Merge branch 'develop' into neoloc/nzbget

2024-07-09 22:25:28 +10:00 · 2024-07-09 22:25:28 +10:00 · fd5163d6e6
commit fd5163d6e6
parent d67eba5860 dacd2c6994
23 changed files with 414 additions and 14 deletions
--- a/1
+++ b/1
@ -38,6 +38,7 @@ mod 'puppet-extlib', '7.0.0'
 mod 'puppet-network', '2.2.0'
 mod 'puppet-kmod', '4.0.1'
 mod 'puppet-filemapper', '4.0.0'
 mod 'puppet-letsencrypt', '11.0.0'
 # other
 mod 'ghoneycutt-puppet', '3.3.0'
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@ -132,7 +132,9 @@ lookup_options:
  profiles::nginx::simpleproxy::locations:
    merge:
      strategy: deep
-
+  certbot::client::domains:
    merge:
      strategy: deep
 facts_path: '/opt/puppetlabs/facter/facts.d'
--- a/hieradata/country/au/region/syd1.yaml
+++ b/hieradata/country/au/region/syd1.yaml
@ -1,2 +1,3 @@
 ---
 timezone::timezone: 'Australia/Sydney'
 certbot::client::webserver: ausyd1nxvm1021.main.unkin.net
--- a/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
+++ b/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
@ -12,6 +12,7 @@ profiles::haproxy::mappings:
      - 'readarr.main.unkin.net be_readarr'
      - 'prowlarr.main.unkin.net be_prowlarr'
      - 'jellyfin.main.unkin.net be_jellyfin'
      - 'fafflix.unkin.net be_jellyfin'
  fe_https:
    ensure: present
    mappings:
@ -23,6 +24,7 @@ profiles::haproxy::mappings:
      - 'readarr.main.unkin.net be_readarr'
      - 'prowlarr.main.unkin.net be_prowlarr'
      - 'jellyfin.main.unkin.net be_jellyfin'
      - 'fafflix.unkin.net be_jellyfin'
 profiles::haproxy::frontends:
  fe_http:
@ -32,12 +34,14 @@ profiles::haproxy::frontends:
  fe_https:
    options:
      acl:
-        - 'acl_ausyd1pve req.hdr(host) -i https://au-syd1-pve.main.unkin.net'
+        - 'acl_ausyd1pve req.hdr(host) -i au-syd1-pve.main.unkin.net'
-        - 'acl_sonarr req.hdr(host) -i https://sonarr.main.unkin.net'
+        - 'acl_sonarr req.hdr(host) -i sonarr.main.unkin.net'
-        - 'acl_radarr req.hdr(host) -i https://radarr.main.unkin.net'
+        - 'acl_radarr req.hdr(host) -i radarr.main.unkin.net'
-        - 'acl_lidarr req.hdr(host) -i https://lidarr.main.unkin.net'
+        - 'acl_lidarr req.hdr(host) -i lidarr.main.unkin.net'
-        - 'acl_readarr req.hdr(host) -i https://readarr.main.unkin.net'
+        - 'acl_readarr req.hdr(host) -i readarr.main.unkin.net'
-        - 'acl_prowlarr req.hdr(host) -i https://prowlarr.main.unkin.net'
+        - 'acl_prowlarr req.hdr(host) -i prowlarr.main.unkin.net'
        - 'acl_jellyfin req.hdr(host) -i jellyfin.main.unkin.net'
        - 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
        - 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
      use_backend:
        - "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
@ -50,6 +54,8 @@ profiles::haproxy::frontends:
        - 'set-header X-Frame-Options DENY if acl_lidarr'
        - 'set-header X-Frame-Options DENY if acl_readarr'
        - 'set-header X-Frame-Options DENY if acl_prowlarr'
        - 'set-header X-Frame-Options DENY if acl_jellyfin'
        - 'set-header X-Frame-Options DENY if acl_fafflix'
        - 'set-header X-Content-Type-Options nosniff'
        - 'set-header X-XSS-Protection 1;mode=block'
@ -184,10 +190,29 @@ profiles::haproxy::backends:
 profiles::haproxy::certlist::enabled: true
