Merge branch 'develop' into neoloc/nzbget

2024-07-09 22:25:28 +10:00 · 2024-07-09 22:25:28 +10:00 · fd5163d6e6
commit fd5163d6e6
parent d67eba5860 dacd2c6994
23 changed files with 414 additions and 14 deletions
--- a/1
+++ b/1
@ -38,6 +38,7 @@ mod 'puppet-extlib', '7.0.0'
 mod 'puppet-network', '2.2.0'
 mod 'puppet-kmod', '4.0.1'
 mod 'puppet-filemapper', '4.0.0'
+mod 'puppet-letsencrypt', '11.0.0'

 # other
 mod 'ghoneycutt-puppet', '3.3.0'
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@ -132,7 +132,9 @@ lookup_options:
  profiles::nginx::simpleproxy::locations:
    merge:
      strategy: deep
-
+  certbot::client::domains:
+    merge:
+      strategy: deep

 facts_path: '/opt/puppetlabs/facter/facts.d'

--- a/hieradata/country/au/region/syd1.yaml
+++ b/hieradata/country/au/region/syd1.yaml
@ -1,2 +1,3 @@
 ---
 timezone::timezone: 'Australia/Sydney'
+certbot::client::webserver: ausyd1nxvm1021.main.unkin.net
--- a/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
+++ b/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
@ -12,6 +12,7 @@ profiles::haproxy::mappings:
      - 'readarr.main.unkin.net be_readarr'
      - 'prowlarr.main.unkin.net be_prowlarr'
      - 'jellyfin.main.unkin.net be_jellyfin'
+      - 'fafflix.unkin.net be_jellyfin'
  fe_https:
    ensure: present
    mappings:
@ -23,6 +24,7 @@ profiles::haproxy::mappings:
      - 'readarr.main.unkin.net be_readarr'
      - 'prowlarr.main.unkin.net be_prowlarr'
      - 'jellyfin.main.unkin.net be_jellyfin'
+      - 'fafflix.unkin.net be_jellyfin'

 profiles::haproxy::frontends:
  fe_http:
@ -32,12 +34,14 @@ profiles::haproxy::frontends:
  fe_https:
    options:
      acl:
-        - 'acl_ausyd1pve req.hdr(host) -i https://au-syd1-pve.main.unkin.net'
-        - 'acl_sonarr req.hdr(host) -i https://sonarr.main.unkin.net'
-        - 'acl_radarr req.hdr(host) -i https://radarr.main.unkin.net'
-        - 'acl_lidarr req.hdr(host) -i https://lidarr.main.unkin.net'
-        - 'acl_readarr req.hdr(host) -i https://readarr.main.unkin.net'
-        - 'acl_prowlarr req.hdr(host) -i https://prowlarr.main.unkin.net'
+        - 'acl_ausyd1pve req.hdr(host) -i au-syd1-pve.main.unkin.net'
+        - 'acl_sonarr req.hdr(host) -i sonarr.main.unkin.net'
+        - 'acl_radarr req.hdr(host) -i radarr.main.unkin.net'
+        - 'acl_lidarr req.hdr(host) -i lidarr.main.unkin.net'
+        - 'acl_readarr req.hdr(host) -i readarr.main.unkin.net'
+        - 'acl_prowlarr req.hdr(host) -i prowlarr.main.unkin.net'
+        - 'acl_jellyfin req.hdr(host) -i jellyfin.main.unkin.net'
+        - 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
        - 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
      use_backend:
        - "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
@ -50,6 +54,8 @@ profiles::haproxy::frontends:
        - 'set-header X-Frame-Options DENY if acl_lidarr'
        - 'set-header X-Frame-Options DENY if acl_readarr'
        - 'set-header X-Frame-Options DENY if acl_prowlarr'
+        - 'set-header X-Frame-Options DENY if acl_jellyfin'
+        - 'set-header X-Frame-Options DENY if acl_fafflix'
        - 'set-header X-Content-Type-Options nosniff'
        - 'set-header X-XSS-Protection 1;mode=block'

