feat: enable retrieval of certbot certs

- refactor certbot
- add nginx to certbot hosts

hieradata/country/au/region/syd1.yaml

@@ -1,2 +1,3 @@
 ---
 timezone::timezone: 'Australia/Sydney'
+profiles::pki::letsencrypt: ausyd1nxvm1021.main.unkin.net

hieradata/roles/infra/pki/certbot.eyaml

@@ -1,2 +1,2 @@
 ---
-profiles::certbot::server::contact: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJxDjhvXONEm7VoZ74dBxOPxFAw9RrI2WOK1P5YiIWiXUkoOhQpPzy0PUlI4970ActfTi9Kr9fnyZJWr/7TQ/5GQuYvVxMcfWbOmIOA+6CCjR/PWR06lWQuq7eTmwTzQjw7teFZrpXmqutAMNAUEAmPBBKNKfKbOaFz4IWwph1TuXtXDuveu/RE2+8znWukhF92DuFBJSuw6SMDympdbgceq/guQAInMjIXwmCIa7DWCWYDSKw04Ai8yDnYoqaNRs0acbZV6slH49i/cOE6GKTxO8+vR/3TkjEvKH8lY2l37ndH9+pe58arKflm/Inik0zy0TBnHq7/AMmEpRtV0usTA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBUgafckUM981Pb6hn2/9KMgBAblakRJjULF7aZwx/PT09s]
+profiles::certbot::init::contact: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJxDjhvXONEm7VoZ74dBxOPxFAw9RrI2WOK1P5YiIWiXUkoOhQpPzy0PUlI4970ActfTi9Kr9fnyZJWr/7TQ/5GQuYvVxMcfWbOmIOA+6CCjR/PWR06lWQuq7eTmwTzQjw7teFZrpXmqutAMNAUEAmPBBKNKfKbOaFz4IWwph1TuXtXDuveu/RE2+8znWukhF92DuFBJSuw6SMDympdbgceq/guQAInMjIXwmCIa7DWCWYDSKw04Ai8yDnYoqaNRs0acbZV6slH49i/cOE6GKTxO8+vR/3TkjEvKH8lY2l37ndH9+pe58arKflm/Inik0zy0TBnHq7/AMmEpRtV0usTA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBUgafckUM981Pb6hn2/9KMgBAblakRJjULF7aZwx/PT09s]

hieradata/roles/infra/pki/certbot.yaml

@@ -1,5 +1,5 @@
 ---
-profiles::certbot::server::domains:
+profiles::certbot::init::domains:
   - au-syd1-pve.main.unkin.net
   - au-syd1-pve-api.main.unkin.net
   - sonarr.main.unkin.net

site/profiles/manifests/certbot/haproxy.pp

@@ -0,0 +1,9 @@
+# profiles::certbot::haproxy
+class profiles::certbot::haproxy {
+  # export haproxy balancemember
+  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8888":
+    service => 'be_letsencrypt',
+    ports   => [8888],
+    options => []
+  }
+}

site/profiles/manifests/certbot/init.pp

@@ -0,0 +1,11 @@
+# profiles::certbot::init
+class profiles::certbot::init (
+  String              $contact,
+  Array[Stdlib::Fqdn] $domains = [],
+) {
+
+  include profiles::certbot::nginx
+  include profiles::certbot::haproxy
+  include profiles::certbot::letsencrypt
+
+}

site/profiles/manifests/certbot/letsencrypt.pp

@@ -1,7 +1,7 @@
-# profiles::certbot::server
+# profiles::certbot::letsencrypt
-class profiles::certbot::server (
+class profiles::certbot::letsencrypt (
-  String              $contact,
+  String              $contact  = $profiles::certbot::init::contact,
-  Array[Stdlib::Fqdn] $domains = [],
+  Array[Stdlib::Fqdn] $domains  = $profiles::certbot::init::domains,
 ) {
 
   class { 'letsencrypt':
@@ -22,11 +22,4 @@ class profiles::certbot::server (
       domain => $domain,
     }
   }
-
-  # export haproxy balancemember
-  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8888":
-    service => 'be_letsencrypt',
-    ports   => [8888],
-    options => []
-  }
 }

