From 41d28c1a4075ca557ed16c17da6b90653254b535 Mon Sep 17 00:00:00 2001
From: Paul Lecuq
Date: Sun, 24 Jan 2021 20:04:03 +0100
Subject: [PATCH] updated acme state
---
 states/acme/acmesh.sls | 38 ++++++++++++++++++++++++++++
 states/acme/common.sls | 15 +++++++++++
 states/acme/defaults.yaml | 10 +++++---
 states/acme/init.sls | 52 +++------------------------------------
 states/acme/pkic.py.j2 | 30 ++++++++++++++++++++++
 states/acme/pkic.sls | 21 ++++++++++++++++
 6 files changed, 115 insertions(+), 51 deletions(-)
 create mode 100644 states/acme/acmesh.sls
 create mode 100644 states/acme/common.sls
 create mode 100644 states/acme/pkic.py.j2
 create mode 100644 states/acme/pkic.sls
diff --git a/states/acme/acmesh.sls b/states/acme/acmesh.sls
new file mode 100644
index 0000000..9d1ffbe
--- /dev/null
+++ b/states/acme/acmesh.sls
@@ -0,0 +1,38 @@
+# vim:syntax=yaml
+---
+{%- from "acme/map.jinja" import acme with context %}
+acmesh-install:
+ cmd.run:
+ - name: "curl https://get.acme.sh | sh"
+ - runas: root
+ - cwd: /root
+ - env:
+ - HOME: /root
+ - unless: /bin/bash -c "[[ -f /root/.acme.sh/acme.sh ]]"
+
+acmesh-upgrade:
+ cmd.run:
+ - name: /root/.acme.sh/acme.sh --upgrade
+ - runas: root
+ - cwd: /root
+ - env:
+ - HOME: /root
+ - require:
+ - cmd: acmesh-install
+
+acmesh-run:
+ cmd.run:
+ - name: /root/.acme.sh/acme.sh --debug --issue {%- for domain in acme.domains %} -d '{{ domain }}' {% endfor -%} --dns dns_ovh --cert-file '' --fullchain-file '{{ acme.fullcertfile }}' --key-file '{{ acme.keyfile }}' -k {{ acme.keysize }}
+ - env:
+ - OVH_AK: '{{ acme.provider.api.application_key }}'
+ - OVH_AS: '{{ acme.provider.api.application_secret }}'
+ - OVH_CK: '{{ acme.provider.api.consumer_key }}'
+ - HOME: '/root'
+ - success_retcodes:
+ - 0
+ - 1
+ - 2
+ - runas: root
+ - cwd: /root
+ - require:
+ - cmd: acmesh-install
diff --git a/states/acme/common.sls b/states/acme/common.sls
new file mode 100644
index 0000000..3c7eb24
--- /dev/null
+++ b/states/acme/common.sls
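Review bot: `success_retcodes` of 0, 1 and 2 on `acmesh-run` makes a failed issuance report as a successful state, because acme.sh uses exit status 1 for failures and, as far as I know, 2 only for the "not yet due for renewal" skip; the list should at most be `- success_retcodes:` / `- 0` / `- 2`. `acmesh-install` still pipes `curl https://get.acme.sh | sh` into a root shell with no version pin or checksum, so what gets installed is whatever the server returns at run time; pinning a tagged release (cloning it and running its installer) keeps the state reproducible and reviewable. `--debug` is on permanently while the OVH credentials sit in the same `env`, so it is worth confirming what acme.sh logs at that level before leaving it enabled. Note that init.sls in this same patch lists this file only as a commented-out include, so nothing here runs yet.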
@@ -0,0 +1,15 @@
+# vim:syntax=yaml
+---
+{%- from "acme/map.jinja" import acme with context %}
+
+{%- for dir in acme.directories %}
+acme-directories-{{ dir }}:
+ file.directory:
+ - name: {{ dir }}
+ - makedirs: true
+{%- endfor %}
+
+acme-dh-params:
+ cmd.run:
+ - name: openssl dhparam -out {{ acme.dh.path }} {{ acme.dh.keysize }}
+ - creates: {{ acme.dh.path }}
diff --git a/states/acme/defaults.yaml b/states/acme/defaults.yaml
index 233401b..023cbba 100644
--- a/states/acme/defaults.yaml
+++ b/states/acme/defaults.yaml
@@ -9,12 +9,16 @@ acme:
 path: "/etc/acme/dh/dh.pem"
 keysize: 2048
 keysize: 4096
- domain: "*.example.com"
+ domains: []
 dns: "dns_provider"
+ fullcertfile: "/etc/acme/certs/certificate.crt"
 keyfile: "/etc/acme/keys/private.key"
- fullchainfile: "/etc/acme/certs/certificate.crt"
 provider:
 api:
 application_key: "test"
 application_secret: "test"
- consumer_key: "test"
\ No newline at end of file
+ consumer_key: "test"
+ pki:
+ url: "https://pki"
+ username: "test"
+ password: "test"
diff --git a/states/acme/init.sls b/states/acme/init.sls
index c4beaba..21ddb10 100644
--- a/states/acme/init.sls
+++ b/states/acme/init.sls
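Review bot: `acme-dh-params` writes `{{ acme.dh.path }}` without a `require` on the `acme-directories-*` states, so the parent directory existing first depends on Salt's definition-order default rather than on a declared dependency. A `- require:` listing `- file: acme-directories-{{ dir }}` for each entry, generated with the same Jinja loop used above it, makes the ordering explicit. Because `creates` short-circuits once the file exists, raising `acme.dh.keysize` later will not regenerate the parameters; a one-line comment above the state saying so would spare the next maintainer the surprise.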
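Review bot: the new `provider.pki` block ships a usable-looking URL and the same `"test"` username and password as the OVH block, and pkic.sls in this patch passes them straight into the script's environment, so a minion whose pillar lacks the override will authenticate to `https://pki` with placeholder credentials instead of failing. Empty defaults (`username: ""` / `password: ""`) plus a Jinja guard in pkic.sls that refuses to render `pkic-run` when the password is empty would make a missing pillar fail loudly. `domains: []` likewise leaves `acmesh-run` with an `--issue` and no `-d`, which acme.sh will most likely reject, so a comment next to that default stating that pillar must supply it would help.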
@@ -1,50 +1,6 @@
 # vim:syntax=yaml
 ---
-{%- from "acme/map.jinja" import acme with context %}
-acme-install:
- cmd.run:
- - name: "curl https://get.acme.sh | sh"
- - runas: root
- - cwd: /root
- - env:
- - HOME: /root
- - unless: /bin/bash -c "[[ -f /root/.acme.sh/acme.sh ]]"
-
-acme-upgrade:
- cmd.run:
- - name: /root/.acme.sh/acme.sh --upgrade
- - runas: root
- - cwd: /root
- - env:
- - HOME: /root
- - require:
- - cmd: acme-install
-
-{%- for dir in acme.directories %}
-acme-directories-{{ dir }}:
- file.directory:
- - name: {{ dir }}
- - makedirs: true
-{%- endfor %}
-
-acme-dh-params:
- cmd.run:
- - name: openssl dhparam -out {{ acme.dh.path }} {{ acme.dh.keysize }}
- - creates: {{ acme.dh.path }}
-
-acme-certs:
- cmd.run:
- - name: /root/.acme.sh/acme.sh --debug --issue {%- for dom in acme.domains %} -d '{{ dom }}' {% endfor -%} --dns dns_ovh --cert-file '' --key-file '{{ acme.keyfile }}' --fullchain-file '{{ acme.fullchainfile }}' -k {{ acme.keysize }}
- - env:
- - OVH_AK: '{{ acme.provider.api.application_key }}'
- - OVH_AS: '{{ acme.provider.api.application_secret }}'
- - OVH_CK: '{{ acme.provider.api.consumer_key }}'
- - HOME: '/root'
- - success_retcodes:
- - 0
- - 1
- - 2
- - runas: root
- - cwd: /root
- - require:
- - cmd: acme-install
+include:
+ - .common
+ - .pkic
+ # - .acmesh
diff --git a/states/acme/pkic.py.j2 b/states/acme/pkic.py.j2
new file mode 100644
index 0000000..bce4dcb
--- /dev/null
+++ b/states/acme/pkic.py.j2
@@ -0,0 +1,30 @@
+#!python3
+# vim:syntax=python
+
+import os
+import requests
+
+URL=os.environ("URL")
+DOMAINS=os.environ("DOMAINS")
+FULLCERTFILE=os.environ("FULLCERTFILE")
+KEYFILE=os.environ("KEYFILE")
+USERNAME=os.environ("USERNAME")
+PASSWORD=os.environ("PASSWORD")
+
+def main():
+ res = requests.request(method="GET", url=f"{URL}/domain/{DOMAINS}", auth=(USERNAME, PASSWORD))
+ resj = res.json()
+
+ try:
+ with open(FULLCERTFILE) as fcf:
+ os.write(ffcf, resj["certificate"])
+
+ with open(KEYFILE) as fkf:
+ os.write(fkf, resj["privatekey"])
+ except Exception as e:
+ return e
+
+ return
+
+if __name__ == "__main__":
+ main()
diff --git a/states/acme/pkic.sls b/states/acme/pkic.sls
new file mode 100644
index 0000000..8f9b4dc
--- /dev/null
+++ b/states/acme/pkic.sls
@@ -0,0 +1,21 @@
+# vim:syntax=yaml
+---
+{%- from "acme/map.jinja" import acme with context %}
+pkic-install:
+ file.managed:
+ - name: /etc/acme/pkic.py
+ - template: jinja
+ - source: salt://acme/pkic.py.j2
+ - mode: 755
+
+pkic-run:
+ cmd.run:
+ - name: /etc/acme/pkic.py
+ - env:
+ - URL: '{{ acme.provider.pki.url }}'
+ - FULLCERTFILE: '{{ acme.fullcertfile }}'
+ - KEYFILE: '{{ acme.keyfile }}'
+ - USERNAME: '{{ acme.provider.pki.username }}'
+ - PASSWORD: '{{ acme.provider.pki.password }}'
+ - require:
+ - cmd: pkic-install
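Review bot: `- cmd: pkic-install` under `require` names a `cmd` state, but `pkic-install` is a `file.managed` state, so Salt reports the requisite as not found and `pkic-run` never executes; it should read `- file: pkic-install`. The `env` list also omits `DOMAINS`, which pkic.py.j2 reads to build the request path, so add `- DOMAINS: '{{ acme.domains | join(",") }}'` or whatever encoding the PKI endpoint expects for its domain list. `pkic-run` has no `unless` or `onchanges`, so every highstate re-downloads and rewrites the key and certificate; that may be intended for renewal, but a comment stating so would save the question.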