2024-07-08 23:27:21 +10:00
19 changed files with 350 additions and 50 deletions
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@ -132,7 +132,9 @@ lookup_options:
  profiles::nginx::simpleproxy::locations:
    merge:
      strategy: deep
-
+  certbot::client::domains:
    merge:
      strategy: deep
 facts_path: '/opt/puppetlabs/facter/facts.d'
--- a/hieradata/country/au/region/syd1.yaml
+++ b/hieradata/country/au/region/syd1.yaml
@ -1,2 +1,3 @@
 ---
 timezone::timezone: 'Australia/Sydney'
 certbot::client::webserver: ausyd1nxvm1021.main.unkin.net
--- a/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
+++ b/hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
@ -12,6 +12,7 @@ profiles::haproxy::mappings:
      - 'readarr.main.unkin.net be_readarr'
      - 'prowlarr.main.unkin.net be_prowlarr'
      - 'jellyfin.main.unkin.net be_jellyfin'
      - 'fafflix.unkin.net be_jellyfin'
  fe_https:
    ensure: present
    mappings:
@ -23,6 +24,7 @@ profiles::haproxy::mappings:
      - 'readarr.main.unkin.net be_readarr'
      - 'prowlarr.main.unkin.net be_prowlarr'
      - 'jellyfin.main.unkin.net be_jellyfin'
      - 'fafflix.unkin.net be_jellyfin'
 profiles::haproxy::frontends:
  fe_http:
@ -32,12 +34,14 @@ profiles::haproxy::frontends:
  fe_https:
    options:
      acl:
-        - 'acl_ausyd1pve req.hdr(host) -i https://au-syd1-pve.main.unkin.net'
+        - 'acl_ausyd1pve req.hdr(host) -i au-syd1-pve.main.unkin.net'
-        - 'acl_sonarr req.hdr(host) -i https://sonarr.main.unkin.net'
+        - 'acl_sonarr req.hdr(host) -i sonarr.main.unkin.net'
-        - 'acl_radarr req.hdr(host) -i https://radarr.main.unkin.net'
+        - 'acl_radarr req.hdr(host) -i radarr.main.unkin.net'
-        - 'acl_lidarr req.hdr(host) -i https://lidarr.main.unkin.net'
+        - 'acl_lidarr req.hdr(host) -i lidarr.main.unkin.net'
-        - 'acl_readarr req.hdr(host) -i https://readarr.main.unkin.net'
+        - 'acl_readarr req.hdr(host) -i readarr.main.unkin.net'
-        - 'acl_prowlarr req.hdr(host) -i https://prowlarr.main.unkin.net'
+        - 'acl_prowlarr req.hdr(host) -i prowlarr.main.unkin.net'
        - 'acl_jellyfin req.hdr(host) -i jellyfin.main.unkin.net'
        - 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
        - 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
      use_backend:
        - "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
@ -50,6 +54,8 @@ profiles::haproxy::frontends:
        - 'set-header X-Frame-Options DENY if acl_lidarr'
        - 'set-header X-Frame-Options DENY if acl_readarr'
        - 'set-header X-Frame-Options DENY if acl_prowlarr'
        - 'set-header X-Frame-Options DENY if acl_jellyfin'
        - 'set-header X-Frame-Options DENY if acl_fafflix'
        - 'set-header X-Content-Type-Options nosniff'
        - 'set-header X-XSS-Protection 1;mode=block'
@ -184,10 +190,29 @@ profiles::haproxy::backends:
 profiles::haproxy::certlist::enabled: true
 profiles::haproxy::certlist::certificates:
  - /etc/pki/tls/letsencrypt/au-syd1-pve.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/au-syd1-pve-api.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/sonarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/radarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/lidarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/readarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/prowlarr.main.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
  - /etc/pki/tls/vault/certificate.pem
 # additional altnames
 profiles::pki::vault::alt_names:
  - au-syd1-pve.main.unkin.net
  - au-syd1-pve-api.main.unkin.net
  - jellyfin.main.unkin.net
