From 9db714d02f2e4fc50c254555bf3990aa6ced517c Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 7 Jul 2024 16:12:53 +1000
Subject: [PATCH] feat: manage certbot
- add haproxy backend for be_letsencrypt
- manage the certbot role/profile
- create define to export certificate requests
---
Puppetfile | 1 +
hieradata/roles/infra/halb/haproxy.yaml | 4 +++
hieradata/roles/infra/pki/certbot.eyaml | 2 ++
hieradata/roles/infra/pki/certbot.yaml | 10 +++++++
site/profiles/manifests/certbot/cert.pp | 15 +++++++++++
site/profiles/manifests/certbot/server.pp | 32 +++++++++++++++++++++++
site/roles/manifests/infra/pki/certbot.pp | 11 ++++++++
7 files changed, 75 insertions(+)
create mode 100644 hieradata/roles/infra/pki/certbot.eyaml
create mode 100644 hieradata/roles/infra/pki/certbot.yaml
create mode 100644 site/profiles/manifests/certbot/cert.pp
create mode 100644 site/profiles/manifests/certbot/server.pp
create mode 100644 site/roles/manifests/infra/pki/certbot.pp
diff --git a/Puppetfile b/Puppetfile
index ded5d58..6e43b91 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -38,6 +38,7 @@ mod 'puppet-extlib', '7.0.0'
 mod 'puppet-network', '2.2.0'
 mod 'puppet-kmod', '4.0.1'
 mod 'puppet-filemapper', '4.0.0'
+mod 'puppet-letsencrypt', '11.0.0'
 
 # other
 mod 'ghoneycutt-puppet', '3.3.0'
diff --git a/hieradata/roles/infra/halb/haproxy.yaml b/hieradata/roles/infra/halb/haproxy.yaml
index 7a0cca7..2c9a22d 100644
--- a/hieradata/roles/infra/halb/haproxy.yaml
+++ b/hieradata/roles/infra/halb/haproxy.yaml
@@ -53,6 +53,8 @@ profiles::haproxy::frontends:
 options:
 acl:
 - 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
+use_backend:
+- 'be_letsencrypt if acl-letsencrypt'
 http-request:
 - 'set-header X-Forwarded-Proto https'
 - 'set-header X-Real-IP %[src]'
@@ -68,6 +70,8 @@ profiles::haproxy::frontends:
 options:
 acl:
 - 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
+use_backend:
+- 'be_letsencrypt if acl-letsencrypt'
 http-request:
 - 'set-header X-Forwarded-Proto https'
 - 'set-header X-Real-IP %[src]'
diff --git a/hieradata/roles/infra/pki/certbot.eyaml b/hieradata/roles/infra/pki/certbot.eyaml
new file mode 100644
index 0000000..cd3cd9c
--- /dev/null
+++ b/hieradata/roles/infra/pki/certbot.eyaml
@@ -0,0 +1,2 @@
+---
+profiles::certbot::server::contact: ENC[PKCS7,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]
diff --git a/hieradata/roles/infra/pki/certbot.yaml b/hieradata/roles/infra/pki/certbot.yaml
new file mode 100644
index 0000000..d37c8d5
--- /dev/null
+++ b/hieradata/roles/infra/pki/certbot.yaml
@@ -0,0 +1,10 @@
+---
+profiles::certbot::server::domains:
+- au-syd1-pve.main.unkin.net
+- au-syd1-pve-api.main.unkin.net
+- sonarr.main.unkin.net
+- radarr.main.unkin.net
+- lidarr.main.unkin.net
+- readarr.main.unkin.net
+- prowlarr.main.unkin.net
+- fafflix.unkin.net
diff --git a/site/profiles/manifests/certbot/cert.pp b/site/profiles/manifests/certbot/cert.pp
new file mode 100644
index 0000000..0496095
--- /dev/null
+++ b/site/profiles/manifests/certbot/cert.pp
@@ -0,0 +1,15 @@
+# profiles::certbot::cert
+define profiles::certbot::cert (
+Stdlib::Fqdn $domain,
+Array $additional_args = ['--http-01-port=8888'],
+Boolean $manage_cron = true,
+) {
+
+$location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
+
+@@letsencrypt::certonly { $domain:
+additional_args => $additional_args,
+manage_cron => $manage_cron,
+tag => $location_environment,
+}
+}
diff --git a/site/profiles/manifests/certbot/server.pp b/site/profiles/manifests/certbot/server.pp
new file mode 100644
index 0000000..30b1179
--- /dev/null
+++ b/site/profiles/manifests/certbot/server.pp
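Review bot: `use_backend: be_letsencrypt if acl-letsencrypt` points at a backend that nothing in this hieradata declares, and HAProxy refuses to load a configuration whose `use_backend` target does not exist. If `be_letsencrypt` only comes into being from the balancemember that server.pp exports (and the haproxy profile collects it, which is not visible here), the load balancer's config is invalid until the certbot host has completed a Puppet run, and breaks again if that exported resource is ever purged. Either declare a static `be_letsencrypt` backend in this file (an empty backend is valid and just answers 503) or record the ordering with a comment above the new key, e.g. `# be_letsencrypt is created from the balancemember exported by profiles::certbot::server`. The same applies to the identical hunk at line 53 above, and both frontend definitions continue outside the hunks.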
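Review bot: `Array $additional_args` in profiles::certbot::cert is untyped and is handed verbatim to the certbot command line on whichever node collects the export, so any host whose `country`/`region`/`environment` facts match can push arbitrary certbot flags (and a `@@letsencrypt::certonly` for any `$domain`) that the certbot server then executes; tighten it to `Array[String[1]] $additional_args = ['--http-01-port=8888'],` and note in the header comment that the collecting side, not the exporting node, is the party that should decide which names get issued. Those tag facts are reported by the exporting agent itself, so they are not a trust boundary — presumably acceptable for this estate, but worth saying in the comment. The default `--http-01-port=8888` is also coupled to `ports => [8888]` on the balancemember in server.pp and to the HAProxy routing, so a caller that overrides `additional_args` and drops the flag silently makes every challenge unreachable; add `# must match the be_letsencrypt balancemember port exported by profiles::certbot::server` beside the default.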
@@ -0,0 +1,32 @@
+# profiles::certbot::server
+class profiles::certbot::server (
+String $contact,
+Array[Stdlib::Fqdn] $domains = [],
+) {
+
+class { 'letsencrypt':
+configure_epel => false,
+package_ensure => 'latest',
+email => $contact,
+}
+
+# set location_environment
+$location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
+
+# collect exported resources
+Letsencrypt::Certonly <<| tag == $location_environment |>>
+
+# statically defined certificate
+$domains.each | $domain | {
+profiles::certbot::cert {$domain:
+domain => $domain,
+}
+}
+
+# export haproxy balancemember
+profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8888":
+service => 'be_letsencrypt',
+ports => [8888],
+options => []
+}
+}
diff --git a/site/roles/manifests/infra/pki/certbot.pp b/site/roles/manifests/infra/pki/certbot.pp
new file mode 100644
index 0000000..1fa464c
--- /dev/null
+++ b/site/roles/manifests/infra/pki/certbot.pp
@@ -0,0 +1,11 @@
+# a role to deploy a certbot server
+class roles::infra::pki::certbot {
+if $facts['firstrun'] {
+include profiles::defaults
+include profiles::firstrun::init
+}else{
+include profiles::defaults
+include profiles::base
+include profiles::certbot::server
+}
+}
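Review bot: `package_ensure => 'latest'` upgrades certbot unattended on every Puppet run, so an unreviewed or compromised upstream package lands on the one host that holds the ACME account key and every issued private key; pin it with `package_ensure => 'installed',` (or an explicit version) and bump deliberately. The collector `Letsencrypt::Certonly <<| tag == $location_environment |>>` accepts every export from any node whose self-reported facts match, and any exported title that also appears in `$domains` becomes a duplicate `letsencrypt::certonly` declaration that fails the catalog, so either filter the collector against an allow-list of names or document that `$domains` must not overlap with exported requests. `String $contact` becomes the ACME account e-mail; a `Pattern[/@/]` (or `Stdlib::Email`, if this stdlib version provides it) would reject an empty or malformed value before an account is registered with it.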
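Review bot: `}else{` in roles::infra::pki::certbot should be `} else {`, which is what the Puppet style guide and puppet-lint expect. `include profiles::defaults` is repeated in both branches of `if $facts['firstrun']`, so hoisting it above the conditional leaves only the real difference (firstrun::init versus base plus certbot::server) inside the branches.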