 profiles::haproxy::certlist::certificates:
  - /etc/pki/tls/letsencrypt/au-syd1-pve.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/au-syd1-pve-api.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/sonarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/radarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/lidarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/readarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/prowlarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/vault/certificate.pem
 # additional altnames
 profiles::pki::vault::alt_names:
  - au-syd1-pve.main.unkin.net
  - au-syd1-pve-api.main.unkin.net
  - jellyfin.main.unkin.net
 # additional cnames
 profiles::haproxy::dns::cnames:
  - au-syd1-pve.main.unkin.net
  - au-syd1-pve-api.main.unkin.net
 # letsencrypt certificates
 certbot::client::domains:
  - au-syd1-pve.main.unkin.net
  - au-syd1-pve-api.main.unkin.net
  - sonarr.main.unkin.net
@ -195,9 +220,4 @@ profiles::pki::vault::alt_names:
  - lidarr.main.unkin.net
  - readarr.main.unkin.net
  - prowlarr.main.unkin.net
-  - jellyfin.main.unkin.net
+  - fafflix.unkin.net
 # additional cnames
 profiles::haproxy::dns::cnames:
  - au-syd1-pve.main.unkin.net
  - au-syd1-pve-api.main.unkin.net
--- a/hieradata/nodes/ausyd1nxvm1048.main.unkin.net.yaml
+++ b/hieradata/nodes/ausyd1nxvm1048.main.unkin.net.yaml
@ -0,0 +1,7 @@
 ---
 networking::interfaces:
  eth0:
    ipaddress: 198.18.13.58
 networking::routes:
  default:
    gateway: 198.18.13.254
--- a/hieradata/os/AlmaLinux/all_releases.yaml
+++ b/hieradata/os/AlmaLinux/all_releases.yaml
@ -73,4 +73,5 @@ profiles::yum::global::repos:
    target: /etc/yum.repos.d/unkin.repo
    baseurl: https://git.query.consul/api/packages/unkinben/rpm/el%{facts.os.release.major}
    gpgkey: https://git.query.consul/api/packages/unkinben/rpm/repository.key
    gpgcheck: false
    mirrorlist: absent
--- a/hieradata/roles/infra/auth/glauth.yaml
+++ b/hieradata/roles/infra/auth/glauth.yaml
@ -48,7 +48,7 @@ glauth::users:
    user_name: 'benvin'
    givenname: 'Ben'
    sn: 'Vincent'
-    mail: 'ben@users.main.unkin.net'
+    mail: 'benvin@users.main.unkin.net'
    uidnumber: 20000
    primarygroup: 20000
    othergroups:
@ -64,6 +64,23 @@ glauth::users:
    passsha256: 'd2434f6b4764ef75d5b7b96a876a32deedbd6aa726a109c3f32e823ca66f604a'
    sshkeys:
      - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ8SRLlPiDylBpdWR9LpvPg4fDVD+DZst4yRPFwMMhta4mnB1H9XuvZkptDhXywWQ7QIcqa2WbhCen0OQJCtwn3s7EYtacmF5MxmwBYocPoK2AArGuh6NA9rwTdLrPdzhZ+gwe88PAzRLNzjm0ZBR+mA9saMbPJdqpKp0AWeAM8QofRQAWuCzQg9i0Pn1KDMvVDRHCZof4pVlHSTyHNektq4ifovn0zhKC8jD/cYu95mc5ftBbORexpGiQWwQ3HZw1IBe0ZETB1qPIPwsoJpt3suvMrL6T2//fcIIUE3TcyJKb/yhztja4TZs5jT8370G/vhlT70He0YPxqHub8ZfBv0khlkY93VBWYpNGJwM1fVqlw7XbfBNdOuJivJac8eW317ZdiDnKkBTxapThpPG3et9ib1HoPGKRsd/fICzNz16h2R3tddSdihTFL+bmTCa6Lo+5t5uRuFjQvhSLSgO2/gRAprc3scYOB4pY/lxOFfq3pU2VvSJtRgLNEYMUYKk= ben@unkin.net'
  matsol:
    user_name: 'matsol'
    givenname: 'Matt'
    sn: 'Solomon'
    mail: 'matsol@users.main.unkin.net'
    uidnumber: 20001
    primarygroup: 20000
    othergroups:
      - 20010
      - 20011
      - 20012
      - 20013
      - 20014
      - 20015
    loginshell: '/bin/bash'
    homedir: '/home/matsol'
    passsha256: '369263e2455a57c8c21388860c417b640fcf045a303cfc88def18c5197493600'
