Add new software release for letsencrypt certificate automation

software/autocert/buildout.hash.cfg

+# THIS IS NOT A BUILDOUT FILE, despite purposedly using a compatible syntax.
+# The only allowed lines here are (regexes):
+# - "^#" comments, copied verbatim
+# - "^[" section beginings, copied verbatim
+# - lines containing an "=" sign which must fit in the following categorie.
+#   - "^\s*filename\s*=\s*path\s*$" where "path" is relative to this file
+#     Copied verbatim.
+#   - "^\s*hashtype\s*=.*" where "hashtype" is one of the values supported
+#     by the re-generation script.
+#     Re-generated.
+# - other lines are copied verbatim
+# Substitution (${...:...}), extension ([buildout] extends = ...) and
+# section inheritance (< = ...) are NOT supported (but you should really
+# not need these here).
+
+[template-instance]
+filename = instance.cfg.in
+md5sum = 9e584e5273ecf222da40b0f318fd62fd
+
+[template-autocert]
+filename = instance-autocert.cfg.jinja2.in
+md5sum = cf6b10e4460b5660a74322daa29d988d
+
+[template-dehydrated-config]
+filename = config.in
+md5sum = a12b0e12658a48658e366f3ed7c2e48e

software/autocert/config.in

+CA="letsencrypt"
+
+OLDCA="https://acme-v01.api.letsencrypt.org/directory"
+
+CHALLENGETYPE="http-01"
+
+# Path to a directory containing additional config files, allowing to override
+# the defaults found in the main configuration file. Additional config files
+# in this directory needs to be named with a '.sh' ending.
+# default: <unset>
+#CONFIG_D=
+
+# Directory for per-domain configuration files.
+# If not set, per-domain configurations are sourced from each certificates output directory.
+# default: <unset>
+#DOMAINS_D=
+
+# Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined)
+BASEDIR={{ parameter_dict['base-dir'] }}
+
+# File containing the list of domains to request certificates for (default: $BASEDIR/domains.txt)
+DOMAINS_TXT="${BASEDIR}/domains.txt"
+
+# Output directory for generated certificates
+CERTDIR="${BASEDIR}/certs"
+
+# Output directory for alpn verification certificates
+ALPNCERTDIR="${BASEDIR}/alpn-certs"
+
+# Directory for account keys and registration information
+ACCOUNTDIR="${BASEDIR}/accounts"
+
+# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: /var/www/dehydrated)
+WELLKNOWN="{{ parameter_dict['acme-dir'] }}"
+
+# Default keysize for private keys (default: 4096)
+KEYSIZE="4096"
+
+# Path to openssl config file (default: <unset> - tries to figure out system default)
+#OPENSSL_CNF=
+
+# Path to OpenSSL binary (default: "openssl")
+OPENSSL="{{ parameter_dict['openssl-bin'] }}"
+
+# Extra options passed to the curl binary (default: <unset>)
+#CURL_OPTS=
+
+# Program or function called in certain situations
+#
+# After generating the challenge-response, or after failed challenge (in this case altname is empty)
+# Given arguments: clean_challenge|deploy_challenge altname token-filename token-content
+#
+# After successfully signing certificate
+# Given arguments: deploy_cert domain path/to/privkey.pem path/to/cert.pem path/to/fullchain.pem
+#
+# BASEDIR and WELLKNOWN variables are exported and can be used in an external program
+# default: <unset>
+#HOOK=
+
+# Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate (default: no)
+#HOOK_CHAIN="no"
+
+# Minimum days before expiration to automatically renew certificate (default: 30)
+RENEW_DAYS="30"
+
+# Regenerate private keys instead of just signing new certificates on renewal (default: yes)
+#PRIVATE_KEY_RENEW="yes"
+
+# Create an extra private key for rollover (default: no)
+#PRIVATE_KEY_ROLLOVER="no"
+
+# Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
+#KEY_ALGO=secp384r1
+
+# E-mail to use during the registration (default: <unset>)
+CONTACT_EMAIL={{ parameter_dict['registration-email'] }}
+
+# Lockfile location, to prevent concurrent access (default: $BASEDIR/lock)
+LOCKFILE="${BASEDIR}/lock"
+
+# Option to add CSR-flag indicating OCSP stapling to be mandatory (default: no)
+#OCSP_MUST_STAPLE="no"
+
+# Fetch OCSP responses (default: no)
+#OCSP_FETCH="no"
+
+# OCSP refresh interval (default: 5 days)
+#OCSP_DAYS=5
+
+# Issuer chain cache directory (default: $BASEDIR/chains)
+CHAINCACHE="${BASEDIR}/chains"
+
+# Automatic cleanup (default: no)
+AUTO_CLEANUP="no"
+
+# ACME API version (default: auto)
+#API=auto
+
+# Preferred issuer chain (default: <unset> -> uses default chain)
+#PREFERRED_CHAIN=