 # additional cnames
 profiles::haproxy::dns::cnames:
  - au-syd1-pve.main.unkin.net
  - au-syd1-pve-api.main.unkin.net
 # letsencrypt certificates
 certbot::client::domains:
  - au-syd1-pve.main.unkin.net
  - au-syd1-pve-api.main.unkin.net
  - sonarr.main.unkin.net
@ -195,9 +220,4 @@ profiles::pki::vault::alt_names:
  - lidarr.main.unkin.net
  - readarr.main.unkin.net
  - prowlarr.main.unkin.net
-  - jellyfin.main.unkin.net
+  - fafflix.unkin.net
 # additional cnames
 profiles::haproxy::dns::cnames:
  - au-syd1-pve.main.unkin.net
  - au-syd1-pve-api.main.unkin.net
--- a/hieradata/roles/infra/pki/certbot.eyaml
+++ b/hieradata/roles/infra/pki/certbot.eyaml
@ -1,2 +1,2 @@
 ---
-profiles::certbot::server::contact: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJxDjhvXONEm7VoZ74dBxOPxFAw9RrI2WOK1P5YiIWiXUkoOhQpPzy0PUlI4970ActfTi9Kr9fnyZJWr/7TQ/5GQuYvVxMcfWbOmIOA+6CCjR/PWR06lWQuq7eTmwTzQjw7teFZrpXmqutAMNAUEAmPBBKNKfKbOaFz4IWwph1TuXtXDuveu/RE2+8znWukhF92DuFBJSuw6SMDympdbgceq/guQAInMjIXwmCIa7DWCWYDSKw04Ai8yDnYoqaNRs0acbZV6slH49i/cOE6GKTxO8+vR/3TkjEvKH8lY2l37ndH9+pe58arKflm/Inik0zy0TBnHq7/AMmEpRtV0usTA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBUgafckUM981Pb6hn2/9KMgBAblakRJjULF7aZwx/PT09s]
+certbot::contact: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJxDjhvXONEm7VoZ74dBxOPxFAw9RrI2WOK1P5YiIWiXUkoOhQpPzy0PUlI4970ActfTi9Kr9fnyZJWr/7TQ/5GQuYvVxMcfWbOmIOA+6CCjR/PWR06lWQuq7eTmwTzQjw7teFZrpXmqutAMNAUEAmPBBKNKfKbOaFz4IWwph1TuXtXDuveu/RE2+8znWukhF92DuFBJSuw6SMDympdbgceq/guQAInMjIXwmCIa7DWCWYDSKw04Ai8yDnYoqaNRs0acbZV6slH49i/cOE6GKTxO8+vR/3TkjEvKH8lY2l37ndH9+pe58arKflm/Inik0zy0TBnHq7/AMmEpRtV0usTA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBUgafckUM981Pb6hn2/9KMgBAblakRJjULF7aZwx/PT09s]
--- a/hieradata/roles/infra/pki/certbot.yaml
+++ b/hieradata/roles/infra/pki/certbot.yaml
@ -1,5 +1,9 @@
 ---
-profiles::certbot::server::domains:
+hiera_include:
  - certbot
  - profiles::pki::puppetcerts
 certbot::domains:
  - au-syd1-pve.main.unkin.net
  - au-syd1-pve-api.main.unkin.net
  - sonarr.main.unkin.net
--- a/modules/certbot/lib/facter/certbot_available_certs.rb
+++ b/modules/certbot/lib/facter/certbot_available_certs.rb
@ -0,0 +1,18 @@
 # frozen_string_literal: true
 Facter.add(:certbot_available_certs) do
  confine enc_role: 'roles::infra::pki::certbot'
  setcode do
    certs_dir = '/etc/letsencrypt/live'
    available_certs = []
    if Dir.exist?(certs_dir)
      Dir.children(certs_dir).each do |entry|
        fullchain_pem = File.join(certs_dir, entry, 'fullchain.pem')
        available_certs << entry if File.exist?(fullchain_pem)
      end
    end
    available_certs.join(',')
  end
 end
--- a/site/profiles/manifests/certbot/cert.pp
+++ b/site/profiles/manifests/certbot/cert.pp
@ -1,5 +1,5 @@
-# profiles::certbot::cert
+# certbot::cert
-define profiles::certbot::cert (
+define certbot::cert (
  Stdlib::Fqdn $domain,
  Array        $additional_args = ['--http-01-port=8888'],
  Boolean      $manage_cron     = true,
--- a/modules/certbot/manifests/client.pp
+++ b/modules/certbot/manifests/client.pp
@ -0,0 +1,23 @@
 class certbot::client (
  Array[Stdlib::Fqdn]   $domains,
  Stdlib::Fqdn          $webserver,
  Stdlib::Absolutepath  $data_dir = '/etc/pki/tls/letsencrypt/',
 ) {
  mkdir::p {$data_dir:}
  file { $data_dir:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }
  $domains.each |$domain| {
    certbot::client::cert {"${facts['networking']['fqdn']}_download_${domain}":
      domain      => $domain,
      destination => "${data_dir}/${domain}",
      webserver   => $webserver,
      require     => File[$data_dir],
    }
  }
 }
--- a/modules/certbot/manifests/client/cert.pp
+++ b/modules/certbot/manifests/client/cert.pp