 glauth::services:
  svc_jellyfin:
--- a/hieradata/roles/infra/halb/haproxy.yaml
+++ b/hieradata/roles/infra/halb/haproxy.yaml
@ -53,6 +53,8 @@ profiles::haproxy::frontends:
    options:
      acl:
        - 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
      use_backend:
        - 'be_letsencrypt if acl-letsencrypt'
      http-request:
        - 'set-header X-Forwarded-Proto https'
        - 'set-header X-Real-IP %[src]'
@ -68,6 +70,8 @@ profiles::haproxy::frontends:
    options:
      acl:
        - 'acl-letsencrypt path_beg /.well-known/acme-challenge/'
      use_backend:
        - 'be_letsencrypt if acl-letsencrypt'
      http-request:
        - 'set-header X-Forwarded-Proto https'
        - 'set-header X-Real-IP %[src]'
--- a/hieradata/roles/infra/pki/certbot.eyaml
+++ b/hieradata/roles/infra/pki/certbot.eyaml
@ -0,0 +1,2 @@
 ---
 certbot::contact: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJxDjhvXONEm7VoZ74dBxOPxFAw9RrI2WOK1P5YiIWiXUkoOhQpPzy0PUlI4970ActfTi9Kr9fnyZJWr/7TQ/5GQuYvVxMcfWbOmIOA+6CCjR/PWR06lWQuq7eTmwTzQjw7teFZrpXmqutAMNAUEAmPBBKNKfKbOaFz4IWwph1TuXtXDuveu/RE2+8znWukhF92DuFBJSuw6SMDympdbgceq/guQAInMjIXwmCIa7DWCWYDSKw04Ai8yDnYoqaNRs0acbZV6slH49i/cOE6GKTxO8+vR/3TkjEvKH8lY2l37ndH9+pe58arKflm/Inik0zy0TBnHq7/AMmEpRtV0usTA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBUgafckUM981Pb6hn2/9KMgBAblakRJjULF7aZwx/PT09s]
--- a/hieradata/roles/infra/pki/certbot.yaml
+++ b/hieradata/roles/infra/pki/certbot.yaml
@ -0,0 +1,14 @@
 ---
 hiera_include:
  - certbot
  - profiles::pki::puppetcerts
 certbot::domains:
  - au-syd1-pve.main.unkin.net
  - au-syd1-pve-api.main.unkin.net
  - sonarr.main.unkin.net
  - radarr.main.unkin.net
  - lidarr.main.unkin.net
  - readarr.main.unkin.net
  - prowlarr.main.unkin.net
  - fafflix.unkin.net
--- a/modules/certbot/lib/facter/certbot_available_certs.rb
+++ b/modules/certbot/lib/facter/certbot_available_certs.rb
@ -0,0 +1,18 @@
 # frozen_string_literal: true
 Facter.add(:certbot_available_certs) do
  confine enc_role: 'roles::infra::pki::certbot'
  setcode do
    certs_dir = '/etc/letsencrypt/live'
    available_certs = []
    if Dir.exist?(certs_dir)
      Dir.children(certs_dir).each do |entry|
        fullchain_pem = File.join(certs_dir, entry, 'fullchain.pem')
        available_certs << entry if File.exist?(fullchain_pem)
      end
    end
    available_certs.join(',')
  end
 end
--- a/modules/certbot/manifests/cert.pp
+++ b/modules/certbot/manifests/cert.pp
@ -0,0 +1,15 @@
 # certbot::cert
 define certbot::cert (
  Stdlib::Fqdn $domain,
  Array        $additional_args = ['--http-01-port=8888'],
  Boolean      $manage_cron     = true,
 ) {
  $location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
  @@letsencrypt::certonly { $domain:
    additional_args => $additional_args,
    manage_cron     => $manage_cron,
    tag             => $location_environment,
  }
 }
--- a/modules/certbot/manifests/client.pp
+++ b/modules/certbot/manifests/client.pp
@ -0,0 +1,23 @@
 class certbot::client (
  Array[Stdlib::Fqdn]   $domains,
  Stdlib::Fqdn          $webserver,
  Stdlib::Absolutepath  $data_dir = '/etc/pki/tls/letsencrypt/',
 ) {
  mkdir::p {$data_dir:}
  file { $data_dir:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }
  $domains.each |$domain| {
    certbot::client::cert {"${facts['networking']['fqdn']}_download_${domain}":
