Update planet to work with local letsencrypt (#260)

* Update planet to work with local letsencrypt

* Update salt/planet/init.sls

Co-authored-by: Ee Durbin <[email protected]>

* Update salt/planet/init.sls

Co-authored-by: Ee Durbin <[email protected]>

* Update salt/planet/init.sls

Co-authored-by: Ee Durbin <[email protected]>

Author: cegerhardson

pillar/base/planet.sls

@@ -1,7 +1,7 @@
-planet_sites:
-  planetpython.org:
-    config: config.ini
-    extra_domains:
-      - www.planetpython.org
-#  planet.jython.org:
-#    config: jython.ini
+planet:
+  subject_alternative_names:
+    - planetpython.org
+    - www.planetpython.org
+  sites:
+    planetpython.org:
+      config: config.ini

salt/planet/config/nginx.planet.conf.jinja

@@ -1,4 +1,4 @@
-{% for site, info in salt["pillar.get"]("planet_sites").items() %}
+{% for site, info in salt["pillar.get"]("planet", {}).get("sites").items() %}
 
 server {
     listen 80;
@@ -11,13 +11,13 @@ server {
     server_name {{ site }};
     error_log /var/log/nginx/{{ site }}.error.log;
     access_log /var/log/nginx/{{ site }}.access.log;
-    ssl_certificate /etc/letsencrypt/live/{{ site }}/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/{{ site }}/privkey.pem;
+    ssl_certificate /etc/lego/certificates/{{ grains['fqdn'] }}.crt;
+    ssl_certificate_key /etc/lego/certificates/{{ grains['fqdn'] }}.key;
 
     root /srv/{{ site }}/;
 }
 
-{% for domain in info.get("extra_domains", []) %}
+{% for domain in info.get("subject_alternative_names", []) %}
 server {
     server_name {{ domain }};
     error_log /var/log/nginx/redir-{{ domain }}.error.log;

salt/planet/config/run-planet.sh.jinja

@@ -1,5 +1,5 @@
 cd /srv/planet/
 git pull
-{% for site in salt["pillar.get"]("planet_sites").values() %}
+{% for site in salt["pillar.get"]("planet", {}).get("sites").values() %}
 $(which python2.7) /srv/planet/code/planet.py /srv/planet/config/{{ site["config"] }}
 {% endfor %}

salt/planet/init.sls

@@ -1,5 +1,6 @@
 include:
   - nginx
+  - tls.lego
 
 git:
   pkg.installed
@@ -19,6 +20,30 @@ planet-user:
     - require:
       - file: /etc/nginx/sites.d/
 
+lego_bootstrap:
+  cmd.run:
+    - name: /usr/local/bin/lego -a --email="[email protected]" {% if pillar["dc"] == "vagrant" %}--server=https://salt-master.vagrant.psf.io:14000/dir{% endif %} --domains="{{ grains['fqdn'] }}" {%- for domain in pillar['planet']['subject_alternative_names']  %} --domains {{ domain }}{%- endfor %} --http --path /etc/lego --key-type ec256 run
+    - creates: /etc/lego/certificates/{{ grains['fqdn'] }}.json
+
+lego_renew:
+  cron.present:
+    - name: /usr/local/bin/lego -a --email="[email protected]" {% if pillar["dc"] == "vagrant" %}--server=https://salt-master.vagrant.psf.io:14000/dir{% endif %} --domains="{{ grains['fqdn'] }}" {%- for domain in pillar['planet']['subject_alternative_names']  %} --domains {{ domain }}{%- endfor %} --http --http.webroot /etc/lego --path /etc/lego --key-type ec256  renew --days 30 && /usr/sbin/service nginx reload
+    - identifier: roundup_lego_renew
+    - hour: 0
+    - minute: random
+
+lego_config:
+  file.managed:
+    - name: /etc/nginx/conf.d/lego.conf
+    - source: salt://tls/config/lego.conf.jinja
+    - template: jinja
+    - user: root
+    - group: root
+    - mode: 644
+    - require:
+      - sls: tls.lego
+      - cmd: lego_bootstrap
+
 /srv/planet/:
   file.directory:
     - user: planet
@@ -53,7 +78,7 @@ https://github.com/python/planet:
     - minute: 37
     - hour: 1,4,7,10,13,16,19,21
 
-{% for site in salt["pillar.get"]("planet_sites") %}
+{% for site in salt["pillar.get"]("planet", {}).get("sites", []) %}
 /srv/{{ site }}/:
   file.directory:
     - user: planet