@ -0,0 +1,51 @@
 define certbot::client::cert (
  Stdlib::Fqdn          $domain,
  Stdlib::Fqdn          $webserver,
  Stdlib::Absolutepath  $destination = "/etc/pki/tls/letsencrypt/${domain}",
 ) {
  file { $destination:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }
  $cert_ready_nodes = puppetdb_query("
    facts {
      name = 'certbot_available_certs' and value ~ '${domain}' and certname = '${webserver}'
    }"
  )
  # Define the certificate files
  $cert_files = ['cert.pem', 'chain.pem', 'fullchain.pem', 'privkey.pem']
  if !empty($cert_ready_nodes) {
    $files_to_create = $cert_files.reduce({}) |$acc, $file| {
      $acc + {
        "${destination}/${file}" => {
          ensure  => 'file',
          source  => "https://${webserver}/${domain}/${file}",
          owner   => 'root',
          group   => 'root',
          mode    => '0644',
          notify  => Exec["concat_${domain}_certs"],
        }
      }
    }
    create_resources(file, $files_to_create)
    exec { "concat_${domain}_certs":
      command     => "cat ${destination}/fullchain.pem ${destination}/privkey.pem > ${destination}/fullchain_combined.pem",
      path        => ['/bin', '/usr/bin'],
      refreshonly => true,
      require     => [
        File["${destination}/fullchain.pem"],
        File["${destination}/privkey.pem"],
      ],
    }
  } else {
    notify { 'Certificates are not yet ready on the generator server.': }
  }
 }
--- a/modules/certbot/manifests/haproxy.pp
+++ b/modules/certbot/manifests/haproxy.pp
@ -0,0 +1,9 @@
 # certbot::haproxy
 class certbot::haproxy {
  # export haproxy balancemember
  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8888":
    service => 'be_letsencrypt',
    ports   => [8888],
    options => []
  }
 }
--- a/modules/certbot/manifests/init.pp
+++ b/modules/certbot/manifests/init.pp
@ -0,0 +1,19 @@
 # certbot::init
 class certbot (
  String                $contact,
  Array[Stdlib::Fqdn]   $domains = [],
  Stdlib::Absolutepath  $data_root = '/var/www',
  Stdlib::Fqdn          $nginx_vhost = $facts['networking']['fqdn'],
  Array[Stdlib::Host]   $nginx_aliases = [],
  Stdlib::Port          $nginx_port = 80,
  Stdlib::Port          $nginx_ssl_port = 443,
  Enum['http','https','both'] $nginx_listen_mode = 'https',
  Enum['puppet', 'vault']     $nginx_cert_type = 'puppet',
 ) {
  include certbot::nginx
  include certbot::selinux
  include certbot::haproxy
  include certbot::letsencrypt
 }
--- a/modules/certbot/manifests/letsencrypt.pp
+++ b/modules/certbot/manifests/letsencrypt.pp
@ -0,0 +1,37 @@
 # certbot::letsencrypt
 class certbot::letsencrypt (
  String                $contact    = $certbot::contact,
  Array[Stdlib::Fqdn]   $domains    = $certbot::domains,
  Stdlib::Absolutepath  $data_root  = $certbot::data_root,
 ) {
  class { 'letsencrypt':
    configure_epel => false,
    package_ensure => 'latest',
    email          => $contact,
  }
  # set location_environment
  $location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
  # collect exported resources
  Letsencrypt::Certonly <<| tag == $location_environment |>>
  # statically defined certificate
  $domains.each | $domain | {
    certbot::cert {$domain:
      domain  => $domain,
      require => Class['letsencrypt'],
    }
  }
  systemd::timer { 'certbot-syncer.timer':
    timer_content   => epp('certbot/certbot-syncer.timer.epp'),
    service_content => epp('certbot/certbot-syncer.service.epp', {
      'data_root' => $data_root,
    }),
    active          => true,
    enable          => true,
    require         => Class['letsencrypt'],
  }
 }
--- a/modules/certbot/manifests/nginx.pp
+++ b/modules/certbot/manifests/nginx.pp
