Add automation for certbot

Author: taylorific

.gitignore

@@ -16,6 +16,7 @@ kitchen.local.yml
 Berksfile.lock
 .zero-knife.rb
 Policyfile.lock.json
+Policyfile.*.lock.json
 
 .DS_Store
 
@@ -29,4 +30,4 @@ nodes/
 
 *-clear/
 
-bundle-metadata.json
+bundle-metadata.json

cookbooks/boxcutter_acme/kitchen.yml

@@ -48,6 +48,11 @@ platforms:
       image: boxcutter/dokken-ubuntu-22.04
       pid_one_command: /bin/systemd
 
+  - name: ubuntu-24.04
+    driver:
+      image: boxcutter/dokken-ubuntu-24.04
+      pid_one_command: /bin/systemd
+
   - name: centos-stream-9
     driver:
       image: boxcutter/dokken-centos-stream-9
@@ -59,12 +64,17 @@ platforms:
         - RUN rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
 
 suites:
-  - name: default
-    # run_list set in Policyfile.rb, this does nothing
-    # run_list:
-    #   - recipe[boxcutter_ohai]
-    #   - recipe[boxcutter_init]
-    #   - recipe[boxcutter_acme::default]
+  - name: certbot
+    provisioner:
+      policyfile_path: policyfiles/Policyfile.certbot.rb
+    verifier:
+      inspec_tests:
+        - test/integration/default
+    attributes:
+
+  - name: lego
+    provisioner:
+      policyfile_path: policyfiles/Policyfile.lego.rb
     verifier:
       inspec_tests:
         - test/integration/default

cookbooks/boxcutter_acme/policyfiles/Policyfile.certbot.rb

@@ -0,0 +1,18 @@
+# Policyfile.certbot.rb - Describe how you want Chef Infra Client to build your system.
+#
+# For more information on the Policyfile feature, visit
+# https://docs.chef.io/policyfile/
+
+# A name that describes what the system you're building with Chef does.
+name 'boxcutter_acme'
+
+# Where to find external cookbooks:
+default_source :chef_repo, '../../../../chef-cookbooks/cookbooks'
+default_source :chef_repo, '../../'
+
+# run_list: chef-client will run these recipes in the order specified.
+run_list 'boxcutter_ohai', 'boxcutter_init', 'boxcutter_acme_test::certbot'
+
+# Specify a custom source for a single cookbook:
+cookbook 'boxcutter_acme', path: '..'
+cookbook 'boxcutter_acme_test', path: '../test/cookbooks/boxcutter_acme_test'

cookbooks/boxcutter_acme/policyfiles/Policyfile.lego.rb

@@ -0,0 +1,18 @@
+# Policyfile.lego.rb - Describe how you want Chef Infra Client to build your system.
+#
+# For more information on the Policyfile feature, visit
+# https://docs.chef.io/policyfile/
+
+# A name that describes what the system you're building with Chef does.
+name 'boxcutter_acme'
+
+# Where to find external cookbooks:
+default_source :chef_repo, '../../../../chef-cookbooks/cookbooks'
+default_source :chef_repo, '../../'
+
+# run_list: chef-client will run these recipes in the order specified.
+run_list 'boxcutter_ohai', 'boxcutter_init', 'boxcutter_acme_test::lego'
+
+# Specify a custom source for a single cookbook:
+cookbook 'boxcutter_acme', path: '..'
+cookbook 'boxcutter_acme_test', path: '../test/cookbooks/boxcutter_acme_test'

