hax

james-otten · james-otten · commit dbb0a49e34ed · 2025-06-24T02:08:51.000-04:00
diff --git a/dags/nycmesh_generate_omni_cert.py b/dags/nycmesh_generate_omni_cert.py
@@ -3,65 +3,6 @@
 
 from airflow.sdk import dag, task
 
-
-def generate_certbot_tsig_cert(fqdn_string, dns_server, tsig_key_name, tsig_key, full_chain_path, priv_key_path):
-    tsig_ini_file_path = "/tmp/tsig.ini"
-    with open(tsig_ini_file_path, "w") as fd:
-        fd.write(f"""# Target DNS server
-dns_rfc2136_server = {dns_server}
-# Target DNS port
-dns_rfc2136_port = 53
-# TSIG key name
-dns_rfc2136_name = {tsig_key_name}
-# TSIG key secret
-dns_rfc2136_secret = {tsig_key}
-# TSIG key algorithm
-dns_rfc2136_algorithm = HMAC-SHA512
-""")
-    
-    # Get the cert from Let's Encrypt
-    completed = subprocess.run([
-        "certbot",
-        "certonly",
-        "--dns-rfc2136",
-        "--dns-rfc2136-credentials",
-        tsig_ini_file_path,
-        "--non-interactive",
-        "--agree-tos",
-        "-m",
-        "jameso@nycmesh.net",
-        "-d",
-        fqdn_string,
-        "--fullchain-path",
-        full_chain_path,
-        "--key-path",
-        priv_key_path,
-    ], check=True)
-    
-    print(completed.stdout)
-    print(completed.stderr)
-    
-    Path(tsig_ini_file_path).unlink()
-
-    return full_chain_path, priv_key_path
-
-def deploy_to_omni(ip, password, cert_path, priv_key_path):
-    with SSHClient() as ssh:
-        ssh.set_missing_host_key_policy(AutoAddPolicy())
-        ssh.connect(ip, username="admin", password=password, timeout=10)
-
-        with SCPClient(ssh.get_transport()) as scp:
-            scp.put(cert_path, "fullchain.pem")
-            scp.put(priv_key_path, "privkey.pem")
-
-        stdin, stdout, stderr = ssh.exec_command(
-            "/certificate/import file-name=fullchain.pem name=LEfullchain trusted=no;"
-            "/certificate/import file-name=privkey.pem name=LEprivkey trusted=no;"
-            "/ip/service set www-ssl certificate=LEfullchain disabled=no tls-version=only-1.2 address=10.0.0.0/8,199.167.59.0/24,199.170.132.0/24"
-        )
-        print(stdout.read())
-        print(stderr.read())
-
 args = {
     'owner': 'Airflow',
     'start_date': datetime.datetime(2021, 1, 1),
@@ -79,6 +20,65 @@ def omni_cert_dag():
         task_id="certbot_omni_nn_certv1"
     )
     def omni_nn_cert_task():
+
+        def generate_certbot_tsig_cert(fqdn_string, dns_server, tsig_key_name, tsig_key, full_chain_path, priv_key_path):
+            tsig_ini_file_path = "/tmp/tsig.ini"
+            with open(tsig_ini_file_path, "w") as fd:
+                fd.write(f"""# Target DNS server
+dns_rfc2136_server = {dns_server}
+# Target DNS port
+dns_rfc2136_port = 53
+# TSIG key name
+dns_rfc2136_name = {tsig_key_name}
+# TSIG key secret
+dns_rfc2136_secret = {tsig_key}
+# TSIG key algorithm
+dns_rfc2136_algorithm = HMAC-SHA512
+""")
+            
+            # Get the cert from Let's Encrypt
+            completed = subprocess.run([
+                "certbot",
+                "certonly",
+                "--dns-rfc2136",
+                "--dns-rfc2136-credentials",
+                tsig_ini_file_path,
+                "--non-interactive",
+                "--agree-tos",
+                "-m",
+                "jameso@nycmesh.net",
+                "-d",
+                fqdn_string,
+                "--fullchain-path",
+                full_chain_path,
+                "--key-path",
+                priv_key_path,
+            ], check=True)
+            
+            print(completed.stdout)
+            print(completed.stderr)
+            
+            Path(tsig_ini_file_path).unlink()
+
+            return full_chain_path, priv_key_path
+
+        def deploy_to_omni(ip, password, cert_path, priv_key_path):
+            with SSHClient() as ssh:
+                ssh.set_missing_host_key_policy(AutoAddPolicy())
+                ssh.connect(ip, username="admin", password=password, timeout=10)
+
+                with SCPClient(ssh.get_transport()) as scp:
+                    scp.put(cert_path, "fullchain.pem")
+                    scp.put(priv_key_path, "privkey.pem")
+
+                stdin, stdout, stderr = ssh.exec_command(
+                    "/certificate/import file-name=fullchain.pem name=LEfullchain trusted=no;"
+                    "/certificate/import file-name=privkey.pem name=LEprivkey trusted=no;"
+                    "/ip/service set www-ssl certificate=LEfullchain disabled=no tls-version=only-1.2 address=10.0.0.0/8,199.167.59.0/24,199.170.132.0/24"
+                )
+                print(stdout.read())
+                print(stderr.read())
+
         import subprocess
         subprocess.check_call([sys.executable, "-m", "pip", "install", "certbot", "paramiko==3.5.1", "scp==0.15.0", "cryptography==42.0.8"])
         