@ -0,0 +1,91 @@
 # certbot::nginx
 class certbot::nginx (
  Stdlib::Absolutepath  $data_root = $certbot::data_root,
  Stdlib::Fqdn          $nginx_vhost = $certbot::nginx_vhost,
  Array[Stdlib::Host]   $nginx_aliases = $certbot::nginx_aliases,
  Stdlib::Port          $nginx_port = $certbot::nginx_port,
  Stdlib::Port          $nginx_ssl_port = $certbot::nginx_ssl_port,
  Enum['http','https','both'] $nginx_listen_mode = $certbot::nginx_listen_mode,
  Enum['puppet', 'vault']     $nginx_cert_type = $certbot::nginx_cert_type,
 ) {
  # select the certificates to use based on cert type
  case $nginx_cert_type {
    'puppet': {
      $selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
      $selected_ssl_key  = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
    }
    'vault': {
      $selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
      $selected_ssl_key  = '/etc/pki/tls/vault/private.key'
    }
    default: {
      # enum param prevents this ever being reached
    }
  }
  # set variables based on the listen_mode
  case $nginx_listen_mode {
    'http': {
      $enable_ssl = false
      $ssl_cert = undef
      $ssl_key = undef
      $listen_port = $nginx_port
      $listen_ssl_port = undef
      $extras_hash = {}
    }
    'https': {
      $enable_ssl = true
      $ssl_cert = $selected_ssl_cert
      $ssl_key = $selected_ssl_key
      $listen_port = $nginx_ssl_port
      $listen_ssl_port = $nginx_ssl_port
      $extras_hash = {
        'subscribe' => [File[$ssl_cert], File[$ssl_key]],
      }
    }
    'both': {
      $enable_ssl = true
      $ssl_cert = $selected_ssl_cert
      $ssl_key = $selected_ssl_key
      $listen_port = $nginx_port
      $listen_ssl_port = $nginx_ssl_port
      $extras_hash = {
        'subscribe' => [File[$ssl_cert], File[$ssl_key]],
      }
    }
    default: {
      # enum param prevents this ever being reached
    }
  }
  mkdir::p {"${data_root}/pub":}
  # set the server_names
  $server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases)
  # define the default parameters for the nginx server
  $defaults = {
    'listen_port'          => $listen_port,
    'server_name'          => $server_names,
    'use_default_location' => true,
    'access_log'           => "/var/log/nginx/${nginx_vhost}_access.log",
    'error_log'            => "/var/log/nginx/${nginx_vhost}_error.log",
    'www_root'             => "${data_root}/pub",
    'autoindex'            => 'on',
    'ssl'                  => $enable_ssl,
    'ssl_cert'             => $ssl_cert,
    'ssl_key'              => $ssl_key,
    'ssl_port'             => $listen_ssl_port,
  }
  # merge the hashes conditionally
  $nginx_parameters = merge($defaults, $extras_hash)
  # manage the nginx class
  include nginx
  # create the nginx vhost with the merged parameters
  create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
 }
--- a/modules/certbot/manifests/selinux.pp
+++ b/modules/certbot/manifests/selinux.pp
@ -0,0 +1,40 @@
 # certbot::selinux
 class certbot::selinux (
  Stdlib::Absolutepath  $data_root = $certbot::data_root,
 ) {
  if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
    # set httpd_sys_content_t to all files under the www_root
    selinux::fcontext { "${data_root}/pub":
      ensure   => 'present',
      seltype  => 'httpd_sys_content_t',
      pathspec => "${data_root}/pub(/.*)?",
    }
    # make sure we can connect to other hosts
    selboolean { 'httpd_can_network_connect':
      persistent => true,
      value      => 'on',
    }
    selboolean { 'rsync_client':
      persistent => true,
      value      => 'on',
    }
    selboolean { 'rsync_export_all_ro':
      persistent => true,
