diff --git a/Puppetfile b/Puppetfile
index ded5d58..6e43b91 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -38,6 +38,7 @@ mod 'puppet-extlib', '7.0.0'
mod 'puppet-network', '2.2.0'
mod 'puppet-kmod', '4.0.1'
mod 'puppet-filemapper', '4.0.0'
+mod 'puppet-letsencrypt', '11.0.0'
# other
mod 'ghoneycutt-puppet', '3.3.0'
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 17e2ae0..ad6c16f 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -132,7 +132,9 @@ lookup_options:
profiles::nginx::simpleproxy::locations:
merge:
strategy: deep
-
+ certbot::client::domains:
+ merge:
+ strategy: deep
facts_path: '/opt/puppetlabs/facter/facts.d'
diff --git a/hieradata/country/au/region/syd1.yaml b/hieradata/country/au/region/syd1.yaml
index 2a744b7..4175d66 100644
--- a/hieradata/country/au/region/syd1.yaml
+++ b/hieradata/country/au/region/syd1.yaml
@@ -1,2 +1,3 @@ --- timezone::timezone: 'Australia/Sydney'
+certbot::client::webserver: ausyd1nxvm1021.main.unkin.net
diff --git a/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml b/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
index c6e3cd1..78e59fc 100644
--- a/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
+++ b/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
@@ -12,6 +12,7 @@ profiles::haproxy::mappings: - 'readarr.main.unkin.net be_readarr' - 'prowlarr.main.unkin.net be_prowlarr' - 'jellyfin.main.unkin.net be_jellyfin'
+ - 'fafflix.unkin.net be_jellyfin'
fe_https:
ensure: present
mappings:
@@ -23,6 +24,7 @@ profiles::haproxy::mappings: - 'readarr.main.unkin.net be_readarr' - 'prowlarr.main.unkin.net be_prowlarr' - 'jellyfin.main.unkin.net be_jellyfin'
+ - 'fafflix.unkin.net be_jellyfin'
profiles::haproxy::frontends:
fe_http:
@@ -32,12 +34,14 @@ profiles::haproxy::frontends: fe_https: options: acl: - - 'acl_ausyd1pve req.hdr(host) -i https://au-syd1-pve.main.unkin.net' - - 'acl_sonarr req.hdr(host) -i https://sonarr.main.unkin.net' - - 'acl_radarr req.hdr(host) -i https://radarr.main.unkin.net' - - 'acl_lidarr req.hdr(host) -i https://lidarr.main.unkin.net' - - 'acl_readarr req.hdr(host) -i https://readarr.main.unkin.net' - - 'acl_prowlarr req.hdr(host) -i https://prowlarr.main.unkin.net' + - 'acl_ausyd1pve req.hdr(host) -i au-syd1-pve.main.unkin.net' + - 'acl_sonarr req.hdr(host) -i sonarr.main.unkin.net' + - 'acl_radarr req.hdr(host) -i radarr.main.unkin.net' + - 'acl_lidarr req.hdr(host) -i lidarr.main.unkin.net' + - 'acl_readarr req.hdr(host) -i readarr.main.unkin.net' + - 'acl_prowlarr req.hdr(host) -i prowlarr.main.unkin.net' + - 'acl_jellyfin req.hdr(host) -i jellyfin.main.unkin.net' + - 'acl_fafflix req.hdr(host) -i fafflix.unkin.net' - 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24' use_backend: - "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]" @@ -50,6 +54,8 @@ profiles::haproxy::frontends: - 'set-header X-Frame-Options DENY if acl_lidarr' - 'set-header X-Frame-Options DENY if acl_readarr' - 'set-header X-Frame-Options DENY if acl_prowlarr' + - 'set-header X-Frame-Options DENY if acl_jellyfin' + - 'set-header X-Frame-Options DENY if acl_fafflix' - 'set-header X-Content-Type-Options nosniff' - 'set-header X-XSS-Protection 1;mode=block' 
@@ -184,10 +190,29 @@ profiles::haproxy::backends: profiles::haproxy::certlist::enabled: true profiles::haproxy::certlist::certificates: + - /etc/pki/tls/letsencrypt/au-syd1-pve.main.unkin.net/fullchain_combined.pem + - /etc/pki/tls/letsencrypt/au-syd1-pve-api.main.unkin.net/fullchain_combined.pem + - /etc/pki/tls/letsencrypt/sonarr.main.unkin.net/fullchain_combined.pem + - /etc/pki/tls/letsencrypt/radarr.main.unkin.net/fullchain_combined.pem + - /etc/pki/tls/letsencrypt/lidarr.main.unkin.net/fullchain_combined.pem + - /etc/pki/tls/letsencrypt/readarr.main.unkin.net/fullchain_combined.pem + - /etc/pki/tls/letsencrypt/prowlarr.main.unkin.net/fullchain_combined.pem + - /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem - /etc/pki/tls/vault/certificate.pem # additional altnames profiles::pki::vault::alt_names: + - au-syd1-pve.main.unkin.net + - au-syd1-pve-api.main.unkin.net + - jellyfin.main.unkin.net + +# additional cnames +profiles::haproxy::dns::cnames: + - au-syd1-pve.main.unkin.net + - au-syd1-pve-api.main.unkin.net + +# letsencrypt certificates +certbot::client::domains: - au-syd1-pve.main.unkin.net - au-syd1-pve-api.main.unkin.net - sonarr.main.unkin.net @@ -195,9 +220,4 @@ profiles::pki::vault::alt_names: - lidarr.main.unkin.net - readarr.main.unkin.net - prowlarr.main.unkin.net - - jellyfin.main.unkin.net - -# additional cnames -profiles::haproxy::dns::cnames: - - au-syd1-pve.main.unkin.net - - au-syd1-pve-api.main.unkin.net + - fafflix.unkin.net diff --git a/hieradata/nodes/ausyd1nxvm1048.main.unkin.net.yaml b/hieradata/nodes/ausyd1nxvm1048.main.unkin.net.yaml new file mode 100644 index 0000000..76a36c5 --- /dev/null +++ b/hieradata/nodes/ausyd1nxvm1048.main.unkin.net.yaml @@ -0,0 +1,7 @@ +--- +networking::interfaces: + eth0: + ipaddress: 198.18.13.58 +networking::routes: + default: + gateway: 198.18.13.254 \ No newline at end of file 
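Review bot: The eight `/etc/pki/tls/letsencrypt/<domain>/fullchain_combined.pem` entries added to `profiles::haproxy::certlist::certificates` name files that `certbot::client::cert` only creates after PuppetDB reports the certificate as available on the generator, so on a freshly built load balancer, or for a newly added domain such as `fafflix.unkin.net`, the crt-list will reference files that do not exist yet; if the certlist profile writes the list verbatim, HAProxy rejects the whole configuration on a missing certificate instead of skipping the entry. Consider deriving this list from the same readiness check (or from the `certbot_available_certs` fact) rather than hard-coding it here, or at least documenting the bootstrap order with a comment such as `# paths below exist only once certbot::client::cert has downloaded them - first run needs the vault cert alone`. A smaller point: `jellyfin.main.unkin.net` stays on the vault alt-name list while `fafflix.unkin.net` is routed to the same `be_jellyfin` backend with a Let's Encrypt certificate; a one-line comment recording why the two hostnames use different issuers would save the next reader a lookup.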
diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml
index c20b8bb..ef1ac42 100644
--- a/hieradata/os/AlmaLinux/all_releases.yaml
+++ b/hieradata/os/AlmaLinux/all_releases.yaml
@@ -73,4 +73,5 @@ profiles::yum::global::repos:
target: /etc/yum.repos.d/unkin.repo
baseurl: https://git.query.consul/api/packages/unkinben/rpm/el%{facts.os.release.major}
gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
+ gpgcheck: false
mirrorlist: absent
diff --git a/hieradata/roles/infra/auth/glauth.yaml b/hieradata/roles/infra/auth/glauth.yaml
index b8ef783..cfa697c 100644
--- a/hieradata/roles/infra/auth/glauth.yaml
+++ b/hieradata/roles/infra/auth/glauth.yaml
@@ -48,7 +48,7 @@ glauth::users:
user_name: 'benvin'
givenname: 'Ben'
sn: 'Vincent'
- mail: 'ben@users.main.unkin.net'
+ mail: 'benvin@users.main.unkin.net'
uidnumber: 20000
primarygroup: 20000
othergroups:
@@ -64,6 +64,23 @@ glauth::users:
passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
sshkeys: - 'ssh-rsa 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 ben@unkin.net'
+ matsol:
+ user_name: 'matsol'
+ givenname: 'Matt'
+ sn: 'Solomon'
+ mail: 'matsol@users.main.unkin.net'
+ uidnumber: 20001
+ primarygroup: 20000
+ othergroups:
+ - 20010
+ - 20011
+ - 20012
+ - 20013
+ - 20014
+ - 20015
+ loginshell: '/bin/bash'
+ homedir: '/home/matsol'
+ passsha256: '369263e2455a57c8c21388860c417b640fcf045a303cfc88def18c5197493600'
glauth::services:
svc_jellyfin:
diff --git a/hieradata/roles/infra/halb/haproxy.yaml b/hieradata/roles/infra/halb/haproxy.yaml
index 7a0cca7..2c9a22d 100644
--- a/hieradata/roles/infra/halb/haproxy.yaml
+++ b/hieradata/roles/infra/halb/haproxy.yaml
@@ -53,6 +53,8 @@ profiles::haproxy::frontends: options: acl: - 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
+ use_backend:
+ - 'be_letsencrypt if acl-letsencrypt'
http-request: - 'set-header X-Forwarded-Proto https' - 'set-header X-Real-IP %[src]'
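Review bot: `gpgcheck: false` on the `unkin` repository in all_releases.yaml turns off signature verification for every package installed from `git.query.consul`, even though the same stanza still publishes a `gpgkey`; a compromised or mis-served package host could then push arbitrary RPMs to every AlmaLinux node without any check. If the internally built packages are unsigned, the better fix is to sign them and leave the check on, since the key distribution is already wired up; if the check really has to stay off, record the reason beside it, e.g. `gpgcheck: false # unsigned internal builds, see <ticket placeholder>`, so the exception is deliberate and reviewable.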
@@ -68,6 +70,8 @@ profiles::haproxy::frontends: options: acl: - 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
+ use_backend:
+ - 'be_letsencrypt if acl-letsencrypt'
http-request: - 'set-header X-Forwarded-Proto https' - 'set-header X-Real-IP %[src]'
diff --git a/hieradata/roles/infra/pki/certbot.eyaml b/hieradata/roles/infra/pki/certbot.eyaml
new file mode 100644
index 0000000..12da70b
--- /dev/null
+++ b/hieradata/roles/infra/pki/certbot.eyaml
@@ -0,0 +1,2 @@
+---
+certbot::contact: ENC[PKCS7,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]
diff --git a/hieradata/roles/infra/pki/certbot.yaml b/hieradata/roles/infra/pki/certbot.yaml
new file mode 100644
index 0000000..40d8cba
--- /dev/null
+++ b/hieradata/roles/infra/pki/certbot.yaml
@@ -0,0 +1,14 @@
+---
+hiera_include:
+ - certbot
+ - profiles::pki::puppetcerts
+
+certbot::domains:
+ - au-syd1-pve.main.unkin.net
+ - au-syd1-pve-api.main.unkin.net
+ - sonarr.main.unkin.net
+ - radarr.main.unkin.net
+ - lidarr.main.unkin.net
+ - readarr.main.unkin.net
+ - prowlarr.main.unkin.net
+ - fafflix.unkin.net
diff --git a/modules/certbot/lib/facter/certbot_available_certs.rb b/modules/certbot/lib/facter/certbot_available_certs.rb
new file mode 100644
index 0000000..cfbe2af
--- /dev/null
+++ b/modules/certbot/lib/facter/certbot_available_certs.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+Facter.add(:certbot_available_certs) do
+ confine enc_role: 'roles::infra::pki::certbot'
+ setcode do
+ certs_dir = '/etc/letsencrypt/live'
+ available_certs = []
+
+ if Dir.exist?(certs_dir)
+ Dir.children(certs_dir).each do |entry|
+ fullchain_pem = File.join(certs_dir, entry, 'fullchain.pem')
+ available_certs << entry if File.exist?(fullchain_pem)
+ end
+ end
+
+ available_certs.join(',')
+ end
+end
diff --git a/modules/certbot/manifests/cert.pp b/modules/certbot/manifests/cert.pp
new file mode 100644
index 0000000..f923769
--- /dev/null
+++ b/modules/certbot/manifests/cert.pp
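Review bot: `certbot_available_certs` flattens the lineage directory names into one comma-joined string, and its only consumer (`certbot::client::cert` later in this commit) tests it with an unanchored PQL regex, `value ~ '${domain}'`, in which the domain's dots are unescaped; `sonarr.main.unkin.net` therefore also matches any entry that merely contains that text with arbitrary characters in the dot positions, and certbot can name a lineage with a numeric suffix rather than the bare domain, so the match is loose in both directions. Keeping the string form but querying with delimiters and an escaped pattern, `value ~ '(^|,)${regexpescape($domain)}(,|$)'` (stdlib's `regexpescape`), makes the readiness check exact; alternatively return `available_certs` as an array and compare elements. A short header comment stating the contract would also help, e.g. `# Comma-separated list of /etc/letsencrypt/live/<lineage> entries that have a fullchain.pem; consumed by certbot::client::cert via PuppetDB.`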
@@ -0,0 +1,15 @@
+# certbot::cert
+define certbot::cert (
+ Stdlib::Fqdn $domain,
+ Array $additional_args = ['--http-01-port=8888'],
+ Boolean $manage_cron = true,
+) {
+
+ $location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
+
+ @@letsencrypt::certonly { $domain:
+ additional_args => $additional_args,
+ manage_cron => $manage_cron,
+ tag => $location_environment,
+ }
+}
diff --git a/modules/certbot/manifests/client.pp b/modules/certbot/manifests/client.pp
new file mode 100644
index 0000000..3ca6ef3
--- /dev/null
+++ b/modules/certbot/manifests/client.pp
@@ -0,0 +1,23 @@
+class certbot::client (
+ Array[Stdlib::Fqdn] $domains,
+ Stdlib::Fqdn $webserver,
+ Stdlib::Absolutepath $data_dir = '/etc/pki/tls/letsencrypt/',
+) {
+
+ mkdir::p {$data_dir:}
+ file { $data_dir:
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ }
+
+ $domains.each |$domain| {
+ certbot::client::cert {"${facts['networking']['fqdn']}_download_${domain}":
+ domain => $domain,
+ destination => "${data_dir}/${domain}",
+ webserver => $webserver,
+ require => File[$data_dir],
+ }
+ }
+}
diff --git a/modules/certbot/manifests/client/cert.pp b/modules/certbot/manifests/client/cert.pp
new file mode 100644
index 0000000..b4773dd
--- /dev/null
+++ b/modules/certbot/manifests/client/cert.pp
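Review bot: The `# certbot::cert` header on the define documents nothing about its contract, and the one thing a reader needs is not visible from the body alone: the exported `@@letsencrypt::certonly` is tagged `country-region-environment` and is collected on that tag by `certbot::letsencrypt`, so a node whose `country`/`region`/`environment` facts differ from the generator's will export a resource that is never realised. Replace the header with a puppet-strings block describing `$domain`, `$additional_args` (why the default is `--http-01-port=8888`, i.e. the port the HAProxy `be_letsencrypt` backend forwards ACME challenges to) and `$manage_cron`, and a sentence on the tag-based collection, e.g. `# Exports a letsencrypt::certonly for $domain, tagged with the node's country-region-environment so the matching certbot::letsencrypt generator collects it.`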
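Review bot: `$data_dir` is managed twice in `certbot::client`, by `mkdir::p {$data_dir:}` and by the `file { $data_dir: }` resource immediately below it, and its default `'/etc/pki/tls/letsencrypt/'` carries a trailing slash, so every derived `destination => "${data_dir}/${domain}"` and hence every `File[...]` title inside `certbot::client::cert` contains `//`, which anything referencing those resources must reproduce exactly. Dropping the slash, `Stdlib::Absolutepath $data_dir = '/etc/pki/tls/letsencrypt',`, and keeping only the `file` resource (sufficient when `/etc/pki/tls` already exists, which it does on EL hosts) removes both issues. Note also that `$domains` and `$webserver` have no defaults, so any node that includes this class must have both keys in hieradata; a `# @param` block saying so would make the dependency on `certbot::client::webserver` explicit.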
@@ -0,0 +1,51 @@
+define certbot::client::cert (
+ Stdlib::Fqdn $domain,
+ Stdlib::Fqdn $webserver,
+ Stdlib::Absolutepath $destination = "/etc/pki/tls/letsencrypt/${domain}",
+) {
+
+ file { $destination:
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ }
+
+ $cert_ready_nodes = puppetdb_query("
+ facts {
+ name = 'certbot_available_certs' and value ~ '${domain}' and certname = '${webserver}'
+ }"
+ )
+
+ # Define the certificate files
+ $cert_files = ['cert.pem', 'chain.pem', 'fullchain.pem', 'privkey.pem']
+
+ if !empty($cert_ready_nodes) {
+ $files_to_create = $cert_files.reduce({}) |$acc, $file| {
+ $acc + {
+ "${destination}/${file}" => {
+ ensure => 'file',
+ source => "https://${webserver}/${domain}/${file}",
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ notify => Exec["concat_${domain}_certs"],
+ }
+ }
+ }
+
+ create_resources(file, $files_to_create)
+
+ exec { "concat_${domain}_certs":
+ command => "cat ${destination}/fullchain.pem ${destination}/privkey.pem > ${destination}/fullchain_combined.pem",
+ path => ['/bin', '/usr/bin'],
+ refreshonly => true,
+ require => [
+ File["${destination}/fullchain.pem"],
+ File["${destination}/privkey.pem"],
+ ],
+ }
+ } else {
+ notify { 'Certificates are not yet ready on the generator server.': }
+ }
+}
diff --git a/modules/certbot/manifests/haproxy.pp b/modules/certbot/manifests/haproxy.pp
new file mode 100644
index 0000000..ea61ad5
--- /dev/null
+++ b/modules/certbot/manifests/haproxy.pp
@@ -0,0 +1,9 @@
+# certbot::haproxy
+class certbot::haproxy {
+ # export haproxy balancemember
+ profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8888":
+ service => 'be_letsencrypt',
+ ports => [8888],
+ options => []
+ }
+}
diff --git a/modules/certbot/manifests/init.pp b/modules/certbot/manifests/init.pp
new file mode 100644
index 0000000..a32914f
--- /dev/null
+++ b/modules/certbot/manifests/init.pp
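Review bot: The `reduce` in `certbot::client::cert` applies `mode => '0644'` uniformly, so `privkey.pem` lands on the load balancer world-readable, and the `concat_${domain}_certs` exec writes `fullchain_combined.pem` (key included) with whatever umask the agent runs under, so that file is typically 0644 as well; HAProxy normally reads its certificates before dropping privileges, so 0600/root is sufficient for both. A second defect in the same define: the `notify` in the `else` branch uses a fixed title, so the moment two domains are not yet ready on the generator the catalog fails with a duplicate resource declaration rather than reporting the wait. The rewrite below picks the mode per file, sets `umask => '077'` on the exec, and puts the domain in the notify title; `source => "https://${webserver}/..."` also deserves a comment stating which CA the agent validates that endpoint against (the generator's vhost uses the Puppet or vault certificate, per `certbot::nginx`), as a mismatch would fail the fetch silently on every run.
```puppet
  if !empty($cert_ready_nodes) {
    $files_to_create = $cert_files.reduce({}) |$acc, $file| {
      # the private key must never be group/world readable; the public parts may be
      $file_mode = $file ? {
        'privkey.pem' => '0600',
        default       => '0644',
      }
      $acc + {
        "${destination}/${file}" => {
          ensure => 'file',
          source => "https://${webserver}/${domain}/${file}",
          owner  => 'root',
          group  => 'root',
          mode   => $file_mode,
          notify => Exec["concat_${domain}_certs"],
        }
      }
    }

    create_resources(file, $files_to_create)

    exec { "concat_${domain}_certs":
      command     => "cat ${destination}/fullchain.pem ${destination}/privkey.pem > ${destination}/fullchain_combined.pem",
      path        => ['/bin', '/usr/bin'],
      refreshonly => true,
      umask       => '077', # combined file carries the key: create it 0600
      # … unchanged: require => [File[fullchain.pem], File[privkey.pem]] …
    }
  } else {
    # one notify per domain so several pending domains do not collide on the title
    notify { "certbot_${domain}_not_ready":
      message => "Certificates for ${domain} are not yet ready on the generator server.",
    }
  }
```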
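Review bot: The comment `# export haproxy balancemember` in `certbot::haproxy` says the member is exported, but the declaration `profiles::haproxy::balancemember { ... }` is a plain local one (no `@@`), so unless the `profiles::haproxy::balancemember` define exports on the caller's behalf, no load balancer will ever collect this node into `be_letsencrypt` and the ACME challenges routed there by the `use_backend` rule in this commit will have no server. I cannot see the define from here; if it does export internally, make the comment say so, e.g. `# profiles::haproxy::balancemember exports the member for the HA load balancers to collect`, otherwise prefix the declaration with `@@`.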
@@ -0,0 +1,19 @@
+# certbot::init
+class certbot (
+ String $contact,
+ Array[Stdlib::Fqdn] $domains = [],
+ Stdlib::Absolutepath $data_root = '/var/www',
+ Stdlib::Fqdn $nginx_vhost = $facts['networking']['fqdn'],
+ Array[Stdlib::Host] $nginx_aliases = [],
+ Stdlib::Port $nginx_port = 80,
+ Stdlib::Port $nginx_ssl_port = 443,
+ Enum['http','https','both'] $nginx_listen_mode = 'https',
+ Enum['puppet', 'vault'] $nginx_cert_type = 'puppet',
+) {
+
+ include certbot::nginx
+ include certbot::selinux
+ include certbot::haproxy
+ include certbot::letsencrypt
+
+}
diff --git a/modules/certbot/manifests/letsencrypt.pp b/modules/certbot/manifests/letsencrypt.pp
new file mode 100644
index 0000000..29b6c47
--- /dev/null
+++ b/modules/certbot/manifests/letsencrypt.pp
@@ -0,0 +1,37 @@
+# certbot::letsencrypt
+class certbot::letsencrypt (
+ String $contact = $certbot::contact,
+ Array[Stdlib::Fqdn] $domains = $certbot::domains,
+ Stdlib::Absolutepath $data_root = $certbot::data_root,
+) {
+
+ class { 'letsencrypt':
+ configure_epel => false,
+ package_ensure => 'latest',
+ email => $contact,
+ }
+
+ # set location_environment
+ $location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
+
+ # collect exported resources
+ Letsencrypt::Certonly <<| tag == $location_environment |>>
+
+ # statically defined certificate
+ $domains.each | $domain | {
+ certbot::cert {$domain:
+ domain => $domain,
+ require => Class['letsencrypt'],
+ }
+ }
+
+ systemd::timer { 'certbot-syncer.timer':
+ timer_content => epp('certbot/certbot-syncer.timer.epp'),
+ service_content => epp('certbot/certbot-syncer.service.epp', {
+ 'data_root' => $data_root,
+ }),
+ active => true,
+ enable => true,
+ require => Class['letsencrypt'],
+ }
+}
diff --git a/modules/certbot/manifests/nginx.pp b/modules/certbot/manifests/nginx.pp
new file mode 100644
index 0000000..5170aff
--- /dev/null
+++ b/modules/certbot/manifests/nginx.pp
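Review bot: `class certbot` is the public entry point of the module and declares nine parameters, yet the only documentation is the bare `# certbot::init` line; since every one of `$data_root`, `$nginx_*` is read back by the sub-classes through `$certbot::...`, a reader has no single place that explains what they control. A puppet-strings block would cover it: `@param contact` (the ACME account e-mail passed to the `letsencrypt` class), `@param domains` (names issued locally, in addition to those collected from exporting nodes), `@param data_root` (parent of the `pub/` web root the syncer timer fills), and one line each for the nginx listener options, noting that `nginx_listen_mode` defaults to `'https'` and `nginx_cert_type` selects between the Puppet-issued and vault-issued certificate for that listener.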
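Review bot: `package_ensure => 'latest'` on the `letsencrypt` class in `certbot::letsencrypt` upgrades the certbot package on every agent run as soon as the repository carries a newer build, so the ACME client that holds every private key on this host changes outside of change control and a bad upstream release is picked up immediately; `package_ensure => 'installed'` (or a version pinned in hieradata) keeps upgrades deliberate. Two smaller points in the same class: the collector `Letsencrypt::Certonly <<| tag == $location_environment |>>` also realises what this node itself exports through the `$domains` loop below it, which is fine but surprising enough to deserve a comment, and the loop declares `certbot::cert {$domain:` with `require => Class['letsencrypt']`, so `# statically defined certificate` would read better as `# domains issued directly on this generator; exported like the remote ones and realised by the collector above`.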
@@ -0,0 +1,91 @@
+# certbot::nginx
+class certbot::nginx (
+ Stdlib::Absolutepath $data_root = $certbot::data_root,
+ Stdlib::Fqdn $nginx_vhost = $certbot::nginx_vhost,
+ Array[Stdlib::Host] $nginx_aliases = $certbot::nginx_aliases,
+ Stdlib::Port $nginx_port = $certbot::nginx_port,
+ Stdlib::Port $nginx_ssl_port = $certbot::nginx_ssl_port,
+ Enum['http','https','both'] $nginx_listen_mode = $certbot::nginx_listen_mode,
+ Enum['puppet', 'vault'] $nginx_cert_type = $certbot::nginx_cert_type,
+) {
+
+ # select the certificates to use based on cert type
+ case $nginx_cert_type {
+ 'puppet': {
+ $selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
+ $selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
+ }
+ 'vault': {
+ $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
+ $selected_ssl_key = '/etc/pki/tls/vault/private.key'
+ }
+ default: {
+ # enum param prevents this ever being reached
+ }
+ }
+
+ # set variables based on the listen_mode
+ case $nginx_listen_mode {
+ 'http': {
+ $enable_ssl = false
+ $ssl_cert = undef
+ $ssl_key = undef
+ $listen_port = $nginx_port
+ $listen_ssl_port = undef
+ $extras_hash = {}
+ }
+ 'https': {
+ $enable_ssl = true
+ $ssl_cert = $selected_ssl_cert
+ $ssl_key = $selected_ssl_key
+ $listen_port = $nginx_ssl_port
+ $listen_ssl_port = $nginx_ssl_port
+ $extras_hash = {
+ 'subscribe' => [File[$ssl_cert], File[$ssl_key]],
+ }
+ }
+ 'both': {
+ $enable_ssl = true
+ $ssl_cert = $selected_ssl_cert
+ $ssl_key = $selected_ssl_key
+ $listen_port = $nginx_port
+ $listen_ssl_port = $nginx_ssl_port
+ $extras_hash = {
+ 'subscribe' => [File[$ssl_cert], File[$ssl_key]],
+ }
+ }
+ default: {
+ # enum param prevents this ever being reached
+ }
+ }
+
+ mkdir::p {"${data_root}/pub":}
+
+ # set the server_names
+ $server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases)
+
+ # define the default parameters for the nginx server
+ $defaults = {
+ 'listen_port' => $listen_port,
+ 'server_name' => $server_names,
+ 'use_default_location' => true,
+ 'access_log' => "/var/log/nginx/${nginx_vhost}_access.log",
+ 'error_log' => "/var/log/nginx/${nginx_vhost}_error.log",
+ 'www_root' => "${data_root}/pub",
+ 'autoindex' => 'on',
+ 'ssl' => $enable_ssl,
+ 'ssl_cert' => $ssl_cert,
+ 'ssl_key' => $ssl_key,
+ 'ssl_port' => $listen_ssl_port,
+ }
+
+ # merge the hashes conditionally
+ $nginx_parameters = merge($defaults, $extras_hash)
+
+ # manage the nginx class
+ include nginx
+
+ # create the nginx vhost with the merged parameters
+ create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
+
+}
diff --git a/modules/certbot/manifests/selinux.pp b/modules/certbot/manifests/selinux.pp
new file mode 100644
index 0000000..d2d5b0b
--- /dev/null
+++ b/modules/certbot/manifests/selinux.pp
@@ -0,0 +1,40 @@
+# certbot::selinux
+class certbot::selinux (
+ Stdlib::Absolutepath $data_root = $certbot::data_root,
+) {
+
+ if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
+
+ # set httpd_sys_content_t to all files under the www_root
+ selinux::fcontext { "${data_root}/pub":
+ ensure => 'present',
+ seltype => 'httpd_sys_content_t',
+ pathspec => "${data_root}/pub(/.*)?",
+ }
+
+ # make sure we can connect to other hosts
+ selboolean { 'httpd_can_network_connect':
+ persistent => true,
+ value => 'on',
+ }
+ selboolean { 'rsync_client':
+ persistent => true,
+ value => 'on',
+ }
+ selboolean { 'rsync_export_all_ro':
+ persistent => true,
+ value => 'on',
+ }
+ selboolean { 'rsync_full_access':
+ persistent => true,
+ value => 'on',
+ }
+
+ exec { "restorecon_${data_root}/pub":
+ path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
+ command => "restorecon -Rv ${data_root}/pub",
+ refreshonly => true,
+ subscribe => Selinux::Fcontext["${data_root}/pub"],
+ }
+ }
+}
diff --git a/modules/certbot/templates/certbot-syncer.service.epp b/modules/certbot/templates/certbot-syncer.service.epp
new file mode 100644
index 0000000..122ba93
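Review bot: `certbot::nginx` serves `${data_root}/pub` with `'autoindex' => 'on'` and no access restriction beyond TLS on the listener, while `certbot-syncer.service.epp` in the next file fills that directory every hour with `rsync --chmod=755 -aL /etc/letsencrypt/live/`, which copies every lineage's `privkey.pem` along with the public parts; anyone who can reach this vhost on 443 can therefore list and download every Let's Encrypt private key the generator holds, and the 755 chmod makes them readable by any local account too. The consumer (`certbot::client::cert`) fetches four named files per domain, so directory listings are not needed; at minimum set `'autoindex' => 'off'` and restrict the server block to the load-balancer addresses with nginx `allow`/`deny` directives, and consider syncing only `fullchain.pem`, `chain.pem` and `cert.pem` into the web root while delivering `privkey.pem` over an authenticated path (client-certificate auth on this vhost, or Puppet's own file serving). The same point applies to the rsync line in the service template; a header comment on this class stating who is meant to be able to reach the vhost would document the intended trust boundary.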
--- /dev/null
+++ b/modules/certbot/templates/certbot-syncer.service.epp
@@ -0,0 +1,8 @@
+[Unit]
+Description=certbot-syncer service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/rsync --chmod=755 -aL /etc/letsencrypt/live/ <%= $data_root %>/pub/
+User=root
+Group=root
diff --git a/modules/certbot/templates/certbot-syncer.timer.epp b/modules/certbot/templates/certbot-syncer.timer.epp
new file mode 100644
index 0000000..52903b8
--- /dev/null
+++ b/modules/certbot/templates/certbot-syncer.timer.epp
@@ -0,0 +1,9 @@
+[Unit]
+Description=certbot-syncer timer
+
+[Timer]
+OnCalendar=hourly
+Persistent=true
+
+[Install]
+WantedBy=timers.target
diff --git a/site/profiles/manifests/haproxy/server.pp b/site/profiles/manifests/haproxy/server.pp
index b16da8e..b19ab18 100644
--- a/site/profiles/manifests/haproxy/server.pp
+++ b/site/profiles/manifests/haproxy/server.pp
@@ -48,6 +48,7 @@ class profiles::haproxy::server ( require => Class['profiles::haproxy::selinux']
}
+ include certbot::client # download certbot certs
include profiles::haproxy::certlist # manage the certificate list file
include profiles::haproxy::mappings # manage the domain to backend mappings
include profiles::haproxy::ls_stats # default status listener
diff --git a/site/roles/manifests/infra/pki/certbot.pp b/site/roles/manifests/infra/pki/certbot.pp
new file mode 100644
index 0000000..357d1a6
--- /dev/null
+++ b/site/roles/manifests/infra/pki/certbot.pp
@@ -0,0 +1,10 @@
+# a role to deploy a certbot server
+class roles::infra::pki::certbot {
+ if $facts['firstrun'] {
+ include profiles::defaults
+ include profiles::firstrun::init
+ }else{
+ include profiles::defaults
+ include profiles::base
+ }
+}
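Review bot: The unconditional `include certbot::client` added to `profiles::haproxy::server` pulls in a class whose `$domains` and `$webserver` parameters have no defaults, and in this commit only `hieradata/country/au/region/syd1.yaml` sets `certbot::client::webserver` and only the syd1 HAProxy data sets `certbot::client::domains`; any other node that applies this profile will fail catalog compilation on the missing parameters rather than simply having no Let's Encrypt certificates. Either give `certbot::client` safe defaults (`$domains = []` and an `Optional[Stdlib::Fqdn] $webserver = undef` with the loop skipped when it is unset) or guard the include in the profile, and note the hiera requirement in the trailing comment, e.g. `include certbot::client # download certbot certs; needs certbot::client::webserver and ::domains in hiera`. The rest of `profiles::haproxy::server` lies outside this hunk.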