unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity

neoloc/retrieve_certbot_certs #97

Merged
unkinben merged 4 commits from neoloc/retrieve_certbot_certs into develop 2024-07-08 23:27:21 +10:00
Conversation 0 Commits 4 Files Changed 19 +350 -50
19 changed files with 350 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
hieradata/common.yaml
View File

@ -132,7 +132,9 @@ lookup_options:
profiles::nginx::simpleproxy::locations:
merge:
strategy: deep
certbot::client::domains:
merge:
strategy: deep
facts_path: '/opt/puppetlabs/facter/facts.d'

1
hieradata/country/au/region/syd1.yaml
View File

@ -1,2 +1,3 @@
---
timezone::timezone: 'Australia/Sydney'
certbot::client::webserver: ausyd1nxvm1021.main.unkin.net

44
hieradata/country/au/region/syd1/infra/halb/haproxy.yaml
View File

@ -12,6 +12,7 @@ profiles::haproxy::mappings:
- 'readarr.main.unkin.net be_readarr'
- 'prowlarr.main.unkin.net be_prowlarr'
- 'jellyfin.main.unkin.net be_jellyfin'
- 'fafflix.unkin.net be_jellyfin'
fe_https:
ensure: present
mappings:
@ -23,6 +24,7 @@ profiles::haproxy::mappings:
- 'readarr.main.unkin.net be_readarr'
- 'prowlarr.main.unkin.net be_prowlarr'
- 'jellyfin.main.unkin.net be_jellyfin'
- 'fafflix.unkin.net be_jellyfin'
profiles::haproxy::frontends:
fe_http:
@ -32,12 +34,14 @@ profiles::haproxy::frontends:
fe_https:
options:
acl:
- 'acl_ausyd1pve req.hdr(host) -i https://au-syd1-pve.main.unkin.net'
- 'acl_sonarr req.hdr(host) -i https://sonarr.main.unkin.net'
- 'acl_radarr req.hdr(host) -i https://radarr.main.unkin.net'
- 'acl_lidarr req.hdr(host) -i https://lidarr.main.unkin.net'
- 'acl_readarr req.hdr(host) -i https://readarr.main.unkin.net'
- 'acl_prowlarr req.hdr(host) -i https://prowlarr.main.unkin.net'
- 'acl_ausyd1pve req.hdr(host) -i au-syd1-pve.main.unkin.net'
- 'acl_sonarr req.hdr(host) -i sonarr.main.unkin.net'
- 'acl_radarr req.hdr(host) -i radarr.main.unkin.net'
- 'acl_lidarr req.hdr(host) -i lidarr.main.unkin.net'
- 'acl_readarr req.hdr(host) -i readarr.main.unkin.net'
- 'acl_prowlarr req.hdr(host) -i prowlarr.main.unkin.net'
- 'acl_jellyfin req.hdr(host) -i jellyfin.main.unkin.net'
- 'acl_fafflix req.hdr(host) -i fafflix.unkin.net'
- 'acl_internalsubnets src 198.18.0.0/16 10.10.12.0/24'
use_backend:
- "%[req.hdr(host),lower,map(/etc/haproxy/fe_https.map,be_default)]"
@ -50,6 +54,8 @@ profiles::haproxy::frontends:
- 'set-header X-Frame-Options DENY if acl_lidarr'
- 'set-header X-Frame-Options DENY if acl_readarr'
- 'set-header X-Frame-Options DENY if acl_prowlarr'
- 'set-header X-Frame-Options DENY if acl_jellyfin'
- 'set-header X-Frame-Options DENY if acl_fafflix'
- 'set-header X-Content-Type-Options nosniff'
- 'set-header X-XSS-Protection 1;mode=block'
@ -184,10 +190,29 @@ profiles::haproxy::backends:
profiles::haproxy::certlist::enabled: true
profiles::haproxy::certlist::certificates:
- /etc/pki/tls/letsencrypt/au-syd1-pve.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/au-syd1-pve-api.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/sonarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/radarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/lidarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/readarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/prowlarr.main.unkin.net/fullchain_combined.pem
- /etc/pki/tls/letsencrypt/fafflix.unkin.net/fullchain_combined.pem
- /etc/pki/tls/vault/certificate.pem
# additional altnames
profiles::pki::vault::alt_names:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
- jellyfin.main.unkin.net
# additional cnames
profiles::haproxy::dns::cnames:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
# letsencrypt certificates
certbot::client::domains:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
- sonarr.main.unkin.net
@ -195,9 +220,4 @@ profiles::pki::vault::alt_names:
- lidarr.main.unkin.net
- readarr.main.unkin.net
- prowlarr.main.unkin.net
- jellyfin.main.unkin.net
# additional cnames
profiles::haproxy::dns::cnames:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
- fafflix.unkin.net

