[Qa-jenkins-scm] [Git][qa/jenkins.debian.net][master] initial settings deploying dehydrated to handle the SSL certificates

Mattia Rizzolo gitlab at salsa.debian.org
Sun Aug 16 15:49:04 BST 2020



Mattia Rizzolo pushed to branch master at Debian QA / jenkins.debian.net


Commits:
da9520f9 by Mattia Rizzolo at 2020-08-16T16:48:50+02:00
initial settings deploying dehydrated to handle the SSL certificates

Signed-off-by: Mattia Rizzolo <mattia at debian.org>

- - - - -


5 changed files:

- + hosts/jenkins/etc/dehydrated/conf.d/local_local.sh
- + hosts/jenkins/etc/dehydrated/domains.txt
- + hosts/jenkins/etc/dehydrated/hooks.sh
- + hosts/jenkins/etc/sudoers.d/letsencrypt
- update_jdn.sh


Changes:

=====================================
hosts/jenkins/etc/dehydrated/conf.d/local_local.sh
=====================================
@@ -0,0 +1,11 @@
+#CA="https://acme-v02.api.letsencrypt.org/directory"
+CA="https://acme-staging.api.letsencrypt.org/directory"
+
+RENEW_DAYS="30"
+KEYSIZE="4096"
+PRIVATE_KEY_RENEW="no"
+
+CHALLENGETYPE="http-01"
+HOOK="/etc/dehydrated/hook.sh"
+
+CONTACT_EMAIL="contact at reproducible-builds.org"
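Review bot: HOOK points at /etc/dehydrated/hook.sh, but the file this commit adds is hosts/jenkins/etc/dehydrated/hooks.sh (plural), so dehydrated will fail to find the hook and neither the Apache reload nor the notification mail will run on deploy_cert; rename one of the two. The active CA is the staging directory, so every certificate issued with this config is signed by the untrusted staging CA and browsers will reject it; swapping the comment markers on the two CA lines is needed before this goes live, and the staging URL itself is the v1 endpoint (acme-staging.api.letsencrypt.org) while the production line is v2 (acme-v02), so the staging line should be acme-staging-v02.api.letsencrypt.org/directory to match. PRIVATE_KEY_RENEW="no" keeps the same private key across renewals for the lifetime of the deployment; consider "yes" so that a leaked key ages out at the next renewal.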


=====================================
hosts/jenkins/etc/dehydrated/domains.txt
=====================================
@@ -0,0 +1,6 @@
+jenkins.debian.net
+reproducible-builds.org
+www.reproducible-builds.org
+diffoscope.org
+tests.reproducible-builds.org
+reproducible.debian.net
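Review bot: each line of domains.txt is one separate certificate, so this file yields six certificates and six deploy_cert hook invocations (hence six Apache reloads) per renewal run; names served by the same vhost, such as reproducible-builds.org and www.reproducible-builds.org, can share a line to obtain one certificate with the extra names as SANs. With CHALLENGETYPE="http-01" every listed name must resolve to this host and serve /.well-known/acme-challenge over plain HTTP, which is worth confirming for reproducible.debian.net and diffoscope.org before the first run.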


=====================================
hosts/jenkins/etc/dehydrated/hooks.sh
=====================================
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -eu
+
+OP=$1
+
+_log () {
+    echo " + ($OP) $*"
+}
+
+reload_apache () {
+    _log "Reloading apache..."
+    sudo apache2ctl graceful
+}
+
+email () {
+    # $1: domain name $6: timestamp of cert creation
+    echo -e "The following SSL certifcate has just been renewed:\n\n    $1\t$6" | \
+        mail -s "R-B SSL certifcate renewed" root
+}
+
+case "$OP" in
+    deploy_cert)
+        reload_apache
+        email "$@"
+        ;;
+    *)
+        ;;
+esac
+
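Review bot: `email "$@"` passes the hook's full argument list, so inside email $1 is the operation name "deploy_cert" and $6 is the chain file path, not the domain and timestamp the comment describes; dehydrated invokes the hook as `hook deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP`, so either `shift` before the call or use $2 and $7. "certifcate" is misspelled twice in the mail text. Since the sudoers rule is written against the full path, invoking it as `sudo /usr/sbin/apache2ctl graceful` makes the match independent of secure_path, and the file needs to be installed executable for dehydrated to run it.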


=====================================
hosts/jenkins/etc/sudoers.d/letsencrypt
=====================================
@@ -0,0 +1 @@
+letsencrypt ALL=(root) NOPASSWD: /usr/sbin/apache2ctl graceful
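Review bot: the rule is appropriately narrow (one binary, one fixed argument), but sudo only honours files under /etc/sudoers.d that are owned by root and not writable by group or others, and update_jdn.sh fixes ownership and mode only for /etc/sudoers.d/jenkins and /etc/sudoers.d/jenkins-adm (the `sudo chown root.root ... ; sudo chmod 700 ...` lines); add the equivalent line for /etc/sudoers.d/letsencrypt so the hook's apache2ctl call is not silently refused.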


=====================================
update_jdn.sh
=====================================
@@ -144,6 +144,24 @@ users=$(for i in ${!user_host_groups[@]}; do echo ${i%,*} ; done | sort -u)
 		continue
 	fi
 
+	# create the letsencrypt group and user in jenkins if needed
+	# doing it here instead of using the array above as we have to use --system
+	if [ "$HOSTNAME" = jenkins ]; then
+		if ! getent group letsencrypt > /dev/null ; then
+			sudo addgroup --system letsencrypt
+		fi
+		if ! getopt passwd letsencrypt > /dev/null ; then
+			sudo adduser --system \
+				--gecos "Let's Encrypt role account" \
+				--shell /usr/sbin/nologin \
+				--disabled-login \
+				--home /var/lib/dehydrated \
+				--no-create-home \
+				--ingroup letsencrypt \
+				letsencrypt
+		fi
+	fi
+
 	# create the user
 	if ! getent passwd $user > /dev/null ; then
 		# adduser, defaulting to /bin/bash as shell
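Review bot: `getopt passwd letsencrypt` should be `getent passwd letsencrypt`, as in the existing `getent passwd $user` check a few lines below; getopt treats "passwd" as an option string and "letsencrypt" as a non-option argument and exits 0, so the negated test is never true and the adduser branch never runs, leaving the statoverride and sudoers entries later in the patch referring to a user that does not exist.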
@@ -482,6 +500,8 @@ if [ -f /etc/debian_version ] ; then
 				cmake 
 				cron-apt 
 				csvtool 
+				dehydrated
+				dehydrated-apache2
 				dnsmasq-base 
 				dstat 
 				figlet 
@@ -634,6 +654,14 @@ sudo chown root.root /etc/sudoers.d/jenkins ; sudo chmod 700 /etc/sudoers.d/jenk
 sudo chown root.root /etc/sudoers.d/jenkins-adm ; sudo chmod 700 /etc/sudoers.d/jenkins-adm
 [ -f /etc/mailname ] || ( echo $HOSTNAME.debian.net | sudo tee /etc/mailname )
 
+if [ "$HOSTNAME" = "jenkins" ]; then
+	for path in /var/lib/dehydrated /var/lib/dehydrated/acme-challenges; do
+		if ! dpkg-statoverride --list "$path" > /dev/null; then
+			sudo dpkg-statoverride --update --add letsencrypt letsencrypt 755 "$path"
+		fi
+	done
+fi
+
 if [ "$HOSTNAME" = "jenkins" ] || [ "$HOSTNAME" = "profitbricks-build7-amd64" ] ; then
 	if ! $UP2DATE || [ $BASEDIR/hosts/$HOSTNAME/etc/apache2 -nt $STAMP ]  ; then
 		if [ ! -e /etc/apache2/mods-enabled/proxy.load ] ; then
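Review bot: the override hands /var/lib/dehydrated to the letsencrypt account, but nothing in this patch makes dehydrated run as that account: the conf.d snippet sets no DEHYDRATED_USER/DEHYDRATED_GROUP, and the sudoers rule only covers the hook's Apache reload. If `dehydrated -c` is run as root (for instance from the package's scheduled job), the certs/ and accounts/ trees it creates will be root-owned and the role account locked out; set the user in the config or run it explicitly as letsencrypt. Mode 755 on the two directories is acceptable because www-data must traverse them to serve acme-challenges, and dehydrated writes the private keys themselves with restrictive permissions.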



View it on GitLab: https://salsa.debian.org/qa/jenkins.debian.net/-/commit/da9520f9457dace3793d581b78c435a5d48ad15e
