fredrick/dynamic-infra-tooling
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: add certificate management module and schedule auto-renewal cron

Browse source
This commit is contained in:
Fredrick Amnehagen 2026-02-05 20:36:15 +01:00
parent 42767fd8bc
commit f793ddd02f
6 changed files with 214 additions and 198 deletions
Download patch file Download diff file Expand all files Collapse all files

40
infra_cli/cert.py Normal file
View file

@ -0,0 +1,40 @@
from .ssh import SSHClient
class CertificateManager:
def __init__(self, config):
# Certificate manager is on la-vmh-11 (LXC 11215)
node = config.get_node('la-vmh-11')
if not node:
raise ValueError("Node 'la-vmh-11' not found in config")
self.host = node['host']
self.password = node.get('pass')
self.user = config.get('proxmox.user', 'root')
self.ssh_key = config.get('proxmox.ssh_key_path')
self.client = SSHClient(self.host, self.user, self.ssh_key, self.password)
self.lxc_id = "11215"
self.shared_path = "/shared-certs"
def exec_cert(self, cmd):
return self.client.run(f"pct exec {self.lxc_id} -- {cmd}")
def list_certs(self):
res = self.exec_cert(f"ls -lh {self.shared_path}")
return res.stdout
def renew(self, force=False):
script_path = "/root/local-config/infra-cert-mgr/scripts/dynamic-san-manager.sh"
cmd = f"bash {script_path}"
if force:
cmd += " --force-update"
res = self.exec_cert(cmd)
if res.returncode != 0:
raise RuntimeError(f"Certificate renewal failed: {res.stderr}")
return res.stdout
def check_expiry(self):
# Checks expiry of the main wildcard cert
cmd = f"openssl x509 -enddate -noout -in {self.shared_path}/loopaware.com.pem"
res = self.exec_cert(cmd)
return res.stdout.strip()

45
infra_cli/database.py
View file

@ -1,4 +1,6 @@
from .ssh import SSHClient
import tempfile
import os
class DatabaseManager:
def __init__(self, config):
@ -9,24 +11,45 @@ class DatabaseManager:
self.client = SSHClient(self.host, self.user, self.ssh_key)
def exec_sql(self, sql):
# Runs SQL as postgres user via SSH
res = self.client.run(f"su - postgres -c \"psql -c \\"{sql}\"\"")
if res.returncode != 0:
raise RuntimeError(f"PostgreSQL command failed: {res.stderr}")
return res.stdout
# Use a temporary file to avoid shell quoting hell
with tempfile.NamedTemporaryFile(mode='w', suffix='.sql', delete=False) as tf:
tf.write(sql)
tf_name = tf.name
try:
remote_path = f"/tmp/exec_{os.path.basename(tf_name)}"
self.client.scp_to(tf_name, remote_path)
# Ensure the postgres user can read the file
self.client.run(f"chmod 644 {remote_path}")
# Execute the SQL file as postgres user
cmd = f"su - postgres -c 'psql -f {remote_path}'"
res = self.client.run(cmd)
# Cleanup remote file
self.client.run(f"rm {remote_path}")
if res.returncode != 0:
raise RuntimeError(f"PostgreSQL command failed: {res.stderr}")
return res.stdout
finally:
if os.path.exists(tf_name):
os.remove(tf_name)
def create_database(self, db_name, owner=None):
sql = f"CREATE DATABASE {db_name}"
sql = f"CREATE DATABASE {db_name};"
if owner:
sql += f" OWNER {owner}"
sql = f"CREATE DATABASE {db_name} OWNER {owner};"
return self.exec_sql(sql)
def create_user(self, username, password):
sql = f"CREATE USER {username} WITH PASSWORD '{password}'"
# SQL with proper quoting for the password
sql = f"CREATE USER {username} WITH PASSWORD '{password}';"
return self.exec_sql(sql)
def grant_privileges(self, db_name, username):
sql = f"GRANT ALL PRIVILEGES ON DATABASE {db_name} TO {username}"
sql = f"GRANT ALL PRIVILEGES ON DATABASE {db_name} TO {username};"
return self.exec_sql(sql)
def list_databases(self):
@ -36,7 +59,7 @@ class DatabaseManager:
return self.exec_sql("\du")
def drop_database(self, db_name):
return self.exec_sql(f"DROP DATABASE IF EXISTS {db_name}")
return self.exec_sql(f"DROP DATABASE IF EXISTS {db_name};")
def drop_user(self, username):
return self.exec_sql(f"DROP USER IF EXISTS {username}")
return self.exec_sql(f"DROP USER IF EXISTS {username};")