@ -184,10 +190,29 @@ profiles::haproxy::backends:

 profiles::haproxy::certlist::enabled: true
 profiles::haproxy::certlist::certificates:
+  - /etc/pki/tls/letsencrypt/au-syd1-pve.main.unkin.net/fullchain_combined.pem
+  - /etc/pki/tls/letsencrypt/au-syd1-pve-api.main.unkin.net/fullchain_combined.pem
+  - /etc/pki/tls/letsencrypt/sonarr.main.unkin.net/fullchain_combined.pem
+  - /etc/pki/tls/letsencrypt/radarr.main.unkin.net/fullchain_combined.pem
+  - /etc/pki/tls/letsencrypt/lidarr.main.unkin.net/fullchain_combined.pem
+  - /etc/pki/tls/letsencrypt/readarr.main.unkin.net/fullchain_combined.pem
+  - /etc/pki/tls/letsencrypt/prowlarr.main.unkin.net/fullchain_combined.pem
+  - /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/vault/certificate.pem

 # additional altnames
 profiles::pki::vault::alt_names:
+  - au-syd1-pve.main.unkin.net
+  - au-syd1-pve-api.main.unkin.net
+  - jellyfin.main.unkin.net
+
+# additional cnames
+profiles::haproxy::dns::cnames:
+  - au-syd1-pve.main.unkin.net
+  - au-syd1-pve-api.main.unkin.net
+
+# letsencrypt certificates
+certbot::client::domains:
  - au-syd1-pve.main.unkin.net
  - au-syd1-pve-api.main.unkin.net
  - sonarr.main.unkin.net
@ -195,9 +220,4 @@ profiles::pki::vault::alt_names:
  - lidarr.main.unkin.net
  - readarr.main.unkin.net
  - prowlarr.main.unkin.net
-  - jellyfin.main.unkin.net
-
-# additional cnames
-profiles::haproxy::dns::cnames:
-  - au-syd1-pve.main.unkin.net
-  - au-syd1-pve-api.main.unkin.net
+  - fafflix.unkin.net
--- a/hieradata/nodes/ausyd1nxvm1048.main.unkin.net.yaml
+++ b/hieradata/nodes/ausyd1nxvm1048.main.unkin.net.yaml
@ -0,0 +1,7 @@
+---
+networking::interfaces:
+  eth0:
+    ipaddress: 198.18.13.58
+networking::routes:
+  default:
+    gateway: 198.18.13.254
--- a/hieradata/os/AlmaLinux/all_releases.yaml
+++ b/hieradata/os/AlmaLinux/all_releases.yaml
@ -73,4 +73,5 @@ profiles::yum::global::repos:
    target: /etc/yum.repos.d/unkin.repo
    baseurl: https://git.query.consul/api/packages/unkinben/rpm/el%{facts.os.release.major}
    gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
+    gpgcheck: false
    mirrorlist: absent
--- a/hieradata/roles/infra/auth/glauth.yaml
+++ b/hieradata/roles/infra/auth/glauth.yaml
@ -48,7 +48,7 @@ glauth::users:
    user_name: 'benvin'
    givenname: 'Ben'
    sn: 'Vincent'
-    mail: 'ben@users.main.unkin.net'
+    mail: 'benvin@users.main.unkin.net'
    uidnumber: 20000
    primarygroup: 20000
    othergroups:
@ -64,6 +64,23 @@ glauth::users:
    passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
    sshkeys:
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net'
+  matsol:
+    user_name: 'matsol'
+    givenname: 'Matt'
+    sn: 'Solomon'
+    mail: 'matsol@users.main.unkin.net'
+    uidnumber: 20001
+    primarygroup: 20000
+    othergroups:
+      - 20010
+      - 20011
+      - 20012
+      - 20013
+      - 20014
+      - 20015
+    loginshell: '/bin/bash'
+    homedir: '/home/matsol'
+    passsha256: '369263e2455a57c8c21388860c417b640fcf045a303cfc88def18c5197493600'

 glauth::services:
  svc_jellyfin:
--- a/hieradata/roles/infra/halb/haproxy.yaml
+++ b/hieradata/roles/infra/halb/haproxy.yaml
@ -53,6 +53,8 @@ profiles::haproxy::frontends:
    options:
      acl:
