Add certbot deploy script for mosquitto

Patrik Lundin 2024-10-10 10:13:04 +02:00
parent b9266ec0e7
commit 65fc0590b4
Signed by: patlu
GPG key ID: A0A812BA2249F294
2 changed files with 37 additions and 1 deletions


@ -0,0 +1,28 @@
#!/bin/bash
# Mosquitto is running with a user that is not privileged enough to read files
# directly from the certbot dirs, so copy files to where mosquitto expects
# them.
set -eu
le_dir="/etc/letsencrypt/live/$(hostname -f)"
mosquitto_dir="/etc/mosquitto/"
le_chain="$le_dir/chain.pem"
mosquitto_chain="$mosquitto_dir/ca_certificates/chain.pem"
cp $le_chain $mosquitto_chain
chown mosquitto:root $mosquitto_chain
le_cert="$le_dir/cert.pem"
mosquitto_cert="$mosquitto_dir/certs/cert.pem"
cp $le_cert $mosquitto_cert
chown mosquitto:root $mosquitto_cert
le_key="$le_dir/privkey.pem"
mosquitto_key="$mosquitto_dir/certs/privkey.pem"
cp $le_key $mosquitto_key
chown mosquitto:root $mosquitto_key
# Tell mosquitto to reload certs
pkill -x -HUP mosquitto
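Review bot: The private key copy on the `cp $le_key $mosquitto_key` line leaves the mode of `/etc/mosquitto/certs/privkey.pem` to chance: a freshly created destination inherits the source mode as masked by the umask and an existing destination keeps whatever mode it already had, and the following `chown mosquitto:root` only changes ownership, so nothing in the script guarantees the key is not readable by other local users. Replacing the pair with `install -o mosquitto -g root -m 0640 -- "$le_key" "$mosquitto_key"` sets owner, group and mode in one step and also quotes the expansions, which every `cp` and `chown` line here currently leaves unquoted; the chain and cert copies can use the same form with `-m 0644`. `mosquitto_dir` ends in a slash, so the joined paths contain `//`; harmless, but `mosquitto_dir="/etc/mosquitto"` is cleaner. Under `set -eu`, `pkill -x -HUP mosquitto` exits 1 when no broker process exists and the hook then reports failure to certbot; if that is acceptable it deserves a comment, otherwise append `|| true`.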


@ -41,7 +41,15 @@ class cdn::mqtt(
$dash_split = split($my_hostname,'[-]') $dash_split = split($my_hostname,'[-]')
$environment = $dash_split[2] $environment = $dash_split[2]
file { '/etc/letsencrypt/renewal-hooks/deploy/sunet-cdn-mqtt':
ensure => file,
owner => 'root',
group => 'root',
mode => '0755',
content => file('cdn/mqtt/sunet-cdn-mqtt'),
}
exec { "certbot certonly -n --email patlu@sunet.se --no-eff-email --agree-tos --standalone -d ${my_fqdn} --server ${acme_url[$environment]}": exec { "certbot certonly -n --email patlu@sunet.se --no-eff-email --agree-tos --standalone -d ${my_fqdn} --server ${acme_url[$environment]}":
creates => "/etc/letsencrypt/live/${my_fqdn}/fullchain.pem" creates => "/etc/letsencrypt/live/${my_fqdn}/fullchain.pem"
} }
} }
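Review bot: The new `file` resource for the deploy hook has no ordering relationship with the `exec` that runs `certbot certonly`, so on a fresh host Puppet may issue the certificate before the hook exists and the copy into `/etc/mosquitto` would then only happen at the first renewal; adding `require => File['/etc/letsencrypt/renewal-hooks/deploy/sunet-cdn-mqtt'],` to the exec (or `before => Exec[...]` on the file) fixes that. Whether certbot runs hooks from the `renewal-hooks/deploy` directory on initial issuance at all depends on the certbot version, which is worth confirming for the target hosts. The hook script builds its paths from `hostname -f` while this manifest uses `${my_fqdn}`; if those ever differ the hook aborts under `set -eu`, so passing the fqdn to the script or deriving both from the same fact would tie them together. The enclosing `class cdn::mqtt` starts outside the hunk.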