diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml index b1b1878..16c8799 100644 --- a/.github/workflows/builder.yml +++ b/.github/workflows/builder.yml @@ -21,12 +21,13 @@ jobs: changed: ${{ steps.changed_addons.outputs.changed }} steps: - name: Check out the repository - uses: actions/checkout@v3.0.2 + uses: actions/checkout@v4 - name: Get changed files id: changed_files - # pinning out of paranoia, this is the modern-node fork of jitterbit/get-changed-files - uses: masesgroup/retrieve-changed-files@076a92699259d81d1c607bd91f0e1e9d45fd3151 + # pinning out of paranoia; this is the modern-node fork of jitterbit/get-changed-files + # at v3.0.0 + uses: masesgroup/retrieve-changed-files@491e80760c0e28d36ca6240a27b1ccb8e1402c13 - name: Find add-on directories id: addons @@ -37,7 +38,11 @@ jobs: run: | declare -a changed_addons for addon in ${{ steps.addons.outputs.addons }}; do - if [[ "${{ steps.changed_files.outputs.all }}" =~ $addon ]]; then + # if one of the changed files was this action, we retry all the builds + if [[ "${{ steps.changed_files.outputs.all }}" =~ '.github/workflows/.*\.yml' ]]; then + changed_addons+=("\"${addon}\","); + echo "Including ${addon} because the build action changed" + elif [[ "${{ steps.changed_files.outputs.all }}" =~ $addon ]]; then for file in ${{ env.MONITORED_FILES }}; do if [[ "${{ steps.changed_files.outputs.all }}" =~ $addon/$file ]]; then if [[ ! "${changed_addons[@]}" =~ $addon ]]; then @@ -59,10 +64,39 @@ jobs: else echo "No add-on had any monitored files changed (${{ env.MONITORED_FILES }})"; fi + test: + needs: init + runs-on: ubuntu-latest + if: needs.init.outputs.changed == 'true' && github.event_name == 'pull_request' + name: Verify ${{ matrix.addon }} add-on before build/publish + strategy: + matrix: + addon: ${{ fromJson(needs.init.outputs.changed_addons) }} + + steps: + - name: Check out repository + uses: actions/checkout@v4 + + - name: Get information + id: info + uses: home-assistant/actions/helpers/info@master + with: + path: "./${{ matrix.addon }}" + + - name: Test ${{ matrix.addon }} add-on + uses: home-assistant/builder@master + with: + args: | + --test \ + --all \ + --target /data/${{ matrix.addon }} \ + --image "${{ matrix.addon }}" \ + --docker-hub "ghcr.io/${{ github.repository_owner }}" + build: needs: init runs-on: ubuntu-latest - if: needs.init.outputs.changed == 'true' + if: needs.init.outputs.changed == 'true' && github.event_name != 'pull_request' name: Build ${{ matrix.arch }} ${{ matrix.addon }} add-on strategy: matrix: @@ -71,7 +105,7 @@ jobs: steps: - name: Check out repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Get information id: info @@ -98,7 +132,7 @@ jobs: - name: Login to GitHub Container Registry if: env.BUILD_ARGS != '--test' - uses: docker/login-action@v2.0.0 + uses: docker/login-action@v3.0.0 with: registry: ghcr.io username: ${{ github.repository_owner }} @@ -106,7 +140,7 @@ jobs: - name: Build ${{ matrix.addon }} add-on if: steps.check.outputs.build_arch == 'true' - uses: home-assistant/builder@2022.11.0 + uses: home-assistant/builder@2023.09.0 with: args: | ${{ env.BUILD_ARGS }} \ diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 81b722c..9149f4b 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -18,7 +18,7 @@ jobs: addons: ${{ steps.addons.outputs.addons_list }} steps: - name: ⤵️ Check out code from GitHub - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: 🔍 Find add-on directories id: addons @@ -33,7 +33,7 @@ jobs: path: ${{ fromJson(needs.find.outputs.addons) }} steps: - name: ⤵️ Check out code from GitHub - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: 🚀 Run Home Assistant Add-on Lint uses: frenck/action-addon-linter@v2 diff --git a/iot-certbot/CHANGELOG.md b/iot-certbot/CHANGELOG.md index 3b46a43..cb75d2a 100644 --- a/iot-certbot/CHANGELOG.md +++ b/iot-certbot/CHANGELOG.md @@ -1,5 +1,12 @@ +## 1.1.1 + +- Switched to a forever-running script in `run` +- bump the build base image +- bump cryptography to 41.0.5 +- bump certbot to 2.7.4 + ## 1.1.0 Stop trying to run periodically, depend on automations diff --git a/iot-certbot/build.yaml b/iot-certbot/build.yaml index 1803512..b9b0447 100644 --- a/iot-certbot/build.yaml +++ b/iot-certbot/build.yaml @@ -1,10 +1,15 @@ --- build_from: - aarch64: ghcr.io/home-assistant/aarch64-base-python:3.9-alpine3.14 - amd64: ghcr.io/home-assistant/amd64-base-python:3.9-alpine3.14 - armhf: ghcr.io/home-assistant/armhf-base-python:3.9-alpine3.14 - armv7: ghcr.io/home-assistant/armv7-base-python:3.9-alpine3.14 - i386: ghcr.io/home-assistant/i386-base-python:3.9-alpine3.14 + aarch64: "ghcr.io/home-assistant/aarch64-base:3.15" + amd64: "ghcr.io/home-assistant/amd64-base:3.15" + armhf: "ghcr.io/home-assistant/armhf-base:3.15" + armv7: "ghcr.io/home-assistant/armv7-base:3.15" + i386: "ghcr.io/home-assistant/i386-base:3.15" +labels: + org.opencontainers.image.title: "Home Assistant Add-on: AWS IOT Certbot" + org.opencontainers.image.description: "Use AWS IOT and LetsEncrpyt for DNS challenge certs" + org.opencontainers.image.source: "https://github.com/offbyone/homeassistant-addons" + org.opencontainers.image.licenses: "BSD" args: - CRYPTOGRAPHY_VERSION: 39.0.0 - CERTBOT_VERSION: 2.1.0 + CRYPTOGRAPHY_VERSION: 41.0.5 + CERTBOT_VERSION: 2.7.4 diff --git a/iot-certbot/rootfs/etc/services.d/lets-encrypt/finish b/iot-certbot/rootfs/etc/services.d/lets-encrypt/finish index 0e3cee2..bfd45b2 100755 --- a/iot-certbot/rootfs/etc/services.d/lets-encrypt/finish +++ b/iot-certbot/rootfs/etc/services.d/lets-encrypt/finish @@ -1,4 +1,5 @@ #!/usr/bin/env bashio +# -*- shell-script -*- # ============================================================================== # Take down the S6 supervision tree when letsencrypt fails # s6-overlay docs: https://github.com/just-containers/s6-overlay diff --git a/iot-certbot/rootfs/etc/services.d/lets-encrypt/run b/iot-certbot/rootfs/etc/services.d/lets-encrypt/run index c77ba8b..f38fe41 100755 --- a/iot-certbot/rootfs/etc/services.d/lets-encrypt/run +++ b/iot-certbot/rootfs/etc/services.d/lets-encrypt/run @@ -1,58 +1,10 @@ #!/usr/bin/with-contenv bashio +# -*- shell-script -*- # ============================================================================== -# Start sshd service if enabled +# Re-run the renew script forever, until the addon is stopped. Hourly ought to +# be good enough. # ============================================================================== -CERT_DIR=/data/letsencrypt -WORK_DIR=/data/workdir -PROVIDER_ARGUMENTS=() -ACME_CUSTOM_SERVER_ARGUMENTS=() - -EMAIL=$(bashio::config 'email') -DOMAINS=$(bashio::config 'domains') -KEYFILE=$(bashio::config 'keyfile') -CERTFILE=$(bashio::config 'certfile') -ACME_SERVER=$(bashio::config 'acme_server') -ACME_ROOT_CA=$(bashio::config 'acme_root_ca_cert') - -PROPAGATION_SECONDS=60 -if bashio::config.exists 'dns.propagation_seconds'; then - PROPAGATION_SECONDS="$(bashio::config 'dns.propagation_seconds')" -fi -bashio::log.info "Use propagation seconds: ${PROPAGATION_SECONDS}" - -# ensure our current credentials are up to date -/opt/iot/bin/update-credentials.sh - -# Source our current credentials -AWS_CONFIG_FILE=/opt/iot/credentials/default -export AWS_CONFIG_FILE -PROVIDER_ARGUMENTS+=("--dns-route53") - -if bashio::config.has_value 'acme_server' ; then - ACME_CUSTOM_SERVER_ARGUMENTS+=("--server" "${ACME_SERVER}") - - if bashio::config.has_value 'acme_root_ca_cert'; then - echo "${ACME_ROOT_CA}" > /tmp/root-ca-cert.crt - # Certbot will automatically open the filepath contained in REQUESTS_CA_BUNDLE for extra CA cert - export REQUESTS_CA_BUNDLE=/tmp/root-ca-cert.crt - fi -fi - -# Gather all domains into a plaintext file -DOMAIN_ARR=() -for line in $DOMAINS; do - DOMAIN_ARR+=(-d "$line") +while true; do + /opt/letsencrypt/bin/renew || bashio::log.error "Most recent letsencrypt run failed; check your logs" + sleep 3600 done -echo "$DOMAINS" > /data/domains.gen - -certbot certonly --non-interactive --keep-until-expiring --expand \ - --email "$EMAIL" --agree-tos \ - --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" \ - --preferred-challenges "dns" "${DOMAIN_ARR[@]}" "${PROVIDER_ARGUMENTS[@]}" \ - --preferred-chain "ISRG Root X1" - -# Get the last modified cert directory and copy the cert and private key to store -# shellcheck disable=SC2012 -CERT_DIR_LATEST="$(ls -td $CERT_DIR/live/*/ | head -1)" -cp "${CERT_DIR_LATEST}privkey.pem" "/ssl/$KEYFILE" -cp "${CERT_DIR_LATEST}fullchain.pem" "/ssl/$CERTFILE" diff --git a/iot-certbot/rootfs/opt/letsencrypt/bin/renew b/iot-certbot/rootfs/opt/letsencrypt/bin/renew new file mode 100755 index 0000000..cd54b04 --- /dev/null +++ b/iot-certbot/rootfs/opt/letsencrypt/bin/renew @@ -0,0 +1,59 @@ +#!