software/autocert/instance-autocert.cfg.jinja2.in

+{% set folder_list = [] -%}
+{% set part_list = [] -%}
+
+[httpd-wrapper]
+recipe = slapos.cookbook:simplehttpserver
+host = {{ (ipv6 | list)[0] }}
+port = 9086
+base-path = ${directory:www}
+wrapper = ${directory:services}/http-server
+log-file = ${directory:log}/httpd.log
+use-hash-url = false
+url = http://[${:host}]:${:port}
+
+[logrotate-entry-httpd]
+<= logrotate-entry-base
+name = http-server
+log = ${httpd-wrapper:log-file}
+
+[httpd-url-promise]
+<= monitor-promise-base
+promise = check_url_available
+name = httpd_url.py
+config-url = ${httpd-wrapper:url}
+
+[httpd-listen-promise]
+<= monitor-promise-base
+promise = check_socket_listening
+name = httpd-listen.py
+config-host = ${httpd-wrapper:host}
+config-port = ${httpd-wrapper:port}
+
+[dehydrated-webroot]
+recipe = plone.recipe.command
+path = ${directory:srv}/dehydrated
+command =
+  rm -rf ${:path}
+  ln -sf ${directory:acme} ${:path}
+
+[dehydrated-config-parameters]
+acme-dir = ${dehydrated-webroot:path}
+openssl-bin = {{ openssl_bin }}
+base-dir = ${directory:dehydrated}
+registration-email = {{ slapparameter_dict.get('registration-email', '') }}
+
+[dehydrated-config]
+recipe = slapos.recipe.template:jinja2
+url = {{ parameter_dict['template-config'] }}
+output = ${directory:dehydrated}/config
+context =
+  section parameter_dict dehydrated-config-parameters
+
+[dehydrated-register]
+recipe = slapos.cookbook:wrapper
+command-line =
+  {{ parameter_dict['dehydrated-location'] }}/dehydrated
+  --config ${dehydrated-config:output}
+  --register --accept-terms
+wrapper-path = ${directory:scripts}/dehydrated-register
+
+[caucase-updater]
+recipe = slapos.cookbook:wrapper
+command-line =
+  {{ buildout_bin_directory }}/caucase-updater
+  --ca-url "${instance-parameter:kedifa-caucase-url}"
+  --cas-ca ${directory:caucase}/cas.crt.pem
+  --ca ${:ca-path}
+  --crl ${:crl-path}
+wrapper-path = ${directory:services}/caucase-updater
+crl-path = ${directory:caucase}/crl.pem
+ca-path = ${directory:caucase}/ca.crt.pem
+
+[base-wrapper]
+recipe = slapos.cookbook:wrapper
+environment =
+  PATH={{ openssl_location }}/bin:{{ curl_location }}/bin:/usr/local/bin:/usr/bin:/bin
+
+{% for domain_dict in slapparameter_dict["kedifa-domain-list"] %}
+{%   set domain = domain_dict['domain-list'][0] -%}
+{%   set kedifa_id = domain_dict['kedifa-id'] -%}
+{%   do folder_list.append(domain) -%}
+[dehydrated-domains-{{ domain }}]
+recipe = slapos.recipe.template
+inline =
+  {{ '  ' ~ ' '.join(domain_dict['domain-list']) }}
+output = ${directory:dehydrated}/{{ domain }}/domains.txt
+
+[dehydrated-wrapper-{{ domain }}]
+<= base-wrapper
+command-line =
+  {{ parameter_dict['dehydrated-location'] }}/dehydrated
+  --config ${dehydrated-config:output}
