From 0a07215d422f8f606a41d822436e6c6dd93d001f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?=
Date: Tue, 10 Jan 2023 12:56:33 +0100
Subject: Working product.
---
 manifests/cert.pp | 82 +++++++++++++++++++++++++++++++++++++++----------------
 1 file changed, 58 insertions(+), 24 deletions(-)
(limited to 'manifests/cert.pp')
diff --git a/manifests/cert.pp b/manifests/cert.pp
index 061ace1..13e1c82 100644
--- a/manifests/cert.pp
+++ b/manifests/cert.pp
@@ -1,44 +1,78 @@
 # @summary A single certificate
-# TODO possibly default cert_name to $::fqdn instead
-# @param cert_name Name of the certificate
+# @param cert_name
+# Name of the certificate, can be anything, but $::fqdn is recommended
 # @param ensure Present or absent (currently does nothing)
-# @param include_self Should the certificates name be one of its domains?
+# @param include_self
+# Should the certificates name be one of its domains?
+# @param authenticator
+# How should the challenge be handled.
+# @param domains
+# List of domains to add to certificate
+# @param config
+# Additional config for this entry
 define letsencrypt::cert (
+ Letsencrypt::Authenticator $authenticator,
 String $cert_name = $name,
 Enum['present', 'absent'] $ensure = 'present',
 Boolean $include_self = true,
+ Array[String] $domains = [],
+ Hash[String, Any] $config = {},
 ) {
- # TODO these env files are systemd specific
- # TODO concat::fragment is clumsy, look at re-implementing the
- # functionallity internally
+ $conf_file = "${letsencrypt::config_dir}/${cert_name}.ini"
+ $domain_file = "${letsencrypt::config_dir}/${cert_name}.domains"
- concat { "${letsencrypt::config_dir}/env/${cert_name}":
- ensure => present,
- warn => true,
+ include "::letsencrypt::authenticator::${authenticator}"
+
+ $local_conf = {
+ 'cert-name' => $cert_name,
+ 'rsa-key-size' => 4096,
+ 'authenticator' => $authenticator,
+ 'agree-tos' => true,
+ 'quiet' => true,
+ 'keep-until-expiring' => true,
+ 'non-interactive' => true,
 }
- $cert_preamble = @(EOF)
- AUTHENTICATOR = ''
- POST_HOOK = ''
- DOMAINS =
- |- EOF
+ $conf = $letsencrypt::config_ + $local_conf + $config
- concat::fragment { "letsencrypt ${cert_name} preamble":
- target => "${letsencrypt::config_dir}/env/${cert_name}",
- order => '0',
- content => $cert_preamble,
+ file { $conf_file:
+ ensure => file,
+ content => epp("${module_name}/ini.epp", { 'values' => $conf }),
 }
- concat::fragment { "letsencrypt ${cert_name} postamble":
- target => "${letsencrypt::config_dir}/env/${cert_name}",
- order => '99',
- content => "\n\n",
+ concat { $domain_file:
+ ensure_newline => true,
+ warn => true,
 }
- if $include_self {
- letsencrypt::domain { $cert_name: }
+ $domains.each |$domain| {
+ letsencrypt::domain { $domain:
+ cert_name => $cert_name,
+ }
+ }
+ if $include_self and ! $cert_name in $domains {
+ letsencrypt::domain { $cert_name:
+ cert_name => $cert_name,
+ }
 }
 letsencrypt::renew { $cert_name: }
+
+ # This might be incorrect. If a certificate of that name already
+ # exists then the new certificate will instead be called
+ # ${cert-name}-0001. See
+ # https://eff-certbot.readthedocs.io/en/stable/using.html#where-are-my-certificates
+ exec { "letsencrypt - get initial ${cert_name}":
+ creates => "${letsencrypt::cert_dir}/${cert_name}",
+ command => [$letsencrypt::renew::setup::renew_script, $cert_name],
+ require => File[$letsencrypt::renew::setup::renew_script],
+ }
+
+ exec { "letsencrypt - refresh ${cert_name}":
+ command => [$letsencrypt::renew::setup::renew_script, $cert_name],
+ subscribe => [File[$conf_file], Concat[$domain_file]],
+ refreshonly => true,
+ require => File[$letsencrypt::renew::setup::renew_script],
+ }
 }
--
cgit v1.2.3
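Review bot: The self-domain guard `if $include_self and ! $cert_name in $domains {` does not test what it reads as, because Puppet's unary `!` binds tighter than `in`, so it parses as `(!$cert_name) in $domains`, i.e. `false in $domains`, which is never true for an `Array[String]` and so the certificate's own name is never added unless the caller lists it explicitly; write it as `if $include_self and !($cert_name in $domains) {`. On a first run both `File[$conf_file]` and `Concat[$domain_file]` are created and emit refresh events, so the `refreshonly` exec fires in the same run as the `creates`-guarded "get initial" exec with no ordering between them, and the renew script is invoked twice (the second invocation is presumably a no-op under `keep-until-expiring`, but it still costs a certbot run). Adding `require => Exec["letsencrypt - get initial ${cert_name}"]` to the refresh exec, or folding the two into one exec, avoids that. Finally, `$conf = $letsencrypt::config_ + $local_conf + $config` lets a caller's `$config` override `cert-name` and `authenticator`, which would silently desynchronise the `creates` path and the included authenticator class from what certbot actually does; if that override is not intended, merge `$local_conf` last or document that those keys are caller-overridable.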