caucase.jinja2.library

{% macro caucased(
  prefix,
  buildout_bin_directory,
  caucased_path,
  data_dir,
  netloc,
  tmp,
  service_auto_approve_count=0,
  user_auto_approve_count=1,
  key_len=None,
  backup_dir=None,
  promise=True
) -%}
[{{ prefix }}-directory]
recipe = slapos.cookbook:mkdirectory
data-dir = {{ data_dir }}
mode = 0750

[{{ prefix }}]
recipe = slapos.cookbook:wrapper
wrapper-path = {{ caucased_path }}
{%- if tmp %}
environment =
  TMP={{ tmp }}
  TMPDIR={{ tmp }}
{%- endif %}
command-line = '{{ buildout_bin_directory }}/caucased'
  --db          '${ {{- prefix }}-directory:data-dir}/caucase.sqlite'
  --server-key  '${ {{- prefix }}-directory:data-dir}/server.key.pem'
  --netloc      '{{ netloc }}'
  {% if key_len %}--key-len '{{ key_len }}' {%- endif %}
  {% if backup_dir %}--backup-directory {{ backup_dir }} {%- endif %}
  --service-auto-approve-count '{{ service_auto_approve_count }}'
  --user-auto-approve-count    '{{ user_auto_approve_count }}'
  --lock-auto-approve-count

{% if promise -%}
[{{ prefix }}-promise]
<= monitor-promise-base
promise = check_command_execute
name = {{ prefix }}.py
config-command = '{{ buildout_bin_directory }}/caucase-probe' 'http://{{ netloc }}'
{%- endif %}
{%- endmacro %}

{% macro updater(
  prefix,
  buildout_bin_directory,
  updater_path,
  url,
  data_dir,
  ca_path,
  crl_path,
  crt_path=None,
  key_path=None,
  on_renew=None,
  max_sleep=None,
  mode='service',
  template_csr=None,
  template_csr_pem=None,
  openssl=None,
  promise=True
) -%}
[{{ prefix }}-directory]
recipe = slapos.cookbook:mkdirectory
data-dir = {{ data_dir }}

{% if crt_path %}
{%   if template_csr_pem or template_csr -%}
[{{ prefix }}-provided-csr-content]
{%     if template_csr_pem %}
content = {{ dumps(template_csr_pem) }}
{%     elif template_csr %}
content = {{ template_csr }}
{%     endif %}
[{{ prefix }}-provided-csr]
recipe = slapos.recipe.template:jinja2
{%     if template_csr_pem %}
inline =
  {{ '{{ content }}' }}
output = ${ {{- prefix }}-directory:data-dir}/provided.csr.pem
context = key content {{ prefix }}-provided-csr-content:content
{%     elif template_csr %}
url = {{ '${' + prefix }}-provided-csr-content:content}
output = ${ {{- prefix }}-directory:data-dir}/provided.csr.pem
{%     endif %}
{{   rerequest(
       prefix=prefix ~ '-csr',
       buildout_bin_directory=buildout_bin_directory,
       template='${' ~ prefix ~  '-provided-csr:output}',
       csr='${:csr}',
       key=key_path,
)}}
{%-   else -%}
[{{ prefix }}-csr]
recipe = plone.recipe.command
command =
  if [ ! -f '{{ key_path or crt_path }}' ] && [ ! -f '${:csr}' ] ; then
    '{{ openssl }}' req -newkey rsa:2048 -batch -new -nodes -subj /CN=example.com -keyout '{{ key_path or crt_path }}' -out '${:csr}'
  fi
{%-   endif %}
csr = ${ {{- prefix }}-directory:data-dir}/good.csr.pem
{%- endif %}

[{{ prefix }}]
recipe = slapos.cookbook:wrapper
wrapper-path = {{ updater_path }}
command-line = '{{ buildout_bin_directory }}/caucase-updater'
  --ca-url '{{ url }}'
  --cas-ca '${ {{- prefix }}-directory:data-dir}/cas.crt.pem'
  --mode '{{ mode }}'
  {% if crt_path %}--csr '${ {{- prefix }}-csr:csr}'
  --crt '{{ crt_path }}' {%- endif %}
  --ca '{{ ca_path }}'
  --crl '{{ crl_path }}'
  {% if key_path %}--key '{{ key_path }}' {%- endif %}
  {% if on_renew %}--on-renew '{{ on_renew }}' {%- endif %}
  {% if max_sleep %}--max-sleep '{{ max_sleep }}' {%- endif %}
{% if promise -%}
[{{ prefix }}-promise]
<= monitor-promise-base
promise = check_certificate
name = {{ prefix }}.py
config-certificate = {{ crt_path }}
config-key = {{ key_path }}
config-certificate-expiration-days = 15
{%- endif %}
{%- endmacro %}

{% macro rerequest(prefix, buildout_bin_directory, template, csr, key) -%}
[{{ prefix }}]
recipe = plone.recipe.command
checksum-file = '{{ template }}.md5'
command =
  set -e
  md5_current=$(${buildout:executable} -c "from __future__ import print_function ; import hashlib ; print(hashlib.md5(open('{{ template }}', 'rb').read()).hexdigest())")
  md5_old=$([ -f ${:checksum-file} ] && cat ${:checksum-file} || echo none)
  if [ "$md5_current" != "$md5_old" ] || [ ! -f '{{ csr }}' ] || [ ! -f '{{ key }}' ] ; then
    '{{ buildout_bin_directory }}/caucase-rerequest' --template '{{ template }}' --csr '{{ csr }}' --key '{{ key }}'
    echo $md5_current > ${:checksum-file}
  fi
update-command = ${:command}
stop-on-error = True
{%- endmacro %}