{# caucased(): buildout sections running a caucase CA daemon (caucased).
   prefix                     - base of the generated section names: [<prefix>-directory], [<prefix>], [<prefix>-promise]
   buildout_bin_directory     - directory containing the caucased and caucase-probe executables
   caucased_path              - path of the wrapper script to generate
   data_dir                   - directory receiving caucase.sqlite and server.key.pem
   netloc                     - host:port passed to --netloc; the promise probes http://<netloc>
   tmp                        - when set, exported as TMP and TMPDIR to the daemon
   service_auto_approve_count - service certificate requests signed without explicit approval
                                (default 0: every service request needs an approval)
   user_auto_approve_count    - user certificate requests signed without explicit approval
                                (default 1: the first request is auto-signed, so an initial user can bootstrap)
   key_len                    - forwarded to --key-len when set
   backup_dir                 - forwarded to --backup-directory when set
   promise                    - also emit a monitor promise checking the service with caucase-probe
#}
{% macro caucased(
  prefix,
  buildout_bin_directory,
  caucased_path,
  data_dir,
  netloc,
  tmp,
  service_auto_approve_count=0,
  user_auto_approve_count=1,
  key_len=None,
  backup_dir=None,
  promise=True
) -%}
[{{ prefix }}-directory]
{#- holds the CA database and the server private key, hence the restrictive 0750 mode #}
recipe = slapos.cookbook:mkdirectory
data-dir = {{ data_dir }}
mode = 0750

[{{ prefix }}]
{#- wrapper script for the daemon; TMP/TMPDIR are only overridden when tmp is given #}
recipe = slapos.cookbook:wrapper
wrapper-path = {{ caucased_path }}
{%- if tmp %}
environment =
  TMP={{ tmp }}
  TMPDIR={{ tmp }}
{%- endif %}
{#- Every argument is single-quoted for the wrapper's shell script except backup_dir:
    NOTE(review) a backup_dir containing spaces would be split into several arguments.
    --lock-auto-approve-count asks caucased to refuse later changes to the two auto-approve counts. #}
command-line = '{{ buildout_bin_directory }}/caucased'
  --db          '${ {{- prefix }}-directory:data-dir}/caucase.sqlite'
  --server-key  '${ {{- prefix }}-directory:data-dir}/server.key.pem'
  --netloc      '{{ netloc }}'
  {% if key_len %}--key-len '{{ key_len }}' {%- endif %}
  {% if backup_dir %}--backup-directory {{ backup_dir }} {%- endif %}
  --service-auto-approve-count '{{ service_auto_approve_count }}'
  --user-auto-approve-count    '{{ user_auto_approve_count }}'
  --lock-auto-approve-count
{#- end of the daemon command line; the monitor promise below is optional #}

{% if promise -%}
[{{ prefix }}-promise]
{#- caucase-probe is run against the plain-http netloc; check_command_execute reports the promise
    as failed when that command fails #}
<= monitor-promise-base
promise = check_command_execute
name = {{ prefix }}.py
config-command = '{{ buildout_bin_directory }}/caucase-probe' 'http://{{ netloc }}'
{%- endif %}
{%- endmacro %}

{# updater(): buildout sections running caucase-updater, which requests/renews a certificate
   from a caucase CA and keeps the CA certificate and CRL files up to date.
   prefix                 - base of the generated section names: [<prefix>-directory], [<prefix>-csr]
                            (plus [<prefix>-provided-csr-content] / [<prefix>-provided-csr] when a
                            template is given), [<prefix>], [<prefix>-promise]
   buildout_bin_directory - directory containing caucase-updater and caucase-rerequest
   updater_path           - path of the wrapper script to generate
   url                    - caucase CA URL passed to --ca-url
   data_dir               - directory receiving cas.crt.pem and the CSR files
   ca_path, crl_path      - where the CA certificate and the CRL are written (--ca / --crl)
   crt_path               - certificate to obtain; when unset no CSR section is emitted and the
                            updater only gets --ca / --crl
   key_path               - private key file (--key); when unset, the openssl branch below writes
                            the key into crt_path instead
   on_renew               - forwarded to --on-renew when set
   max_sleep              - forwarded to --max-sleep when set
   mode                   - forwarded to --mode (default: service)
   template_csr           - path or URL of a CSR template, fetched by slapos.recipe.template:jinja2
   template_csr_pem       - inline PEM CSR template; takes precedence over template_csr
   openssl                - openssl executable used to generate a key and CSR when no template is
                            given; it must be set in that case (None would be rendered literally)
   promise                - also emit a check_certificate monitor promise on crt_path / key_path
#}
{% macro updater(
  prefix,
  buildout_bin_directory,
  updater_path,
  url,
  data_dir,
  ca_path,
  crl_path,
  crt_path=None,
  key_path=None,
  on_renew=None,
  max_sleep=None,
  mode='service',
  template_csr=None,
  template_csr_pem=None,
  openssl=None,
  promise=True
) -%}
[{{ prefix }}-directory]
{#- no mode is set here (unlike the caucased data dir): this macro only stores cas.crt.pem and
    CSR files in it, private keys are written to key_path / crt_path #}
recipe = slapos.cookbook:mkdirectory
data-dir = {{ data_dir }}
{#- CSR source, only when a certificate is requested (crt_path): either rendered from the provided
    template and re-requested by rerequest() whenever the template changes, or generated once with
    openssl. Both branches end up defining [<prefix>-csr] with a csr option. #}

