Updated letsencrypt cert issue code and deployed sys-monitor module.

openforis · Jan 20, 2021 · c0f36e7 · c0f36e7
1 parent 2aed0ea
commit c0f36e7
Show file tree

Hide file tree

Showing 11 changed files with 73 additions and 21 deletions.
diff --git a/ansible/push-images/templates/push_images.sh b/ansible/push-images/templates/push_images.sh
@@ -2,6 +2,7 @@
 set -e
 
 echo "{{ docker_password }}" | docker login localhost -u "{{ docker_username }}" --password-stdin
+docker push localhost/openforis/sys-monitor:{{ version }}
 docker push localhost/openforis/backup:{{ version }}
 docker push localhost/openforis/rabbitmq:{{ version }}
 docker push localhost/openforis/ldap:{{ version }}

diff --git a/deploy/Dockerfile b/deploy/Dockerfile
@@ -11,4 +11,5 @@ RUN pip3 install \
   ansible==2.9.15 \
   boto \
   boto3
+RUN ansible-galaxy collection install community.aws
 ENV SEPAL_HOME=/usr/local/lib/sepal
diff --git a/hosting-services/aws/sepal/deploy.yml b/hosting-services/aws/sepal/deploy.yml
@@ -200,3 +200,4 @@
     - { role: run-module, module: api-gateway }
     - { role: run-module, module: letsencrypt }
     - { role: run-module, module: haproxy }
+    - { role: run-module, module: sys-monitor }
diff --git a/hosting-services/aws/sepal/monit/monit.d/docker-containers b/hosting-services/aws/sepal/monit/monit.d/docker-containers
@@ -38,6 +38,10 @@ check program letsencrypt with path /usr/local/bin/dockercheck-letsencrypt
     depends on docker
     if status != 0 then alert
 
+check program sys-monitor with path /usr/local/bin/dockercheck-sys-monitor
+    depends on docker
+    if status != 0 then alert
+
 check program terminal with path /usr/local/bin/dockercheck-terminal
     depends on docker
     if status != 0 then alert

diff --git a/hosting-services/aws/sepal/provision.sh b/hosting-services/aws/sepal/provision.sh
@@ -23,7 +23,7 @@ source ../export-aws-keys.sh $CONFIG_HOME/secret.yml
 ansible-playbook provision.yml \
     -i $INVENTORY \
     --private-key=${PRIVATE_KEY}  \
-    --extra-vars "secret_vars_file=$CONFIG_HOME/secret.yml local_ip_address=$LOCAL_IP_ADDRESS"
+    --extra-vars "secret_vars_file=$CONFIG_HOME/secret.yml local_ip_address=$LOCAL_IP_ADDRESS letsencrypt_aws_keys_file=$CONFIG_HOME/letsencrypt-aws-keys.yml"
 
 # Refresh EC2 inventory cache, to make sure provisioned instance is included
 $INVENTORY --refresh-cache > /dev/null

diff --git a/hosting-services/aws/sepal/provision.yml b/hosting-services/aws/sepal/provision.yml
@@ -7,6 +7,53 @@
     - "{{ secret_vars_file }}"
 
   tasks:
+    - name: Create letsencrypt AWS user
+      community.aws.iam:
+        iam_type: user
+        name: letsencrypt
+        state: present
+        access_key_state: create
+      register: letsencrypt_user
+
+    - name: LetsEncypt user
+      ansible.builtin.debug:
+        msg: "{{ letsencrypt_user }}"
+
+    - name: CONFIG HOME
+      ansible.builtin.debug:
+        msg: "{{ letsencrypt_user['created_keys'] }}"
+
+    - name: Create letsencrypt user policy
+      community.aws.iam_policy:
+        iam_type: user
+        iam_name: letsencrypt
+        policy_name: letsencrypt_policy
+        policy_json: >
+          {
+              "Version": "2012-10-17",
+              "Statement": [
+                  {
+                      "Effect": "Allow",
+                      "Action": [
+                          "route53:GetHostedZone",
+                          "route53:ListHostedZones",
+                          "route53:ListHostedZonesByName",
+                          "route53:GetHostedZoneCount",
+                          "route53:ChangeResourceRecordSets",
+                          "route53:ListResourceRecordSets"
+                      ],
+                      "Resource": "*"
+                  }
+              ]
+          }
+        state: present
+
+    - name: Store letsencrypt keys
+      copy:
+        content: "letsencrypt_access_key_id: {{ letsencrypt_user['created_keys'][0]['access_key_id'] }}\nletsencrypt_secret_access_key: {{ letsencrypt_user['created_keys'][0]['secret_access_key'] }}\n"
+        dest: "{{ letsencrypt_aws_keys_file }}"
+      when: "{{ letsencrypt_user['created_keys'] }}"
+
     - name: Create Sepal-Storage security group
       ec2_group:
         name: "Sepal-Storage"