+  --domains-txt {{ "${dehydrated-domains-" ~ domain ~ ":output}" }}
+  --cron
+wrapper-path = ${directory:services}/dehydrated-{{ domain.replace('\.', '-') }}
+depends =
+  {{ "${dehydrated-domains-" ~ domain ~ ":recipe}" }}
+
+[kedifa-generate-auth-{{ domain }}]
+<= base-wrapper
+command-line =
+  {{ parameter_dict['kedifa-location'] }}/contrib/shell/kedifa_generateauth
+  ${instance-parameter:kedifa-url}/{{ kedifa_id }}/generateauth
+  ${caucase-updater:ca-path}
+  ${caucase-updater:crl-path} {{ domain }}
+  ${directory:kedifa}
+wait-for-files =
+  ${caucase-updater:crl-path}
+wrapper-path = ${directory:scripts}/kedifa-genauth-{{ domain.replace('\.', '-') }}
+
+[kedifa-upload-{{ domain }}]
+<= base-wrapper
+command-line =
+  {{ parameter_dict['kedifa-location'] }}/contrib/shell/kedifa_update_cert
+     ${directory:kedifa}/{{ domain }}.sh
+     ${directory:dehydrated}/{{ domain }}/certs/{{ domain }}/privkey.pem
+     ${directory:dehydrated}/{{ domain }}/certs/{{ domain }}/fullchain.pem
+wait-for-files =
+  ${directory:dehydrated}/{{ domain }}/certs/{{ domain }}/fullchain.pem
+wrapper-path = ${directory:bin}/kedifa-upload-{{ domain.replace('\.', '-') }}
+depends =
+  {{ "  ${dehydrated-wrapper-" ~ domain ~ ":recipe}" }}
+  {{ "  ${kedifa-generate-auth-" ~ domain ~ ":recipe}" }}
+
+[cron-entry-{{ domain }}]
+<= cron
+recipe = slapos.cookbook:cron.d
+name = {{ domain }}
+frequency = 0 0 * * 0
+command = {{ "${kedifa-upload-" ~ domain ~ ":wrapper-path}" }}
+
+{% do part_list.append("cron-entry-" ~ domain) -%}
+{% endfor %}
+
+[instance-parameter]
+kedifa-caucase-url = {{ slapparameter_dict['kedifa-caucase-url'] }}
+kedifa-url = {{ slapparameter_dict['kedifa-base-url'] }}
+
+[publish-connection-information]
+<= monitor-publish
+recipe = slapos.cookbook:publish
+url = ${httpd-wrapper:url}
+
+[directory]
+recipe = slapos.cookbook:mkdirectory
+etc = ${buildout:directory}/etc
+bin = ${buildout:directory}/bin
+srv = ${buildout:directory}/srv
+var = ${buildout:directory}/var
+run = ${:var}/run
+log = ${:var}/log
+scripts = ${:etc}/run
+services = ${:etc}/service
+plugins = ${:etc}/plugin
+www = ${:srv}/www
+tmp = ${:srv}/tmp
+acme = ${:www}/.well-known/acme-challenge
+caucase = ${:etc}/caucase
+dehydrated = ${:etc}/dehydrated
+kedifa = ${:etc}/kedifa
+{% for name in folder_list -%}
+{{   name }} = ${:dehydrated}/{{ name }}
+{% endfor -%}
+
+[buildout]
+extends = {{ template_monitor }}
+
+parts =
+  publish-connection-information
+  logrotate-entry-httpd
+  httpd-wrapper
+  httpd-listen-promise
+  httpd-url-promise
+  dehydrated-register
+
+# Complete parts with sections
+  {{ part_list | join('\n  ') }}
+
+eggs-directory = {{ eggs_directory }}
+develop-eggs-directory = {{ develop_eggs_directory }}
+offline = true

