| author | Paul Buetow <paul@buetow.org> | 2022-07-13 13:09:16 +0100 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2022-07-13 13:09:16 +0100 |
| commit | 0f841977cfa1f2b934f433ac4239e612b44e5dcf (patch) | |
| tree | 9d2abd0b69275e3fd368da6b3a84049921541caa /frontends/Rexfile | |
| parent | 251e0cb9f2b5442405a87a71e018f50b73a09995 (diff) | |
Use ACME
Diffstat (limited to 'frontends/Rexfile')
| -rw-r--r-- | frontends/Rexfile | 83 |
1 files changed, 50 insertions, 33 deletions
diff --git a/frontends/Rexfile b/frontends/Rexfile
index 6ffd55a..5eeda02 100644
--- a/frontends/Rexfile
+++ b/frontends/Rexfile
@@ -40,12 +40,18 @@ our $ipv6address = sub {
 # facts aren't set yet due to the myname file in the first place.
 our $fqdns = sub {
 my $ipv4 = shift;
- return 'blowfish.buetow.org' if $ipv4 eq '23.88.35.144';
+ return 'blowfish.buetow.org' if $ipv4 eq '23.88.35.144';
 return 'twofish.buetow.org' if $ipv4 eq '108.160.134.135';
 Rex::Logger::info("Unable to determine hostname for $ipv4", 'error');
 return 'HOSTNAME-UNKNOWN.buetow.org';
 };
 
+# To determine whether te server is te primary or the secondary.
+our $is_primary = sub {
+ my $ipv4 = shift;
+ $fqdns->($ipv4) eq 'blowfish.buetow.org';
+};
+
 our $filewalk;
 our $filewalk = sub {
 my $dir = shift;
@@ -71,6 +77,7 @@ our $filewalk = sub {
 our $secrets = sub { read_file './secrets/' . shift };
 
 our @dns_zones = qw/buetow.org dtail.dev foo.surf foo.zone irregular.ninja sidewalk.ninja snonux.de snonux.me snonux.land/;
+our @acme_hosts = qw/paul.buetow.org buetow.org dtail.dev foo.zone irregular.ninja snonux.land/;
 
 # UTILITY TASKS
 
@@ -79,35 +86,6 @@ task 'dump_info', group => 'frontends', sub { dump_system_information };
 
 # OPENBSD TASKS SECTION
 
-desc 'Install certificates from the secret store';
-task 'certs', group => 'frontends',
- sub {
- my $restart_services = FALSE;
-
- for my $source ($filewalk->('./secrets/etc/ssl')) {
- my $dest = $source;
- $dest =~ s/.*secrets//;
- my $mode = $dest =~ /private/ ? '440' : '644';
-
- Rex::Logger::info("Dealing with $dest");
- file $dest,
- source => $source,
- owner => 'root',
- group => 'www',
- mode => $mode,
- on_change => sub {
- Rex::Logger::info("$dest changed, scheduling services restart");
- $restart_services = TRUE;
- };
- }
-
- if ($restart_services) {
- service 'httpd' => 'restart';
- service 'relayd' => 'restart';
- service 'smtpd' => 'restart';
- }
- };
-
 desc 'Install base stuff';
 task 'base', group => 'frontends',
 sub {
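Review bot: `$is_primary` returns the result of `$fqdns->($ipv4) eq 'blowfish.buetow.org'` implicitly and its header comment reads `te server is te primary`; write `return $fqdns->($ipv4) eq 'blowfish.buetow.org';` and change the comment to `# Whether the host with this IPv4 address is the primary (blowfish) rather than the secondary.` The `-`/`+` pair on the blowfish line carries no visible difference, so that part of the hunk looks like whitespace-only churn and could be dropped from the commit.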
@@ -132,6 +110,40 @@ task 'uptimed', group => 'frontends',
 service 'uptimed', ensure => 'started';
 };
 
+desc 'Configure ACME client';
+task 'acme', group => 'frontends',
+ sub {
+ file '/etc/acme-client.conf',
+ content => template('./etc/acme-client.conf.tpl',
+ acme_hosts => \@acme_hosts,
+ is_primary => $is_primary),
+ owner => 'root',
+ group => 'wheel',
+ mode => '644';
+
+ file '/usr/local/bin/acme.sh',
+ content => template('./scripts/acme.sh.tpl',
+ acme_hosts => \@acme_hosts,
+ is_primary => $is_primary),
+ owner => 'root',
+ group => 'wheel',
+ mode => '744';
+
+ file '/etc/daily.local',
+ ensure => 'present',
+ owner => 'root',
+ group => 'wheel',
+ mode => '744';
+
+ append_if_no_such_line '/etc/daily.local', '/usr/local/bin/acme.sh';
+ };
+
+desc 'Invoke ACME client';
+task 'acme_invoke', group => 'frontends',
+ sub {
+ say run '/usr/local/bin/acme.sh';
+ };
+
 desc 'Setup httpd';
 task 'httpd', group => 'frontends',
 sub {
@@ -139,7 +151,9 @@ task 'httpd', group => 'frontends',
 #delete_lines_according_to qr{httpd_flags}, '/etc/rc.conf.local';
 
 file '/etc/httpd.conf',
- source => './etc/httpd.conf',
+ content => template('./etc/httpd.conf.tpl',
+ acme_hosts => \@acme_hosts,
+ is_primary => $is_primary),
 owner => 'root',
 group => 'wheel',
 mode => '644',
@@ -169,7 +183,9 @@ task 'relayd', group => 'frontends',
 append_if_no_such_line '/etc/rc.conf.local', 'relayd_flags=';
 
 file '/etc/relayd.conf',
- content => template('./etc/relayd.conf.tpl', ipv6address => $ipv6address),
+ content => template('./etc/relayd.conf.tpl',
+ ipv6address => $ipv6address,
+ is_primary => $is_primary),
 owner => 'root',
 group => 'wheel',
 mode => '600',
@@ -297,10 +313,11 @@ task 'failunderd', group => 'frontends',
 desc 'Common configs of all hosts';
 task 'commons', group => 'frontends',
 sub {
- certs();
 base();
 uptimed();
 httpd();
+ acme();
+ acme_invoke();
 inetd();
 relayd();
 smtpd();
|
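Review bot: `acme_invoke` prints the output of acme.sh but never checks its exit status, so a failed certificate issuance or renewal goes unnoticed and `commons()` simply continues; add `die "acme.sh failed with exit code $?" if $?;` after `say run '/usr/local/bin/acme.sh';` (Rex's `run` leaves the exit code in `$?`). The removed `certs` task restarted httpd, relayd and smtpd whenever a certificate file changed, and no equivalent appears in the new `acme` task, so unless `./scripts/acme.sh.tpl` (not in this diff) reloads those daemons itself, a renewed certificate will not be served until the next restart. A one-line comment above `file '/usr/local/bin/acme.sh'` stating which of the two is responsible for the reload would remove that ambiguity.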
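Review bot: The new call order in `commons` carries an undocumented dependency: `acme()` and `acme_invoke()` are placed after `httpd()`, presumably because the ACME challenge has to be answered over HTTP by the already-configured httpd, but nothing tells a reader that the position matters. Suggest `# Keep after httpd(): acme_invoke() relies on httpd serving the challenge directory.` above `acme();`. The body of the `commons` task continues past the end of the hunk.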
