vimc · weshinsley · Oct 23, 2025 · Oct 23, 2025 · Oct 23, 2025 · Oct 23, 2025
diff --git a/config/acme/montagu.yml b/config/acme/montagu.yml
@@ -1,3 +1,19 @@
+vault:
+  ## Address of the vault server.  This should be a string if it is
+  ## present.
+  addr: ~
+  auth:
+    ## Authentication type - must be either "token" or the name of a
+    ## supported authentication method.  These seem to be poorly
+    ## documented in the hvac, but include "github" for github
+    ## authentication.
+    ##
+    ## On a vault client object, see auth.implemented_class_names for
+    ## a list, which is currently
+    ##
+    ##     azure, github, gcp, kubernetes, ldap, mfa, okta
+    method: token
+
 ## Prefix for container names; we'll use {container_prefix}-(container_name)
 container_prefix: montagu
 
@@ -14,7 +30,7 @@ repo: vimc
 network: montagu-network
 
 # Domain where this instance of Montagu will be deployed. E.g. science.montagu.dide.ic.uk
-hostname: montagu.org
+hostname: localhost
 
 ## Names of the docker volumes to use
 volumes:
@@ -24,9 +40,7 @@ volumes:
   templates: template_volume
   guidance: guidance_volume
   mq: mq
-  acme-challenge: acme-challenge
-  certificates: certificates
-  certbot: certbot
+  montagu-tls: montagu-tls
 
 api:
   name: montagu-api
@@ -76,10 +90,17 @@ proxy:
     repo: nginx
     name: nginx-prometheus-exporter
     tag: 1.3.0
-  acme:
-    email: [email protected]
-    additional_domains:
-      - montagu-dev.org
+acme_buddy:
+  email: [email protected]
+  additional_domains:
+    - montagu-dev.org
+  repo: ghcr.io/reside-ic
+  name: acme-buddy
+  tag: main
+  hdb_username: VAULT:secret/certbot-hdb/credentials:username
+  hdb_password: VAULT:secret/certbot-hdb/credentials:password
+  port: 2112
+
 contrib:
   name: montagu-contrib-portal
   tag: master

diff --git a/config/complete/montagu.yml b/config/complete/montagu.yml
@@ -83,17 +83,6 @@ proxy:
     repo: nginx
     name: nginx-prometheus-exporter
     tag: 1.3.0
-  ## This section describes how to get the certificate in.  We
-  ## support two sources:
-  ##
-  ## 1. self signed certificates - just leave this section blank
-  ##
-  ## 2. certificates from strings - include the strings directly in
-  ##    the keys here, or more likely use a VAULT:<path>:<key>
-  ##    string to extract them from the vault.
-  ssl:
-    key: "k3y"
-    certificate: "cert"
 contrib:
   name: montagu-contrib-portal
   tag: master

diff --git a/src/montagu_deploy/__about__.py b/src/montagu_deploy/__about__.py
@@ -1,4 +1,4 @@
 # SPDX-FileCopyrightText: 2023-present Alex <[email protected]>
 #
 # SPDX-License-Identifier: MIT
-__version__ = "0.0.9"
+__version__ = "0.1.0"
diff --git a/src/montagu_deploy/certbot.py b/src/montagu_deploy/certbot.py
diff --git a/src/montagu_deploy/cli.py b/src/montagu_deploy/cli.py
@@ -5,7 +5,6 @@
   montagu status [--name=PATH]
   montagu stop [--name=PATH] [--volumes] [--network] [--kill] [--force]
     [--extra=PATH] [--option=OPTION]...
-  montagu renew-certificate [--name=PATH] [--option=OPTION]... [--] [ARGS...]
 
