From f811e72e6400d4fff55b3d5efd5d1bbf33f910fd Mon Sep 17 00:00:00 2001
From: samuel
Date: Sun, 18 Jan 2026 12:42:37 +0100
Subject: [PATCH] Add certbot renew service

---
 Makefile | 8 ++--
 conf/{ => certbot}/ovh.ini | 0
 .../{_security.conf => nginx/0_security.conf} | 0
 conf/nginx/default.conf | 13 ++++++
 conf/systemd/certbot-renew.service | 5 +++
 conf/systemd/certbot-renew.timer | 8 ++++
 netoik-rp.spec | 40 ++++++++++---------
 7 files changed, 51 insertions(+), 23 deletions(-)
 rename conf/{ => certbot}/ovh.ini (100%)
 rename conf/{_security.conf => nginx/0_security.conf} (100%)
 create mode 100644 conf/nginx/default.conf
 create mode 100644 conf/systemd/certbot-renew.service
 create mode 100644 conf/systemd/certbot-renew.timer

diff --git a/Makefile b/Makefile
index b50eb99..378cb41 100644
--- a/Makefile
+++ b/Makefile
@@ -28,7 +28,7 @@ tarball: $(RPM_TARBALL_PATH)
 
 .PHONY: install
 install:
- install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d
- install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d conf/_security.conf
- install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/certbot
- install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot/ conf/ovh.ini
+ install --directory $(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d $(DESTDIR)$(RPM_SYSCONFDIR)/certbot $(DESTDIR)$(RPM_UNITDIR)
+ install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/nginx/conf.d conf/nginx/0_security.conf conf/nginx/default.conf
+ install --target-directory=$(DESTDIR)$(RPM_SYSCONFDIR)/certbot conf/certbot/ovh.ini
+ install --target-directory=$(DESTDIR)$(RPM_UNITDIR) conf/systemd/certbot-renew.service conf/systemd/certbot-renew.timer
diff --git a/conf/ovh.ini b/conf/certbot/ovh.ini
similarity index 100%
rename from conf/ovh.ini
rename to conf/certbot/ovh.ini
diff --git a/conf/_security.conf b/conf/nginx/0_security.conf
similarity index 100%
rename from conf/_security.conf
rename to conf/nginx/0_security.conf
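Review bot: The three `install --target-directory=…` lines copy configuration and systemd unit files with install's default file mode 0755, so every conf and unit lands executable in the staging tree; the spec's `%attr(644, …)` repairs the nginx files at packaging time, but the two unit files get no such correction, so `--mode=644` belongs on these lines, e.g. `install --mode=644 --target-directory=$(DESTDIR)$(RPM_UNITDIR) conf/systemd/certbot-renew.service conf/systemd/certbot-renew.timer`. `$(RPM_UNITDIR)` is new in this recipe and its definition is not in the hunk; if it is unset anywhere the units are installed into `$(DESTDIR)` itself without an error, so a parse-time guard such as `$(if $(strip $(RPM_UNITDIR)),,$(error RPM_UNITDIR is not set))` near the other RPM_* variables would make that failure loud. The `install:` rule is phony and is declared as such, which is fine.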
diff --git a/conf/nginx/default.conf b/conf/nginx/default.conf
new file mode 100644
index 0000000..2b2ed0a
--- /dev/null
+++ b/conf/nginx/default.conf
@@ -0,0 +1,13 @@
+server {
+ listen 443 default_server;
+ server_name _;
+
+ return 404;
+}
+
+server {
+ listen 80 default_server;
+ server_name _;
+
+ return 301 https://$host$request_uri;
+}
diff --git a/conf/systemd/certbot-renew.service b/conf/systemd/certbot-renew.service
new file mode 100644
index 0000000..17663e1
--- /dev/null
+++ b/conf/systemd/certbot-renew.service
@@ -0,0 +1,5 @@
+[Unit]
+Description=Renew certbot certificates
+
+[Service]
+ExecStart=sleep $RANDOM && /opt/certbot/bin/pip install --upgrade certbot certbot-nginx certbot-dns-ovh && certbot renew
diff --git a/conf/systemd/certbot-renew.timer b/conf/systemd/certbot-renew.timer
new file mode 100644
index 0000000..95a0a9a
--- /dev/null
+++ b/conf/systemd/certbot-renew.timer
@@ -0,0 +1,8 @@
+[Unit]
+Description=Daily renew certbot certificates
+
+[Timer]
+OnCalendar=Daily
+
+[Install]
+WantedBy=multi-user.target
diff --git a/netoik-rp.spec b/netoik-rp.spec
index fa49388..cea0afd 100644
--- a/netoik-rp.spec
+++ b/netoik-rp.spec
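Review bot: The `listen 443 default_server;` catch-all has no `ssl` parameter and no certificate, so it never speaks TLS: a client that reaches this port with an unknown or missing SNI name gets a plain-text HTTP response rather than a clean rejection, and depending on the other `listen 443 ssl` blocks in conf.d nginx may refuse the configuration altogether. The intent of refusing unknown names is expressed directly, without any certificate, by `listen 443 ssl default_server;` followed by `ssl_reject_handshake on;` (nginx 1.19.4+); the `return 404;` can then go. In the port-80 block, `return 301 https://$host$request_uri;` echoes the client-supplied Host header into the redirect target, which for a default server amounts to a small open redirect; use `$server_name` or a fixed hostname if the proxy only serves known names.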
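Review bot: `ExecStart=` is not run through a shell, so `$RANDOM` expands to nothing (systemd only substitutes variables from the unit's environment) and `&&`, the pip path and the rest are passed to `sleep` as literal arguments; the unit fails on every run and no renewal ever happens. Running `pip install --upgrade` of three unpinned packages from PyPI as root on every scheduled renewal also puts an unreviewed supply-chain fetch in the path of a routine maintenance job; keep upgrades a separate, deliberate action and let the service do only the renewal. Because the certificate is obtained with the DNS plugin (no installer), `certbot renew` does not reload nginx by itself, so a deploy hook is needed for the new certificate to be served; the random spread belongs in the timer (`RandomizedDelaySec=`) rather than a `sleep`.
```ini
[Unit]
Description=Renew certbot certificates
After=network-online.target
Wants=network-online.target

[Service]
Type=oneshot
# No shell here: one executable, absolute path. Random spread is the timer's job.
ExecStart=/opt/certbot/bin/certbot renew -q --deploy-hook "/usr/bin/systemctl reload nginx"
```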
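Review bot: The timer provides no randomisation and no catch-up, so every host fires at exactly 00:00 and a host that is off at that moment skips the day entirely; add `RandomizedDelaySec=3600` and `Persistent=true` under `[Timer]` (the former replaces the `sleep` the removed crontab entry used to provide). `WantedBy=multi-user.target` works, but `WantedBy=timers.target` is the conventional install target for timers and keeps `systemctl list-timers` expectations intact. Note that this timer, not the service, is the unit that must be enabled for renewals to be scheduled.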
@@ -24,30 +24,29 @@ Install the reverse proxy called nginx with a predefined configuration and with
 %post
 # After install
 if [ $1 == 1 ]; then
- # Replace secrets in ovh.ini
- %{_bindir}/env envsubst < %{_sysconfdir}/certbot/ovh.ini > %{_sysconfdir}/certbot/.ovh.ini.swp
- %{_bindir}/env mv %{_sysconfdir}/certbot/.ovh.ini.swp %{_sysconfdir}/certbot/ovh.ini
- %{_bindir}/env chmod 600 %{_sysconfdir}/certbot/ovh.ini
+ # Replace secrets in ovh.ini
+ %{_bindir}/env envsubst < %{_sysconfdir}/certbot/ovh.ini > %{_sysconfdir}/certbot/.ovh.ini.swp
+ %{_bindir}/env mv %{_sysconfdir}/certbot/.ovh.ini.swp %{_sysconfdir}/certbot/ovh.ini
+ %{_bindir}/env chmod 600 %{_sysconfdir}/certbot/ovh.ini
 
- # Create virutal env with certbot
- %{_bindir}/env python3 -m venv /opt/certbot
- /opt/certbot/bin/pip install --upgrade pip certbot certbot-nginx certbot-dns-ovh
- %{_bindir}/env ln --symbolic --force --target-directory %{_sbindir} /opt/certbot/bin/certbot
+ # Create virutal env with certbot
+ %{_bindir}/env python3 -m venv /opt/certbot
+ /opt/certbot/bin/pip install --upgrade pip certbot certbot-nginx certbot-dns-ovh
+ %{_bindir}/env ln --symbolic --force --target-directory %{_sbindir} /opt/certbot/bin/certbot
 
- # Create certificate with certbot
- %{_bindir}/env certbot certonly --non-interactive --agree-tos --email "samuel.campos@netoik.io" --dns-ovh --dns-ovh-credentials "%{_sysconfdir}/certbot/ovh.ini" -d "*.netoik.io" -d "*.samuel-campos.fr"
-
- # Add crontab rule for automatic renew
- %{_bindir}/env printf "\nAutomatic certbot renew\n0 12 * * * root sleep $((RANDOM % 3600)) && certbot renew -q\n" >> %{_sysconfdir}/crontab
+ # Create certificate with certbot
+ %{_bindir}/env certbot certonly --non-interactive --agree-tos --email "samuel.campos@netoik.io" --dns-ovh --dns-ovh-credentials "%{_sysconfdir}/certbot/ovh.ini" -d "*.netoik.io" -d "*.samuel-campos.fr"
 
  # Create ssl dh params
  %{_bindir}/env openssl dhparam -out %{_sysconfdir}/letsencrypt/ssl-dhparams.pem 2048
 
- # Stop nginx to be sure changes are taken in account
- %{_bindir}/env systemctl stop nginx
+ # Stop services to be sure changes are taken in account
+ %{_bindir}/env systemctl stop nginx certbot-renew
 fi
-%{_bindir}/env systemctl enable nginx
-%{_bindir}/env systemctl start nginx
+
+# Start services
+%{_bindir}/env systemctl daemon-reload
+%{_bindir}/env systemctl enable --now nginx certbot-renew
 
 %postun
 # After uninstall
@@ -58,13 +57,16 @@ if [ $1 == 0 ]; then
 fi
 
 %files
-%attr(644, root, root) %{_sysconfdir}/nginx/conf.d/_security.conf
+%attr(644, root, root) %{_sysconfdir}/nginx/conf.d/0_security.conf
+%attr(644, root, root) %{_sysconfdir}/nginx/conf.d/default.conf
+
 %attr(755, root, root) %dir %{_sysconfdir}/certbot
 %attr(600, root, root) %config %{_sysconfdir}/certbot/ovh.ini
+
 %ghost %attr(755, root, root) %dir /opt/certbot
 %ghost %attr(755, root, root) %{_sbindir}/certbot
 %ghost %attr(755, root, root) %dir %{_sysconfdir}/letsencrypt
-%ghost %attr(755, root, root) %{_sysconfdir}/letsencrypt/ssl-dhparams.pem
+%ghost %attr(644, root, root) %{_sysconfdir}/letsencrypt/ssl-dhparams.pem
 
 %changelog
 %autochangelog
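Review bot: `%{_bindir}/env systemctl enable --now nginx certbot-renew` resolves `certbot-renew` to the `.service`, which has no `[Install]` section, so nothing is enabled for it and the `.timer` that actually schedules renewals is never enabled; `--now` additionally runs a renewal synchronously inside the package transaction. Change it to `%{_bindir}/env systemctl enable --now nginx certbot-renew.timer`, and likewise `%{_bindir}/env systemctl stop nginx certbot-renew.timer` in the install branch. The `daemon-reload` is issued only after that stop, at which point the freshly installed unit may not be known to systemd yet; moving `daemon-reload` ahead of the `if` avoids a spurious "unit not loaded" failure in `%post`. The `if [ $1 == 1 ]` block continues the pre-existing shape and starts before the hunk's first changed line.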
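Review bot: `%files` now lists the two nginx configs but neither `certbot-renew.service` nor `certbot-renew.timer`, which the Makefile installs into `$(RPM_UNITDIR)`; unless the unpackaged-files check is disabled, rpmbuild stops with "Installed (but unpackaged) file(s) found". Add `%attr(644, root, root) %{_unitdir}/certbot-renew.service` and `%attr(644, root, root) %{_unitdir}/certbot-renew.timer` (or whichever macro `RPM_UNITDIR` is derived from). `default.conf` is a file administrators routinely edit, so `%config(noreplace)` on it, as `ovh.ini` already has `%config`, keeps local changes across upgrades; some nginx packages also ship their own `conf.d/default.conf`, which would be a file conflict at install time and is worth checking against the nginx package this spec targets.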