diff --git a/hosting-services/common/operations/build-and-push-images.yml b/hosting-services/common/operations/build-and-push-images.yml
@@ -8,6 +8,7 @@
     - "{{ secret_vars_file }}"
 
   roles:
+    - { role: build-module, module: sys-monitor }
     - { role: build-module, module: letsencrypt }
     - { role: build-module, module: java }
     - { role: build-module, module: rabbitmq }

diff --git a/hosting-services/vagrant/sepal/deploy.yml b/hosting-services/vagrant/sepal/deploy.yml
@@ -157,3 +157,4 @@
     - { role: run-module, module: letsencrypt }
     - { role: run-module, module: haproxy }
     - { role: run-module, module: rabbitmq }
+    - { role: run-module, module: sys-monitor }
diff --git a/modules/letsencrypt/docker/script/init_container.sh b/modules/letsencrypt/docker/script/init_container.sh
@@ -2,15 +2,14 @@
 
 sleep 30 # Make sure HAproxy had time to start
 
-if [ ! -d "$DIRECTORY" ]; then
-    /etc/letsencrypt/live/$SEPAL_HOST_SEPAL_ENV
-    /root/certbot-auto certonly\
-     --noninteractive\
-     --agree-tos\
-     --email $SEPAL_OPERATOR_EMAIL_SEPAL_ENV\
-     --standalone\
-     -d $SEPAL_HOST_SEPAL_ENV
-fi
+mkdir -p /etc/letsencrypt/live/$SEPAL_HOST_SEPAL_ENV
+
+~/.acme.sh/acme.sh --issue --dns dns_aws -d $SEPAL_HOST_SEPAL_ENV
+
+~/.acme.sh/acme.sh --install-cert -d $SEPAL_HOST_SEPAL_ENV \
+  --cert-file      /etc/letsencrypt/live/$SEPAL_HOST_SEPAL_ENV/cert.pem  \
+  --key-file       /etc/letsencrypt/live/$SEPAL_HOST_SEPAL_ENV/privkey.pem  \
+  --fullchain-file /etc/letsencrypt/live/$SEPAL_HOST_SEPAL_ENV/fullchain.pem
 
 # Unset all env variables ending with _SEPAL_ENV
 unset $(printenv | grep '_SEPAL_ENV' | sed -E "s/([0-9a-zA-Z]+)=.*/\\1/" | tr '\n' ' ')

diff --git a/modules/letsencrypt/docker/script/init_image.sh b/modules/letsencrypt/docker/script/init_image.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
-# https://certbot.eff.org/#ubuntutrusty-nginx
 apt-get update -y && apt-get install -y\
+ curl\
  wget\
  supervisor\
  python\
@@ -13,12 +13,5 @@ apt-get update -y && apt-get install -y\
  libffi-dev\
  ca-certificates
 
-cd /root
-wget -nv https://dl.eff.org/certbot-auto
-chmod a+x certbot-auto
-
-# Renew the certificate twice a day. It will not have any effect unless it's about to expire
-# but will catch cases where certificate been revoked for some reason.
-printf '%s\n' \
-    '38  0,12 * * * root /root/certbot-auto renew --quiet --no-self-upgrade' \
-    >> /etc/crontab
+apt-get install -y
+curl https://get.acme.sh | sh
diff --git a/modules/letsencrypt/run.yml b/modules/letsencrypt/run.yml
@@ -1,4 +1,7 @@
 ---
+vars_files:
+  - "{{ config_home }}/letsencrypt-aws-keys.yml"
+
 - file: path="/data/letsencrypt" state=directory
 
 - name: "letsencrypt | Start container"
@@ -17,4 +20,5 @@
     env:
       SEPAL_HOST_SEPAL_ENV: "{{ sepal_host }}"
       SEPAL_OPERATOR_EMAIL_SEPAL_ENV: "{{ sepal_operator_email}}"
-
+      AWS_ACCESS_KEY_ID: "{{ letsencrypt_access_key_id }}"
+      AWS_SECRET_ACCESS_KEY: "{{ letsencrypt_secret_access_key }}"