feat: certbot reorg
- moved certbot into its own module - added a fact to list available certificates - created a systemd timer to rsync data to $data_dir/pub - ensured that $data_dir/pub exists - managed SELinux for nginx
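--- /dev/null
+++ b/<PATH_NOT_SHOWN_ON_PAGE>
@@ -0,0 +1,51 @@
+define certbot::client::cert (
+Stdlib::Fqdn $domain,
+Stdlib::Fqdn $webserver,
+Stdlib::Absolutepath $destination = "/etc/pki/tls/letsencrypt/${domain}",
+) {
+
+file { $destination:
+ensure => directory,
+owner => 'root',
+group => 'root',
+mode => '0755',
+}
+
+$cert_ready_nodes = puppetdb_query("
+facts {
+name = 'certbot_available_certs' and value ~ '${domain}' and certname = '${webserver}'
+}"
+)
+
+# Define the certificate files
+$cert_files = ['cert.pem', 'chain.pem', 'fullchain.pem', 'privkey.pem']
+
+if !empty($cert_ready_nodes) {
+$files_to_create = $cert_files.reduce({}) |$acc, $file| {
+$acc + {
+"${destination}/${file}" => {
+ensure => 'file',
+source => "https://${webserver}/${domain}/${file}",
+owner => 'root',
+group => 'root',
+mode => '0644',
+notify => Exec["concat_${domain}_certs"],
+}
+}
+}
+
+create_resources(file, $files_to_create)
+
+exec { "concat_${domain}_certs":
+command => "cat ${destination}/fullchain.pem ${destination}/privkey.pem > ${destination}/fullchain_combined.pem",
+path => ['/bin', '/usr/bin'],
+refreshonly => true,
+require => [
+File["${destination}/fullchain.pem"],
+File["${destination}/privkey.pem"],
+],
+}
+} else {
+notify { 'Certificates are not yet ready on the generator server.': }
+}
+}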
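Review bot: `mode => '0644'` inside the `$files_to_create` reduce is applied to every entry of `$cert_files`, including `privkey.pem`, so the certificate's private key is written world-readable on each client; the same gap affects `fullchain_combined.pem`, which the `concat_${domain}_certs` exec creates via `cat … >` under the agent's umask with no managed mode. Use a per-file selector, `mode => $file ? { 'privkey.pem' => '0600', default => '0644' },`, and give the exec `umask => '077'` (or manage the combined file as a `file` resource with `mode => '0600'`). Because `privkey.pem` is fetched from `https://${webserver}/${domain}/`, any host that can reach that URL can obtain the key unless the server side restricts access; that side is not part of this hunk, so it is worth confirming. Separately, `value ~ '${domain}'` in the puppetdb_query is an unanchored regex in which the FQDN's dots match any character, so a sibling or superstring domain reported by `$webserver` would also satisfy the readiness check; anchoring the pattern and escaping the dots (or using an exact comparison if the fact's value shape allows it) would make the check precise.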
|
||||