feat: starttls

pillar/dev/top.sls

@@ -8,6 +8,7 @@ base:
     - tls
     - users.*
     - postgres.clusters
+    - pebble # needing to do this to have pebble rum in dev
 
   'backup-server':
     - match: nodegroup

salt/bugs/config/postfix/main.cf

@@ -24,8 +24,8 @@ compatibility_level = 3.6
 
 
 # TLS parameters
-smtpd_tls_cert_file=ssl_certificate /etc/ssl/private/bugs.psf.io.pem;
-smtpd_tls_key_file=etc/ssl/private/bugs.psf.io.pem;
+smtpd_tls_cert_file=/etc/ssl/private/bugs.psf.io.pem
+smtpd_tls_key_file=/etc/ssl/private/bugs.psf.io.pem
 smtpd_tls_security_level=may
 
 smtp_tls_CApath=/etc/ssl/certs

salt/tls/init.sls

@@ -1,6 +1,12 @@
+include:
+  - .pebble
+  - .lego
+
 ssl-cert:
   pkg.installed
 
+certbot:
+  pkg.installed
 
 {% for name in salt["pillar.get"]("tls:ca", {}) %}  # " Syntax Hack
 /etc/ssl/certs/{{ name }}.pem:
@@ -25,3 +31,101 @@ ssl-cert:
     - require:
       - pkg: ssl-cert
 {% endfor %}
+
+# initial test
+{% if grains['id'] == 'salt.nyc1.psf.io' or grains['id'] == 'salt-master.vagrant.psf.io' %}
+pypa.io:
+  acme.cert:
+    - email: [email protected]
+    - webroot: /etc/lego
+    - renew: 14
+    {% if pillar["dc"] == "vagrant" %}
+    - server: https://salt-master.vagrant.psf.io:14000/dir
+    {% endif %}
+    - require:
+      - sls: tls.lego
+      - file: /etc/lego/.well-known/acme-challenge
+
+# DNS-validated domains
+# dns plugins do not exist yet for route53 & gandi
+{#star.python.org:#}
+{#  acme.cert:#}
+{#    - aliases:#}
+{#      - python.org#}
+{#    - email: [email protected]#}
+{##    - dns_plugin: route53#}
+{##    - dns_plugin_credentials: route53.python#}
+{#    - renew: 14#}
+{#    - server: https://localhost:14000/dir#}
+{#    - require:#}
+{#      - pkg: certbot#}
+{#
+- sls: tls.lego#}
+{#star.pycon.org:#}
+{#  acme.cert:#}
+{#    - aliases:#}
+{#      - pycon.org#}
+{#    - email: [email protected]#}
+{##    - dns_plugin: route53#}
+{##    - dns_plugin_credentials: route53.pycon#}
+{#    - renew: 14#}
+{#    - server: https://localhost:14000/dir#}
+{#    - require:#}
+{#      - sls: tls.lego#}
+
+{#star.pyfound.org:#}
+{#  acme.cert:#}
+{#    - aliases:#}
+{#      - pyfound.org#}
+{#    - email: [email protected]#}
+{##    - dns_plugin: gandiv5#}
+{##    - dns_plugin_credentials: gandi#}
+{#    - renew: 14#}
+{#    - require:#}
+{#      - sls: tls.lego#}
+
+# HTTP-validated domains
+{#{% for domain in [#}
+{#    'pypa.io',#}
+{#    'www.pycon.org',#}
+{#    'speed.pypy.org',#}
+{#    'salt-public.psf.io',#}
+{#    'planetpython.org',#}
+{#    'bugs.python.org'#}
+{#] %}#}
+{#{{ domain }}:#}
+{#  acme.cert:#}
+{#    - email: [email protected]#}
+{#    - webroot: /etc/lego#}
+{#    - renew: 14#}
+{#    - require:#}
+{#      - sls: tls.lego#}
+{#{% endfor %}#}
+
+# Multi-domain certificates
+{#jython.org:#}
+{#  acme.cert:#}
+{#    - aliases:#}
+{#      - www.jython.net#}
+{#      - jython.net#}
+{#      - www.jython.com#}
+{#      - jython.com#}
+{#    - email: [email protected]#}
+{#    - webroot: /etc/lego#}
+{#    - renew: 14#}
+{#    - require:#}
+{#      - sls: tls.lego#}
+
+{#bugs.python.org-multi:#}
+{#  acme.cert:#}
+{#    - name: bugs.python.org#}
+{#    - aliases:#}
+{#      - bugs.jython.org#}
+{#      - issues.roundup-tracker.org#}
+{#      - mail.roundup-tracker.org#}
+{#    - email: [email protected]#}
+{#    - webroot: /etc/lego#}
+{#    - renew: 14#}
+{#    - require:#}
+{#      - sls: tls.lego#}
+{% endif %}