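def ensure_site(config_file, cert=None, csr=None, key=None, letsencrypt=False, domain=None, enabled=True):
    """Place an nginx site config on the host and, optionally, its TLS material.

    Args:
        config_file: local path of the nginx server block; it is copied to
            ``/etc/nginx/sites-available/<basename>``.
        cert: local certificate handed to ``crypto.put_cert`` (optional).
        csr: local CSR handed to ``crypto.put_csr`` (optional); the
            letsencrypt flow uses it as the acme.sh input.
        key: local private key handed to ``crypto.put_key`` (optional).
        letsencrypt: after the site is enabled, request a certificate for
            ``domain`` from the uploaded CSR.
        domain: hostname whose well-known path on disk serves the challenge;
            required by the letsencrypt flow.
        enabled: symlink the config into ``/etc/nginx/sites-enabled``.

    Raises:
        ValueError: ``letsencrypt`` is set but ``enabled``, ``cert``, ``csr``
            or ``domain`` is missing.  These preconditions used to be
            ``assert`` statements, which ``python -O`` strips, so they are
            now explicit checks.
    """
    try:
        from shlex import quote as _shell_quote
    except ImportError:  # Python 2
        from pipes import quote as _shell_quote

    if letsencrypt:
        if not enabled:
            raise ValueError("letsencrypt requires enabled=True: online verification won't work on a disabled site")
        if not cert:
            raise ValueError("letsencrypt requires cert: an (expired) cert is used to bootstrap nginx")
        if not csr:
            raise ValueError("letsencrypt requires csr: the CSR is the input to acme.sh")
        if not domain:
            raise ValueError("letsencrypt requires domain: the well-known path on disk can't be inferred without it")

    ensure_sites_available()
    placed_config = '/etc/nginx/sites-available/' + config_file.rsplit("/", 1)[-1]
    # NOTE(review): the user value is reproduced exactly as it appears in the source listing.
    util.put_file(config_file, placed_config, user='******', mode='0644')

    remote_csr = None
    if key is not None:
        crypto.put_key(key)
    if csr is not None:
        remote_csr = crypto.put_csr(csr)
    if cert is not None:
        crypto.put_cert(cert)

    if enabled:
        # The path is interpolated into a shell command; quote it so an unusual
        # filename cannot break the command apart.
        sudo("ln -s -f {config} /etc/nginx/sites-enabled".format(config=_shell_quote(placed_config)))

    if letsencrypt:
        # Aliased so the module import does not rebind the ``letsencrypt`` parameter.
        import letsencrypt as letsencrypt_client
        # Awkward... we need this to enable a site enough for the well-known path to work
        reload()
        letsencrypt_client.add_csr(remote_csr, domain)
        reload()  # And allow the key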
def _dovecot(database_password):
    """Install and configure Dovecot (IMAP/LMTP/Sieve) with a PostgreSQL backend.

    Args:
        database_password: substituted for the ``DOVECOT_DATABASE_PASSWORD``
            placeholder in the uploaded ``dovecot-sql.conf``.
    """
    select_package("apt")
    # On debian will automatically be enabled
    package_ensure([
        "dovecot-imapd",
        "dovecot-lmtpd",
        "dovecot-pgsql",
        "dovecot-sieve",
        "dovecot-managesieved",
    ])
    crypto.put_cert('config/certs/imap.za3k.com.pem')
    crypto.put_key('config/keys/imap.za3k.com.key')
    # (local source, remote destination, mode).  The SQL config carries the
    # database password, so it is kept owner-readable only.
    config_files = (
        ('config/dovecot/dovecot.conf', '/etc/dovecot/dovecot.conf', '644'),
        ('config/dovecot/dovecot-sql.conf', '/etc/dovecot/dovecot-sql.conf', '600'),
    )
    for source, destination, mode in config_files:
        put(source, destination, mode=mode)
    _replace('/etc/dovecot/dovecot-sql.conf', 'DOVECOT_DATABASE_PASSWORD', database_password)
    sieve_dir = "/etc/dovecot/sieve.d"
    dir_ensure(sieve_dir)
    run("chown vmail:vmail " + sieve_dir)
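def _postfix(database_password, dhparam_bits=2048):
    """Install Postfix with PostgreSQL-backed virtual aliases and mailboxes.

    Args:
        database_password: substituted for the ``POSTFIX_DATABASE_PASSWORD``
            placeholder in both ``pgsql-*.cf`` lookup tables.
        dhparam_bits: size of the DH parameters passed to
            ``crypto.ensure_dhparams``.  The previous fixed value of 1024 is
            below current guidance (2048 or larger); pass 1024 explicitly to
            keep the old behaviour.
    """
    select_package("apt")
    # On debian will automatically be enabled.  The return value (previously
    # bound to an unused local) is not needed.
    package_ensure(["postfix", "postfix-pgsql"])
    crypto.put_cert('config/certs/smtp.za3k.com.pem')
    crypto.put_key('config/keys/smtp.za3k.com.key')
    # NOTE(review): whether ensure_dhparams regenerates an existing file of a
    # different size is not visible here -- confirm before relying on the bump.
    crypto.ensure_dhparams('/etc/ssl/dhparams-postfix.pem', size=dhparam_bits)
    # (local source, remote directory, mode).  The pgsql lookup tables carry
    # the database password, so they are owner-readable only.
    config_files = (
        ('config/postfix/main.cf', '/etc/postfix', '644'),
        ('config/postfix/master.cf', '/etc/postfix', '644'),
        ('config/postfix/mailname', '/etc', '644'),
        ('config/postfix/pgsql-virtual-aliases.cf', '/etc/postfix', '600'),
        ('config/postfix/pgsql-virtual-mailbox.cf', '/etc/postfix', '600'),
    )
    for source, destination, mode in config_files:
        put(source, destination, mode=mode)
    lookup_tables = (
        '/etc/postfix/pgsql-virtual-aliases.cf',
        '/etc/postfix/pgsql-virtual-mailbox.cf',
    )
    for table in lookup_tables:
        _replace(table, 'POSTFIX_DATABASE_PASSWORD', database_password)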
def _dovecot(database_password):
    """Install and configure Dovecot (IMAP/LMTP/Sieve) with a PostgreSQL backend.

    Args:
        database_password: substituted for the ``DOVECOT_DATABASE_PASSWORD``
            placeholder in the uploaded ``dovecot-sql.conf``.
    """
    select_package("apt")
    # On debian will automatically be enabled
    packages = [
        "dovecot-imapd",
        "dovecot-lmtpd",
        "dovecot-pgsql",
        "dovecot-sieve",
        "dovecot-managesieved",
    ]
    package_ensure(packages)
    crypto.put_cert('config/certs/imap.za3k.com.pem')
    crypto.put_key('config/keys/imap.za3k.com.key')
    main_conf = '/etc/dovecot/dovecot.conf'
    sql_conf = '/etc/dovecot/dovecot-sql.conf'
    put('config/dovecot/dovecot.conf', main_conf, mode='644')
    # The SQL config carries the database password: owner-readable only.
    put('config/dovecot/dovecot-sql.conf', sql_conf, mode='600')
    _replace(sql_conf, 'DOVECOT_DATABASE_PASSWORD', database_password)
    dir_ensure("/etc/dovecot/sieve.d")
    run("chown vmail:vmail /etc/dovecot/sieve.d")
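def _postfix(database_password, dhparam_bits=2048):
    """Install Postfix with PostgreSQL-backed virtual aliases and mailboxes.

    Args:
        database_password: substituted for the ``POSTFIX_DATABASE_PASSWORD``
            placeholder in both ``pgsql-*.cf`` lookup tables.
        dhparam_bits: size of the DH parameters passed to
            ``crypto.ensure_dhparams``.  The previous fixed value of 1024 is
            below current guidance (2048 or larger); pass 1024 explicitly to
            keep the old behaviour.
    """
    select_package("apt")
    # On debian will automatically be enabled.  The return value (previously
    # bound to an unused local) is not needed.
    package_ensure(["postfix", "postfix-pgsql"])
    crypto.put_cert('config/certs/smtp.za3k.com.pem')
    crypto.put_key('config/keys/smtp.za3k.com.key')
    # NOTE(review): whether ensure_dhparams regenerates an existing file of a
    # different size is not visible here -- confirm before relying on the bump.
    crypto.ensure_dhparams('/etc/ssl/dhparams-postfix.pem', size=dhparam_bits)
    # (local source, remote directory, mode).  The pgsql lookup tables carry
    # the database password, so they are owner-readable only.
    config_files = (
        ('config/postfix/main.cf', '/etc/postfix', '644'),
        ('config/postfix/master.cf', '/etc/postfix', '644'),
        ('config/postfix/mailname', '/etc', '644'),
        ('config/postfix/pgsql-virtual-aliases.cf', '/etc/postfix', '600'),
        ('config/postfix/pgsql-virtual-mailbox.cf', '/etc/postfix', '600'),
    )
    for source, destination, mode in config_files:
        put(source, destination, mode=mode)
    lookup_tables = (
        '/etc/postfix/pgsql-virtual-aliases.cf',
        '/etc/postfix/pgsql-virtual-mailbox.cf',
    )
    for table in lookup_tables:
        _replace(table, 'POSTFIX_DATABASE_PASSWORD', database_password)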
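def ensure_site(config_file, cert=None, csr=None, key=None, letsencrypt=False, domain=None, enabled=True):
    """Upload an nginx site config to the host and, optionally, its TLS material.

    Args:
        config_file: local path of the nginx server block; ``put`` copies it
            into ``/etc/nginx/sites-available`` and reports the remote path.
        cert: local certificate handed to ``crypto.put_cert`` (optional).
        csr: local CSR handed to ``crypto.put_csr`` (optional); the
            letsencrypt flow uses it as the acme.sh input.
        key: local private key handed to ``crypto.put_key`` (optional).
        letsencrypt: after the site is enabled, request a certificate for
            ``domain`` from the uploaded CSR.
        domain: hostname whose well-known path on disk serves the challenge;
            required by the letsencrypt flow.
        enabled: symlink the config into ``/etc/nginx/sites-enabled``.

    Raises:
        ValueError: ``letsencrypt`` is set but ``enabled``, ``cert``, ``csr``
            or ``domain`` is missing.  These preconditions used to be
            ``assert`` statements, which ``python -O`` strips, so they are
            now explicit checks.
    """
    try:
        from shlex import quote as _shell_quote
    except ImportError:  # Python 2
        from pipes import quote as _shell_quote

    if letsencrypt:
        if not enabled:
            raise ValueError("letsencrypt requires enabled=True: online verification won't work on a disabled site")
        if not cert:
            raise ValueError("letsencrypt requires cert: an (expired) cert is used to bootstrap nginx")
        if not csr:
            raise ValueError("letsencrypt requires csr: the CSR is the input to acme.sh")
        if not domain:
            raise ValueError("letsencrypt requires domain: the well-known path on disk can't be inferred without it")

    ensure_sites_available()
    # ``put`` returns a sequence of remote paths; only one file is uploaded here.
    placed_config = put(config_file, '/etc/nginx/sites-available')[0]

    remote_csr = None
    if key is not None:
        crypto.put_key(key)
    if csr is not None:
        remote_csr = crypto.put_csr(csr)
    if cert is not None:
        crypto.put_cert(cert)

    if enabled:
        # The path is interpolated into a shell command; quote it so an unusual
        # filename cannot break the command apart.
        sudo("ln -s -f {config} /etc/nginx/sites-enabled".format(config=_shell_quote(placed_config)))

    if letsencrypt:
        # Aliased so the module import does not rebind the ``letsencrypt`` parameter.
        import letsencrypt as letsencrypt_client
        # Awkward... we need this to enable a site enough for the well-known path to work
        reload()
        letsencrypt_client.add_csr(remote_csr, domain)
        reload()  # And allow the key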