Diffstat (limited to 'manifests/cert.pp')
-rw-r--r--manifests/cert.pp82
1 files changed, 58 insertions, 24 deletions
diff --git a/manifests/cert.pp b/manifests/cert.pp
index 061ace1..13e1c82 100644
--- a/manifests/cert.pp
+++ b/manifests/cert.pp
@@ -1,44 +1,78 @@
# @summary A single certificate
-# TODO possibly default cert_name to $::fqdn instead
-# @param cert_name Name of the certificate
+# @param cert_name
+# Name of the certificate, can be anything, but $::fqdn is recommended
# @param ensure Present or absent (currently does nothing)
-# @param include_self Should the certificates name be one of its domains?
+# @param include_self
+# Should the certificates name be one of its domains?
+# @param authenticator
+# How should the challenge be handled.
+# @param domains
+# List of domains to add to certificate
+# @param config
+# Additional config for this entry
define letsencrypt::cert (
+ Letsencrypt::Authenticator $authenticator,
String $cert_name = $name,
Enum['present', 'absent'] $ensure = 'present',
Boolean $include_self = true,
+ Array[String] $domains = [],
+ Hash[String, Any] $config = {},
) {
- # TODO these env files are systemd specific
- # TODO concat::fragment is clumsy, look at re-implementing the
- # functionallity internally
+ $conf_file = "${letsencrypt::config_dir}/${cert_name}.ini"
+ $domain_file = "${letsencrypt::config_dir}/${cert_name}.domains"
- concat { "${letsencrypt::config_dir}/env/${cert_name}":
- ensure => present,
- warn => true,
+ include "::letsencrypt::authenticator::${authenticator}"
+
+ $local_conf = {
+ 'cert-name' => $cert_name,
+ 'rsa-key-size' => 4096,
+ 'authenticator' => $authenticator,
+ 'agree-tos' => true,
+ 'quiet' => true,
+ 'keep-until-expiring' => true,
+ 'non-interactive' => true,
}
- $cert_preamble = @(EOF)
- AUTHENTICATOR = ''
- POST_HOOK = ''
- DOMAINS =
- |- EOF
+ $conf = $letsencrypt::config_ + $local_conf + $config
- concat::fragment { "letsencrypt ${cert_name} preamble":
- target => "${letsencrypt::config_dir}/env/${cert_name}",
- order => '0',
- content => $cert_preamble,
+ file { $conf_file:
+ ensure => file,
+ content => epp("${module_name}/ini.epp", { 'values' => $conf }),
}
- concat::fragment { "letsencrypt ${cert_name} postamble":
- target => "${letsencrypt::config_dir}/env/${cert_name}",
- order => '99',
- content => "\n\n",
+ concat { $domain_file:
+ ensure_newline => true,
+ warn => true,
}
- if $include_self {
- letsencrypt::domain { $cert_name: }
+ $domains.each |$domain| {
+ letsencrypt::domain { $domain:
+ cert_name => $cert_name,
+ }
+ }
+ if $include_self and ! $cert_name in $domains {
+ letsencrypt::domain { $cert_name:
+ cert_name => $cert_name,
+ }
}
letsencrypt::renew { $cert_name:
}
+
+ # This might be incorrect. If a certificate of that name already
+ # exists then the new certificate will instead be called
+ # ${cert-name}-0001. See
+ # https://eff-certbot.readthedocs.io/en/stable/using.html#where-are-my-certificates
+ exec { "letsencrypt - get initial ${cert_name}":
+ creates => "${letsencrypt::cert_dir}/${cert_name}",
+ command => [$letsencrypt::renew::setup::renew_script, $cert_name],
+ require => File[$letsencrypt::renew::setup::renew_script],
+ }
+
+ exec { "letsencrypt - refresh ${cert_name}":
+ command => [$letsencrypt::renew::setup::renew_script, $cert_name],
+ subscribe => [File[$conf_file], Concat[$domain_file]],
+ refreshonly => true,
+ require => File[$letsencrypt::renew::setup::renew_script],
+ }
}
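Review bot: The guard on the `include_self` branch is parsed as `(!$cert_name) in $domains` because Puppet's `!` binds tighter than `in`, so that comparison is always false and the self-domain resource is never declared; it should read `if $include_self and !($cert_name in $domains) {`. `$letsencrypt::config_` in the merge line looks like a truncated variable name, and because `$config` is merged last a caller can silently override `cert-name`, `authenticator` or `rsa-key-size`, leaving the generated `.ini` out of step with the `$cert_name` handed to the two renew execs; if those keys are meant to be fixed by the define, merge as `$letsencrypt::config_ + $config + $local_conf` and document that `$config` only adds keys. The `file { $conf_file: ... }` resource sets no `owner` or `mode`; if `$config` can carry plugin credentials, an explicit `mode => '0600'` is worth adding so the rendered file is not world-readable by default.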