path: root/manifests/cert.pp
# @summary A single certificate
#
# Writes the certbot ini file and the domain list for one certificate, pulls
# in the class for the chosen authenticator, declares the renewal hook and,
# when the `letsencrypt_bycertname` fact does not yet list the certificate,
# runs the renew script once to obtain it. Later changes to the ini file or
# the domain list run the renew script again through the refresh exec.
#
# @param cert_name
#   Name of the certificate, can be anything, but $::fqdn (or
#   $facts['networking']['fqdn'] on current Puppet) is recommended
# @param ensure    Present or absent (currently does nothing)
# @param include_self
#   Should the certificates name be one of its domains?
# @param authenticator
#   How should the challenge be handled. The value also selects the
#   letsencrypt::authenticator::<authenticator> class that gets included.
# @param domains
#   List of domains to add to certificate
# @param config
#   Additional config for this entry. It is merged last, so keys given here
#   override both the module-wide letsencrypt::config_ defaults and the
#   per-certificate values set in this define (cert-name, rsa-key-size,
#   authenticator, agree-tos, ...).
define letsencrypt::cert (
  Letsencrypt::Authenticator $authenticator,
  String $cert_name                 = $name,
  Enum['present', 'absent'] $ensure = 'present',
  Boolean $include_self             = true,
  Array[String] $domains            = [],
  Hash[String, Any] $config         = {},
) {
  $ini_path     = "${letsencrypt::config_dir}/${cert_name}.ini"
  $domains_path = "${letsencrypt::config_dir}/${cert_name}.domains"

  # The authenticator value doubles as a class name suffix; the
  # Letsencrypt::Authenticator type on the parameter is what keeps this
  # from being an include of an arbitrary class.
  include "::letsencrypt::authenticator::${authenticator}"

  # Per-certificate certbot settings. Precedence, lowest to highest:
  # module defaults, these values, caller-supplied $config.
  $cert_settings = {
    'cert-name'           => $cert_name,
    'rsa-key-size'        => 4096,
    'authenticator'       => $authenticator,
    'agree-tos'           => true,
    'quiet'               => true,
    'keep-until-expiring' => true,
    'non-interactive'     => true,
  }
  $ini_values = $letsencrypt::config_ + $cert_settings + $config

  file { $ini_path:
    ensure  => file,
    content => epp("${module_name}/ini.epp", { 'values' => $ini_values }),
  }

  # Domain list assembled with concat; presumably letsencrypt::domain
  # contributes the fragments -- confirm against that define.
  concat { $domains_path:
    ensure_newline => true,
    warn           => true,
  }

  $domain_params = { cert_name => $cert_name }
  ensure_resource('letsencrypt::domain', $domains, $domain_params)
  # Add the certificate name itself unless it is already listed.
  unless !$include_self or $cert_name in $domains {
    ensure_resource('letsencrypt::domain', $cert_name, $domain_params)
  }

  letsencrypt::renew { $cert_name:
  }

  $renew_script  = $letsencrypt::renew::setup::renew_script
  $renew_command = [$renew_script, $cert_name]
  $renew_deps    = [
    File[$ini_path],
    Concat[$domains_path],
    File[$renew_script],
  ]

  # First issuance: skipped when the fact already reports this name, and
  # `creates` keeps it from running again once the cert directory exists.
  unless $cert_name in $facts['letsencrypt_bycertname'] {
    exec { "letsencrypt - get initial ${cert_name}":
      creates => "${letsencrypt::cert_dir}/${cert_name}",
      command => $renew_command,
      require => $renew_deps,
    }
  }

  # Re-run the renew script whenever the ini file or the domain list changes.
  exec { "letsencrypt - refresh ${cert_name}":
    command     => $renew_command,
    refreshonly => true,
    subscribe   => [File[$ini_path], Concat[$domains_path]],
    require     => $renew_deps,
  }
}