Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
slapos
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Labels
Merge Requests
107
Merge Requests
107
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Analytics
Analytics
CI / CD
Repository
Value Stream
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Jobs
Commits
Open sidebar
nexedi
slapos
Commits
e61b4bd2
Commit
e61b4bd2
authored
Jul 04, 2023
by
Alain Takoudjou
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Add new software release for letsencrypt certificate automation
parent
63078069
Changes
5
Hide whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
437 additions
and
0 deletions
+437
-0
software/autocert/buildout.hash.cfg
software/autocert/buildout.hash.cfg
+26
-0
software/autocert/config.in
software/autocert/config.in
+100
-0
software/autocert/instance-autocert.cfg.jinja2.in
software/autocert/instance-autocert.cfg.jinja2.in
+180
-0
software/autocert/instance.cfg.in
software/autocert/instance.cfg.in
+53
-0
software/autocert/software.cfg
software/autocert/software.cfg
+78
-0
No files found.
software/autocert/buildout.hash.cfg
0 → 100644
View file @
e61b4bd2
# THIS IS NOT A BUILDOUT FILE, despite purposedly using a compatible syntax.
# The only allowed lines here are (regexes):
# - "^#" comments, copied verbatim
# - "^[" section beginings, copied verbatim
# - lines containing an "=" sign which must fit in the following categorie.
# - "^\s*filename\s*=\s*path\s*$" where "path" is relative to this file
# Copied verbatim.
# - "^\s*hashtype\s*=.*" where "hashtype" is one of the values supported
# by the re-generation script.
# Re-generated.
# - other lines are copied verbatim
# Substitution (${...:...}), extension ([buildout] extends = ...) and
# section inheritance (< = ...) are NOT supported (but you should really
# not need these here).
[template-instance]
filename = instance.cfg.in
md5sum = 9e584e5273ecf222da40b0f318fd62fd
[template-autocert]
filename = instance-autocert.cfg.jinja2.in
md5sum = cf6b10e4460b5660a74322daa29d988d
[template-dehydrated-config]
filename = config.in
md5sum = a12b0e12658a48658e366f3ed7c2e48e
software/autocert/config.in
0 → 100644
View file @
e61b4bd2
CA="letsencrypt"
OLDCA="https://acme-v01.api.letsencrypt.org/directory"
CHALLENGETYPE="http-01"
# Path to a directory containing additional config files, allowing to override
# the defaults found in the main configuration file. Additional config files
# in this directory needs to be named with a '.sh' ending.
# default: <unset>
#CONFIG_D=
# Directory for per-domain configuration files.
# If not set, per-domain configurations are sourced from each certificates output directory.
# default: <unset>
#DOMAINS_D=
# Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined)
BASEDIR={{ parameter_dict['base-dir'] }}
# File containing the list of domains to request certificates for (default: $BASEDIR/domains.txt)
DOMAINS_TXT="${BASEDIR}/domains.txt"
# Output directory for generated certificates
CERTDIR="${BASEDIR}/certs"
# Output directory for alpn verification certificates
ALPNCERTDIR="${BASEDIR}/alpn-certs"
# Directory for account keys and registration information
ACCOUNTDIR="${BASEDIR}/accounts"
# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: /var/www/dehydrated)
WELLKNOWN="{{ parameter_dict['acme-dir'] }}"
# Default keysize for private keys (default: 4096)
KEYSIZE="4096"
# Path to openssl config file (default: <unset> - tries to figure out system default)
#OPENSSL_CNF=
# Path to OpenSSL binary (default: "openssl")
OPENSSL="{{ parameter_dict['openssl-bin'] }}"