 Options:
   --name=PATH      Override the configured name, use with care!
@@ -26,9 +25,8 @@
 import yaml
 
 import montagu_deploy.__about__ as about
-from montagu_deploy.certbot import obtain_certificate
 from montagu_deploy.config import MontaguConfig
-from montagu_deploy.montagu_constellation import montagu_constellation, proxy_update_certificate
+from montagu_deploy.montagu_constellation import montagu_constellation
 
 
 def main(argv=None):
@@ -49,8 +47,6 @@ def main(argv=None):
             montagu_status(obj)
         elif args.action == "stop":
             montagu_stop(obj, args, cfg)
-        elif args.action == "renew-certificate":
-            montagu_renew_certificate(obj, cfg, args.extra_args)
 
 
 def parse_args(argv=None):
@@ -90,18 +86,6 @@ def montagu_status(obj):
     obj.status()
 
 
-def montagu_renew_certificate(obj, cfg, extra_args):
-    if cfg.ssl_mode != "acme":
-        msg = "Proxy is not configured to use automatic certificates"
-        raise Exception(msg)
-
-    print("Renewing certificates")
-    (cert, key) = obtain_certificate(cfg, extra_args)
-
-    container = obj.containers.get("proxy", cfg.container_prefix)
-    proxy_update_certificate(container, cert, key, reload=True)
-
-
 def montagu_stop(obj, args, cfg):
     if args.volumes:
         verify_data_loss(cfg)
@@ -164,8 +148,6 @@ def __init__(self, args):
             self.action = "status"
         elif args["stop"]:
             self.action = "stop"
-        elif args["renew-certificate"]:
-            self.action = "renew-certificate"
         elif args["configure"]:
             self.action = "configure"
 
@@ -174,7 +156,6 @@ def __init__(self, args):
         self.volumes = args["--volumes"]
         self.network = args["--network"]
         self.version = args["--version"]
-        self.extra_args = args["ARGS"]
 
 
 IDENTITY_FILE = Path(".montagu_identity")

diff --git a/src/montagu_deploy/config.py b/src/montagu_deploy/config.py
@@ -56,21 +56,14 @@ def __init__(self, path, extra=None, options=None):
         self.proxy_port_metrics = config.config_integer(dat, ["proxy", "port_metrics"], is_optional=True, default=9000)
         self.proxy_metrics_ref = self.build_ref(dat["proxy"], "metrics")
 
-        if "ssl" in dat["proxy"] and "acme" in dat["proxy"]:
-            msg = "Cannot specify both ssl and acme options in proxy options."
-            raise Exception(msg)
-        if "ssl" in dat["proxy"]:
-            self.ssl_mode = "static"
-            self.ssl_certificate = config.config_string(dat, ["proxy", "ssl", "certificate"])
-            self.ssl_key = config.config_string(dat, ["proxy", "ssl", "key"])
-        elif "acme" in dat["proxy"]:
+        if "acme_buddy" in dat:
             self.ssl_mode = "acme"
-            self.acme_email = config.config_string(dat, ["proxy", "acme", "email"])
-            self.acme_server = config.config_string(dat, ["proxy", "acme", "server"], is_optional=True)
-            self.acme_no_verify_ssl = config.config_boolean(dat, ["proxy", "acme", "no_verify_ssl"], is_optional=True)
-            self.acme_additional_domains = config.config_list(
-                dat, ["proxy", "acme", "additional_domains"], is_optional=True, default=[]
-            )
+            self.acme_buddy_ref = self.build_ref(dat, "acme_buddy")
+            self.acme_buddy_port = config.config_integer(dat, ["acme_buddy", "port"])
+            self.acme_buddy_hdb_username = config.config_string(dat, ["acme_buddy", "hdb_username"])
+            self.acme_buddy_hdb_password = config.config_string(dat, ["acme_buddy", "hdb_password"])
+            self.acme_buddy_email = config.config_string(dat, ["acme_buddy", "email"])
+            self.acme_additional_domains = config.config_list(dat, ["acme_buddy", "additional_domains"])
         else:
             self.ssl_mode = "self-signed"
 
@@ -106,6 +99,9 @@ def __init__(self, path, extra=None, options=None):
         if self.fake_smtp_ref:
             self.containers["fake_smtp"] = "fake-smtp"
 
+        if self.ssl_mode == "acme":
+            self.containers["acme-buddy"] = "acme-buddy"
+
         self.images = {
             "db": self.db_ref,
             "api": self.api_ref,
@@ -123,6 +119,9 @@ def __init__(self, path, extra=None, options=None):
         if self.fake_smtp_ref:
             self.images["fake_smtp"] = self.fake_smtp_ref
 
+        if self.ssl_mode == "acme":
+            self.images["acme-buddy"] = self.acme_buddy_ref
+
     def build_ref(self, dat, section):
         name = config.config_string(dat, [section, "name"])
         tag = config.config_string(dat, [section, "tag"])