      domain      => $domain,
      destination => "${data_dir}/${domain}",
      webserver   => $webserver,
      require     => File[$data_dir],
    }
  }
 }
--- a/modules/certbot/manifests/client/cert.pp
+++ b/modules/certbot/manifests/client/cert.pp
@ -0,0 +1,51 @@
 define certbot::client::cert (
  Stdlib::Fqdn          $domain,
  Stdlib::Fqdn          $webserver,
  Stdlib::Absolutepath  $destination = "/etc/pki/tls/letsencrypt/${domain}",
 ) {
  file { $destination:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }
  $cert_ready_nodes = puppetdb_query("
    facts {
      name = 'certbot_available_certs' and value ~ '${domain}' and certname = '${webserver}'
    }"
  )
  # Define the certificate files
  $cert_files = ['cert.pem', 'chain.pem', 'fullchain.pem', 'privkey.pem']
  if !empty($cert_ready_nodes) {
    $files_to_create = $cert_files.reduce({}) |$acc, $file| {
      $acc + {
        "${destination}/${file}" => {
          ensure  => 'file',
          source  => "https://${webserver}/${domain}/${file}",
          owner   => 'root',
          group   => 'root',
          mode    => '0644',
          notify  => Exec["concat_${domain}_certs"],
        }
      }
    }
    create_resources(file, $files_to_create)
    exec { "concat_${domain}_certs":
      command     => "cat ${destination}/fullchain.pem ${destination}/privkey.pem > ${destination}/fullchain_combined.pem",
      path        => ['/bin', '/usr/bin'],
      refreshonly => true,
      require     => [
        File["${destination}/fullchain.pem"],
        File["${destination}/privkey.pem"],
      ],
    }
  } else {
    notify { 'Certificates are not yet ready on the generator server.': }
  }
 }
--- a/modules/certbot/manifests/haproxy.pp
+++ b/modules/certbot/manifests/haproxy.pp
@ -0,0 +1,9 @@
 # certbot::haproxy
 class certbot::haproxy {
  # export haproxy balancemember
  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8888":
    service => 'be_letsencrypt',
    ports   => [8888],
    options => []
  }
 }
--- a/modules/certbot/manifests/init.pp
+++ b/modules/certbot/manifests/init.pp
@ -0,0 +1,19 @@
 # certbot::init
 class certbot (
  String                $contact,
  Array[Stdlib::Fqdn]   $domains = [],
  Stdlib::Absolutepath  $data_root = '/var/www',
  Stdlib::Fqdn          $nginx_vhost = $facts['networking']['fqdn'],
  Array[Stdlib::Host]   $nginx_aliases = [],
  Stdlib::Port          $nginx_port = 80,
  Stdlib::Port          $nginx_ssl_port = 443,
  Enum['http','https','both'] $nginx_listen_mode = 'https',
  Enum['puppet', 'vault']     $nginx_cert_type = 'puppet',
 ) {
  include certbot::nginx
  include certbot::selinux
  include certbot::haproxy
  include certbot::letsencrypt
 }
--- a/modules/certbot/manifests/letsencrypt.pp
+++ b/modules/certbot/manifests/letsencrypt.pp
@ -0,0 +1,37 @@
 # certbot::letsencrypt
 class certbot::letsencrypt (
  String                $contact    = $certbot::contact,
  Array[Stdlib::Fqdn]   $domains    = $certbot::domains,
  Stdlib::Absolutepath  $data_root  = $certbot::data_root,
 ) {
  class { 'letsencrypt':
    configure_epel => false,
    package_ensure => 'latest',
    email          => $contact,
  }
  # set location_environment
  $location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
  # collect exported resources
  Letsencrypt::Certonly <<| tag == $location_environment |>>