# Extra options passed to the curl binary (default: <unset>)
#CURL_OPTS=
# Program or function called in certain situations
#
# After generating the challenge-response, or after failed challenge (in this case altname is empty)
# Given arguments: clean_challenge|deploy_challenge altname token-filename token-content
#
# After successfully signing certificate
# Given arguments: deploy_cert domain path/to/privkey.pem path/to/cert.pem path/to/fullchain.pem
#
# BASEDIR and WELLKNOWN variables are exported and can be used in an external program
# default: <unset>
#HOOK=
# Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate (default: no)
#HOOK_CHAIN="no"
# Minimum days before expiration to automatically renew certificate (default: 30)
RENEW_DAYS="30"
# Regenerate private keys instead of just signing new certificates on renewal (default: yes)
#PRIVATE_KEY_RENEW="yes"
# Create an extra private key for rollover (default: no)
#PRIVATE_KEY_ROLLOVER="no"
# Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
#KEY_ALGO=secp384r1
# E-mail to use during the registration (default: <unset>)
CONTACT_EMAIL={{ parameter_dict['registration-email'] }}
# Lockfile location, to prevent concurrent access (default: $BASEDIR/lock)
LOCKFILE="${BASEDIR}/lock"
# Option to add CSR-flag indicating OCSP stapling to be mandatory (default: no)
#OCSP_MUST_STAPLE="no"
# Fetch OCSP responses (default: no)
#OCSP_FETCH="no"
# OCSP refresh interval (default: 5 days)
#OCSP_DAYS=5
# Issuer chain cache directory (default: $BASEDIR/chains)
CHAINCACHE="${BASEDIR}/chains"
# Automatic cleanup (default: no)
AUTO_CLEANUP="no"
# ACME API version (default: auto)
#API=auto
# Preferred issuer chain (default: <unset> -> uses default chain)
#PREFERRED_CHAIN=
software/autocert/instance-autocert.cfg.jinja2.in
0 → 100644
View file @
e61b4bd2
{% set folder_list = [] -%}
{% set part_list = [] -%}
[httpd-wrapper]
recipe = slapos.cookbook:simplehttpserver
host = {{ (ipv6 | list)[0] }}
port = 9086
base-path = ${directory:www}
wrapper = ${directory:services}/http-server
log-file = ${directory:log}/httpd.log
use-hash-url = false
url = http://[${:host}]:${:port}
[logrotate-entry-httpd]
<= logrotate-entry-base
name = http-server
log = ${httpd-wrapper:log-file}
[httpd-url-promise]
<= monitor-promise-base
promise = check_url_available
name = httpd_url.py
config-url = ${httpd-wrapper:url}
[httpd-listen-promise]
<= monitor-promise-base
promise = check_socket_listening
name = httpd-listen.py
config-host = ${httpd-wrapper:host}
config-port = ${httpd-wrapper:port}
[dehydrated-webroot]
recipe = plone.recipe.command
path = ${directory:srv}/dehydrated
command =
rm -rf ${:path}
ln -sf ${directory:acme} ${:path}
[dehydrated-config-parameters]
acme-dir = ${dehydrated-webroot:path}
openssl-bin = {{ openssl_bin }}
base-dir = ${directory:dehydrated}
registration-email = {{ slapparameter_dict.get('registration-email', '') }}
[dehydrated-config]
recipe = slapos.recipe.template:jinja2
url = {{ parameter_dict['template-config'] }}
output = ${directory:dehydrated}/config
context =
section parameter_dict dehydrated-config-parameters
[dehydrated-register]
recipe = slapos.cookbook:wrapper
command-line =
{{ parameter_dict['dehydrated-location'] }}/dehydrated
--config ${dehydrated-config:output}
--register --accept-terms
wrapper-path = ${directory:scripts}/dehydrated-register
[caucase-updater]
recipe = slapos.cookbook:wrapper
command-line =
{{ buildout_bin_directory }}/caucase-updater
--ca-url "${instance-parameter:kedifa-caucase-url}"
--cas-ca ${directory:caucase}/cas.crt.pem
