New cookbook: fb_letsencrypt (facebook#248)

Summary:
This is a simple cookbook to manage letsencrypt/certbot on systems.

Signed-off-by: Phil Dibowitz <phil@ipom.com>

Pull Request resolved: facebook#248

Differential Revision: D69054634

fbshipit-source-id: 56dba1139faec86840ca14becdec9a5d4051ce79

Author: jaymzh

cookbooks/fb_letsencrypt/.delivery/project.toml

@@ -0,0 +1,32 @@
+# Delivery for Local Phases Execution
+#
+# This file allows you to execute test phases locally on a workstation or
+# in a CI pipeline. The delivery-cli will read this file and execute the
+# command(s) that are configured for each phase. You can customize them
+# by just modifying the phase key on this file.
+#
+# By default these phases are configured for Cookbook Workflow only
+#
+
+[local_phases]
+unit = "echo skipping unit phase."
+lint = "chef exec cookstyle"
+# foodcritic has been deprecated in favor of cookstyle so we skip the syntax
+# phase now.
+syntax = "echo skipping syntax phase. Use lint phase instead."
+provision = "chef exec kitchen create"
+deploy = "chef exec kitchen converge"
+smoke = "chef exec kitchen verify"
+# The functional phase is optional, you can define it by uncommenting
+# the line below and running the command: `delivery local functional`
+# functional = ""
+cleanup = "chef exec kitchen destroy"
+
+# Remote project.toml file
+#
+# Instead of the local phases above, you may specify a remote URI location for
+# the `project.toml` file. This is useful for teams that wish to centrally
+# manage the behavior of the `delivery local` command across many different
+# projects.
+#
+# remote_file = "https://url/project.toml"

cookbooks/fb_letsencrypt/.gitignore

@@ -0,0 +1,25 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+
+# Chef Infra
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json
+
+.idea/
+

cookbooks/fb_letsencrypt/README.md

@@ -0,0 +1,75 @@
+fb_letsencrypt Cookbook
+=======================
+
+Requirements
+------------
+For RHEL or CentOS Stream, EPEL must be already setup.
+
+Attributes
+----------
+* node['fb_letsencrypt']['manage_packages']
+* node['fb_letsencrypt']['certbot_plugins']
+* node['fb_letsencrypt']['enable_package_timer']
+
+Usage
+-----
+### Managing packages
+
+By default, this cookbook will manage certbot-related packages. If you do not
+want this, set `node['fb_letsencrypt']['manage_packages']` to `false`.
+
+This cookbook will install both certbot itself as well as any plugin packages
+specified in `node['fb_letsencrypt']['certbot_plugins']`, which should only
+include the name of the plugin, not the name of the package.  For example:
+
+```ruby
+node.default['fb_letsencrypt']['certbot_plugins'] += [
+  'apache',
+  'dns-cloudflare',
+]
+```
+
+### Renewal Timers
+
+The certbot package includes a system timer to renew certificates, which we
+will keep enabled, by default. If you prefer to manage your own method of
+running reneals, you can set `node['fb_letsencrypt']['enable_package_timer']`
+to `false`, and this cookbook will disable it so that you may do whatever you
+like instead.
+
+### Renewal Configuration
+
+The configuration files for certificate renewals - while human-editable, are
+meant to be generated by initial certificate generation. As such we do not
+generate or manage them.
+
+### Helper functions
+
+This cookbook includes various helper functions to make it easy to reference
+your LetsEncrypt certificates from other cookbooks and to follow best
+practices.
+
+#### FB::LetsEncrypt.cert(node, name)
+
+This method returns the path you should use for the certificate in your
+service. It actually returns the `fullchain.pem` which is what you should pass
+to 'certificate' configuration for your service in nearly all cases.
+
+This method is also aliased as `certificate` and `fullchain`, should you prefer
+those.
+
+#### FB::LetsEncrypt.privkey(node, name)
+
+This method returns the path to the private key. It is aliased as `privatekey`
+if you prefer.
+
+#### FB::LetsEncrypt.minimal_cert(node, name)
+
+In the event you really want just the leaf certificate, you can call
+`minimal_cert` and it will return the path to `cert.pem`. Note that this is
+dangerous and will likely lead to certificate validation errors for your
+service.
+
+#### FB::LetsEncrypt.onlychain(node, name)
+
+This method returns the path to `chain.pem`. This is rarely needed.