/usr/bin/with-contenv bashio +# -*- shell-script -*- +# ============================================================================== +# Start sshd service if enabled +# ============================================================================== +CERT_DIR=/data/letsencrypt +WORK_DIR=/data/workdir +PROVIDER_ARGUMENTS=() +ACME_CUSTOM_SERVER_ARGUMENTS=() + +EMAIL=$(bashio::config 'email') +DOMAINS=$(bashio::config 'domains') +KEYFILE=$(bashio::config 'keyfile') +CERTFILE=$(bashio::config 'certfile') +ACME_SERVER=$(bashio::config 'acme_server') +ACME_ROOT_CA=$(bashio::config 'acme_root_ca_cert') + +PROPAGATION_SECONDS=60 +if bashio::config.exists 'dns.propagation_seconds'; then + PROPAGATION_SECONDS="$(bashio::config 'dns.propagation_seconds')" +fi +bashio::log.info "Use propagation seconds: ${PROPAGATION_SECONDS}" + +# ensure our current credentials are up to date +/opt/iot/bin/update-credentials.sh + +# Source our current credentials +AWS_CONFIG_FILE=/opt/iot/credentials/default +export AWS_CONFIG_FILE +PROVIDER_ARGUMENTS+=("--dns-route53") + +if bashio::config.has_value 'acme_server' ; then + ACME_CUSTOM_SERVER_ARGUMENTS+=("--server" "${ACME_SERVER}") + + if bashio::config.has_value 'acme_root_ca_cert'; then + echo "${ACME_ROOT_CA}" > /tmp/root-ca-cert.crt + # Certbot will automatically open the filepath contained in REQUESTS_CA_BUNDLE for extra CA cert + export REQUESTS_CA_BUNDLE=/tmp/root-ca-cert.crt + fi +fi + +# Gather all domains into a plaintext file +DOMAIN_ARR=() +for line in $DOMAINS; do + DOMAIN_ARR+=(-d "$line") +done +echo "$DOMAINS" > /data/domains.gen + +certbot certonly --non-interactive --keep-until-expiring --expand \ + --email "$EMAIL" --agree-tos \ + --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" \ + --preferred-challenges "dns" "${DOMAIN_ARR[@]}" "${PROVIDER_ARGUMENTS[@]}" \ + --preferred-chain "ISRG Root X1" + +# Get the last modified cert directory and copy the cert and private key to store +# shellcheck disable=SC2012 +CERT_DIR_LATEST="$(ls -td $CERT_DIR/live/*/ | head -1)" +cp "${CERT_DIR_LATEST}privkey.pem" "/ssl/$KEYFILE" +cp "${CERT_DIR_LATEST}fullchain.pem" "/ssl/$CERTFILE" diff --git a/iot-certbot/test/.gitignore b/iot-certbot/test/.gitignore new file mode 100644 index 0000000..5a54e9e --- /dev/null +++ b/iot-certbot/test/.gitignore @@ -0,0 +1,4 @@ +config/* +data/* +ssl/* +!.gitignore diff --git a/iot-certbot/test/README.md b/iot-certbot/test/README.md new file mode 100644 index 0000000..1b229ff --- /dev/null +++ b/iot-certbot/test/README.md @@ -0,0 +1,16 @@ +# Test data for the container. + +This directory can be used to provide the necessary set of mounts for the container to act "home-assistant-ish". + +Here's a shell invocation that runs this container: + +``` shellsession +docker run --rm -it \ + -v (pwd)/test/ssl:/ssl \ + -v (pwd)/test/data:/data \ + -v (pwd)/test/cache:/tmp/.bashio/ \ + -v (pwd)/test/config:/config \ + --name iot-certbot local/iot_certbot +``` + +You should set up the necessary addon config in `test/cache` (there's an example in there that I have _not_ done the necessary work to correct, sorry :( ) diff --git a/iot-certbot/test/cache/addons.self.options.config.cache b/iot-certbot/test/cache/addons.self.options.config.cache new file mode 100644 index 0000000..97297c2 --- /dev/null +++ b/iot-certbot/test/cache/addons.self.options.config.cache @@ -0,0 +1,5 @@ +{ + "email": "le-iot-ha-addon-dev@example.com", + "domains": ["a.b.c"], + "acme_server": "https://acme-staging-v02.api.letsencrypt.org/directory" +} diff --git a/iot-certbot/test/config/.gitignore b/iot-certbot/test/config/.gitignore new file mode 100644 index 0000000..e69de29 diff --git a/iot-certbot/test/data/.gitignore b/iot-certbot/test/data/.gitignore new file mode 100644 index 0000000..e69de29 diff --git a/iot-certbot/test/ssl/.gitignore b/iot-certbot/test/ssl/.gitignore new file mode 100644 index 0000000..e69de29