65
infra_cli/dns.py
View file

@ -1,4 +1,5 @@
from .ssh import SSHClient
import re
class DNSManager:
def __init__(self, config):
@ -41,7 +42,8 @@ class DNSManager:
self.reload()
def remove_dns(self, domain):
cmd = f"sh -c \"sed -i '\#address=/{domain}/#d' {self.dns_file}\""
# Use raw string to avoid escape warnings
cmd = rf"sh -c \"sed -i '\#address=/{domain}/#d' {self.dns_file}\""
self.exec_lxc(cmd)
self.reload()
@ -57,46 +59,23 @@ class DNSManager:
dns = self.exec_lxc(f"cat {self.dns_file}").stdout
return {"hosts": hosts, "dns": dns}
def get_free_ips(self, start_subnet=70, end_subnet=80):
def get_free_ips(self, start_subnet=70, end_subnet=80):
"""Finds free IPs in the range 10.32.[70-80].1-254 by checking both static and dynamic leases"""
# 1. Get all static IPs from dhcp-hosts.conf and dynamic-hosts.conf
static_configs = self.exec_lxc(f"cat /etc/dnsmasq.d/dhcp-hosts.conf {self.hosts_file} 2>/dev/null").stdout
used_ips = set(re.findall(r'10\.32\.[0-9]{1,3}\.[0-9]{1,3}', static_configs))
# 2. Get all active dynamic leases
leases = self.exec_lxc("cat /var/lib/misc/dnsmasq.leases 2>/dev/null").stdout
used_ips.update(set(re.findall(r'10\.32\.[0-9]{1,3}\.[0-9]{1,3}', leases)))
"""Finds free IPs in the range 10.32.[70-80].1-254 by checking both static and dynamic leases"""
# 1. Get all static IPs from dhcp-hosts.conf and dynamic-hosts.conf
static_configs = self.exec_lxc(f"cat /etc/dnsmasq.d/dhcp-hosts.conf {self.hosts_file} 2>/dev/null").stdout
import re
used_ips = set(re.findall(r'10\.32\.[0-9]{1,3}\.[0-9]{1,3}', static_configs))
# 2. Get all active dynamic leases
leases = self.exec_lxc("cat /var/lib/misc/dnsmasq.leases 2>/dev/null").stdout
used_ips.update(set(re.findall(r'10\.32\.[0-9]{1,3}\.[0-9]{1,3}', leases)))
# 3. Find first available in the expanded agent range
free_ips = []
for subnet_idx in range(start_subnet, end_subnet + 1):
for host_idx in range(1, 255):
candidate = f"10.32.{subnet_idx}.{host_idx}"
if candidate not in used_ips:
free_ips.append(candidate)
if len(free_ips) >= 10: # Return top 10
return free_ips
return free_ips
# 3. Find first available in the expanded agent range
free_ips = []
for subnet_idx in range(start_subnet, end_subnet + 1):
for host_idx in range(1, 255):
candidate = f"10.32.{subnet_idx}.{host_idx}"
if candidate not in used_ips:
free_ips.append(candidate)
if len(free_ips) >= 10: # Return top 10
return free_ips
return free_ips

26
infra_cli/main.py
View file

@ -7,6 +7,7 @@ from .proxmox import ProxmoxManager
from .samba import SambaManager
from .cloudflare import CloudflareManager
from .database import DatabaseManager
from .cert import CertificateManager
import sys
@click.group()
@ -20,6 +21,31 @@ def cli(ctx, config):
click.echo(f"Error: {e}", err=True)
sys.exit(1)
@cli.group()
def cert():
"""Manage SSL/TLS Certificates"""
pass
@cert.command(name='list')
@click.pass_obj
def cert_list(config):
mgr = CertificateManager(config)
click.echo(mgr.list_certs())
@cert.command(name='status')
@click.pass_obj
def cert_status(config):
mgr = CertificateManager(config)
click.echo(f"Main Certificate Expiry: {mgr.check_expiry()}")
@cert.command(name='renew')
@click.option('--force', is_flag=True, help='Force full SAN discovery and renewal')
@click.pass_obj
def cert_renew(config, force):
mgr = CertificateManager(config)
click.echo("Running dynamic SAN manager...")
click.echo(mgr.renew(force))
@cli.group()
def db():
"""Manage PostgreSQL Databases and Users"""