        - 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
+      use_backend:
+        - 'be_letsencrypt if acl-letsencrypt'
      http-request:
        - 'set-header X-Forwarded-Proto https'
        - 'set-header X-Real-IP %[src]'
@ -68,6 +70,8 @@ profiles::haproxy::frontends:
    options:
      acl:
        - 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
+      use_backend:
+        - 'be_letsencrypt if acl-letsencrypt'
      http-request:
        - 'set-header X-Forwarded-Proto https'
        - 'set-header X-Real-IP %[src]'
--- a/hieradata/roles/infra/pki/certbot.eyaml
+++ b/hieradata/roles/infra/pki/certbot.eyaml
@ -0,0 +1,2 @@
+---
+certbot::contact: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJxDjhvXONEm7VoZ74dBxOPxFAw9RrI2WOK1P5YiIWiXUkoOhQpPzy0PUlI4970ActfTi9Kr9fnyZJWr/7TQ/5GQuYvVxMcfWbOmIOA+6CCjR/PWR06lWQuq7eTmwTzQjw7teFZrpXmqutAMNAUEAmPBBKNKfKbOaFz4IWwph1TuXtXDuveu/RE2+8znWukhF92DuFBJSuw6SMDympdbgceq/guQAInMjIXwmCIa7DWCWYDSKw04Ai8yDnYoqaNRs0acbZV6slH49i/cOE6GKTxO8+vR/3TkjEvKH8lY2l37ndH9+pe58arKflm/Inik0zy0TBnHq7/AMmEpRtV0usTA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBUgafckUM981Pb6hn2/9KMgBAblakRJjULF7aZwx/PT09s]
--- a/hieradata/roles/infra/pki/certbot.yaml
+++ b/hieradata/roles/infra/pki/certbot.yaml
@ -0,0 +1,14 @@
+---
+hiera_include:
+  - certbot
+  - profiles::pki::puppetcerts
+
+certbot::domains:
+  - au-syd1-pve.main.unkin.net
+  - au-syd1-pve-api.main.unkin.net
+  - sonarr.main.unkin.net
+  - radarr.main.unkin.net
+  - lidarr.main.unkin.net
+  - readarr.main.unkin.net
+  - prowlarr.main.unkin.net
+  - fafflix.unkin.net
--- a/modules/certbot/lib/facter/certbot_available_certs.rb
+++ b/modules/certbot/lib/facter/certbot_available_certs.rb
@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+Facter.add(:certbot_available_certs) do
+  confine enc_role: 'roles::infra::pki::certbot'
+  setcode do
+    certs_dir = '/etc/letsencrypt/live'
+    available_certs = []
+
+    if Dir.exist?(certs_dir)
+      Dir.children(certs_dir).each do |entry|
+        fullchain_pem = File.join(certs_dir, entry, 'fullchain.pem')
+        available_certs << entry if File.exist?(fullchain_pem)
+      end
+    end
+
+    available_certs.join(',')
+  end
+end
--- a/modules/certbot/manifests/cert.pp
+++ b/modules/certbot/manifests/cert.pp
@ -0,0 +1,15 @@
+# certbot::cert
+define certbot::cert (
+  Stdlib::Fqdn $domain,
+  Array        $additional_args = ['--http-01-port=8888'],
+  Boolean      $manage_cron     = true,
+) {
+
+  $location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
+
+  @@letsencrypt::certonly { $domain:
+    additional_args => $additional_args,
+    manage_cron     => $manage_cron,
+    tag             => $location_environment,
+  }
+}
--- a/modules/certbot/manifests/client.pp
+++ b/modules/certbot/manifests/client.pp
@ -0,0 +1,23 @@
+class certbot::client (
+  Array[Stdlib::Fqdn]   $domains,
+  Stdlib::Fqdn          $webserver,
+  Stdlib::Absolutepath  $data_dir = '/etc/pki/tls/letsencrypt/',
+) {
+
+  mkdir::p {$data_dir:}
+  file { $data_dir:
+    ensure => directory,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0755',
+  }
+
+  $domains.each |$domain| {
+    certbot::client::cert {"${facts['networking']['fqdn']}_download_${domain}":
