conf.d - name: /etc/dehydrated/conf.d
- source: salt://certificates/dehydrated/conf.d - source: salt://certificates/dehydrated/conf.d
- dir_mode: '0755' - dir_mode: '0755'
- file_mode: '0644' - file_mode: '0644'
dehydrated_hooks:
file.recurse:
- name: /etc/dehydrated/hooks
- source: salt://certificates/dehydrated/hooks
- dir_mode: '0755'
- file_mode: '0755'
dehydrated_cron: dehydrated_cron:
file.managed: file.managed:
- name: /etc/cron.daily/dehydrated - name: /etc/cron.daily/dehydrated
@ -69,6 +66,7 @@ server_key:
- source: salt://certificates/certificates_id_ed25519.pub - source: salt://certificates/certificates_id_ed25519.pub
server_client_certificate_location: server_client_certificate_location:
file.symlink: file.directory:
- name: /var/local/certificates - name: /var/local/certificates
- target: /var/lib/dehydrated/certs - dir_mode: 0750
- file_mode: 0640