Deploy dehydrated certs into /var/local/certificates.
This way we can ensure we get the ownership and permissions right. Also explicitly restart exim on mail cert updates.
This commit is contained in:
parent
17550da505
commit
3a790075ff
|
@ -1,3 +1,3 @@
|
||||||
HOOK=/etc/dehydrated/dehydrated-mythic-dns01/dehydrated-mythic-dns01.sh
|
HOOK=/etc/dehydrated/hooks/hookchain.sh
|
||||||
CHALLENGETYPE=dns-01
|
CHALLENGETYPE=dns-01
|
||||||
HOOK_CHAIN=yes
|
HOOK_CHAIN=yes
|
||||||
|
|
|
@ -0,0 +1,26 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
#
|
||||||
|
# Copy dehydrated generated certs into /var/local/certificates and
|
||||||
|
# set required ownership. Also restart local services as appropriate.
|
||||||
|
|
||||||
|
action=$1
|
||||||
|
shift
|
||||||
|
|
||||||
|
deploy_cert() {
|
||||||
|
cp -R /var/lib/dehydrated/certs/* /var/local/certificates/
|
||||||
|
chown -R root:ssl-cert /var/local/certificates/
|
||||||
|
|
||||||
|
DOMAIN="$1"
|
||||||
|
case $DOMAIN in
|
||||||
|
"mail.lunch.org.uk")
|
||||||
|
systemctl restart exim4
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
|
||||||
|
case $action in
|
||||||
|
deploy_cert)
|
||||||
|
deploy_cert "$@"
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
|
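Review bot: deploy_cert runs `cp -R` and `chown -R` with no error checking and the script never sets `set -e`, so a failed or partial copy still falls through to `systemctl restart exim4` with whatever happens to be in /var/local/certificates. Adding `set -euo pipefail` after the shebang makes a failed copy abort the hook with a non-zero status instead of restarting the service on stale or missing files. The copy also never sets a mode: `chown -R` fixes the group, but the permissions of newly created files follow the source files and the umask at copy time, so an explicit `chmod -R u=rwX,g=rX,o= /var/local/certificates/` after the chown would pin any private key material copied alongside the certificates to owner/group access only. A header comment stating that this is dehydrated's hook entry point and that `$1` after the `shift` is the domain of the `deploy_cert` call would make the `DOMAIN="$1"` line self-explanatory.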
@ -0,0 +1,8 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
#
|
||||||
|
# Call Mythic's DNS hook.
|
||||||
|
/etc/dehydrated/dehydrated-mythic-dns01/dehydrated-mythic-dns01.sh "$@"
|
||||||
|
|
||||||
|
# Now our deployment script.
|
||||||
|
|
||||||
|
/etc/dehydrated/hooks/deploy.sh "$@"
|
|
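Review bot: The exit status of the Mythic DNS hook on the first command line is discarded; the script exits with whatever `/etc/dehydrated/hooks/deploy.sh` returns, so a failure in the DNS hook is never reported back to dehydrated as long as deploy.sh succeeds. Propagating it, e.g. `/etc/dehydrated/dehydrated-mythic-dns01/dehydrated-mythic-dns01.sh "$@" || exit $?`, or adding `set -e` after the shebang, keeps the chain honest. A one-line comment noting that deploy.sh is deliberately invoked for every hook action and acts only on `deploy_cert` would save the next reader a trip to the other file.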
@ -34,23 +34,20 @@ dehydrated_cert_group:
|
||||||
- name: ssl-cert
|
- name: ssl-cert
|
||||||
- system: true
|
- system: true
|
||||||
|
|
||||||
dehydrated_permissions:
|
dehydrated_confs:
|
||||||
file.directory:
|
|
||||||
- name: /var/lib/dehydrated/certs
|
|
||||||
- group: ssl-cert
|
|
||||||
- dir_mode: 2750
|
|
||||||
- file_mode: 0640
|
|
||||||
- recurse:
|
|
||||||
- group
|
|
||||||
- mode
|
|
||||||
|
|
||||||
dehydrated_hooks:
|
|
||||||
file.recurse:
|
file.recurse:
|
||||||
- name: /etc/dehydrated/conf.d
|
- name: /etc/dehydrated/conf.d
|
||||||
- source: salt://certificates/dehydrated/conf.d
|
- source: salt://certificates/dehydrated/conf.d
|
||||||
- dir_mode: '0755'
|
- dir_mode: '0755'
|
||||||
- file_mode: '0644'
|
- file_mode: '0644'
|
||||||
|
|
||||||
|
dehydrated_hooks:
|
||||||
|
file.recurse:
|
||||||
|
- name: /etc/dehydrated/hooks
|
||||||
|
- source: salt://certificates/dehydrated/hooks
|
||||||
|
- dir_mode: '0755'
|
||||||
|
- file_mode: '0755'
|
||||||
|
|
||||||
dehydrated_cron:
|
dehydrated_cron:
|
||||||
file.managed:
|
file.managed:
|
||||||
- name: /etc/cron.daily/dehydrated
|
- name: /etc/cron.daily/dehydrated
|
||||||
|
@ -69,6 +66,7 @@ server_key:
|
||||||
- source: salt://certificates/certificates_id_ed25519.pub
|
- source: salt://certificates/certificates_id_ed25519.pub
|
||||||
|
|
||||||
server_client_certificate_location:
|
server_client_certificate_location:
|
||||||
file.symlink:
|
file.directory:
|
||||||
- name: /var/local/certificates
|
- name: /var/local/certificates
|
||||||
- target: /var/lib/dehydrated/certs
|
- dir_mode: 0750
|
||||||
|
- file_mode: 0640
|
||||||
|
|
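Review bot: The new `file.directory` state for /var/local/certificates sets `file_mode: 0640` without a `recurse` option, and in Salt's file.directory `file_mode` only takes effect when `mode` is listed under `recurse`, so the files deploy.sh copies in keep whatever mode cp gave them. The state also declares no `user`/`group`, so the `ssl-cert` group ownership the deploy hook relies on is not enforced by Salt at all and drifts if the hook's chown fails. Adding `- user: root`, `- group: ssl-cert` and `- recurse: [user, group, mode]` makes the state enforce what the commit message says it ensures. server_client_certificate_location's surrounding file continues outside the hunk.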