From 2ef4fb0bf88a7c16d2a61136bb890324194bdd6a Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Mon, 7 Oct 2024 13:16:41 +1100 Subject: [PATCH] feat: update certbot module - update documentation - add option to notify services - set haproxy role to notify the haproxy service --- .../au/region/syd1/infra/halb/haproxy.yaml | 1 + modules/certbot/manifests/client.pp | 16 ++++++++++++---- modules/certbot/manifests/client/cert.pp | 15 +++++++++++++++ 3 files changed, 28 insertions(+), 4 deletions(-) diff --git a/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml b/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml index 60af6c6..6c30b3c 100644 --- a/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml +++ b/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml @@ -260,6 +260,7 @@ profiles::haproxy::dns::cnames: - au-syd1-pve-api.main.unkin.net # letsencrypt certificates +certbot::client::service: haproxy certbot::client::domains: - au-syd1-pve.main.unkin.net - au-syd1-pve-api.main.unkin.net diff --git a/modules/certbot/manifests/client.pp b/modules/certbot/manifests/client.pp index 3ca6ef3..fb018ca 100644 --- a/modules/certbot/manifests/client.pp +++ b/modules/certbot/manifests/client.pp @@ -1,7 +1,14 @@ +# used by certbot clients to request letsencrypt certificates +# - domains: list of certificates to generate +# - webserver: where the client downloads certificates from +# - data_dir: where to store the certificates on the client +# - services: the services to notify when certificates change +# class certbot::client ( Array[Stdlib::Fqdn] $domains, Stdlib::Fqdn $webserver, Stdlib::Absolutepath $data_dir = '/etc/pki/tls/letsencrypt/', + Optional[String] $service = undef, ) { mkdir::p {$data_dir:} 
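Review bot: The new header comment documents `services: the services to notify when certificates change`, but the parameter added below it is the singular `Optional[String] $service = undef`, so the comment names a parameter that does not exist; suggest `# - service: name of the Service resource to notify when a certificate changes` and dropping the empty trailing `+#` line. The type should also be `Optional[String[1]]` so an empty string cannot be passed through to `Service['']` inside certbot::client::cert, whose header hunk in cert.pp declares `Optional[String] $notify_service` the same way and should get the same tightening. The class body continues past the end of this hunk.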
@@ -14,10 +21,11 @@ class certbot::client ( $domains.each |$domain| { certbot::client::cert {"${facts['networking']['fqdn']}_download_${domain}": - domain => $domain, - destination => "${data_dir}/${domain}", - webserver => $webserver, - require => File[$data_dir], + domain => $domain, + destination => "${data_dir}/${domain}", + webserver => $webserver, + require => File[$data_dir], + notify_service => $service, } } } diff --git a/modules/certbot/manifests/client/cert.pp b/modules/certbot/manifests/client/cert.pp index b4773dd..96f5a92 100644 --- a/modules/certbot/manifests/client/cert.pp +++ b/modules/certbot/manifests/client/cert.pp @@ -1,7 +1,13 @@ +# a define for creating a single certificate +# - domain: the domain to generate a certificate for +# - webserver: where to download the certificate from +# - destination: the data directory on the client +# - notify_service: what service to notify when the concat exec completes define certbot::client::cert ( Stdlib::Fqdn $domain, Stdlib::Fqdn $webserver, Stdlib::Absolutepath $destination = "/etc/pki/tls/letsencrypt/${domain}", + Optional[String] $notify_service = undef, ) { file { $destination: @@ -34,8 +40,16 @@ define certbot::client::cert ( } } + # create file resources create_resources(file, $files_to_create) + # if notify_service is specified + if $notify_service != undef { + $service = Service[$notify_service] + }else{ + $service = undef + } + exec { "concat_${domain}_certs": command => "cat ${destination}/fullchain.pem ${destination}/privkey.pem > ${destination}/fullchain_combined.pem", path => ['/bin', '/usr/bin'], @@ -44,6 +58,7 @@ define certbot::client::cert ( File["${destination}/fullchain.pem"], File["${destination}/privkey.pem"], ], + notify => $service, } } else { notify { 'Certificates are not yet ready on the generator server.': }
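Review bot: The new `notify_service` line in the header comment of certbot::client::cert does not say that the named Service resource must already be declared in the catalog; the later hunk builds `Service[$notify_service]` from it and hands that to `notify`, and Puppet fails the catalog when a relationship points at a resource that is not declared. Suggest `# - notify_service: title of an already-declared Service resource to refresh when the combined cert is rebuilt (undef = no notification)`. The define's body continues outside this hunk.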
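Review bot: The `$service` computed in the new if/else is attached as `notify => $service` on `concat_${domain}_certs` in the following hunk, so the service is refreshed every time that exec runs; the two exec attributes between the hunks are not visible here, and unless one of them is `refreshonly => true` (paired with a `subscribe` on the two File resources) or a `creates`/`unless` guard, that is a service restart on every agent run. Worth confirming before this lands on the haproxy role selected in the hieradata hunk. Separately, `}else{` should be written `} else {`, and the whole block can collapse to one assignment, `$service = if $notify_service { Service[$notify_service] }`, which yields undef when no service is given.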