feat: manage certbot

- add haproxy backend for be_letsencrypt
- manage the certbot role/profile
- create define to export certificate requests

Puppetfile

@@ -38,6 +38,7 @@ mod 'puppet-extlib', '7.0.0'
 mod 'puppet-network', '2.2.0'
 mod 'puppet-kmod', '4.0.1'
 mod 'puppet-filemapper', '4.0.0'
+mod 'puppet-letsencrypt', '11.0.0'
 
 # other
 mod 'ghoneycutt-puppet', '3.3.0'

hieradata/roles/infra/halb/haproxy.yaml

@@ -53,6 +53,8 @@ profiles::haproxy::frontends:
     options:
       acl:
         - 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
+      use_backend:
+        - 'be_letsencrypt if acl-letsencrypt'
       http-request:
         - 'set-header X-Forwarded-Proto https'
         - 'set-header X-Real-IP %[src]'
@@ -68,6 +70,8 @@ profiles::haproxy::frontends:
     options:
       acl:
         - 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
+      use_backend:
+        - 'be_letsencrypt if acl-letsencrypt'
       http-request:
         - 'set-header X-Forwarded-Proto https'
         - 'set-header X-Real-IP %[src]'

hieradata/roles/infra/pki/certbot.eyaml

@@ -0,0 +1,2 @@
+---
+profiles::certbot::server::contact: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJxDjhvXONEm7VoZ74dBxOPxFAw9RrI2WOK1P5YiIWiXUkoOhQpPzy0PUlI4970ActfTi9Kr9fnyZJWr/7TQ/5GQuYvVxMcfWbOmIOA+6CCjR/PWR06lWQuq7eTmwTzQjw7teFZrpXmqutAMNAUEAmPBBKNKfKbOaFz4IWwph1TuXtXDuveu/RE2+8znWukhF92DuFBJSuw6SMDympdbgceq/guQAInMjIXwmCIa7DWCWYDSKw04Ai8yDnYoqaNRs0acbZV6slH49i/cOE6GKTxO8+vR/3TkjEvKH8lY2l37ndH9+pe58arKflm/Inik0zy0TBnHq7/AMmEpRtV0usTA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBUgafckUM981Pb6hn2/9KMgBAblakRJjULF7aZwx/PT09s]

hieradata/roles/infra/pki/certbot.yaml

@@ -0,0 +1,10 @@
+---
+profiles::certbot::server::domains:
+  - au-syd1-pve.main.unkin.net
+  - au-syd1-pve-api.main.unkin.net
+  - sonarr.main.unkin.net
+  - radarr.main.unkin.net
+  - lidarr.main.unkin.net
+  - readarr.main.unkin.net
+  - prowlarr.main.unkin.net
+  - fafflix.unkin.net

site/profiles/manifests/certbot/cert.pp

@@ -0,0 +1,15 @@
+# profiles::certbot::cert
+define profiles::certbot::cert (
+  Stdlib::Fqdn $domain,
+  Array        $additional_args = ['--http-01-port=8888'],
+  Boolean      $manage_cron     = true,
+) {
+
+  $location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
+
+  @@letsencrypt::certonly { $domain:
+    additional_args => $additional_args,
+    manage_cron     => $manage_cron,
+    tag             => $location_environment,
+  }
+}

site/profiles/manifests/certbot/server.pp

@@ -0,0 +1,32 @@
+# profiles::certbot::server
+class profiles::certbot::server (
+  String              $contact,
+  Array[Stdlib::Fqdn] $domains = [],
+) {
+
+  class { 'letsencrypt':
+    configure_epel => false,
+    package_ensure => 'latest',
+    email          => $contact,
+  }
+
+  # set location_environment
+  $location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
+
+  # collect exported resources
+  Letsencrypt::Certonly <<| tag == $location_environment |>>
+
+  # statically defined certificate
+  $domains.each | $domain | {
+    profiles::certbot::cert {$domain:
+      domain => $domain,
+    }
+  }
+
+  # export haproxy balancemember
+  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8888":
+    service => 'be_letsencrypt',
+    ports   => [8888],
+    options => []
+  }
+}

site/roles/manifests/infra/pki/certbot.pp

@@ -0,0 +1,11 @@
+# a role to deploy a certbot server
+class roles::infra::pki::certbot {
+  if $facts['firstrun'] {
+    include profiles::defaults
+    include profiles::firstrun::init
+  }else{
+    include profiles::defaults
+    include profiles::base
+    include profiles::certbot::server
+  }
+}