| -rw-r--r-- | type/__dtnrch_getssl/explorer/cfg-values | 4 | ||||
| -rw-r--r-- | type/__dtnrch_getssl/files/update_getssl_cfg.awk | 63 | ||||
| -rw-r--r-- | type/__dtnrch_getssl/gencode-remote | 60 | ||||
| -rw-r--r-- | type/__dtnrch_getssl/man.rst | 18 | ||||
| -rw-r--r-- | type/__dtnrch_getssl/parameter/boolean | 1 | ||||
| -rw-r--r-- | type/__dtnrch_getssl/parameter/default/keysize | 1 | ||||
| -rw-r--r-- | type/__dtnrch_getssl/parameter/default/renew-allow | 1 | ||||
| -rw-r--r-- | type/__dtnrch_getssl/parameter/optional | 3 | ||||
| -rw-r--r-- | type/__dtnrch_getssl/parameter/optional_multiple | 1 |
9 files changed, 149 insertions, 3 deletions
diff --git a/type/__dtnrch_getssl/explorer/cfg-values b/type/__dtnrch_getssl/explorer/cfg-values
index a354bbc..60cb5bd 100644
--- a/type/__dtnrch_getssl/explorer/cfg-values
+++ b/type/__dtnrch_getssl/explorer/cfg-values
@@ -23,4 +23,6 @@ CONF_DIR=/etc/getssl test -e "${CONF_DIR:?}/getssl.cfg" || exit 0
-sed -e 's/^[ \t]*\(.*\)[ \t]*$/\1/' -e '/^#/d' -e '/^$/d' "${CONF_DIR}/getssl.cfg"
+sed -e 's/^[ \t]*\(.*\)[ \t]*$/\1/' -e '/^#/d' -e '/^$/d' \
+ "${CONF_DIR}/getssl.cfg" \
+| sort
diff --git a/type/__dtnrch_getssl/files/update_getssl_cfg.awk b/type/__dtnrch_getssl/files/update_getssl_cfg.awk
new file mode 100644
index 0000000..8b79639
--- /dev/null
+++ b/type/__dtnrch_getssl/files/update_getssl_cfg.awk
@@ -0,0 +1,63 @@
+#!/usr/bin/awk -f
+
+BEGIN {
+ FS = RS
+
+ # Store the should state read from stdin in should array
+ while (("cat" | getline should_line)) {
+ k = substr(should_line, 1, index(should_line, "=") - 1)
+ v = substr(should_line, length(k) + 2)
+
+ if (k !~ /^[A-Z_]+$/) {
+ printf "Suspicious key: %s\n", k | "cat >&2"
+ suspicious_keys = 1
+ }
+
+ should[k] = v
+ }
+ close("cat")
+ if (suspicious_keys) exit (e=1)
+}
+
+{
+ line = $0
+ sub(/^[ \t]*/, "", line)
+
+ is_comment = (line ~ /^#/)
+
+ if (is_comment) {
+ # keep comments
+ print
+ sub(/^#*[ \t]*/, "", line)
+ }
+}
+
+line {
+ key = substr(line, 1, index(line, "=") - 1)
+ value = substr(line, length(key) + 2)
+
+ if ((key in should)) {
+ # update option
+ if (should[key] != value || is_comment) {
+ printf "%s=%s\n", key, should[key]
+ } else {
+ print # keep line
+ }
+ delete should[key]
+ next
+ } else {
+ # drop option
+ next
+ }
+}
+
+# Do not print comments, they have already been printed above
+!is_comment { print }
+
+END {
+ if (!e) {
+ for (key in should) {
+ printf "%s=%s\n", key, should[key]
+ }
+ }
+}
diff --git a/type/__dtnrch_getssl/gencode-remote b/type/__dtnrch_getssl/gencode-remote
index 34c8a70..0a173ca 100644
--- a/type/__dtnrch_getssl/gencode-remote
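Review bot: The `| sort` appended on the last line runs under the remote host's locale, while the should-state it is compared with in gencode-remote is sorted on the host running cdist; if the two collations differ, the streams never match and the config is rewritten on every run. Pinning both sides with `LC_ALL=C sort` makes the comparison deterministic. The re-added sed expression also keeps trailing blanks: `\(.*\)` is greedy, so `[ \t]*$` only ever matches the empty string, and a line with trailing whitespace on the target never compares equal to the generated line; `-e 's/^[ \t]*//' -e 's/[ \t]*$//'` strips both ends.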
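Review bot: A non-comment line without `=` is dropped silently: `index(line, "=")` returns 0, `key` becomes the empty string, and the `else { next }` branch of the `line { … }` rule discards it before `!is_comment { print }` is reached. I believe the getssl.cfg template contains values that continue over several lines (array-style), which would lose their continuation lines here and leave a file that no longer parses — worth confirming against a freshly generated config. Restricting the rule to assignments, `line && index(line, "=") {`, lets such lines fall through to the final print rule. It would also help to state in a header comment that every option not present on stdin is removed from the file, since that is what the `# drop option` branch does and it is not obvious from the script's name.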
+++ b/type/__dtnrch_getssl/gencode-remote 
@@ -18,10 +18,68 @@ # along with cdist. If not, see <http://www.gnu.org/licenses/>. #
+quote() { printf "'%s'" "$(printf '%s' "$*" | sed -e "s/'/'\\\\''/g")"; }
+drop_awk_comments() { quote "$(sed '/^[[:blank:]]*#.*$/d;/^$/d' "$@")"; }
+
DEST=/usr/local/bin CONF_DIR=/etc/getssl
+getssl_cfg=${CONF_DIR}/getssl.cfg
+
+
+################################################################################
+# Create getssl.cfg
+
test -s "${__object:?}/explorer/cfg-values" || { # Using . as the domain is a HUGE HACK
- printf '%s/getssl -w %s -c %s\n' "${DEST}" "${CONF_DIR}" '.'
+ printf '%s/getssl -w %s -c %s\n' "${DEST}" "$(quote "${CONF_DIR}")" '.'
+
+ # Comment out all CA lines, to preserve their values (as comments).
+ # Otherwise, the AWK update script would overwrite all values.
+ printf "sed -i -e 's/^CA=/#&/' %s\n" "$(quote "${getssl_cfg}")"
+
+ # Server type and check_remote should be configured in the domain config,
+ # instead of globally.
+ printf "sed -i -e 's/^\(SERVER_TYPE\|CHECK_REMOTE\)=/#&/' %s\n" "$(quote "${getssl_cfg}")" }
+
+################################################################################
+# Update getssl.cfg
+
+cfg_values_should=$(
+ # Account
+ if test -s "${__object:?}/parameter/email"
+ then
+ printf 'ACCOUNT_EMAIL="%s"\n' "$(head -n 1 "${__object:?}/parameter/email")"
+ fi
+ printf 'ACCOUNT_KEY="%s"\n' "${CONF_DIR}/account.key"
+ printf 'ACCOUNT_KEY_LENGTH=%u\n' "$(head -n 1 "${__object:?}/parameter/keysize")"
+ printf 'PRIVATE_KEY_ALG="%s"\n' 'rsa'
+
+ # CA (v2)
+ if test -f "${__object:?}/parameter/staging"
+ then
+ printf 'CA="https://acme-staging-v02.api.letsencrypt.org"\n'
+ else
+ printf 'CA="https://acme-v02.api.letsencrypt.org"\n'
+ fi
+
+ # Renew allow
+ printf 'RENEW_ALLOW=%u\n' "$(head -n 1 "${__object:?}/parameter/renew-allow")"
+
+ if test -s "${__object:?}/parameter/extra-config"
+ then
+ sort "${__object:?}/parameter/extra-config"
+ fi
+)
+
+if !
printf '%s\n' "${cfg_values_should}" | cmp -s "${__object:?}/explorer/cfg-values" -
+then
+ cat <<CODE
+awk $(drop_awk_comments "${__type:?}/files/update_getssl_cfg.awk") <<'EOF' $(quote "${getssl_cfg}") >$(quote "${getssl_cfg}.tmp") \\
+ && cat $(quote "${getssl_cfg}.tmp") >$(quote "${getssl_cfg}") || exit
+${cfg_values_should}
+EOF
+rm -f $(quote "${getssl_cfg}.tmp")
+CODE
+fi
diff --git a/type/__dtnrch_getssl/man.rst b/type/__dtnrch_getssl/man.rst
index d9ec166..624c264 100644
--- a/type/__dtnrch_getssl/man.rst
+++ b/type/__dtnrch_getssl/man.rst
@@ -18,6 +18,21 @@ None. OPTIONAL PARAMETERS -------------------
+email
+ Add an e-mail address to the Let's Encrypt account.
+
+ See also: https://letsencrypt.org/docs/expiration-emails/
+extra-config
+ Other configuration options that should be added to the ``getssl.cfg``.
+keysize
+ The size of the account private key.
+
+ Defaults to 4096 bits.
+renew-allow
+ Maximum number of days that a certificate will be renewed prior to its expiry
+ date.
+
+ Defaults to 30.
state Whether getssl should be installed (``present``) on the target or not (``absent``).
@@ -28,7 +43,8 @@ version BOOLEAN PARAMETERS ------------------
-None.
+staging
+ If set, getssl uses Let's Encrypt's staging CA by default. EXAMPLES
diff --git a/type/__dtnrch_getssl/parameter/boolean b/type/__dtnrch_getssl/parameter/boolean
new file mode 100644
index 0000000..dcd5906
--- /dev/null
+++ b/type/__dtnrch_getssl/parameter/boolean
@@ -0,0 +1 @@
+staging
diff --git a/type/__dtnrch_getssl/parameter/default/keysize b/type/__dtnrch_getssl/parameter/default/keysize
new file mode 100644
index 0000000..801c306
--- /dev/null
+++ b/type/__dtnrch_getssl/parameter/default/keysize
@@ -0,0 +1 @@
+4096
diff --git a/type/__dtnrch_getssl/parameter/default/renew-allow b/type/__dtnrch_getssl/parameter/default/renew-allow
new file mode 100644
index 0000000..64bb6b7
--- /dev/null
+++ b/type/__dtnrch_getssl/parameter/default/renew-allow
@@ -0,0 +1 @@
+30
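Review bot: The `cmp -s` in the `if !` line (the line begins at the end of the previous physical line) compares the explorer's sorted output with `cfg_values_should`, which is emitted in a fixed order that puts `PRIVATE_KEY_ALG` before `CA`; `sort` orders `CA` first, so the streams differ on every run and the awk rewrite is never skipped. Sorting the should-state the same way restores idempotence: `printf '%s\n' "${cfg_values_should}" | LC_ALL=C sort | cmp -s "${__object:?}/explorer/cfg-values" -` (with the explorer pinned to `LC_ALL=C sort` too). The `ACCOUNT_EMAIL` line interpolates `head -n 1` of the parameter into a double-quoted value without escaping, so an address containing `"` or `$` yields a malformed line or, since getssl.cfg is read as shell syntax as far as I know, a differently interpreted one; a `case` check rejecting those characters before the printf would be enough. The same applies to `extra-config` lines, which reach the file verbatim after only the awk key check, so the man page should say that values are written unvalidated.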
diff --git a/type/__dtnrch_getssl/parameter/optional b/type/__dtnrch_getssl/parameter/optional
index 4d595ed..00559ac 100644
--- a/type/__dtnrch_getssl/parameter/optional
+++ b/type/__dtnrch_getssl/parameter/optional
@@ -1,2 +1,5 @@
+email
+keysize
+renew-allow
state version
diff --git a/type/__dtnrch_getssl/parameter/optional_multiple b/type/__dtnrch_getssl/parameter/optional_multiple
new file mode 100644
index 0000000..c2bfdab
--- /dev/null
+++ b/type/__dtnrch_getssl/parameter/optional_multiple
@@ -0,0 +1 @@
+extra-config |