+      domain      => $domain,
+      destination => "${data_dir}/${domain}",
+      webserver   => $webserver,
+      require     => File[$data_dir],
+    }
+  }
+}
--- a/modules/certbot/manifests/client/cert.pp
+++ b/modules/certbot/manifests/client/cert.pp
@ -0,0 +1,51 @@
+define certbot::client::cert (
+  Stdlib::Fqdn          $domain,
+  Stdlib::Fqdn          $webserver,
+  Stdlib::Absolutepath  $destination = "/etc/pki/tls/letsencrypt/${domain}",
+) {
+
+  file { $destination:
+    ensure => directory,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0755',
+  }
+
+  $cert_ready_nodes = puppetdb_query("
+    facts {
+      name = 'certbot_available_certs' and value ~ '${domain}' and certname = '${webserver}'
+    }"
+  )
+
+  # Define the certificate files
+  $cert_files = ['cert.pem', 'chain.pem', 'fullchain.pem', 'privkey.pem']
+
+  if !empty($cert_ready_nodes) {
+    $files_to_create = $cert_files.reduce({}) |$acc, $file| {
+      $acc + {
+        "${destination}/${file}" => {
+          ensure  => 'file',
+          source  => "https://${webserver}/${domain}/${file}",
+          owner   => 'root',
+          group   => 'root',
+          mode    => '0644',
+          notify  => Exec["concat_${domain}_certs"],
+        }
+      }
+    }
+
+    create_resources(file, $files_to_create)
+
+    exec { "concat_${domain}_certs":
+      command     => "cat ${destination}/fullchain.pem ${destination}/privkey.pem > ${destination}/fullchain_combined.pem",
+      path        => ['/bin', '/usr/bin'],
+      refreshonly => true,
+      require     => [
+        File["${destination}/fullchain.pem"],
+        File["${destination}/privkey.pem"],
+      ],
+    }
+  } else {
+    notify { 'Certificates are not yet ready on the generator server.': }
+  }
+}
--- a/modules/certbot/manifests/haproxy.pp
+++ b/modules/certbot/manifests/haproxy.pp
@ -0,0 +1,9 @@
+# certbot::haproxy
+class certbot::haproxy {
+  # export haproxy balancemember
+  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8888":
+    service => 'be_letsencrypt',
+    ports   => [8888],
+    options => []
+  }
+}
--- a/modules/certbot/manifests/init.pp
+++ b/modules/certbot/manifests/init.pp
@ -0,0 +1,19 @@
+# certbot::init
+class certbot (
+  String                $contact,
+  Array[Stdlib::Fqdn]   $domains = [],
+  Stdlib::Absolutepath  $data_root = '/var/www',
+  Stdlib::Fqdn          $nginx_vhost = $facts['networking']['fqdn'],
+  Array[Stdlib::Host]   $nginx_aliases = [],
+  Stdlib::Port          $nginx_port = 80,
+  Stdlib::Port          $nginx_ssl_port = 443,
+  Enum['http','https','both'] $nginx_listen_mode = 'https',
+  Enum['puppet', 'vault']     $nginx_cert_type = 'puppet',
+) {
+
+  include certbot::nginx
+  include certbot::selinux
+  include certbot::haproxy
+  include certbot::letsencrypt
+
+}
--- a/modules/certbot/manifests/letsencrypt.pp
+++ b/modules/certbot/manifests/letsencrypt.pp
@ -0,0 +1,37 @@
+# certbot::letsencrypt
+class certbot::letsencrypt (
+  String                $contact    = $certbot::contact,
+  Array[Stdlib::Fqdn]   $domains    = $certbot::domains,
+  Stdlib::Absolutepath  $data_root  = $certbot::data_root,
+) {
+
+  class { 'letsencrypt':
+    configure_epel => false,
+    package_ensure => 'latest',
