feat: enable retrieval of certbot certs

- refactor certbot
- add nginx to certbot hosts
This commit is contained in:
2024-07-07 22:24:24 +10:00
parent 9db714d02f
commit 30ec8c1bb1
9 changed files with 143 additions and 14 deletions
@@ -0,0 +1,9 @@
# profiles::certbot::haproxy
class profiles::certbot::haproxy {
# export haproxy balancemember
profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8888":
service => 'be_letsencrypt',
ports => [8888],
options => []
}
}
+11
View File
@@ -0,0 +1,11 @@
# profiles::certbot::init
class profiles::certbot::init (
String $contact,
Array[Stdlib::Fqdn] $domains = [],
) {
include profiles::certbot::nginx
include profiles::certbot::haproxy
include profiles::certbot::letsencrypt
}
@@ -1,7 +1,7 @@
# profiles::certbot::server
class profiles::certbot::server (
String $contact,
Array[Stdlib::Fqdn] $domains = [],
# profiles::certbot::letsencrypt
class profiles::certbot::letsencrypt (
String $contact = $profiles::certbot::init::contact,
Array[Stdlib::Fqdn] $domains = $profiles::certbot::init::domains,
) {
class { 'letsencrypt':
@@ -22,11 +22,4 @@ class profiles::certbot::server (
domain => $domain,
}
}
# export haproxy balancemember
profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8888":
service => 'be_letsencrypt',
ports => [8888],
options => []
}
}
+89
View File
@@ -0,0 +1,89 @@
# profiles::certbot::nginx
class profiles::certbot::nginx (
Stdlib::Absolutepath $data_root = '/var/www/',
Stdlib::Fqdn $nginx_vhost = $facts['networking']['fqdn'],
Array[Stdlib::Host] $nginx_aliases = [],
Stdlib::Port $nginx_port = 80,
Stdlib::Port $nginx_ssl_port = 443,
Enum['http','https','both'] $nginx_listen_mode = 'https',
Enum['puppet', 'vault'] $nginx_cert_type = 'vault',
) {
# select the certificates to use based on cert type
case $nginx_cert_type {
'puppet': {
$selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
$selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
}
'vault': {
$selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
$selected_ssl_key = '/etc/pki/tls/vault/private.key'
}
default: {
# enum param prevents this ever being reached
}
}
# set variables based on the listen_mode
case $nginx_listen_mode {
'http': {
$enable_ssl = false
$ssl_cert = undef
$ssl_key = undef
$listen_port = $nginx_port
$listen_ssl_port = undef
$extras_hash = {}
}
'https': {
$enable_ssl = true
$ssl_cert = $selected_ssl_cert
$ssl_key = $selected_ssl_key
$listen_port = $nginx_ssl_port
$listen_ssl_port = $nginx_ssl_port
$extras_hash = {
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
}
}
'both': {
$enable_ssl = true
$ssl_cert = $selected_ssl_cert
$ssl_key = $selected_ssl_key
$listen_port = $nginx_port
$listen_ssl_port = $nginx_ssl_port
$extras_hash = {
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
}
}
default: {
# enum param prevents this ever being reached
}
}
# set the server_names
$server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases)
# define the default parameters for the nginx server
$defaults = {
'listen_port' => $listen_port,
'server_name' => $server_names,
'use_default_location' => true,
'access_log' => "/var/log/nginx/${nginx_vhost}_access.log",
'error_log' => "/var/log/nginx/${nginx_vhost}_error.log",
'www_root' => "${data_root}/pub",
'autoindex' => 'on',
'ssl' => $enable_ssl,
'ssl_cert' => $ssl_cert,
'ssl_key' => $ssl_key,
'ssl_port' => $listen_ssl_port,
}
# merge the hashes conditionally
$nginx_parameters = merge($defaults, $extras_hash)
# manage the nginx class
include nginx
# create the nginx vhost with the merged parameters
create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
}