  # statically defined certificate
  $domains.each | $domain | {
    certbot::cert {$domain:
      domain  => $domain,
      require => Class['letsencrypt'],
    }
  }
  systemd::timer { 'certbot-syncer.timer':
    timer_content   => epp('certbot/certbot-syncer.timer.epp'),
    service_content => epp('certbot/certbot-syncer.service.epp', {
      'data_root' => $data_root,
    }),
    active          => true,
    enable          => true,
    require         => Class['letsencrypt'],
  }
 }
--- a/modules/certbot/manifests/nginx.pp
+++ b/modules/certbot/manifests/nginx.pp
@ -0,0 +1,91 @@
 # certbot::nginx
 class certbot::nginx (
  Stdlib::Absolutepath  $data_root = $certbot::data_root,
  Stdlib::Fqdn          $nginx_vhost = $certbot::nginx_vhost,
  Array[Stdlib::Host]   $nginx_aliases = $certbot::nginx_aliases,
  Stdlib::Port          $nginx_port = $certbot::nginx_port,
  Stdlib::Port          $nginx_ssl_port = $certbot::nginx_ssl_port,
  Enum['http','https','both'] $nginx_listen_mode = $certbot::nginx_listen_mode,
  Enum['puppet', 'vault']     $nginx_cert_type = $certbot::nginx_cert_type,
 ) {
  # select the certificates to use based on cert type
  case $nginx_cert_type {
    'puppet': {
      $selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
      $selected_ssl_key  = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
    }
    'vault': {
      $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
      $selected_ssl_key  = '/etc/pki/tls/vault/private.key'
    }
    default: {
      # enum param prevents this ever being reached
    }
  }
  # set variables based on the listen_mode
  case $nginx_listen_mode {
    'http': {
      $enable_ssl = false
      $ssl_cert = undef
      $ssl_key = undef
      $listen_port = $nginx_port
      $listen_ssl_port = undef
      $extras_hash = {}
    }
    'https': {
      $enable_ssl = true
      $ssl_cert = $selected_ssl_cert
      $ssl_key = $selected_ssl_key
      $listen_port = $nginx_ssl_port
      $listen_ssl_port = $nginx_ssl_port
      $extras_hash = {
        'subscribe' => [File[$ssl_cert], File[$ssl_key]],
      }
    }
    'both': {
      $enable_ssl = true
      $ssl_cert = $selected_ssl_cert
      $ssl_key = $selected_ssl_key
      $listen_port = $nginx_port
      $listen_ssl_port = $nginx_ssl_port
      $extras_hash = {
        'subscribe' => [File[$ssl_cert], File[$ssl_key]],
      }
    }
    default: {
      # enum param prevents this ever being reached
    }
  }
  mkdir::p {"${data_root}/pub":}
  # set the server_names
  $server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases)
  # define the default parameters for the nginx server
  $defaults = {
    'listen_port'          => $listen_port,
    'server_name'          => $server_names,
    'use_default_location' => true,
    'access_log'           => "/var/log/nginx/${nginx_vhost}_access.log",
    'error_log'            => "/var/log/nginx/${nginx_vhost}_error.log",
    'www_root'             => "${data_root}/pub",
    'autoindex'            => 'on',
    'ssl'                  => $enable_ssl,
    'ssl_cert'             => $ssl_cert,
    'ssl_key'              => $ssl_key,
    'ssl_port'             => $listen_ssl_port,
  }
  # merge the hashes conditionally
  $nginx_parameters = merge($defaults, $extras_hash)