--ca ${:ca-path}
--crl ${:crl-path}
wrapper-path = ${directory:services}/caucase-updater
crl-path = ${directory:caucase}/crl.pem
ca-path = ${directory:caucase}/ca.crt.pem
[base-wrapper]
recipe = slapos.cookbook:wrapper
environment =
PATH={{ openssl_location }}/bin:{{ curl_location }}/bin:/usr/local/bin:/usr/bin:/bin
{% for domain_dict in slapparameter_dict["kedifa-domain-list"] %}
{% set domain = domain_dict['domain-list'][0] -%}
{% set kedifa_id = domain_dict['kedifa-id'] -%}
{% do folder_list.append(domain) -%}
[dehydrated-domains-{{ domain }}]
recipe = slapos.recipe.template
inline =
{{ ' ' ~ ' '.join(domain_dict['domain-list']) }}
output = ${directory:dehydrated}/{{ domain }}/domains.txt
[dehydrated-wrapper-{{ domain }}]
<= base-wrapper
command-line =
{{ parameter_dict['dehydrated-location'] }}/dehydrated
--config ${dehydrated-config:output}
--domains-txt {{ "${dehydrated-domains-" ~ domain ~ ":output}" }}
--cron
wrapper-path = ${directory:services}/dehydrated-{{ domain.replace('\.', '-') }}
depends =
{{ "${dehydrated-domains-" ~ domain ~ ":recipe}" }}
[kedifa-generate-auth-{{ domain }}]
<= base-wrapper
command-line =
{{ parameter_dict['kedifa-location'] }}/contrib/shell/kedifa_generateauth
${instance-parameter:kedifa-url}/{{ kedifa_id }}/generateauth
${caucase-updater:ca-path}
${caucase-updater:crl-path} {{ domain }}
${directory:kedifa}
wait-for-files =
${caucase-updater:crl-path}
wrapper-path = ${directory:scripts}/kedifa-genauth-{{ domain.replace('\.', '-') }}
[kedifa-upload-{{ domain }}]
<= base-wrapper
command-line =
{{ parameter_dict['kedifa-location'] }}/contrib/shell/kedifa_update_cert
${directory:kedifa}/{{ domain }}.sh
${directory:dehydrated}/{{ domain }}/certs/{{ domain }}/privkey.pem
${directory:dehydrated}/{{ domain }}/certs/{{ domain }}/fullchain.pem
wait-for-files =
${directory:dehydrated}/{{ domain }}/certs/{{ domain }}/fullchain.pem
wrapper-path = ${directory:bin}/kedifa-upload-{{ domain.replace('\.', '-') }}
depends =
{{ " ${dehydrated-wrapper-" ~ domain ~ ":recipe}" }}
{{ " ${kedifa-generate-auth-" ~ domain ~ ":recipe}" }}
[cron-entry-{{ domain }}]
<= cron
recipe = slapos.cookbook:cron.d
name = {{ domain }}
frequency = 0 0 * * 0
command = {{ "${kedifa-upload-" ~ domain ~ ":wrapper-path}" }}
{% do part_list.append("cron-entry-" ~ domain) -%}
{% endfor %}
[instance-parameter]
kedifa-caucase-url = {{ slapparameter_dict['kedifa-caucase-url'] }}
kedifa-url = {{ slapparameter_dict['kedifa-base-url'] }}
[publish-connection-information]
<= monitor-publish
recipe = slapos.cookbook:publish
url = ${httpd-wrapper:url}
[directory]
recipe = slapos.cookbook:mkdirectory
etc = ${buildout:directory}/etc
bin = ${buildout:directory}/bin
srv = ${buildout:directory}/srv
var = ${buildout:directory}/var
run = ${:var}/run
log = ${:var}/log
scripts = ${:etc}/run
services = ${:etc}/service
plugins = ${:etc}/plugin
www = ${:srv}/www
tmp = ${:srv}/tmp
acme = ${:www}/.well-known/acme-challenge
caucase = ${:etc}/caucase
dehydrated = ${:etc}/dehydrated
kedifa = ${:etc}/kedifa
{% for name in folder_list -%}
{{ name }} = ${:dehydrated}/{{ name }}
{% endfor -%}
[buildout]
extends = {{ template_monitor }}
parts =
publish-connection-information
logrotate-entry-httpd
httpd-wrapper
httpd-listen-promise
httpd-url-promise
dehydrated-register
# Complete parts with sections
{{ part_list | join('\n ') }}
eggs-directory = {{ eggs_directory }}
develop-eggs-directory = {{ develop_eggs_directory }}
offline = true
software/autocert/instance.cfg.in
0 → 100644
View file @
e61b4bd2
[buildout]
parts = switch-softwaretype
