From 65fc0590b4a5a93b10a7dfe982ff03584b6312f7 Mon Sep 17 00:00:00 2001
From: Patrik Lundin
Date: Thu, 10 Oct 2024 10:13:04 +0200
Subject: [PATCH] Add certbot deploy script for mosquitto
---
 .../modules/cdn/files/mqtt/sunet-cdn-mqtt | 28 +++++++++++++++++++
 .../etc/puppet/modules/cdn/manifests/mqtt.pp | 10 ++++++-
 2 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100755 global/overlay/etc/puppet/modules/cdn/files/mqtt/sunet-cdn-mqtt
diff --git a/global/overlay/etc/puppet/modules/cdn/files/mqtt/sunet-cdn-mqtt b/global/overlay/etc/puppet/modules/cdn/files/mqtt/sunet-cdn-mqtt
new file mode 100755
index 0000000..cfa76fa
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/cdn/files/mqtt/sunet-cdn-mqtt
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Mosquitto is running with a user that is not privileged enough to read files
+# directly from the certbot dirs, so copy files to where mosquitto expects
+# them.
+
+set -eu
+
+le_dir="/etc/letsencrypt/live/$(hostname -f)"
+mosquitto_dir="/etc/mosquitto/"
+
+le_chain="$le_dir/chain.pem"
+mosquitto_chain="$mosquitto_dir/ca_certificates/chain.pem"
+cp $le_chain $mosquitto_chain
+chown mosquitto:root $mosquitto_chain
+
+le_cert="$le_dir/cert.pem"
+mosquitto_cert="$mosquitto_dir/certs/cert.pem"
+cp $le_cert $mosquitto_cert
+chown mosquitto:root $mosquitto_cert
+
+le_key="$le_dir/privkey.pem"
+mosquitto_key="$mosquitto_dir/certs/privkey.pem"
+cp $le_key $mosquitto_key
+chown mosquitto:root $mosquitto_key
+
+# Tell mosquitto to reload certs
+pkill -x -HUP mosquitto
diff --git a/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp b/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp
index 0101471..39feae6 100644
--- a/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp
+++ b/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp
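Review bot: The private key copy at `cp $le_key $mosquitto_key` never gets an explicit mode, so its permissions are whatever cp happens to produce: a fresh file takes the source mode filtered through the hook's umask, and an already existing /etc/mosquitto/certs/privkey.pem keeps whatever mode it had before. Replacing each cp/chown pair with install pins owner and mode in one step, e.g. `install -o mosquitto -g root -m 0600 "$le_key" "$mosquitto_key"` for the key and `-m 0644` for cert.pem and chain.pem. The expansions in the cp and chown lines are also unquoted, which shellcheck will flag; quoting them costs nothing and `$(hostname -f)` is the one value that comes from outside the script. Under `set -e`, the closing `pkill -x -HUP mosquitto` makes the hook exit non-zero whenever no mosquitto process is running, so certbot reports the deploy hook as failed even though the files were copied; if that is not the intent, `pkill -x -HUP mosquitto || true` keeps the copy step from being flagged.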
@@ -41,7 +41,15 @@ class cdn::mqtt(
 $dash_split = split($my_hostname,'[-]')
 $environment = $dash_split[2]
 
+ file { '/etc/letsencrypt/renewal-hooks/deploy/sunet-cdn-mqtt':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ content => file('cdn/mqtt/sunet-cdn-mqtt'),
+ }
+
 exec { "certbot certonly -n --email patlu@sunet.se --no-eff-email --agree-tos --standalone -d ${my_fqdn} --server ${acme_url[$environment]}":
- creates => "/etc/letsencrypt/live/${my_fqdn}/fullchain.pem"
+ creates => "/etc/letsencrypt/live/${my_fqdn}/fullchain.pem"
 }
 }
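Review bot: The hook is only registered by dropping it into renewal-hooks/deploy, and whether certbot runs directory hooks on the initial `certbot certonly` in the exec below, rather than only on `certbot renew`, depends on the certbot version installed; this is worth confirming against that version's documentation, because if it does not, /etc/mosquitto gets no certificate until the first renewal. Passing the hook explicitly in the exec command, `--deploy-hook /etc/letsencrypt/renewal-hooks/deploy/sunet-cdn-mqtt`, covers both cases (note that editing the command also changes the resource title, which the `creates` guard makes harmless on hosts that already have a certificate). The file resource is only ordered before the exec by its position in the manifest; `require => File['/etc/letsencrypt/renewal-hooks/deploy/sunet-cdn-mqtt']` on the exec makes that dependency explicit. The enclosing class cdn::mqtt starts outside the hunk.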