+    email          => $contact,
+  }
+
+  # set location_environment
+  $location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
+
+  # collect exported resources
+  Letsencrypt::Certonly <<| tag == $location_environment |>>
+
+  # statically defined certificate
+  $domains.each | $domain | {
+    certbot::cert {$domain:
+      domain  => $domain,
+      require => Class['letsencrypt'],
+    }
+  }
+
+  systemd::timer { 'certbot-syncer.timer':
+    timer_content   => epp('certbot/certbot-syncer.timer.epp'),
+    service_content => epp('certbot/certbot-syncer.service.epp', {
+      'data_root' => $data_root,
+    }),
+    active          => true,
+    enable          => true,
+    require         => Class['letsencrypt'],
+  }
+}
--- a/modules/certbot/manifests/nginx.pp
+++ b/modules/certbot/manifests/nginx.pp
@ -0,0 +1,91 @@
+# certbot::nginx
+class certbot::nginx (
+  Stdlib::Absolutepath  $data_root = $certbot::data_root,
+  Stdlib::Fqdn          $nginx_vhost = $certbot::nginx_vhost,
+  Array[Stdlib::Host]   $nginx_aliases = $certbot::nginx_aliases,
+  Stdlib::Port          $nginx_port = $certbot::nginx_port,
+  Stdlib::Port          $nginx_ssl_port = $certbot::nginx_ssl_port,
+  Enum['http','https','both'] $nginx_listen_mode = $certbot::nginx_listen_mode,
+  Enum['puppet', 'vault']     $nginx_cert_type = $certbot::nginx_cert_type,
+) {
+
+  # select the certificates to use based on cert type
+  case $nginx_cert_type {
+    'puppet': {
+      $selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
+      $selected_ssl_key  = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
+    }
+    'vault': {
+      $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
+      $selected_ssl_key  = '/etc/pki/tls/vault/private.key'
+    }
+    default: {
+      # enum param prevents this ever being reached
+    }
+  }
+
+  # set variables based on the listen_mode
+  case $nginx_listen_mode {
+    'http': {
+      $enable_ssl = false
+      $ssl_cert = undef
+      $ssl_key = undef
+      $listen_port = $nginx_port
+      $listen_ssl_port = undef
+      $extras_hash = {}
+    }
+    'https': {
+      $enable_ssl = true
+      $ssl_cert = $selected_ssl_cert
+      $ssl_key = $selected_ssl_key
+      $listen_port = $nginx_ssl_port
+      $listen_ssl_port = $nginx_ssl_port
+      $extras_hash = {
+        'subscribe' => [File[$ssl_cert], File[$ssl_key]],
+      }
+    }
+    'both': {
+      $enable_ssl = true
+      $ssl_cert = $selected_ssl_cert
+      $ssl_key = $selected_ssl_key
+      $listen_port = $nginx_port
+      $listen_ssl_port = $nginx_ssl_port
+      $extras_hash = {
+        'subscribe' => [File[$ssl_cert], File[$ssl_key]],
+      }
+    }
+    default: {
+      # enum param prevents this ever being reached
+    }
+  }
+
+  mkdir::p {"${data_root}/pub":}
+
+  # set the server_names
+  $server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases)
+
+  # define the default parameters for the nginx server
+  $defaults = {
+    'listen_port'          => $listen_port,
+    'server_name'          => $server_names,
+    'use_default_location' => true,
+    'access_log'           => "/var/log/nginx/${nginx_vhost}_access.log",
+    'error_log'            => "/var/log/nginx/${nginx_vhost}_error.log",
