diff --git a/hieradata/country/au/region/syd1.yaml b/hieradata/country/au/region/syd1.yaml
index 2a744b7..1fda3f9 100644
--- a/hieradata/country/au/region/syd1.yaml
+++ b/hieradata/country/au/region/syd1.yaml
@@ -1,2 +1,3 @@
 ---
 timezone::timezone: 'Australia/Sydney'
+profiles::pki::letsencrypt: ausyd1nxvm1021.main.unkin.net
diff --git a/hieradata/roles/infra/pki/certbot.eyaml b/hieradata/roles/infra/pki/certbot.eyaml
index cd3cd9c..d749727 100644
--- a/hieradata/roles/infra/pki/certbot.eyaml
+++ b/hieradata/roles/infra/pki/certbot.eyaml
@@ -1,2 +1,2 @@
 ---
-profiles::certbot::server::contact: ENC[PKCS7,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]
+profiles::certbot::init::contact: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJxDjhvXONEm7VoZ74dBxOPxFAw9RrI2WOK1P5YiIWiXUkoOhQpPzy0PUlI4970ActfTi9Kr9fnyZJWr/7TQ/5GQuYvVxMcfWbOmIOA+6CCjR/PWR06lWQuq7eTmwTzQjw7teFZrpXmqutAMNAUEAmPBBKNKfKbOaFz4IWwph1TuXtXDuveu/RE2+8znWukhF92DuFBJSuw6SMDympdbgceq/guQAInMjIXwmCIa7DWCWYDSKw04Ai8yDnYoqaNRs0acbZV6slH49i/cOE6GKTxO8+vR/3TkjEvKH8lY2l37ndH9+pe58arKflm/Inik0zy0TBnHq7/AMmEpRtV0usTA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBUgafckUM981Pb6hn2/9KMgBAblakRJjULF7aZwx/PT09s]
diff --git a/hieradata/roles/infra/pki/certbot.yaml b/hieradata/roles/infra/pki/certbot.yaml
index d37c8d5..d450604 100644
--- a/hieradata/roles/infra/pki/certbot.yaml
+++ b/hieradata/roles/infra/pki/certbot.yaml
@@ -1,5 +1,5 @@
 ---
-profiles::certbot::server::domains:
+profiles::certbot::init::domains:
   - au-syd1-pve.main.unkin.net
   - au-syd1-pve-api.main.unkin.net
   - sonarr.main.unkin.net
diff --git a/site/profiles/manifests/certbot/haproxy.pp b/site/profiles/manifests/certbot/haproxy.pp
new file mode 100644
index 0000000..5fa264b
--- /dev/null
+++ b/site/profiles/manifests/certbot/haproxy.pp
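Review bot: The new key `profiles::pki::letsencrypt` in syd1.yaml names a defined type (site/profiles/manifests/pki/letsencrypt.pp in this same commit), not a class, so Hiera automatic parameter binding will not consume it; it only takes effect if some manifest does an explicit `lookup('profiles::pki::letsencrypt')`, and that consumer is not visible in this diff. A comment above the key would save the next reader the search, e.g. `# FQDN of the certbot web server that distributes Let's Encrypt material; read via lookup() in <CONSUMER-MANIFEST placeholder>`. Since this pins every host in the region to a single distribution host, it is also worth stating there what happens when that host is unreachable (the `file` fetches in the define would fail on each run).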
@@ -0,0 +1,9 @@
+# profiles::certbot::haproxy
+class profiles::certbot::haproxy {
+  # export haproxy balancemember
+  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8888":
+    service => 'be_letsencrypt',
+    ports => [8888],
+    options => []
+  }
+}
diff --git a/site/profiles/manifests/certbot/init.pp b/site/profiles/manifests/certbot/init.pp
new file mode 100644
index 0000000..e03e311
--- /dev/null
+++ b/site/profiles/manifests/certbot/init.pp
@@ -0,0 +1,11 @@
+# profiles::certbot::init
+class profiles::certbot::init (
+  String $contact,
+  Array[Stdlib::Fqdn] $domains = [],
+) {
+
+  include profiles::certbot::nginx
+  include profiles::certbot::haproxy
+  include profiles::certbot::letsencrypt
+
+}
diff --git a/site/profiles/manifests/certbot/server.pp b/site/profiles/manifests/certbot/letsencrypt.pp
similarity index 60%
rename from site/profiles/manifests/certbot/server.pp
rename to site/profiles/manifests/certbot/letsencrypt.pp
index 30b1179..be9299e 100644
--- a/site/profiles/manifests/certbot/server.pp
+++ b/site/profiles/manifests/certbot/letsencrypt.pp
@@ -1,7 +1,7 @@
-# profiles::certbot::server
-class profiles::certbot::server (
-  String $contact,
-  Array[Stdlib::Fqdn] $domains = [],
+# profiles::certbot::letsencrypt
+class profiles::certbot::letsencrypt (
+  String $contact = $profiles::certbot::init::contact,
+  Array[Stdlib::Fqdn] $domains = $profiles::certbot::init::domains,
 ) {
 
   class { 'letsencrypt':
@@ -22,11 +22,4 @@ class profiles::certbot::server (
       domain => $domain,
     }
   }
-
-  # export haproxy balancemember
-  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8888":
-    service => 'be_letsencrypt',
-    ports => [8888],
-    options => []
-  }
 }
diff --git a/site/profiles/manifests/certbot/nginx.pp b/site/profiles/manifests/certbot/nginx.pp
new file mode 100644
index 0000000..87d2cee
--- /dev/null
+++ b/site/profiles/manifests/certbot/nginx.pp
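Review bot: `$contact` and `$domains` are declared on `profiles::certbot::init` but nothing in its body uses them; they are only read indirectly by the sibling class in the letsencrypt.pp hunk, whose new defaults `$profiles::certbot::init::contact` and `$profiles::certbot::init::domains` resolve only if init has already been evaluated. Anyone who includes `profiles::certbot::letsencrypt` on its own will get `undef` for `$contact` (or a strict-variables failure, depending on the setting), which the `String` type then rejects with a message that does not point at the real cause. Either make the hand-off explicit in init with `class { 'profiles::certbot::letsencrypt': contact => $contact, domains => $domains }` in place of the `include`, or document it on the parameter block: `# $contact/$domains are not used here; profiles::certbot::letsencrypt reads them as class variables, so this class must be included first`.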
@@ -0,0 +1,89 @@
+# profiles::certbot::nginx
+class profiles::certbot::nginx (
+  Stdlib::Absolutepath $data_root = '/var/www/',
+  Stdlib::Fqdn $nginx_vhost = $facts['networking']['fqdn'],
+  Array[Stdlib::Host] $nginx_aliases = [],
+  Stdlib::Port $nginx_port = 80,
+  Stdlib::Port $nginx_ssl_port = 443,
+  Enum['http','https','both'] $nginx_listen_mode = 'https',
+  Enum['puppet', 'vault'] $nginx_cert_type = 'vault',
+) {
+
+  # select the certificates to use based on cert type
+  case $nginx_cert_type {
+    'puppet': {
+      $selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
+      $selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
+    }
+    'vault': {
+      $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
+      $selected_ssl_key = '/etc/pki/tls/vault/private.key'
+    }
+    default: {
+      # enum param prevents this ever being reached
+    }
+  }
+
+  # set variables based on the listen_mode
+  case $nginx_listen_mode {
+    'http': {
+      $enable_ssl = false
+      $ssl_cert = undef
+      $ssl_key = undef
+      $listen_port = $nginx_port
+      $listen_ssl_port = undef
+      $extras_hash = {}
+    }
+    'https': {
+      $enable_ssl = true
+      $ssl_cert = $selected_ssl_cert
+      $ssl_key = $selected_ssl_key
+      $listen_port = $nginx_ssl_port
+      $listen_ssl_port = $nginx_ssl_port
+      $extras_hash = {
+        'subscribe' => [File[$ssl_cert], File[$ssl_key]],
+      }
+    }
+    'both': {
+      $enable_ssl = true
+      $ssl_cert = $selected_ssl_cert
+      $ssl_key = $selected_ssl_key
+      $listen_port = $nginx_port
+      $listen_ssl_port = $nginx_ssl_port
+      $extras_hash = {
+        'subscribe' => [File[$ssl_cert], File[$ssl_key]],
+      }
+    }
+    default: {
+      # enum param prevents this ever being reached
+    }
+  }
+
+  # set the server_names
+  $server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases)
+
+  # define the default parameters for the nginx server
+  $defaults = {
+    'listen_port' => $listen_port,
+    'server_name' => $server_names,
+    'use_default_location' => true,
+    'access_log' => "/var/log/nginx/${nginx_vhost}_access.log",
+    'error_log' => "/var/log/nginx/${nginx_vhost}_error.log",
+    'www_root' => "${data_root}/pub",
+    'autoindex' => 'on',
+    'ssl' => $enable_ssl,
+    'ssl_cert' => $ssl_cert,
+    'ssl_key' => $ssl_key,
+    'ssl_port' => $listen_ssl_port,
+  }
+
+  # merge the hashes conditionally
+  $nginx_parameters = merge($defaults, $extras_hash)
+
+  # manage the nginx class
+  include nginx
+
+  # create the nginx vhost with the merged parameters
+  create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
+
+}
diff --git a/site/profiles/manifests/pki/letsencrypt.pp b/site/profiles/manifests/pki/letsencrypt.pp
new file mode 100644
index 0000000..f639673
--- /dev/null
+++ b/site/profiles/manifests/pki/letsencrypt.pp
@@ -0,0 +1,26 @@
+define profiles::pki::letsencrypt (
+  Stdlib::Fqdn $webserver,
+  Stdlib::Fqdn $domain,
+  Stdlib::Absolutepath $destination = "/etc/pki/tls/letsencrypt/${domain}",
+) {
+
+  file { $destination:
+    ensure => directory,
+    owner => 'root',
+    group => 'root',
+    mode => '0755',
+  }
+
+  $cert_files = ['cert.pem', 'chain.pem', 'fullchain.pem', 'privkey.pem']
+
+  $cert_files.each |String $file| {
+    file { "${destination}/${file}":
+      ensure => file,
+      source => "https://${webserver}/${domain}/${file}",
+      owner => 'root',
+      group => 'root',
+      mode => '0644',
+      require => File[$destination],
+    }
+  }
+}
diff --git a/site/roles/manifests/infra/pki/certbot.pp b/site/roles/manifests/infra/pki/certbot.pp
index 1fa464c..e1cc2e6 100644
--- a/site/roles/manifests/infra/pki/certbot.pp
+++ b/site/roles/manifests/infra/pki/certbot.pp
@@ -6,6 +6,6 @@ class roles::infra::pki::certbot {
   }else{
     include profiles::defaults
     include profiles::base
-    include profiles::certbot::server
+    include profiles::certbot::init
   }
 }