eggs-directory = {{ buildout_egg_directory }}
develop-eggs-directory = {{ buildout_develop_directory }}
offline = true
[switch-softwaretype]
recipe = slapos.cookbook:switch-softwaretype
default = dynamic-template-autocert:output
RootSoftwareInstance = ${:default}
[slap-configuration]
recipe = slapos.cookbook:slapconfiguration.serialised
computer = ${slap-connection:computer-id}
partition = ${slap-connection:partition-id}
url = ${slap-connection:server-url}
key = ${slap-connection:key-file}
cert = ${slap-connection:cert-file}
[jinja2-template-base]
recipe = slapos.recipe.template:jinja2
output = ${buildout:directory}/${:filename}
extensions = jinja2.ext.do
extra-context =
context =
key develop_eggs_directory buildout:develop-eggs-directory
key buildout_directory buildout:directory
key eggs_directory buildout:eggs-directory
key ipv4 slap-configuration:ipv4
key ipv6 slap-configuration:ipv6
key slapparameter_dict slap-configuration:configuration
raw buildout_bin_directory {{ bin_directory }}
raw bash_executable_location {{ bash_location }}/bin/dash
raw curl_location {{ curl_location }}
raw openssl_location {{ openssl_location }}
raw openssl_bin {{ openssl_location }}/bin/openssl
raw template_monitor {{ template_monitor_cfg }}
${:extra-context}
[dynamic-template-autocert-parameters]
dehydrated-location = {{ dehydrated_location }}
kedifa-location = {{ kedifa_location }}
template-config = {{ template_dehydrated_config }}
[dynamic-template-autocert]
<= jinja2-template-base
url = {{ template_autocert }}
filename = instance-autocert.cfg
extra-context =
section parameter_dict dynamic-template-autocert-parameters
software/autocert/software.cfg
0 → 100644
View file @
e61b4bd2
[buildout]
extends =
../../component/bash/buildout.cfg
../../component/openssl/buildout.cfg
../../component/curl/buildout.cfg
../../stack/slapos.cfg
../../stack/monitor/buildout.cfg
./buildout.hash.cfg
parts =
slapos-cookbook
eggs
template-instance
allow-picked-versions = true
[eggs]
recipe = zc.recipe.egg
eggs =
caucase
kedifa
scripts =
caucase
caucase-probe
caucase-updater
caucase-rerequest
caucase-key-id
[git-clone-base]
recipe = slapos.recipe.build:gitclone
git-executable = ${git:location}/bin/git
branch = master
[dehydrated]
<= git-clone-base
repository = https://github.com/dehydrated-io/dehydrated.git
revision = v0.7.1
[kedifa]
<= git-clone-base
repository = https://lab.nexedi.com/nexedi/kedifa.git
revision = 7f6bdd71
[download-template]
recipe = slapos.recipe.build:download
url = ${:_profile_base_location_}/${:filename}
output = ${buildout:directory}/${:filename}
[template-instance]
recipe = slapos.recipe.template:jinja2
output = ${buildout:directory}/instance.cfg
url = ${:_profile_base_location_}/${:filename}
context =
key bash_location bash:location
key bin_directory buildout:bin-directory
key buildout_egg_directory buildout:eggs-directory
key buildout_develop_directory buildout:develop-eggs-directory
key buildout_directory buildout:directory
key curl_location bash:location
key dehydrated_location dehydrated:location
key kedifa_location kedifa:location
key openssl_location openssl:location
key template_monitor_cfg monitor2-template:output
key template_autocert template-autocert:target
key template_dehydrated_config template-dehydrated-config:target
[template-autocert]
<= download-template
output = ${buildout:directory}/instance-autocert.cfg.jinja2
[template-dehydrated-config]
<= download-template
[versions]
caucase = 0.9.15
kedifa = 0.0.6
pem = 21.1.0
PyJWT = 2.7.0
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment