Transition to split containers, remove certbot in favour of externally-supplied certs

ansible/files/bin/cert-monitor.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+CERT_PATH="/snikket/letsencrypt/live/$SNIKKET_DOMAIN/cert.pem"
+
+if test -f "$CERT_PATH"; then
+	prosodyctl --root cert import /snikket/letsencrypt/live
+	exit 0;
+fi
+
+while sleep 10; do
+	if test -f "$CERT_PATH"; then
+		prosodyctl --root cert import /snikket/letsencrypt/live
+		exit 0;
+	fi
+done

ansible/files/certbot.cron

@@ -1,13 +0,0 @@
-#!/bin/sh
-
-su letsencrypt -- -c "certbot certonly -n --webroot --webroot-path /var/www \
-  --cert-path /etc/ssl/certbot \
-  --keep $SNIKKET_CERTBOT_OPTIONS \
-  --agree-tos --email \"$SNIKKET_ADMIN_EMAIL\" --expand \
-  --allow-subset-of-names \
-  --config-dir /snikket/letsencrypt \
-  --domain \"$SNIKKET_DOMAIN\" --domain \"share.$SNIKKET_DOMAIN\" \
-  --domain \"groups.$SNIKKET_DOMAIN\"
-  "
-
-prosodyctl --root cert import /snikket/letsencrypt/live

ansible/files/prosody.cfg.lua

@@ -1,5 +1,23 @@
 local DOMAIN = assert(ENV_SNIKKET_DOMAIN, "Please set the SNIKKET_DOMAIN environment variable")
 
+if prosody.process_type == "prosody" and not prosody.config_loaded then
+	-- Wait at startup for certificates
+	local lfs, socket = require "lfs", require "socket";
+	local cert_path = "/etc/prosody/certs/"..DOMAIN..".crt";
+	local counter = 0;
+	while not lfs.attributes(cert_path, "mode") do
+		counter = counter + 1;
+		if counter == 1 or counter%6 == 0 then
+			print("Waiting for certificates...");
+		elseif counter > 60 then
+			print("No certificates found... exiting");
+			os.exit(1);
+		end
+		socket.sleep(5);
+	end
+	_G.ltn12 = require "ltn12";
+end
+
 daemonize = false
 network_backend = "epoll"
 

ansible/files/refresh-certs.cron

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+prosodyctl --root cert import /snikket/letsencrypt/live

ansible/files/supervisord.conf

@@ -33,3 +33,11 @@ stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0
 redirect_stderr=true
 umask=002
+
+[program:cert-monitor]
+command=cert-monitor.sh
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+redirect_stderr=true
+umask=002
+

ansible/tasks/certs.yml

@@ -1,33 +1,7 @@
 ---
 
-- name: Install certbot
-  apt:
-    name: certbot
-    state: present
-    install_recommends: no
-- name: Create directory for certs
-  file:
-    state: directory
-    path: /etc/ssl/certbot
 - name: Install certbot cron script
   copy:
-    src: ../files/certbot.cron
-    dest: /etc/cron.daily/certbot
+    src: ../files/refresh-certs.cron
+    dest: /etc/cron.daily/refresh-certs
     mode: 0555
-- name: Create letsencrypt group
-  group:
-    name: letsencrypt
-    system: yes
-- name: Create letsencrypt user
-  user:
-    name: letsencrypt
-    group: letsencrypt
-    system: yes
-    home: /snikket/letsencrypt
-- name: Create directory for challenges
-  file:
-    state: directory
-    path: /var/www/.well-known
-    owner: letsencrypt
-    group: letsencrypt
-    mode: 0755