[__letsencrypt_cert] Move hook contents generation out of manifest
While there, address some minor issues in the comments in the hook contents.
This commit is contained in:
parent
b832af5e3b
commit
aa80c09c80
2 changed files with 88 additions and 74 deletions
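--- /dev/null
+++ b/cdist/conf/type/__letsencrypt_cert/files/gen_hook.sh
@@ -0,0 +1,84 @@
+#!/bin/sh -e
+
+# It is expected that this defines hook_contents
+
+# Reasonable defaults
+hook_source="${__object}/parameter/${hook}-hook"
+hook_state="absent"
+hook_contents_head="#!/bin/sh -e"
+hook_contents_logic=""
+hook_contents_tail=""
+
+# Backwards compatibility
+# Remove this when renew-hook is removed
+# Falling back to renew-hook if deploy-hook is not passed
+if [ "${hook}" = "deploy" ] && [ ! -f "${hook_source}" ]; then
+hook_source="${__object}/parameter/renew-hook"
+fi
+if [ "${state}" = "present" ] && \
+[ -f "${hook_source}" ]; then
+# This hook is to be installed, let's generate it with some
+# safety boilerplate
+# Since certbot runs all hooks for all renewal processes
+# (at each state for deploy, pre, post), it is up to us to
+# differentiate whether or not the hook must run
+hook_state="present"
+hook_contents_head="$(cat <<EOF
+#!/bin/sh -e
+#
+# Managed remotely with https://cdi.st
+#
+# Domains for which this hook is supposed to apply
+lineage="${LE_DIR}/live/${__object_id}"
+domains="\$(cat <<eof
+${domains}
+eof
+)"
+EOF
+)"
+case "${hook}" in
+pre|post)
+# Certbot is kind of terrible, we have
+# no way of knowing what domain/lineage the
+# hook is running for
+hook_contents_logic="$(cat <<EOF
+# pre/post-hooks apply always due to a certbot limitation
+APPLY_HOOK="YES"
+EOF
+)"
+;;
+deploy)
+hook_contents_logic="$(cat <<EOF
+# certbot defines these environment variables:
+# RENEWED_DOMAINS="DOMAIN1 DOMAIN2"
+# RENEWED_LINEAGE="/etc/letsencrypt/live/__object_id"
+# It feels more stable to use RENEWED_LINEAGE
+if [ "\${lineage}" = "\${RENEWED_LINEAGE}" ]; then
+APPLY_HOOK="YES"
+fi
+EOF
+)"
+;;
+*)
+echo "Unknown hook '${hook}'" >> /dev/stderr
+exit 1
+;;
+esac
+
+hook_contents_tail="$(cat <<EOF
+if [ -n "\${APPLY_HOOK}" ]; then
+# Messing with indentation can eff up the users' scripts, let's not
+$(cat "${hook_source}")
+fi
+EOF
+)"
+fi
+
+hook_contents="$(cat <<EOF
+${hook_contents_head}
+
+${hook_contents_logic}
+
+${hook_contents_tail}
+EOF
+)"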
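Review bot: The contract of this dot-sourced snippet is under-documented: its header only says `# It is expected that this defines hook_contents`, yet the manifest also consumes `hook_state` (it is passed to `--state`), and the snippet reads `hook`, `state`, `__object`, `__object_id`, `LE_DIR` and `domains` from the caller without checking any of them. Extend that header comment to list the variables read and the two set for the caller, and assert the inputs the generated script is built from, e.g. `: "${hook:?}" "${state:?}" "${LE_DIR:?}"`, so a missing variable fails here instead of emitting a deploy hook whose `lineage` can presumably never equal `RENEWED_LINEAGE` and therefore silently never runs. The `#!/bin/sh -e` line is inert when the file is sourced with `.`; the manifest's own shell options govern, which is worth a word in the same header. In the `*)` arm, `echo "Unknown hook '${hook}'" >> /dev/stderr` should be `echo "Unknown hook '${hook}'" >&2` — appending to the device path reopens it rather than duplicating fd 2 and is not portable.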
@ -141,77 +141,11 @@ fi
|
||||||
for hook in deploy pre post; do
|
for hook in deploy pre post; do
|
||||||
# Using something unique and specific to this object
|
# Using something unique and specific to this object
|
||||||
hook_file="${HOOKS_DIR}/${hook}/${__object_id}.cdist.sh"
|
hook_file="${HOOKS_DIR}/${hook}/${__object_id}.cdist.sh"
|
||||||
# Reasonable defaults
|
|
||||||
hook_source="${__object}/parameter/${hook}-hook"
|
|
||||||
hook_state="absent"
|
|
||||||
hook_contents_head="#!/bin/sh -e"
|
|
||||||
hook_contents_logic=""
|
|
||||||
hook_contents_tail=""
|
|
||||||
|
|
||||||
# Backwards compatibility
|
# This defines hook_contents
|
||||||
# Remove this when renew-hook is removed
|
# shellcheck source=cdist/conf/type/__letsencrypt_cert/files/gen_hook.sh
|
||||||
# Falling back to renew-hook if deploy-hook is not passed
|
. "${__type}/files/gen_hook.sh"
|
||||||
if [ "${hook}" = "deploy" ] && [ ! -f "${hook_source}" ]; then
|
|
||||||
hook_source="${__object}/parameter/renew-hook"
|
|
||||||
fi
|
|
||||||
if [ "${state}" = "present" ] && \
|
|
||||||
[ -f "${hook_source}" ]; then
|
|
||||||
# This hook is to be installed, let's generate it with some
|
|
||||||
# safety boilerplate
|
|
||||||
# Since certbot runs all hooks for all renewal processes
|
|
||||||
# (at each state for deploy, pre, post), it is up to us to
|
|
||||||
# differentiate whether or not the hook must run
|
|
||||||
hook_state="present"
|
|
||||||
hook_contents_head="$(cat <<EOF
|
|
||||||
#!/bin/sh -e
|
|
||||||
#
|
|
||||||
# Managed remotely with https://cdi.st
|
|
||||||
#
|
|
||||||
# Domains for which this hook is supposed to apply
|
|
||||||
lineage="${LE_DIR}/live/${__object_id}"
|
|
||||||
domains="\$(cat <<eof
|
|
||||||
${domains}
|
|
||||||
eof
|
|
||||||
)"
|
|
||||||
EOF
|
|
||||||
)"
|
|
||||||
case "${hook}" in
|
|
||||||
pre|post)
|
|
||||||
# Certbot is kind of terrible, we have
|
|
||||||
# no way of knowing what domain/lineage the
|
|
||||||
# hook is running for
|
|
||||||
hook_contents_logic="$(cat <<EOF
|
|
||||||
# pre/post-hooks apply always due to a certbot limitation
|
|
||||||
APPLY_HOOK="YES"
|
|
||||||
EOF
|
|
||||||
)"
|
|
||||||
;;
|
|
||||||
deploy)
|
|
||||||
hook_contents_logic="$(cat <<EOF
|
|
||||||
# certbot defines these:
|
|
||||||
# RENEWED_DOMAINS: DOMAIN1,DOMAIN2
|
|
||||||
# RENEWED_LINEAGE: /etc/letsencrypt/live/__object_id
|
|
||||||
# It feels more stable to use RENEWED_LINEAGE
|
|
||||||
if [ "\${lineage}" = "\${RENEWED_LINEAGE}" ]; then
|
|
||||||
APPLY_HOOK="YES"
|
|
||||||
fi
|
|
||||||
EOF
|
|
||||||
)"
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
echo "Unknown hook '${hook}'" >> /dev/stderr
|
|
||||||
exit 1
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
|
|
||||||
hook_contents_tail="$(cat <<EOF
|
|
||||||
if [ -n "\${APPLY_HOOK}" ]; then
|
|
||||||
# Messing with indentation can eff up the users' scripts, let's not
|
|
||||||
$(cat "${hook_source}")
|
|
||||||
fi
|
|
||||||
EOF
|
|
||||||
)"
|
|
||||||
fi
|
|
||||||
# Ensure hook directory exists
|
# Ensure hook directory exists
|
||||||
require="__directory/${HOOKS_DIR}" __directory "${HOOKS_DIR}/${hook}" \
|
require="__directory/${HOOKS_DIR}" __directory "${HOOKS_DIR}/${hook}" \
|
||||||
--mode 0755
|
--mode 0755
|
||||||
|
@ -219,10 +153,6 @@ EOF
|
||||||
--mode 0555 \
|
--mode 0555 \
|
||||||
--source '-' \
|
--source '-' \
|
||||||
--state "${hook_state}" <<EOF
|
--state "${hook_state}" <<EOF
|
||||||
${hook_contents_head}
|
${hook_contents}
|
||||||
|
|
||||||
${hook_contents_logic}
|
|
||||||
|
|
||||||
${hook_contents_tail}
|
|
||||||
EOF
|
EOF
|
||||||
done
|
done
|
||||||
|
|