feat: update certbot module

- update documentation - add option to notify services - set haproxy role to notify the haproxy service
2024-10-07 13:16:41 +11:00 · 2024-10-07 13:16:41 +11:00 · 2ef4fb0bf8
commit 2ef4fb0bf8
parent 4bf4b42fdf
3 changed files with 28 additions and 4 deletions
--- a/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
+++ b/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
@ -260,6 +260,7 @@ profiles::haproxy::dns::cnames:
  - au-syd1-pve-api.main.unkin.net

 # letsencrypt certificates
+certbot::client::service: haproxy
 certbot::client::domains:
  - au-syd1-pve.main.unkin.net
  - au-syd1-pve-api.main.unkin.net
--- a/modules/certbot/manifests/client.pp
+++ b/modules/certbot/manifests/client.pp
@ -1,7 +1,14 @@
+# used by certbot clients to request letsencrypt certificates
+# - domains: list of certificates to generate
+# - webserver: where the client downloads certificates from
+# - data_dir: where to store the certificates on the client
+# - services: the services to notify when certificates change
+#
 class certbot::client (
  Array[Stdlib::Fqdn]   $domains,
  Stdlib::Fqdn          $webserver,
  Stdlib::Absolutepath  $data_dir = '/etc/pki/tls/letsencrypt/',
+  Optional[String]      $service = undef,
 ) {

  mkdir::p {$data_dir:}
@ -14,10 +21,11 @@ class certbot::client (

  $domains.each |$domain| {
    certbot::client::cert {"${facts['networking']['fqdn']}_download_${domain}":
-      domain      => $domain,
-      destination => "${data_dir}/${domain}",
-      webserver   => $webserver,
-      require     => File[$data_dir],
+      domain         => $domain,
+      destination    => "${data_dir}/${domain}",
+      webserver      => $webserver,
+      require        => File[$data_dir],
+      notify_service => $service,
    }
  }
 }
--- a/modules/certbot/manifests/client/cert.pp
+++ b/modules/certbot/manifests/client/cert.pp
@ -1,7 +1,13 @@
+# a define for creating a single certificate
+# - domain: the domain to generate a certificate for
+# - webserver: where to download the certificate from
+# - destination: the data directory on the client
+# - notify_service: what service to notify when the concat exec completes
 define certbot::client::cert (
  Stdlib::Fqdn          $domain,
  Stdlib::Fqdn          $webserver,
  Stdlib::Absolutepath  $destination = "/etc/pki/tls/letsencrypt/${domain}",
+  Optional[String]      $notify_service = undef,
 ) {

  file { $destination:
@ -34,8 +40,16 @@ define certbot::client::cert (
      }
    }

+    # create file resources
    create_resources(file, $files_to_create)

+    # if notify_service is specified
+    if $notify_service != undef {
+      $service = Service[$notify_service]
+    }else{
+      $service = undef
+    }
+
    exec { "concat_${domain}_certs":
      command     => "cat ${destination}/fullchain.pem ${destination}/privkey.pem > ${destination}/fullchain_combined.pem",
      path        => ['/bin', '/usr/bin'],
@ -44,6 +58,7 @@ define certbot::client::cert (
        File["${destination}/fullchain.pem"],
        File["${destination}/privkey.pem"],
      ],
+      notify      => $service,
    }
  } else {
    notify { 'Certificates are not yet ready on the generator server.': }