      value      => 'on',
    }
    selboolean { 'rsync_full_access':
      persistent => true,
      value      => 'on',
    }
    exec { "restorecon_${data_root}/pub":
      path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
      command     => "restorecon -Rv ${data_root}/pub",
      refreshonly => true,
      subscribe   => Selinux::Fcontext["${data_root}/pub"],
    }
  }
 }
--- a/modules/certbot/templates/certbot-syncer.service.epp
+++ b/modules/certbot/templates/certbot-syncer.service.epp
@ -0,0 +1,8 @@
 [Unit]
 Description=certbot-syncer service
 [Service]
 Type=oneshot
 ExecStart=/usr/bin/rsync --chmod=755 -aL /etc/letsencrypt/live/ <%= $data_root %>/pub/
 User=root
 Group=root
--- a/modules/certbot/templates/certbot-syncer.timer.epp
+++ b/modules/certbot/templates/certbot-syncer.timer.epp
@ -0,0 +1,9 @@
 [Unit]
 Description=certbot-syncer timer
 [Timer]
 OnCalendar=hourly
 Persistent=true
 [Install]
 WantedBy=timers.target
--- a/site/profiles/manifests/certbot/server.pp
+++ b/site/profiles/manifests/certbot/server.pp
@ -1,32 +0,0 @@
 # profiles::certbot::server
 class profiles::certbot::server (
  String              $contact,
  Array[Stdlib::Fqdn] $domains = [],
 ) {
  class { 'letsencrypt':
    configure_epel => false,
    package_ensure => 'latest',
    email          => $contact,
  }
  # set location_environment
  $location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
  # collect exported resources
  Letsencrypt::Certonly <<| tag == $location_environment |>>
  # statically defined certificate
  $domains.each | $domain | {
    profiles::certbot::cert {$domain:
      domain => $domain,
    }
  }
  # export haproxy balancemember
  profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8888":
    service => 'be_letsencrypt',
    ports   => [8888],
    options => []
  }
 }
--- a/site/profiles/manifests/haproxy/server.pp
+++ b/site/profiles/manifests/haproxy/server.pp
@ -48,6 +48,7 @@ class profiles::haproxy::server (
      require          => Class['profiles::haproxy::selinux']
    }
    include certbot::client              # download certbot certs
    include profiles::haproxy::certlist  # manage the certificate list file
    include profiles::haproxy::mappings  # manage the domain to backend mappings
    include profiles::haproxy::ls_stats  # default status listener
--- a/site/roles/manifests/infra/pki/certbot.pp
+++ b/site/roles/manifests/infra/pki/certbot.pp
@ -6,6 +6,5 @@ class roles::infra::pki::certbot {
  }else{
    include profiles::defaults
    include profiles::base
    include profiles::certbot::server
  }
 }
`@ -1,2 +1,2 @@`
	`---`	`---`
	profiles::certbot::server::contact: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJxDjhvXONEm7VoZ74dBxOPxFAw9RrI2WOK1P5YiIWiXUkoOhQpPzy0PUlI4970ActfTi9Kr9fnyZJWr/7TQ/5GQuYvVxMcfWbOmIOA+6CCjR/PWR06lWQuq7eTmwTzQjw7teFZrpXmqutAMNAUEAmPBBKNKfKbOaFz4IWwph1TuXtXDuveu/RE2+8znWukhF92DuFBJSuw6SMDympdbgceq/guQAInMjIXwmCIa7DWCWYDSKw04Ai8yDnYoqaNRs0acbZV6slH49i/cOE6GKTxO8+vR/3TkjEvKH8lY2l37ndH9+pe58arKflm/Inik0zy0TBnHq7/AMmEpRtV0usTA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBUgafckUM981Pb6hn2/9KMgBAblakRJjULF7aZwx/PT09s]	certbot::contact: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJxDjhvXONEm7VoZ74dBxOPxFAw9RrI2WOK1P5YiIWiXUkoOhQpPzy0PUlI4970ActfTi9Kr9fnyZJWr/7TQ/5GQuYvVxMcfWbOmIOA+6CCjR/PWR06lWQuq7eTmwTzQjw7teFZrpXmqutAMNAUEAmPBBKNKfKbOaFz4IWwph1TuXtXDuveu/RE2+8znWukhF92DuFBJSuw6SMDympdbgceq/guQAInMjIXwmCIa7DWCWYDSKw04Ai8yDnYoqaNRs0acbZV6slH49i/cOE6GKTxO8+vR/3TkjEvKH8lY2l37ndH9+pe58arKflm/Inik0zy0TBnHq7/AMmEpRtV0usTA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBUgafckUM981Pb6hn2/9KMgBAblakRJjULF7aZwx/PT09s]