+    'www_root'             => "${data_root}/pub",
+    'autoindex'            => 'on',
+    'ssl'                  => $enable_ssl,
+    'ssl_cert'             => $ssl_cert,
+    'ssl_key'              => $ssl_key,
+    'ssl_port'             => $listen_ssl_port,
+  }
+
+  # merge the hashes conditionally
+  $nginx_parameters = merge($defaults, $extras_hash)
+
+  # manage the nginx class
+  include nginx
+
+  # create the nginx vhost with the merged parameters
+  create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
+
+}
--- a/modules/certbot/manifests/selinux.pp
+++ b/modules/certbot/manifests/selinux.pp
@ -0,0 +1,40 @@
+# certbot::selinux
+class certbot::selinux (
+  Stdlib::Absolutepath  $data_root = $certbot::data_root,
+) {
+
+  if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
+
+    # set httpd_sys_content_t to all files under the www_root
+    selinux::fcontext { "${data_root}/pub":
+      ensure   => 'present',
+      seltype  => 'httpd_sys_content_t',
+      pathspec => "${data_root}/pub(/.*)?",
+    }
+
+    # make sure we can connect to other hosts
+    selboolean { 'httpd_can_network_connect':
+      persistent => true,
+      value      => 'on',
+    }
+    selboolean { 'rsync_client':
+      persistent => true,
+      value      => 'on',
+    }
+    selboolean { 'rsync_export_all_ro':
+      persistent => true,
+      value      => 'on',
+    }
+    selboolean { 'rsync_full_access':
+      persistent => true,
+      value      => 'on',
+    }
+
+    exec { "restorecon_${data_root}/pub":
+      path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+      command     => "restorecon -Rv ${data_root}/pub",
+      refreshonly => true,
+      subscribe   => Selinux::Fcontext["${data_root}/pub"],
+    }
+  }
+}
--- a/modules/certbot/templates/certbot-syncer.service.epp
+++ b/modules/certbot/templates/certbot-syncer.service.epp
@ -0,0 +1,8 @@
+[Unit]
+Description=certbot-syncer service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/rsync --chmod=755 -aL /etc/letsencrypt/live/ <%= $data_root %>/pub/
+User=root
+Group=root
--- a/modules/certbot/templates/certbot-syncer.timer.epp
+++ b/modules/certbot/templates/certbot-syncer.timer.epp
@ -0,0 +1,9 @@
+[Unit]
+Description=certbot-syncer timer
+
+[Timer]
+OnCalendar=hourly
+Persistent=true
+
+[Install]
+WantedBy=timers.target
--- a/site/profiles/manifests/haproxy/server.pp
+++ b/site/profiles/manifests/haproxy/server.pp
@ -48,6 +48,7 @@ class profiles::haproxy::server (
      require          => Class['profiles::haproxy::selinux']
    }

+    include certbot::client              # download certbot certs
    include profiles::haproxy::certlist  # manage the certificate list file
    include profiles::haproxy::mappings  # manage the domain to backend mappings
    include profiles::haproxy::ls_stats  # default status listener
--- a/site/roles/manifests/infra/pki/certbot.pp
+++ b/site/roles/manifests/infra/pki/certbot.pp
@ -0,0 +1,10 @@
+# a role to deploy a certbot server
+class roles::infra::pki::certbot {
+  if $facts['firstrun'] {
+    include profiles::defaults
+    include profiles::firstrun::init
+  }else{
+    include profiles::defaults
+    include profiles::base
+  }
+}