cookbooks/boxcutter_acme/recipes/certbot.rb

@@ -0,0 +1,47 @@
+#
+# Cookbook:: boxcutter_acme
+# Recipe:: certbot
+#
+# Copyright:: 2024, Boxcutter
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+package ['python3', 'python3-venv'] do
+  action :upgrade
+end
+
+directory '/opt/certbot' do
+  owner node.root_user
+  group node.root_group
+  mode '0755'
+end
+
+execute 'create certbot virtualenv' do
+  command 'python3 -m venv /opt/certbot/venv'
+  creates '/opt/certbot/venv/bin/python'
+end
+
+%w{
+  certbot
+  certbot-dns-cloudflare
+}.each do |pkg|
+  execute "install #{pkg} python package" do
+    command "/opt/certbot/venv/bin/python -m pip install #{pkg}"
+    not_if "/opt/certbot/venv/bin/python -m pip list installed | grep ^#{pkg}"
+  end
+
+  execute "update #{pkg} python package" do
+    command "/opt/certbot/venv/bin/python -m pip install --upgrade #{pkg}"
+    only_if "/opt/certbot/venv/bin/python -m pip list --outdated | grep ^#{pkg}"
+  end
+end

cookbooks/boxcutter_acme/spec/unit/recipes/certbot_spec.rb

@@ -0,0 +1,41 @@
+#
+# Cookbook:: boxcutter_acme
+# Spec:: certbot
+#
+# Copyright:: 2024, Boxcutter
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'spec_helper'
+
+describe 'boxcutter_acme::certbot' do
+  context 'When all attributes are default, on Ubuntu 20.04' do
+    # for a complete list of available platforms and versions see:
+    # https://github.com/chefspec/fauxhai/blob/main/PLATFORMS.md
+    platform 'ubuntu', '20.04'
+
+    it 'converges successfully' do
+      expect { chef_run }.to_not raise_error
+    end
+  end
+
+  context 'When all attributes are default, on CentOS 8' do
+    # for a complete list of available platforms and versions see:
+    # https://github.com/chefspec/fauxhai/blob/main/PLATFORMS.md
+    platform 'centos', '8'
+
+    it 'converges successfully' do
+      expect { chef_run }.to_not raise_error
+    end
+  end
+end

cookbooks/boxcutter_acme/test/cookbooks/boxcutter_acme_test/recipes/certbot.rb

@@ -0,0 +1,6 @@
+#
+# Cookbook:: boxcutter_acme_test
+# Recipe:: certbot
+#
+
+include_recipe 'boxcutter_acme::certbot'

cookbooks/boxcutter_acme/test/cookbooks/boxcutter_acme_test/recipes/lego.rb

@@ -0,0 +1,30 @@
+#
+# Cookbook:: boxcutter_acme_test
+# Recipe:: lego
+#
+
+node.default['boxcutter_acme']['lego']['config'] = {
+  'nexus' => {
+    'certificate_name' => 'hq0-nexus01.sandbox.polymathrobotics.dev',
+    'data_path' => '/etc/lego/tmp',
+    'renew_script_path' => '/opt/lego/lego_renew.sh',
+    'renew_days' => '30',
+    'server' => 'https://acme-staging-v02.api.letsencrypt.org/directory',
+    'email' => 'letsencrypt@polymathrobotics.com',
+    'domains' => %w{
+      hq0-nexus01.sandbox.polymathrobotics.dev
+      *.hq0-nexus01.sandbox.polymathrobotics.dev
+    },
+    'extra_parameters' => [
+      '--dns cloudflare',
+      # There's are issues resolving apex domain servers over tailscale, so
+      # override the DNS resolver lego uses, in case we're running tailscale
+      '--dns.resolvers 1.1.1.1',
+    ],
+    'extra_environment' => {
+      'export CF_DNS_API_TOKEN' => '<token>',
+    },
+  },
+}
+
+include_recipe 'boxcutter_acme::lego'

cookbooks/boxcutter_acme/test/integration/default/certbot_test.rb

@@ -0,0 +1,16 @@
+# Chef InSpec test for recipe boxcutter_acme::certbot
+
+# The Chef InSpec reference, with examples and extensive documentation, can be
+# found at https://docs.chef.io/inspec/resources/
+
+unless os.windows?
+  # This is an example test, replace with your own test.
+  describe user('root'), :skip do
+    it { should exist }
+  end
+end
+
+# This is an example test, replace it with your own test.
+describe port(80), :skip do
+  it { should_not be_listening }
+end