Deploy dehydrated certs into /var/local/certificates.
This way we can ensure we get the ownership and permissions right. Also explicitly restart exim on mail cert updates.
This commit is contained in:
parent
17550da505
commit
3a790075ff
@ -1,3 +1,3 @@
HOOK=/etc/dehydrated/dehydrated-mythic-dns01/dehydrated-mythic-dns01.sh
HOOK=/etc/dehydrated/hooks/hookchain.sh
CHALLENGETYPE=dns-01
HOOK_CHAIN=yes
@ -0,0 +1,26 @@
#!/usr/bin/env bash
#
# Copy dehydrated generated certs into /var/local/certificates and
# set required ownership. Also restart local services as appropriate.
action=$1
shift
deploy_cert() {
cp -R /var/lib/dehydrated/certs/* /var/local/certificates/
chown -R root:ssl-cert /var/local/certificates/
DOMAIN="$1"
case $DOMAIN in
"mail.lunch.org.uk")
systemctl restart exim4
;;
esac
}
case $action in
deploy_cert)
deploy_cert "$@"
;;
esac
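Review bot: `deploy_cert` fixes ownership of the copied files but never their mode, so what the `ssl-cert` group (and anyone else) can read under /var/local/certificates depends on the source file modes and root's umask when `cp -R` runs; the `dir_mode`/`file_mode` in the Salt state only take effect when Salt runs, not on each renewal. Add an explicit mode right after the `chown`, e.g. `chmod -R u=rwX,g=rX,o= /var/local/certificates/`, so the private keys are never world-readable and the group gets read access only. The script also has no `set -e`, so a failed `cp` still proceeds to the `chown` and to `systemctl restart exim4`, and the exit status dehydrated sees reflects only the last command run rather than the failed copy; `set -euo pipefail` after the shebang covers both. The hook copies the whole certs tree regardless of which `$DOMAIN` was renewed and ignores the key/cert path arguments that follow it — presumably intended, but a one-line comment above the `cp` saying so would help the next reader.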
@ -0,0 +1,8 @@
#!/usr/bin/env bash
#
# Call Mythic's DNS hook.
/etc/dehydrated/dehydrated-mythic-dns01/dehydrated-mythic-dns01.sh "$@"
# Now our deployment script.
/etc/dehydrated/hooks/deploy.sh "$@"
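Review bot: The exit status of the Mythic hook on the `dehydrated-mythic-dns01.sh "$@"` line is discarded, so a failed `deploy_challenge` still falls through to `deploy.sh`, which exits 0 for every action it does not handle, and dehydrated is told the hook succeeded. Propagate the failure with `/etc/dehydrated/dehydrated-mythic-dns01/dehydrated-mythic-dns01.sh "$@" || exit $?`, or put `set -e` after the shebang. Since this chain runs for every hook action, both scripts are invoked for `deploy_challenge`, `clean_challenge` and `deploy_cert` alike; a comment here stating that each hook is expected to ignore actions it does not implement would make that contract explicit.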
@ -34,23 +34,20 @@ dehydrated_cert_group:
- name: ssl-cert
- system: true
dehydrated_permissions:
file.directory:
- name: /var/lib/dehydrated/certs
- group: ssl-cert
- dir_mode: 2750
- file_mode: 0640
- recurse:
- group
- mode
dehydrated_hooks:
dehydrated_confs:
file.recurse:
- name: /etc/dehydrated/conf.d
- source: salt://certificates/dehydrated/conf.d
- dir_mode: '0755'
- file_mode: '0644'
dehydrated_hooks:
file.recurse:
- name: /etc/dehydrated/hooks
- source: salt://certificates/dehydrated/hooks
- dir_mode: '0755'
- file_mode: '0755'
dehydrated_cron:
file.managed:
- name: /etc/cron.daily/dehydrated
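Review bot: If the `dehydrated_permissions` state (`/var/lib/dehydrated/certs`, group `ssl-cert`, `2750`/`0640`) is the block being dropped here — the rendered hunk has lost its `+`/`-` markers, so this is inferred from the 23→20 line counts and the commit message — then nothing in this file manages the mode of the source certificate directory any more, and the hook's `cp -R` reproduces whatever mode dehydrated created the key files with, masked by umask. That is acceptable if services are meant to read only /var/local/certificates, but a short comment above `dehydrated_confs` saying that `/var/lib/dehydrated/certs` is deliberately left to dehydrated's own defaults would stop the next reader from re-adding the state. `dehydrated_hooks` recurses with `file_mode: '0755'`; consider adding `- clean: True` so a hook deleted from `salt://certificates/dehydrated/hooks` is also removed from `/etc/dehydrated/hooks` rather than left behind as an executable that the chain no longer references.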
@ -69,6 +66,7 @@ server_key:
- source: salt://certificates/certificates_id_ed25519.pub
server_client_certificate_location:
file.symlink:
file.directory:
- name: /var/local/certificates
- target: /var/lib/dehydrated/certs
- dir_mode: 0750
- file_mode: 0640
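Review bot: `file_mode: 0640` on `server_client_certificate_location` has no effect as written — Salt's `file.directory` only applies `file_mode` to the directory's contents when `recurse` includes `mode`, which is how the `dehydrated_permissions` state in the previous hunk used it (`- recurse:` / `- group` / `- mode`). The state also sets no `group`, so until the hook's `chown -R` first runs the directory is root-owned `0750` and members of `ssl-cert` cannot enter it; add `- group: ssl-cert` and the three `recurse` lines so Salt and the hook agree on the result. Quote the modes as `'0750'` / `'0640'` to match the `'0755'` / `'0644'` style used by the other states in this file and to avoid YAML treating the unquoted values as octal integers. Which lines here are the removed `file.symlink`/`target` pair and which are the added `file.directory`/`dir_mode`/`file_mode` lines is inferred from the 6→7 line counts, since the rendered page drops the `+`/`-` markers.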