From 6c2c73fb3304da6f35c7390b4a952bb7f51a4d5d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hugo=20H=C3=B6rnquist?= Date: Tue, 10 Jan 2023 12:57:19 +0100 Subject: Introduce profiles::certificates + repomaster work. --- manifests/certificate.pp | 19 +++++++++++++++++++ manifests/repomaster.pp | 26 +++++++++++++++++++++++++- 2 files changed, 44 insertions(+), 1 deletion(-) create mode 100644 manifests/certificate.pp (limited to 'manifests') diff --git a/manifests/certificate.pp b/manifests/certificate.pp new file mode 100644 index 0000000..829ae37 --- /dev/null +++ b/manifests/certificate.pp @@ -0,0 +1,19 @@ +# Sets up a certificate for this machine. +# Should preferably be included before a letsencrypt::domain resource +# is declared. +class profiles::certificate ( + String $cert_name = $::fqdn, + Letsencrypt::Authenticator $authenticator = 'nginx', + Hash[String,Any] $config = { + # more portable than 'systemctl reload nginx' + 'post-hook' => 'nginx -s reload', + }, +) { + include ::letsencrypt + + letsencrypt::cert { $cert_name: + domains => [ $::fqdn, ], + authenticator => $authenticator, + config => $config, + } +} diff --git a/manifests/repomaster.pp b/manifests/repomaster.pp index 671b16f..d7143f6 100644 --- a/manifests/repomaster.pp +++ b/manifests/repomaster.pp @@ -2,10 +2,17 @@ class profiles::repomaster ( String $directory, String $hostname = "repo.${::fqdn}", + Boolean $publish_dns = false, + Optional[String] $dns_zone = undef, ) { include ::nginx + include ::profiles::certificate + letsencrypt::domain { $hostname: + cert_name => $profiles::certificate::cert_name, + } + nginx::resource::server { $hostname: www_root => $directory, autoindex => 'on', 
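Review bot: Passing any `$config` to `profiles::certificate` replaces the whole default hash, so the `'post-hook' => 'nginx -s reload'` entry disappears and nginx would presumably keep serving the old certificate after a renewal until something else reloads it. Since the value is handed to `letsencrypt::cert` unchanged, consider defaulting the parameter to `{}` and passing `config => { 'post-hook' => 'nginx -s reload' } + $config,` so a caller's keys are merged with the reload hook instead of replacing it. The header comment should also say that hook values are executed as commands by the ACME client (presumably with elevated privileges; confirm), so `$config` must only come from trusted data.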
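Review bot: `$dns_zone` defaults to `undef` while `$publish_dns` can be set to `true` on its own, and the later hunk of this file then exports `dns_record` with `zone => $dns_zone`, i.e. an undefined zone. Neither new parameter is documented, so the dependency is not visible to whoever sets them in Hiera. A guard at the top of the class body turns the misconfiguration into a compile-time failure: `if $publish_dns and $dns_zone =~ Undef { fail('profiles::repomaster: dns_zone is required when publish_dns is true') }`. The class body continues outside this hunk.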
@@ -13,7 +20,24 @@ class profiles::repomaster ( ipv6_enable => true, ipv6_listen_options => '', listen_options => '', - # TODO ssl + * => letsencrypt::conf::nginx($hostname), } + if $publish_dns { + # TODO Separate toggles for ipv4 and ipv6 + # Since ipv4 might be internal and shouldn't be exported. + # @@dns_record { "${hostname} A": + # type => 'A', + # zone => $dns_zone, + # key => $hostname, + # value => $facts['ipaddress'], + # } + + @@dns_record { "${hostname} AAAA": + type => 'AAAA', + zone => $dns_zone, + key => $hostname, + value => $facts['ipaddress6'], + } + } } -- cgit v1.2.3
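Review bot: The exported `dns_record` takes its `value` from `$facts['ipaddress6']`, which is reported by the agent and is a legacy fact that can be missing on a host without IPv6. In that case the record is exported with an undefined value, and in every case the collecting node publishes whatever address the agent reported. Tightening the condition to `if $publish_dns and $facts['networking']['ip6'] {`, and using the same fact for `value`, avoids exporting an empty record. A comment above the resource should state that the DNS side is expected to restrict which keys and zones it collects; whether it does is not visible here. The class body starts outside this hunk.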