From cb030b04acb9b1ef67343447448a97ffa2f2166a Mon Sep 17 00:00:00 2001
From: Maximilian Eschenbacher
Date: Thu, 4 Oct 2018 16:26:37 +0200
Subject: [PATCH] deploy certificates directly from pillar ... by providing a pillar string. I developed this for use in combination with ext_pillar and file_tree to deploy letsencrypt certificates.
---
 nginx/ng/certificates.sls | 10 +++++++++-
 pillar.example | 5 +++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/nginx/ng/certificates.sls b/nginx/ng/certificates.sls
index 17e2060..27e1396 100644
--- a/nginx/ng/certificates.sls
+++ b/nginx/ng/certificates.sls
@@ -36,17 +36,25 @@ nginx_{{ domain }}_ssl_certificate:
 file.managed:
 - name: {{ certificates_path }}/{{ domain }}.crt
 - makedirs: True
+{% if salt['pillar.get']("nginx:ng:certificates:{}:public_cert_pillar".format(domain)) %}
+ - contents_pillar: {{salt['pillar.get']('nginx:ng:certificates:{}:public_cert_pillar'.format(domain))}}
+{% else %}
 - contents_pillar: nginx:ng:certificates:{{ domain }}:public_cert
+{% endif %}
 - watch_in:
 - service: nginx_service
 
-{% if salt['pillar.get']("nginx:ng:certificates:{}:private_key".format(domain)) %}
+{% if salt['pillar.get']("nginx:ng:certificates:{}:private_key".format(domain)) or salt['pillar.get']("nginx:ng:certificates:{}:private_key_pillar".format(domain))%}
 nginx_{{ domain }}_ssl_key:
 file.managed:
 - name: {{ certificates_path }}/{{ domain }}.key
 - mode: 600
 - makedirs: True
+{% if salt['pillar.get']("nginx:ng:certificates:{}:private_key_pillar".format(domain)) %}
+ - contents_pillar: {{salt['pillar.get']('nginx:ng:certificates:{}:private_key_pillar'.format(domain))}}
+{% else %}
 - contents_pillar: nginx:ng:certificates:{{ domain }}:private_key
+{% endif %}
 - watch_in:
 - service: nginx_service
 {% endif %}
diff --git a/pillar.example b/pillar.example
index 310daec..3fe24b3 100644
--- a/pillar.example
+++ b/pillar.example
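Review bot: The `nginx_{{ domain }}_ssl_key` state in nginx/ng/certificates.sls has no `show_changes: False`, and `file.managed` returns a unified diff of a changed file by default, so each renewal in the Let's Encrypt workflow named in the commit message would put old and new key lines into the job return and any configured returner; adding `- show_changes: False` next to `- mode: 600` avoids that. The new `- contents_pillar: {{salt['pillar.get'](...)}}` lines in both states render the pillar path into YAML unquoted, so a value with YAML-significant characters would break or alter the rendered state; piping it through a quoting filter, e.g. `{{ salt['pillar.get'](...) | yaml_dquote }}`, is safer. The `{% if %}` branches also let `*_pillar` silently win when both forms are set, and nothing prevents pairing `public_cert_pillar` with an inline `private_key` (a possible cert/key mismatch), so a short comment above each branch stating the precedence would help, e.g. `# *_pillar takes precedence over the inline value when both are set`.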
@@ -182,6 +182,11 @@ nginx:
 # control (or use encrypted pillar data).
 certificates:
 'www.example.com':
+
+ # choose one of: deploying this cert by pillar (e.g. in combination with ext_pillar and file_tree)
+ # public_cert_pillar: certs:example.com:fullchain.pem
+ # private_key_pillar: certs:example.com:privkey.pem
+ # or directly pasting the cert
 public_cert: |
 -----BEGIN CERTIFICATE-----
 (Your Primary SSL certificate: www.example.com.crt)