software/autocert/instance.cfg.in

+[buildout]
+parts = switch-softwaretype
+
+eggs-directory = {{ buildout_egg_directory }}
+develop-eggs-directory = {{ buildout_develop_directory }}
+offline = true
+
+
+[switch-softwaretype]
+recipe = slapos.cookbook:switch-softwaretype
+default  = dynamic-template-autocert:output
+RootSoftwareInstance = ${:default}
+
+[slap-configuration]
+recipe = slapos.cookbook:slapconfiguration.serialised
+computer = ${slap-connection:computer-id}
+partition = ${slap-connection:partition-id}
+url = ${slap-connection:server-url}
+key = ${slap-connection:key-file}
+cert = ${slap-connection:cert-file}
+
+[jinja2-template-base]
+recipe = slapos.recipe.template:jinja2
+output = ${buildout:directory}/${:filename}
+extensions = jinja2.ext.do
+extra-context =
+context =
+  key develop_eggs_directory buildout:develop-eggs-directory
+  key buildout_directory buildout:directory
+  key eggs_directory buildout:eggs-directory
+  key ipv4 slap-configuration:ipv4
+  key ipv6 slap-configuration:ipv6
+  key slapparameter_dict slap-configuration:configuration
+  raw buildout_bin_directory {{ bin_directory }}
+  raw bash_executable_location {{ bash_location }}/bin/dash
+  raw curl_location {{ curl_location }}
+  raw openssl_location {{ openssl_location }}
+  raw openssl_bin {{ openssl_location }}/bin/openssl
+  raw template_monitor {{ template_monitor_cfg }}
+  ${:extra-context}
+
+
+[dynamic-template-autocert-parameters]
+dehydrated-location = {{ dehydrated_location }}
+kedifa-location = {{ kedifa_location }}
+template-config = {{ template_dehydrated_config }}
+
+[dynamic-template-autocert]
+<= jinja2-template-base
+url = {{ template_autocert }}
+filename = instance-autocert.cfg
+extra-context =
+  section parameter_dict dynamic-template-autocert-parameters

software/autocert/software.cfg

+[buildout]
+extends =
+  ../../component/bash/buildout.cfg
+  ../../component/openssl/buildout.cfg
+  ../../component/curl/buildout.cfg
+  ../../stack/slapos.cfg
+  ../../stack/monitor/buildout.cfg
+  ./buildout.hash.cfg
+
+parts =
+  slapos-cookbook
+  eggs
+  template-instance
+
+allow-picked-versions = true
+
+[eggs]
+recipe = zc.recipe.egg
+eggs =
+  caucase
+  kedifa
+scripts =
+  caucase
+  caucase-probe
+  caucase-updater
+  caucase-rerequest
+  caucase-key-id
+
+[git-clone-base]
+recipe = slapos.recipe.build:gitclone
+git-executable = ${git:location}/bin/git
+branch = master
+
+[dehydrated]
+<= git-clone-base
+repository = https://github.com/dehydrated-io/dehydrated.git
+revision = v0.7.1
+
+[kedifa]
+<= git-clone-base
+repository = https://lab.nexedi.com/nexedi/kedifa.git
+revision = 7f6bdd71
+
+[download-template]
+recipe = slapos.recipe.build:download
+url = ${:_profile_base_location_}/${:filename}
+output = ${buildout:directory}/${:filename}
+
+[template-instance]
+recipe = slapos.recipe.template:jinja2
+output = ${buildout:directory}/instance.cfg
+url = ${:_profile_base_location_}/${:filename}
+context =
+    key bash_location bash:location
+    key bin_directory buildout:bin-directory
+    key buildout_egg_directory buildout:eggs-directory
+    key buildout_develop_directory buildout:develop-eggs-directory
+    key buildout_directory buildout:directory
+    key curl_location bash:location
+    key dehydrated_location dehydrated:location
+    key kedifa_location kedifa:location
+    key openssl_location openssl:location
+    key template_monitor_cfg monitor2-template:output
+    key template_autocert template-autocert:target
+    key template_dehydrated_config template-dehydrated-config:target
+
+[template-autocert]
+<= download-template
+output = ${buildout:directory}/instance-autocert.cfg.jinja2
+
+[template-dehydrated-config]
+<= download-template
+
+[versions]
+caucase = 0.9.15
+kedifa = 0.0.6
+pem = 21.1.0
+PyJWT = 2.7.0