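# @summary A single certificate
#
# Writes the certbot INI file and the domain list for one certificate,
# declares its renewal, and runs the renew script once to obtain the
# certificate initially and again whenever the INI file or the domain
# list changes.
#
# @param cert_name
#   Name of the certificate, can be anything, but $::fqdn is recommended
# @param ensure    Present or absent (currently does nothing: the value is
#   accepted but not applied to any of the resources declared below)
# @param include_self
#   Should the certificates name be one of its domains?
# @param authenticator
#   How should the challenge be handled.
# @param domains
#   List of domains to add to certificate
# @param config
#   Additional config for this entry. It is merged last, so keys given here
#   override both the module-wide config and the per-certificate defaults
#   set below (for example 'rsa-key-size' or 'authenticator').
define letsencrypt::cert (
  Letsencrypt::Authenticator $authenticator,
  String $cert_name                 = $name,
  Enum['present', 'absent'] $ensure = 'present',
  Boolean $include_self             = true,
  Array[String] $domains            = [],
  Hash[String, Any] $config         = {},
) {
  $conf_file   = "${letsencrypt::config_dir}/${cert_name}.ini"
  $domain_file = "${letsencrypt::config_dir}/${cert_name}.domains"

  # Pull in the class implementing the chosen challenge method. The
  # Letsencrypt::Authenticator type restricts the interpolated class name
  # to the module's known authenticators.
  include "::letsencrypt::authenticator::${authenticator}"

  $local_conf = {
    'cert-name'           => $cert_name,
    'rsa-key-size'        => 4096,
    'authenticator'       => $authenticator,
    'agree-tos'           => true,
    'quiet'               => true,
    'keep-until-expiring' => true,
    'non-interactive'     => true,
  }

  # Precedence, lowest to highest: module-wide config, the defaults above,
  # then the caller's $config (right-hand operand of '+' wins on key clash).
  $conf = $letsencrypt::config_ + $local_conf + $config

  file { $conf_file:
    ensure  => file,
    content => epp("${module_name}/ini.epp", { 'values' => $conf }),
  }

  # Fragments are contributed by letsencrypt::domain; warn marks the
  # generated file as managed so nobody edits it by hand.
  concat { $domain_file:
    ensure_newline => true,
    warn           => true,
  }

  ensure_resource('letsencrypt::domain', $domains, {
    cert_name => $cert_name,
  })

  # '!' binds tighter than 'in' in Puppet, so the unparenthesised form
  # '! $cert_name in $domains' evaluates '(!$cert_name) in $domains', which
  # is never true for a non-empty name and silently disabled include_self.
  if $include_self and !($cert_name in $domains) {
    ensure_resource('letsencrypt::domain', $cert_name, {
      cert_name => $cert_name,
    })
  }

  letsencrypt::renew { $cert_name:
  }

  # This might be incorrect. If a certificate of that name already
  # exists then the new certificate will instead be called
  # ${cert-name}-0001. See
  # https://eff-certbot.readthedocs.io/en/stable/using.html#where-are-my-certificates
  #
  # The renew script is only handed the certificate name, so it presumably
  # locates its settings through $conf_file and $domain_file; require both
  # explicitly instead of relying on manifest ordering for the first run.
  exec { "letsencrypt - get initial ${cert_name}":
    creates => "${letsencrypt::cert_dir}/${cert_name}",
    command => [$letsencrypt::renew::setup::renew_script, $cert_name],
    require => [
      File[$letsencrypt::renew::setup::renew_script],
      File[$conf_file],
      Concat[$domain_file],
    ],
  }

  # Re-issue whenever the INI file or the domain list changes; the command
  # is given as an array so no shell is involved in running it.
  exec { "letsencrypt - refresh ${cert_name}":
    command     => [$letsencrypt::renew::setup::renew_script, $cert_name],
    subscribe   => [File[$conf_file], Concat[$domain_file]],
    refreshonly => true,
    require     => File[$letsencrypt::renew::setup::renew_script],
  }
}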