feat(config): add sane defaults

Also specify `config` as a hash to make it easier to provide the config from multiple pillar values. Maintain backward compatibility (supplying `config` as a string) so that the formula continues to work as expected if a `config` string is already available. BREAKING CHANGE: `config` can now be provided as a hash or a string; defaults are modified and, while sane and desirable, do change the behavior of the formula.
saltstack-formulas · Jul 23, 2020 · d9afac9 · d9afac9
1 parent b889678
commit d9afac9
Show file tree

Hide file tree

Showing 8 changed files with 51 additions and 16 deletions.
diff --git a/letsencrypt/config.sls b/letsencrypt/config.sls
@@ -13,7 +13,10 @@ letsencrypt-config-directory:
 letsencrypt-config:
   file.managed:
     - name: {{ letsencrypt.config_dir.path }}/cli.ini
+    - template: jinja
+    - source: salt://letsencrypt/files/cli.ini.jinja
     - user: {{ letsencrypt.config_dir.user }}
     - group: {{ letsencrypt.config_dir.group }}
     - makedirs: true
-    - contents_pillar: letsencrypt:config
+    - context:
+        config: {{ letsencrypt.config | json }}
diff --git a/letsencrypt/defaults.yaml b/letsencrypt/defaults.yaml
@@ -17,6 +17,11 @@ letsencrypt:
     user: root
     group: root
     mode: 755
+  config:
+    agree-tos: true
+    keep-until-expiring: true
+    expand: true
+    max-log-backups: 0
   # The post_renew cmds are executed via renew_letsencrypt_cert.sh after every
   # run. For more fine grain control, consider placing scripts in the pre,
   # post, and/or deploy directories within /etc/letsencrypt/renewal-hooks/. For

diff --git a/letsencrypt/files/cli.ini.jinja b/letsencrypt/files/cli.ini.jinja
@@ -0,0 +1,11 @@
+########################################################################
+# File managed by Salt at <{{ source }}>.
+# Your changes will be overwritten.
+########################################################################
+{%- if config is string %}
+{{ config }}
+{%- else %}
+  {%- for k, v in config.items() %}
+{{ k }} = {{ v }}
+  {%- endfor %}
+{%- endif %}
diff --git a/pillar.example b/pillar.example
@@ -15,14 +15,27 @@ letsencrypt:
   # have specific version of certbot you can enable it. The version value
   # should match a certbot/certbot branch.
   version: 0.30.x
-  config: |
-    server = https://acme-v01.api.letsencrypt.org/directory
-    email = webmaster@example.com
-    authenticator = webroot
-    webroot-path = /var/lib/www
-    agree-tos = True
-    keep-until-expiring = True
-    expand = True
+  # Any parameter from the cli can be specified in the config file
+  # check https://certbot.eff.org/docs/using.html#configuration-file
+  config:
+    server: https://acme-v01.api.letsencrypt.org/directory
+    email: webmaster@example.com
+    authenticator: webroot
+    webroot-path: /var/lib/www
+    agree-tos: True
+    keep-until-expiring: True
+    expand: True
+  # For backward compatibility, config can be passed as a string
+  # (although it's discouraged, as this format might be dropped in a future
+  # release)
+  # config: |
+  #   server = https://acme-v01.api.letsencrypt.org/directory
+  #   email = webmaster@example.com
+  #   authenticator = webroot
+  #   webroot-path = /var/lib/www
+  #   agree-tos = True
+  #   keep-until-expiring = True
+  #   expand = True
   config_dir:
     path: /etc/letsencrypt
     user: root

diff --git a/test/integration/deb/controls/letsencrypt_spec.rb b/test/integration/deb/controls/letsencrypt_spec.rb
@@ -14,6 +14,7 @@
     should match 'server = https://acme-staging.api.letsencrypt.org/directory'
   end
   its('content') { should match 'authenticator = webroot' }
+  its('content') { should match 'File managed by Salt' }
 end
 
 describe file('/usr/bin/letsencrypt') do

diff --git a/test/integration/git/controls/letsencrypt_spec.rb b/test/integration/git/controls/letsencrypt_spec.rb
@@ -18,4 +18,5 @@
     should match 'server = https://acme-staging.api.letsencrypt.org/directory'
   end
   its('content') { should match 'authenticator = standalone' }
+  its('content') { should match 'File managed by Salt' }
 end
diff --git a/test/integration/rpm/controls/letsencrypt_spec.rb b/test/integration/rpm/controls/letsencrypt_spec.rb
@@ -15,6 +15,7 @@
     should match 'server = https://acme-staging.api.letsencrypt.org/directory'
   end
   its('content') { should match 'authenticator = webroot' }
+  its('content') { should match 'File managed by Salt' }
 end
 
 describe file('/usr/bin/letsencrypt') do

diff --git a/test/salt/pillar/rpm.sls b/test/salt/pillar/rpm.sls
@@ -3,13 +3,13 @@
 ---
 letsencrypt:
   use_package: true
-  config: |
-    server = https://acme-staging.api.letsencrypt.org/directory
-    email = saltstack-letsencrypt-formula@example.com
-    authenticator = webroot
-    webroot-path = /var/www/html
-    agree-tos = true
-    renew-by-default = true
+  config:
+    server: https://acme-staging.api.letsencrypt.org/directory
+    email: saltstack-letsencrypt-formula@example.com
+    authenticator: webroot
+    webroot-path: /var/www/html
+    agree-tos: true
+    renew-by-default: true
   domainsets:
     www:
       - letsencrypt-formula.example.com