feat: certbot reorg
- moved certbot into its own module - added fact to list available certificates - created systemd timer to rsync data to $data_dir/pub - ensure the $data_dir/pub exists - manage selinux for nginx
This commit is contained in:
@@ -1,15 +0,0 @@
|
||||
# profiles::certbot::cert
|
||||
define profiles::certbot::cert (
|
||||
Stdlib::Fqdn $domain,
|
||||
Array $additional_args = ['--http-01-port=8888'],
|
||||
Boolean $manage_cron = true,
|
||||
) {
|
||||
|
||||
$location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
|
||||
|
||||
@@letsencrypt::certonly { $domain:
|
||||
additional_args => $additional_args,
|
||||
manage_cron => $manage_cron,
|
||||
tag => $location_environment,
|
||||
}
|
||||
}
|
||||
@@ -1,9 +0,0 @@
|
||||
# profiles::certbot::haproxy
|
||||
class profiles::certbot::haproxy {
|
||||
# export haproxy balancemember
|
||||
profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8888":
|
||||
service => 'be_letsencrypt',
|
||||
ports => [8888],
|
||||
options => []
|
||||
}
|
||||
}
|
||||
@@ -1,11 +0,0 @@
|
||||
# profiles::certbot::init
|
||||
class profiles::certbot::init (
|
||||
String $contact,
|
||||
Array[Stdlib::Fqdn] $domains = [],
|
||||
) {
|
||||
|
||||
include profiles::certbot::nginx
|
||||
include profiles::certbot::haproxy
|
||||
include profiles::certbot::letsencrypt
|
||||
|
||||
}
|
||||
@@ -1,25 +0,0 @@
|
||||
# profiles::certbot::letsencrypt
|
||||
class profiles::certbot::letsencrypt (
|
||||
String $contact = $profiles::certbot::init::contact,
|
||||
Array[Stdlib::Fqdn] $domains = $profiles::certbot::init::domains,
|
||||
) {
|
||||
|
||||
class { 'letsencrypt':
|
||||
configure_epel => false,
|
||||
package_ensure => 'latest',
|
||||
email => $contact,
|
||||
}
|
||||
|
||||
# set location_environment
|
||||
$location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
|
||||
|
||||
# collect exported resources
|
||||
Letsencrypt::Certonly <<| tag == $location_environment |>>
|
||||
|
||||
# statically defined certificate
|
||||
$domains.each | $domain | {
|
||||
profiles::certbot::cert {$domain:
|
||||
domain => $domain,
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,89 +0,0 @@
|
||||
# profiles::certbot::nginx
|
||||
class profiles::certbot::nginx (
|
||||
Stdlib::Absolutepath $data_root = '/var/www/',
|
||||
Stdlib::Fqdn $nginx_vhost = $facts['networking']['fqdn'],
|
||||
Array[Stdlib::Host] $nginx_aliases = [],
|
||||
Stdlib::Port $nginx_port = 80,
|
||||
Stdlib::Port $nginx_ssl_port = 443,
|
||||
Enum['http','https','both'] $nginx_listen_mode = 'https',
|
||||
Enum['puppet', 'vault'] $nginx_cert_type = 'vault',
|
||||
) {
|
||||
|
||||
# select the certificates to use based on cert type
|
||||
case $nginx_cert_type {
|
||||
'puppet': {
|
||||
$selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
|
||||
$selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
|
||||
}
|
||||
'vault': {
|
||||
$selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
|
||||
$selected_ssl_key = '/etc/pki/tls/vault/private.key'
|
||||
}
|
||||
default: {
|
||||
# enum param prevents this ever being reached
|
||||
}
|
||||
}
|
||||
|
||||
# set variables based on the listen_mode
|
||||
case $nginx_listen_mode {
|
||||
'http': {
|
||||
$enable_ssl = false
|
||||
$ssl_cert = undef
|
||||
$ssl_key = undef
|
||||
$listen_port = $nginx_port
|
||||
$listen_ssl_port = undef
|
||||
$extras_hash = {}
|
||||
}
|
||||
'https': {
|
||||
$enable_ssl = true
|
||||
$ssl_cert = $selected_ssl_cert
|
||||
$ssl_key = $selected_ssl_key
|
||||
$listen_port = $nginx_ssl_port
|
||||
$listen_ssl_port = $nginx_ssl_port
|
||||
$extras_hash = {
|
||||
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
|
||||
}
|
||||
}
|
||||
'both': {
|
||||
$enable_ssl = true
|
||||
$ssl_cert = $selected_ssl_cert
|
||||
$ssl_key = $selected_ssl_key
|
||||
$listen_port = $nginx_port
|
||||
$listen_ssl_port = $nginx_ssl_port
|
||||
$extras_hash = {
|
||||
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
|
||||
}
|
||||
}
|
||||
default: {
|
||||
# enum param prevents this ever being reached
|
||||
}
|
||||
}
|
||||
|
||||
# set the server_names
|
||||
$server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases)
|
||||
|
||||
# define the default parameters for the nginx server
|
||||
$defaults = {
|
||||
'listen_port' => $listen_port,
|
||||
'server_name' => $server_names,
|
||||
'use_default_location' => true,
|
||||
'access_log' => "/var/log/nginx/${nginx_vhost}_access.log",
|
||||
'error_log' => "/var/log/nginx/${nginx_vhost}_error.log",
|
||||
'www_root' => "${data_root}/pub",
|
||||
'autoindex' => 'on',
|
||||
'ssl' => $enable_ssl,
|
||||
'ssl_cert' => $ssl_cert,
|
||||
'ssl_key' => $ssl_key,
|
||||
'ssl_port' => $listen_ssl_port,
|
||||
}
|
||||
|
||||
# merge the hashes conditionally
|
||||
$nginx_parameters = merge($defaults, $extras_hash)
|
||||
|
||||
# manage the nginx class
|
||||
include nginx
|
||||
|
||||
# create the nginx vhost with the merged parameters
|
||||
create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
|
||||
|
||||
}
|
||||
@@ -48,6 +48,7 @@ class profiles::haproxy::server (
|
||||
require => Class['profiles::haproxy::selinux']
|
||||
}
|
||||
|
||||
include certbot::client # download certbot certs
|
||||
include profiles::haproxy::certlist # manage the certificate list file
|
||||
include profiles::haproxy::mappings # manage the domain to backend mappings
|
||||
include profiles::haproxy::ls_stats # default status listener
|
||||
|
||||
@@ -1,26 +0,0 @@
|
||||
define profiles::pki::letsencrypt (
|
||||
Stdlib::Fqdn $webserver,
|
||||
Stdlib::Fqdn $domain,
|
||||
Stdlib::Absolutepath $destination = "/etc/pki/tls/letsencrypt/${domain}",
|
||||
) {
|
||||
|
||||
file { $destination:
|
||||
ensure => directory,
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0755',
|
||||
}
|
||||
|
||||
$cert_files = ['cert.pem', 'chain.pem', 'fullchain.pem', 'privkey.pem']
|
||||
|
||||
$cert_files.each |String $file| {
|
||||
file { "${destination}/${file}":
|
||||
ensure => file,
|
||||
source => "https://${webserver}/${domain}/${file}",
|
||||
owner => 'root',
|
||||
group => 'root',
|
||||
mode => '0644',
|
||||
require => File[$destination],
|
||||
}
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user