unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: update certbot module

Browse Source 
- update documentation
- add option to notify services
- set haproxy role to notify the haproxy service
This commit is contained in:
Ben Vincent 2024-10-07 13:16:41 +11:00
parent 4bf4b42fdf
commit 2ef4fb0bf8
3 changed files with 28 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
View File

@ -260,6 +260,7 @@ profiles::haproxy::dns::cnames:
- au-syd1-pve-api.main.unkin.net - au-syd1-pve-api.main.unkin.net
# letsencrypt certificates # letsencrypt certificates
certbot::client::service: haproxy
certbot::client::domains: certbot::client::domains:
- au-syd1-pve.main.unkin.net - au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net - au-syd1-pve-api.main.unkin.net

16
modules/certbot/manifests/client.pp
View File

@ -1,7 +1,14 @@
# used by certbot clients to request letsencrypt certificates
# - domains: list of certificates to generate
# - webserver: where the client downloads certificates from
# - data_dir: where to store the certificates on the client
# - services: the services to notify when certificates change
#
class certbot::client ( class certbot::client (
Array[Stdlib::Fqdn] $domains, Array[Stdlib::Fqdn] $domains,
Stdlib::Fqdn $webserver, Stdlib::Fqdn $webserver,
Stdlib::Absolutepath $data_dir = '/etc/pki/tls/letsencrypt/', Stdlib::Absolutepath $data_dir = '/etc/pki/tls/letsencrypt/',
Optional[String] $service = undef,
) { ) {
mkdir::p {$data_dir:} mkdir::p {$data_dir:}
@ -14,10 +21,11 @@ class certbot::client (
$domains.each |$domain| { $domains.each |$domain| {
certbot::client::cert {"${facts['networking']['fqdn']}_download_${domain}": certbot::client::cert {"${facts['networking']['fqdn']}_download_${domain}":
domain => $domain, domain => $domain,
destination => "${data_dir}/${domain}", destination => "${data_dir}/${domain}",
webserver => $webserver, webserver => $webserver,
require => File[$data_dir], require => File[$data_dir],
notify_service => $service,
} }
} }
} }

15
modules/certbot/manifests/client/cert.pp
View File

@ -1,7 +1,13 @@
# a define for creating a single certificate
# - domain: the domain to generate a certificate for
# - webserver: where to download the certificate from
# - destination: the data directory on the client
# - notify_service: what service to notify when the concat exec completes
define certbot::client::cert ( define certbot::client::cert (
Stdlib::Fqdn $domain, Stdlib::Fqdn $domain,
Stdlib::Fqdn $webserver, Stdlib::Fqdn $webserver,
Stdlib::Absolutepath $destination = "/etc/pki/tls/letsencrypt/${domain}", Stdlib::Absolutepath $destination = "/etc/pki/tls/letsencrypt/${domain}",
Optional[String] $notify_service = undef,
) { ) {
file { $destination: file { $destination:
@ -34,8 +40,16 @@ define certbot::client::cert (
} }
} }
# create file resources
create_resources(file, $files_to_create) create_resources(file, $files_to_create)
# if notify_service is specified
if $notify_service != undef {
$service = Service[$notify_service]
}else{
$service = undef
}
exec { "concat_${domain}_certs": exec { "concat_${domain}_certs":
command => "cat ${destination}/fullchain.pem ${destination}/privkey.pem > ${destination}/fullchain_combined.pem", command => "cat ${destination}/fullchain.pem ${destination}/privkey.pem > ${destination}/fullchain_combined.pem",
path => ['/bin', '/usr/bin'], path => ['/bin', '/usr/bin'],
@ -44,6 +58,7 @@ define certbot::client::cert (
File["${destination}/fullchain.pem"], File["${destination}/fullchain.pem"],
File["${destination}/privkey.pem"], File["${destination}/privkey.pem"],
], ],
notify => $service,
} }
} else { } else {
notify { 'Certificates are not yet ready on the generator server.': } notify { 'Certificates are not yet ready on the generator server.': }