site/profiles/manifests/certbot/nginx.pp

@@ -0,0 +1,89 @@
+# profiles::certbot::nginx
+class profiles::certbot::nginx (
+  Stdlib::Absolutepath  $data_root = '/var/www/',
+  Stdlib::Fqdn $nginx_vhost = $facts['networking']['fqdn'],
+  Array[Stdlib::Host] $nginx_aliases = [],
+  Stdlib::Port $nginx_port = 80,
+  Stdlib::Port $nginx_ssl_port = 443,
+  Enum['http','https','both'] $nginx_listen_mode = 'https',
+  Enum['puppet', 'vault']     $nginx_cert_type = 'vault',
+) {
+
+  # select the certificates to use based on cert type
+  case $nginx_cert_type {
+    'puppet': {
+      $selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
+      $selected_ssl_key  = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
+    }
+    'vault': {
+      $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
+      $selected_ssl_key  = '/etc/pki/tls/vault/private.key'
+    }
+    default: {
+      # enum param prevents this ever being reached
+    }
+  }
+
+  # set variables based on the listen_mode
+  case $nginx_listen_mode {
+    'http': {
+      $enable_ssl = false
+      $ssl_cert = undef
+      $ssl_key = undef
+      $listen_port = $nginx_port
+      $listen_ssl_port = undef
+      $extras_hash = {}
+    }
+    'https': {
+      $enable_ssl = true
+      $ssl_cert = $selected_ssl_cert
+      $ssl_key = $selected_ssl_key
+      $listen_port = $nginx_ssl_port
+      $listen_ssl_port = $nginx_ssl_port
+      $extras_hash = {
+        'subscribe' => [File[$ssl_cert], File[$ssl_key]],
+      }
+    }
+    'both': {
+      $enable_ssl = true
+      $ssl_cert = $selected_ssl_cert
+      $ssl_key = $selected_ssl_key
+      $listen_port = $nginx_port
+      $listen_ssl_port = $nginx_ssl_port
+      $extras_hash = {
+        'subscribe' => [File[$ssl_cert], File[$ssl_key]],
+      }
+    }
+    default: {
+      # enum param prevents this ever being reached
+    }
+  }
+
+  # set the server_names
+  $server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases)
+
+  # define the default parameters for the nginx server
+  $defaults = {
+    'listen_port'          => $listen_port,
+    'server_name'          => $server_names,
+    'use_default_location' => true,
+    'access_log'           => "/var/log/nginx/${nginx_vhost}_access.log",
+    'error_log'            => "/var/log/nginx/${nginx_vhost}_error.log",
+    'www_root'             => "${data_root}/pub",
+    'autoindex'            => 'on',
+    'ssl'                  => $enable_ssl,
+    'ssl_cert'             => $ssl_cert,
+    'ssl_key'              => $ssl_key,
+    'ssl_port'             => $listen_ssl_port,
+  }
+
+  # merge the hashes conditionally
+  $nginx_parameters = merge($defaults, $extras_hash)
+
+  # manage the nginx class
+  include nginx
+
+  # create the nginx vhost with the merged parameters
+  create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
+
+}

site/profiles/manifests/pki/letsencrypt.pp

@@ -0,0 +1,26 @@
+define profiles::pki::letsencrypt (
+  Stdlib::Fqdn          $webserver,
+  Stdlib::Fqdn          $domain,
+  Stdlib::Absolutepath  $destination = "/etc/pki/tls/letsencrypt/${domain}",
+) {
+
+  file { $destination:
+    ensure => directory,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0755',
+  }
+
+  $cert_files = ['cert.pem', 'chain.pem', 'fullchain.pem', 'privkey.pem']
+
+  $cert_files.each |String $file| {
+    file { "${destination}/${file}":
+      ensure  => file,
+      source  => "https://${webserver}/${domain}/${file}",
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0644',
+      require => File[$destination],
+    }
+  }
+}

site/roles/manifests/infra/pki/certbot.pp

@@ -6,6 +6,6 @@ class roles::infra::pki::certbot {
   }else{
     include profiles::defaults
     include profiles::base
-    include profiles::certbot::server
+    include profiles::certbot::init
   }
 }