certbot: Control auto-renew with a zulip.conf setting.

This causes the cron job to run only when a Zulip-managed certbot install is actually set up. Inside `install`, zulip.conf doesn't yet exist when we run setup-certbot, so we write the setting later. But we also give setup-certbot the ability to write the setting itself, so that we can recommend it in instructions for adopting certbot in an existing Zulip installation.
2017-11-14 15:48:22 -08:00 · 2017-11-14 15:48:22 -08:00 · ae901309fc
parent dd32348fca
commit ae901309fc
4 changed files with 35 additions and 3 deletions
--- a/puppet/zulip/files/cron.d/certbot-renew
+++ b/puppet/zulip/files/cron.d/certbot-renew
@ -3,4 +3,4 @@ PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
 USER=root

 # Cron job to renew certbot twice a day.
-52 0,12 * * * root /usr/local/sbin/certbot-auto renew --webroot --webroot-path=/var/lib/zulip/certbot-webroot/ --quiet
+52 0,12 * * * root /home/zulip/deployments/current/scripts/lib/certbot-maybe-renew
--- a/scripts/lib/certbot-maybe-renew
+++ b/scripts/lib/certbot-maybe-renew
@ -0,0 +1,19 @@
+#!/bin/bash
+
+zulip_conf_get_boolean() {
+    # Get a boolean flag from zulip.conf, using the Python
+    # `configparser` library's conventions for what counts as true.
+    # Treat absent and invalid values as false.
+    value=$(crudini --get /etc/zulip/zulip.conf "$1" "$2" 2>/dev/null)
+    case "$(echo "$value" | tr A-Z a-z)" in
+        1|yes|true|on) return 0 ;;
+        *) return 1 ;;
+    esac
+}
+
+if ! zulip_conf_get_boolean certbot auto_renew; then
+    exit 0
+fi
+
+/usr/local/sbin/certbot-auto renew --quiet \
+  --webroot --webroot-path=/var/lib/zulip/certbot-webroot/
--- a/scripts/lib/install
+++ b/scripts/lib/install
@ -83,7 +83,8 @@ ZULIP_PATH="$(realpath $(dirname $0)/../..)"
 "$ZULIP_PATH"/scripts/lib/check-upstart

 if [ -n "$USE_CERTBOT" ]; then
-    "$ZULIP_PATH"/scripts/setup/setup-certbot --hostname "$EXTERNAL_HOST" --email "$ZULIP_ADMINISTRATOR"
+    "$ZULIP_PATH"/scripts/setup/setup-certbot --no-zulip-conf \
+        --hostname "$EXTERNAL_HOST" --email "$ZULIP_ADMINISTRATOR"
 fi

 # Check for missing SSL certificates early as well
@ -134,6 +135,10 @@ mkdir -p /etc/zulip
    if [ -n "$TRAVIS" ] || ! dpkg-query --showformat '${Status}\n' -W rabbitmq-server 2>/dev/null | grep -vq ' not-installed$'; then
        echo -e "\n[rabbitmq]\nnodename = zulip@localhost"
    fi
+
+    if [ -n "$USE_CERTBOT" ]; then
+        echo -e "\n[certbot]\nauto_renew = yes"
+    fi
 ) > /etc/zulip/zulip.conf
 "$ZULIP_PATH"/scripts/zulip-puppet-apply -f

--- a/scripts/setup/setup-certbot
+++ b/scripts/setup/setup-certbot
@ -12,7 +12,7 @@ if [ "$EUID" -ne 0 ]; then
    exit 1
 fi

-args="$(getopt -o '' --long help,hostname:,email: -n "$0" -- "$@")"
+args="$(getopt -o '' --long help,hostname:,email:,no-zulip-conf -n "$0" -- "$@")"
 eval "set -- $args"
 while true; do
    case "$1" in
@ -26,6 +26,10 @@ while true; do
            shift
            shift
            ;;
+        --no-zulip-conf)
+            no_zulip_conf=1
+            shift
+            ;;
        --help)
            show_help=1
            shift
@ -61,4 +65,8 @@ CERT_DIR=/etc/letsencrypt/live/"$DOMAIN"
 symlink_with_backup "$CERT_DIR"/privkey.pem /etc/ssl/private/zulip.key
 symlink_with_backup "$CERT_DIR"/fullchain.pem /etc/ssl/certs/zulip.combined-chain.crt

+if [ -z "$no_zulip_conf" ]; then
+    crudini --set /etc/zulip/zulip.conf certbot auto_renew yes
+fi
+
 echo "Certbot SSL certificate configuration succeeded."