  # manage the nginx class
  include nginx
  # create the nginx vhost with the merged parameters
  create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
 }
--- a/modules/certbot/manifests/selinux.pp
+++ b/modules/certbot/manifests/selinux.pp
@ -0,0 +1,40 @@
 # certbot::selinux
 class certbot::selinux (
  Stdlib::Absolutepath  $data_root = $certbot::data_root,
 ) {
  if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
    # set httpd_sys_content_t to all files under the www_root
    selinux::fcontext { "${data_root}/pub":
      ensure   => 'present',
      seltype  => 'httpd_sys_content_t',
      pathspec => "${data_root}/pub(/.*)?",
    }
    # make sure we can connect to other hosts
    selboolean { 'httpd_can_network_connect':
      persistent => true,
      value      => 'on',
    }
    selboolean { 'rsync_client':
      persistent => true,
      value      => 'on',
    }
    selboolean { 'rsync_export_all_ro':
      persistent => true,
      value      => 'on',
    }
    selboolean { 'rsync_full_access':
      persistent => true,
      value      => 'on',
    }
    exec { "restorecon_${data_root}/pub":
      path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
      command     => "restorecon -Rv ${data_root}/pub",
      refreshonly => true,
      subscribe   => Selinux::Fcontext["${data_root}/pub"],
    }
  }
 }
--- a/modules/certbot/templates/certbot-syncer.service.epp
+++ b/modules/certbot/templates/certbot-syncer.service.epp
@ -0,0 +1,8 @@
 [Unit]
 Description=certbot-syncer service
 [Service]
 Type=oneshot
 ExecStart=/usr/bin/rsync --chmod=755 -aL /etc/letsencrypt/live/ <%= $data_root %>/pub/
 User=root
 Group=root
--- a/modules/certbot/templates/certbot-syncer.timer.epp
+++ b/modules/certbot/templates/certbot-syncer.timer.epp
@ -0,0 +1,9 @@
 [Unit]
 Description=certbot-syncer timer
 [Timer]
 OnCalendar=hourly
 Persistent=true
 [Install]
 WantedBy=timers.target
--- a/site/profiles/manifests/haproxy/server.pp
+++ b/site/profiles/manifests/haproxy/server.pp
@ -48,6 +48,7 @@ class profiles::haproxy::server (
      require          => Class['profiles::haproxy::selinux']
    }
    include certbot::client              # download certbot certs
    include profiles::haproxy::certlist  # manage the certificate list file
    include profiles::haproxy::mappings  # manage the domain to backend mappings
    include profiles::haproxy::ls_stats  # default status listener
--- a/site/roles/manifests/infra/pki/certbot.pp
+++ b/site/roles/manifests/infra/pki/certbot.pp
@ -0,0 +1,10 @@
 # a role to deploy a certbot server
 class roles::infra::pki::certbot {
  if $facts['firstrun'] {
    include profiles::defaults
    include profiles::firstrun::init
  }else{
    include profiles::defaults
    include profiles::base
  }
 }
		`@ -0,0 +1,2 @@`
							`---`
							certbot::contact: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJxDjhvXONEm7VoZ74dBxOPxFAw9RrI2WOK1P5YiIWiXUkoOhQpPzy0PUlI4970ActfTi9Kr9fnyZJWr/7TQ/5GQuYvVxMcfWbOmIOA+6CCjR/PWR06lWQuq7eTmwTzQjw7teFZrpXmqutAMNAUEAmPBBKNKfKbOaFz4IWwph1TuXtXDuveu/RE2+8znWukhF92DuFBJSuw6SMDympdbgceq/guQAInMjIXwmCIa7DWCWYDSKw04Ai8yDnYoqaNRs0acbZV6slH49i/cOE6GKTxO8+vR/3TkjEvKH8lY2l37ndH9+pe58arKflm/Inik0zy0TBnHq7/AMmEpRtV0usTA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBUgafckUM981Pb6hn2/9KMgBAblakRJjULF7aZwx/PT09s]