cookbooks/fb_letsencrypt/attributes/default.rb

@@ -0,0 +1,5 @@
+default['fb_letsencrypt'] = {
+  'manage_packages' => true,
+  'certbot_plugins' => [],
+  'enable_package_timer' => true,
+}

cookbooks/fb_letsencrypt/libraries/default.rb

@@ -0,0 +1,63 @@
+#
+# Copyright:: 2025-present, Meta Platforms, Inc.
+# Copyright:: 2025-present, Phil Dibowitz
+# All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# rubocop:disable Style/ClassVars
+module FB
+  class LetsEncrypt
+    # Makes all these class methods without the `self.` and allows
+    # `alias` to work.
+    class << self
+      @@base_dir = nil
+
+      def _base_dir(node)
+        @@base_dir ||= node.value_for_platform(
+          :windows => {
+            :default => ::File.join('C:\certbot', 'live'),
+          },
+          :default => ::File.join('/etc', 'letsencrypt', 'live'),
+        )
+      end
+
+      def _pki_path(node, name, filetype)
+        ::File.join(_base_dir(node), name, "#{filetype}.pem")
+      end
+
+      def cert(node, name)
+        _pki_path(node, name, 'fullchain')
+      end
+      alias certificate cert
+      alias fullchain cert
+      alias crt cert
+
+      def privkey(node, name)
+        _pki_path(node, name, 'privkey')
+      end
+      alias privatekey privkey
+      alias key privkey
+
+      def minimal_cert(node, name)
+        _pki_path(node, name, 'cert')
+      end
+
+      def onlychain(node, name)
+        _pki_path(node, name, 'chain')
+      end
+    end
+  end
+end
+# rubocop:enable Style/ClassVars

cookbooks/fb_letsencrypt/metadata.rb

@@ -0,0 +1,6 @@
+name 'fb_letsencrypt'
+maintainer 'Meta Platforms, Inc.'
+maintainer_email 'noreply@facebook.com'
+license 'Apache-2.0'
+description 'Managed letsencrypt'
+version '0.1.0'

cookbooks/fb_letsencrypt/recipes/default.rb

@@ -0,0 +1,44 @@
+#
+# Cookbook:: fb_letsencrypt
+# Recipe:: default
+#
+# Copyright:: 2025-present, Meta Platforms, Inc.
+# Copyright:: 2025-present, Phil Dibowitz
+# All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+package 'certbot packages' do
+  only_if { node['fb_letsencrypt']['manage_packages'] }
+  package_name lazy {
+    (
+      %w{certbot} + node['fb_letsencrypt']['certbot_plugins'].map do |plugin|
+        "python3-certbot-#{plugin}"
+      end
+    ).uniq
+  }
+  action :upgrade
+end
+
+service 'conditionally enable certbot.timer' do
+  only_if { node['fb_letsencrypt']['enable_package_timer'] }
+  service_name 'certbot.timer'
+  action :enable
+end
+
+service 'conditionally disable certbot.timer' do
+  not_if { node['fb_letsencrypt']['enable_package_timer'] }
+  service_name 'certbot.timer'
+  action :disable
+end

cookbooks/fb_smartmon/metadata.rb

@@ -5,7 +5,6 @@
 license 'All Rights Reserved'
 source_url 'https://github.com/facebook/chef-cookbooks/'
 description 'Installs/Configures fb_smartmon'
-long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 # never EVER change this number, ever.
 version '0.1.0'
 depends 'fb_helpers'