From efbb3d0e126721e0f9487f194379806c37f1988e Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Sun, 7 Feb 2016 21:57:35 -0400 Subject: rethought how letsencrypt cert change is handled Simply use onChange to let any other property by run after letsencrypt gets/renews the cert. Much simpler and allows for revertable properties too! --- src/Propellor/Property/Apache.hs | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) (limited to 'src/Propellor/Property/Apache.hs') diff --git a/src/Propellor/Property/Apache.hs b/src/Propellor/Property/Apache.hs index c2c32a3b..d0bcadfa 100644 --- a/src/Propellor/Property/Apache.hs +++ b/src/Propellor/Property/Apache.hs @@ -161,12 +161,12 @@ httpsVirtualHost domain docroot letos = httpsVirtualHost' domain docroot letos [ -- | Like `httpsVirtualHost` but with additional config lines added. httpsVirtualHost' :: Domain -> WebRoot -> LetsEncrypt.AgreeTOS -> [ConfigLine] -> Property NoInfo -httpsVirtualHost' domain docroot letos addedcfg = setup +httpsVirtualHost' domain docroot letos addedcfg = setuphttp `requires` modEnabled "rewrite" `requires` modEnabled "ssl" - `before` LetsEncrypt.letsEncrypt letos domain docroot certinstaller + `before` setuphttps where - setup = siteEnabled' domain $ + setuphttp = siteEnabled' domain $ -- The sslconffile is only created after letsencrypt gets -- the cert. The "*" is needed to make apache not error -- when the file doesn't exist. @@ -179,22 +179,21 @@ httpsVirtualHost' domain docroot letos addedcfg = setup -- Everything else redirects to https , "RewriteRule ^/(.*) https://" ++ domain ++ "/$1 [L,R,NE]" ] - certinstaller :: LetsEncrypt.CertInstaller - certinstaller newcert _domain certfile privkeyfile chainfile _fullchainfile = - combineProperties (domain ++ " ssl cert installed") + setuphttps = LetsEncrypt.letsEncrypt letos domain docroot + `onChange` combineProperties (domain ++ " ssl cert installed") [ File.dirExists (takeDirectory cf) , File.hasContent cf sslvhost `onChange` reloaded - -- always reload when the cert has changed - , check (return newcert :: IO Bool) reloaded + -- always reload since the cert has changed + , reloaded ] where cf = sslconffile "letsencrypt" sslvhost = vhost (Port 443) [ "SSLEngine on" - , "SSLCertificateFile " ++ certfile - , "SSLCertificateKeyFile " ++ privkeyfile - , "SSLCertificateChainFile " ++ chainfile + , "SSLCertificateFile " ++ LetsEncrypt.certFile domain + , "SSLCertificateKeyFile " ++ LetsEncrypt.privKeyFile domain + , "SSLCertificateChainFile " ++ LetsEncrypt.chainFile domain ] sslconffile s = "/etc/apache2/sites-available/ssl/" ++ domain ++ "/" ++ s ++ ".conf" vhost (Port p) ls = -- cgit v1.2.3