salt/base/admin/certbot.sls

{% import 'globals.jinja' as globals %}

include:
  - nginx
  - pip.virtualenvwrapper

{% for subdir in [
  'certbot-auto',
  'letsencrypt',
] %}
/data/admin/{{ subdir }}:
  file.directory:
    - mode: 700
    - require:
      - file: /data/admin
{% endfor %}

/data/virtualenvs/letsencrypt:
  file.directory:
    - require:
      - file: /data/virtualenvs
    
/root/.local/share:
  file.symlink:
    - target: /data/virtualenvs
    - makedirs: True
    - require:
      - file: /data/virtualenvs

/etc/letsencrypt:
  file.symlink:
    - target: /data/admin/letsencrypt
    - require:
      - file: /data/admin/letsencrypt

/data/certbot/.well-known:
  file.directory:
    - mode: 755
    - makedirs: True
    - require:
      - file: /data

/etc/nginx/sites-enabled/certbot:
  file.managed:
    - source: salt://admin/files/certbot.nginx
    - template: jinja
    - watch_in:
      - service: nginx

{% if grains['id'] == globals.primary_admin_host %}

# If the admin servers are replicated, then certbot must only be run on one
# of them and the information replicated to all the others.
/etc/cron.d/certbot:
  file.managed:
    - source: salt://admin/files/certbot.cron

{% else %}

/etc/cron.d/certbot:
  file.absent

{% endif %}