Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
192 lines (163 sloc) 5.32 KB
[package]
name = "hologram-letsencrypt"
version = "1.5.0"
description = "Pluggable letsencrypt-based certificate auto-issuance"
requires = [
"certbot",
"nginx",
]
################################################################################
# run an nginx under port 80 for the ACME challenge, and to upgrade all HTTP
# requests to HTTPS
[[file]]
path = "/usr/share/letsencrypt-allofthem/nginx.conf"
content = """
user http;
worker_processes 1;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
access_log off;
server {
# IPv4
listen 80 default_server;
# IPv6
listen [::]:80 default_server;
# upgrade HTTP requests to HTTPS...
location / {
return 301 https://$host$request_uri;
}
# ...except for ACME challenges
location /.well-known/acme-challenge/ {
root /srv/letsencrypt;
}
}
}
"""
[[file]]
path = "/etc/systemd/system/nginx-for-letsencrypt.service"
contentFrom = "/dev/null" # initially empty, will be rendered by holoscript below
# I tried to add a drop-in into
# /etc/systemd/system/nginx-for-letsencrypt.service.d/ to modify the default
# nginx.service to reference the custom nginx.conf from above, but apparently
# if you symlink one unit to another one, it will only use the drop-ins for the
# target unit. Therefore, use a holoscript to render the unit.
[[file]]
path = "/usr/share/holo/files/10-letsencrypt/etc/systemd/system/nginx-for-letsencrypt.service.holoscript"
mode = "0755"
content = '''
#!/bin/bash
cat /usr/lib/systemd/system/nginx.service | sed "
/^Description=/ s+=.*+=HTTP server for HTTPS upgrade and ACME challenges+
/^ExecStart=/ s+=.*+=/usr/bin/nginx -c /usr/share/letsencrypt-allofthem/nginx.conf -g 'pid /run/nginx-for-letsencrypt.pid; error_log stderr;'+
/^PIDFile=/ s+=.*+=/run/nginx-for-letsencrypt.pid+
"
'''
# nginx-for-letsencrypt.service needs to be running all the time for the
# HTTP->HTTPS upgrading to work
[[symlink]]
path = "/etc/systemd/system/multi-user.target.wants/nginx-for-letsencrypt.service"
target = "/etc/systemd/system/nginx-for-letsencrypt.service"
# open port when using hologram-ferm
[[file]]
path = "/etc/ferm.d/incoming-http"
content = "proto tcp dport http ACCEPT;"
################################################################################
# run letsencrypt under restricted user
[[group]]
name = "letsencrypt"
system = true
[[user]]
name = "letsencrypt"
group = "letsencrypt"
system = true
home = "/var/lib/letsencrypt"
# nginx needs to be able to read the acme-challenge directory
[[user]]
name = "http"
groups = ["letsencrypt"]
# fix UID/GID on directories provided by letsencrypt package
[[directory]]
path = "/etc/letsencrypt"
owner = "letsencrypt"
group = "letsencrypt"
[[directory]]
path = "/var/lib/letsencrypt"
owner = "letsencrypt"
group = "letsencrypt"
[[directory]]
path = "/var/log/letsencrypt"
mode = "0700"
owner = "letsencrypt"
group = "letsencrypt"
# filesystem location for the webroot challenge method
[[directory]]
path = "/srv/letsencrypt/.well-known"
mode = "0755"
owner = "letsencrypt"
group = "letsencrypt"
[[directory]]
path = "/srv/letsencrypt/.well-known/acme-challenge"
mode = "0750"
owner = "letsencrypt"
group = "letsencrypt"
# script to interactively (and after that, automatically) issue certificates
#
# To select domains for auto-issuance, place a script below
# /etc/letsencrypt-allofthem that prints the domains that need a certificate.
[[file]]
path = "/usr/bin/letsencrypt-allofthem"
mode = "0755"
content = '''
#!/bin/sh
if [ "$(id -u)" != 0 ]; then
echo "!! Run this as user root." >&2
exit 1
fi
set -e
find /etc/letsencrypt-allofthem/ -maxdepth 1 -type f -executable | while read collector; do
"$collector"
done | sort -u | while read domain; do
echo ">> domain: $domain"
sudo -u letsencrypt -g letsencrypt certbot certonly --quiet --non-interactive --agree-tos --keep-until-expiring --webroot -w /srv/letsencrypt/ -d "$domain"
done
find /etc/letsencrypt-allofthem/then/ -maxdepth 1 -type f -executable | while read hook; do
"$hook"
done
'''
[[directory]]
path = "/etc/letsencrypt-allofthem"
[[directory]]
path = "/etc/letsencrypt-allofthem/then"
[[file]]
path = "/usr/lib/systemd/system/letsencrypt-allofthem.service"
content = """
[Unit]
Description=Provision and renew TLS certificates automatically
After=network-online.target nginx-for-letsencrypt.service
Wants=network-online.target
Requires=nginx-for-letsencrypt.service
[Service]
Type=oneshot
ExecStart=/usr/bin/letsencrypt-allofthem
"""
[[file]]
path = "/usr/lib/systemd/system/letsencrypt-allofthem.timer"
content = """
[Unit]
Description=Provision and renew TLS certificates once a week
After=network-online.target
Wants=network-online.target
[Timer]
OnCalendar=weekly
[Install]
WantedBy=timers.target
"""
[[symlink]]
path = "/etc/systemd/system/timers.target.wants/letsencrypt-allofthem.timer"
target = "/usr/lib/systemd/system/letsencrypt-allofthem.timer"