{% if crt_path %}
{%   if template_csr_pem or template_csr -%}
[{{ prefix }}-provided-csr-content]
{#- template_csr_pem (PEM text) is stored through dumps(); template_csr is a location the jinja2
    recipe below uses as its url #}
{%     if template_csr_pem %}
content = {{ dumps(template_csr_pem) }}
{%     elif template_csr %}
content = {{ template_csr }}
{%     endif %}
[{{ prefix }}-provided-csr]
recipe = slapos.recipe.template:jinja2
{%     if template_csr_pem %}
inline =
  {{ '{{ content }}' }}
output = ${ {{- prefix }}-directory:data-dir}/provided.csr.pem
context = key content {{ prefix }}-provided-csr-content:content
{%     elif template_csr %}
url = {{ '${' + prefix }}-provided-csr-content:content}
output = ${ {{- prefix }}-directory:data-dir}/provided.csr.pem
{%     endif %}
{#- rerequest() emits the [<prefix>-csr] section from the rendered template.
    NOTE(review): key is key_path, which defaults to None; caucase-rerequest would then be given
    --key 'None'. Confirm that callers always pass key_path together with a template. #}
{{   rerequest(
       prefix=prefix ~ '-csr',
       buildout_bin_directory=buildout_bin_directory,
       template='${' ~ prefix ~  '-provided-csr:output}',
       csr='${:csr}',
       key=key_path,
)}}
{%-   else -%}
[{{ prefix }}-csr]
{#- no template: generate an RSA-2048 key and a CSR once, only while neither the key file nor the
    CSR exists, so an existing key is never overwritten. -nodes writes the key unencrypted and the
    file's permissions are not set here. The subject is a placeholder -
    TODO confirm the CA does not keep /CN=example.com as-is. #}
recipe = plone.recipe.command
command =
  if [ ! -f '{{ key_path or crt_path }}' ] && [ ! -f '${:csr}' ] ; then
    '{{ openssl }}' req -newkey rsa:2048 -batch -new -nodes -subj /CN=example.com -keyout '{{ key_path or crt_path }}' -out '${:csr}'
  fi
{%-   endif %}
csr = ${ {{- prefix }}-directory:data-dir}/good.csr.pem
{%- endif %}

[{{ prefix }}]
{#- the updater wrapper: --ca-url is the CA to talk to, --cas-ca points at cas.crt.pem in data-dir;
    --csr/--crt are only passed when a certificate is requested and --key only when the key has
    its own file #}
recipe = slapos.cookbook:wrapper
wrapper-path = {{ updater_path }}
command-line = '{{ buildout_bin_directory }}/caucase-updater'
  --ca-url '{{ url }}'
  --cas-ca '${ {{- prefix }}-directory:data-dir}/cas.crt.pem'
  --mode '{{ mode }}'
  {% if crt_path %}--csr '${ {{- prefix }}-csr:csr}'
  --crt '{{ crt_path }}' {%- endif %}
  --ca '{{ ca_path }}'
  --crl '{{ crl_path }}'
  {% if key_path %}--key '{{ key_path }}' {%- endif %}
  {% if on_renew %}--on-renew '{{ on_renew }}' {%- endif %}
  {% if max_sleep %}--max-sleep '{{ max_sleep }}' {%- endif %}
{% if promise -%}
[{{ prefix }}-promise]
{#- check_certificate with config-certificate-expiration-days = 15: the promise is expected to fail
    once the certificate is within 15 days of expiry.
    NOTE(review): crt_path and key_path are rendered as the literal string None when unset;
    confirm the promise tolerates that, or emit this section only when crt_path is given. #}
<= monitor-promise-base
promise = check_certificate
name = {{ prefix }}.py
config-certificate = {{ crt_path }}
config-key = {{ key_path }}
config-certificate-expiration-days = 15
{%- endif %}
{%- endmacro %}

{# rerequest(): buildout section that (re)issues a CSR with caucase-rerequest whenever its
   template changes or the CSR / key file is missing.
   prefix                 - name of the generated section
   buildout_bin_directory - directory containing caucase-rerequest
   template               - path of the CSR template (buildout substitutions are resolved first)
   csr                    - CSR file to (re)create
   key                    - private key passed to caucase-rerequest; the command is also run when
                            this file does not exist yet
#}
{% macro rerequest(prefix, buildout_bin_directory, template, csr, key) -%}
[{{ prefix }}]
{#- Runs on install and on update (update-command = command). The template's md5 is cached next to
    it (checksum-file keeps its single quotes, which the shell consumes in the expansions below) and
    caucase-rerequest is only invoked when that md5 changed or csr / key is missing. md5 is used
    here purely to detect changes of a local file, not as an integrity check. set -e together with
    stop-on-error is meant to make a failing caucase-rerequest fail the buildout run. #}
recipe = plone.recipe.command
checksum-file = '{{ template }}.md5'
command =
  set -e
  md5_current=$(${buildout:executable} -c "from __future__ import print_function ; import hashlib ; print(hashlib.md5(open('{{ template }}', 'rb').read()).hexdigest())")
  md5_old=$([ -f ${:checksum-file} ] && cat ${:checksum-file} || echo none)
  if [ "$md5_current" != "$md5_old" ] || [ ! -f '{{ csr }}' ] || [ ! -f '{{ key }}' ] ; then
    '{{ buildout_bin_directory }}/caucase-rerequest' --template '{{ template }}' --csr '{{ csr }}' --key '{{ key }}'
    echo $md5_current > ${:checksum-file}
  fi
update-command = ${:command}
stop-on-error = True
{%- endmacro %}