2
hieradata/roles/infra/pki/certbot.eyaml
View File

@ -1,2 +1,2 @@
---
profiles::certbot::server::contact: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJxDjhvXONEm7VoZ74dBxOPxFAw9RrI2WOK1P5YiIWiXUkoOhQpPzy0PUlI4970ActfTi9Kr9fnyZJWr/7TQ/5GQuYvVxMcfWbOmIOA+6CCjR/PWR06lWQuq7eTmwTzQjw7teFZrpXmqutAMNAUEAmPBBKNKfKbOaFz4IWwph1TuXtXDuveu/RE2+8znWukhF92DuFBJSuw6SMDympdbgceq/guQAInMjIXwmCIa7DWCWYDSKw04Ai8yDnYoqaNRs0acbZV6slH49i/cOE6GKTxO8+vR/3TkjEvKH8lY2l37ndH9+pe58arKflm/Inik0zy0TBnHq7/AMmEpRtV0usTA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBUgafckUM981Pb6hn2/9KMgBAblakRJjULF7aZwx/PT09s]
certbot::contact: ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAJxDjhvXONEm7VoZ74dBxOPxFAw9RrI2WOK1P5YiIWiXUkoOhQpPzy0PUlI4970ActfTi9Kr9fnyZJWr/7TQ/5GQuYvVxMcfWbOmIOA+6CCjR/PWR06lWQuq7eTmwTzQjw7teFZrpXmqutAMNAUEAmPBBKNKfKbOaFz4IWwph1TuXtXDuveu/RE2+8znWukhF92DuFBJSuw6SMDympdbgceq/guQAInMjIXwmCIa7DWCWYDSKw04Ai8yDnYoqaNRs0acbZV6slH49i/cOE6GKTxO8+vR/3TkjEvKH8lY2l37ndH9+pe58arKflm/Inik0zy0TBnHq7/AMmEpRtV0usTA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBUgafckUM981Pb6hn2/9KMgBAblakRJjULF7aZwx/PT09s]

6
hieradata/roles/infra/pki/certbot.yaml
View File

@ -1,5 +1,9 @@
---
profiles::certbot::server::domains:
hiera_include:
- certbot
- profiles::pki::puppetcerts
certbot::domains:
- au-syd1-pve.main.unkin.net
- au-syd1-pve-api.main.unkin.net
- sonarr.main.unkin.net

18
modules/certbot/lib/facter/certbot_available_certs.rb Normal file
View File

@ -0,0 +1,18 @@
# frozen_string_literal: true
Facter.add(:certbot_available_certs) do
confine enc_role: 'roles::infra::pki::certbot'
setcode do
certs_dir = '/etc/letsencrypt/live'
available_certs = []
if Dir.exist?(certs_dir)
Dir.children(certs_dir).each do |entry|
fullchain_pem = File.join(certs_dir, entry, 'fullchain.pem')
available_certs << entry if File.exist?(fullchain_pem)
end
end
available_certs.join(',')
end
end

4
site/profiles/manifests/certbot/cert.pp → modules/certbot/manifests/cert.pp
View File

@ -1,5 +1,5 @@
# profiles::certbot::cert
define profiles::certbot::cert (
# certbot::cert
define certbot::cert (
Stdlib::Fqdn $domain,
Array $additional_args = ['--http-01-port=8888'],
Boolean $manage_cron = true,

23
modules/certbot/manifests/client.pp Normal file
View File

@ -0,0 +1,23 @@
class certbot::client (
Array[Stdlib::Fqdn] $domains,
Stdlib::Fqdn $webserver,
Stdlib::Absolutepath $data_dir = '/etc/pki/tls/letsencrypt/',
) {
mkdir::p {$data_dir:}
file { $data_dir:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
$domains.each |$domain| {
certbot::client::cert {"${facts['networking']['fqdn']}_download_${domain}":
domain => $domain,
destination => "${data_dir}/${domain}",
webserver => $webserver,
require => File[$data_dir],
}
}
}

51
modules/certbot/manifests/client/cert.pp Normal file
View File

@ -0,0 +1,51 @@
define certbot::client::cert (
Stdlib::Fqdn $domain,
Stdlib::Fqdn $webserver,
Stdlib::Absolutepath $destination = "/etc/pki/tls/letsencrypt/${domain}",
) {
file { $destination:
ensure => directory,
owner => 'root',
group => 'root',
mode => '0755',
}
$cert_ready_nodes = puppetdb_query("
facts {
name = 'certbot_available_certs' and value ~ '${domain}' and certname = '${webserver}'
}"
)
# Define the certificate files
$cert_files = ['cert.pem', 'chain.pem', 'fullchain.pem', 'privkey.pem']
if !empty($cert_ready_nodes) {
$files_to_create = $cert_files.reduce({}) |$acc, $file| {
$acc + {
"${destination}/${file}" => {
ensure => 'file',
source => "https://${webserver}/${domain}/${file}",
owner => 'root',
group => 'root',
mode => '0644',
notify => Exec["concat_${domain}_certs"],
}
}
}
create_resources(file, $files_to_create)
exec { "concat_${domain}_certs":
command => "cat ${destination}/fullchain.pem ${destination}/privkey.pem > ${destination}/fullchain_combined.pem",
path => ['/bin', '/usr/bin'],
refreshonly => true,
require => [
File["${destination}/fullchain.pem"],
File["${destination}/privkey.pem"],
],
}
} else {
notify { 'Certificates are not yet ready on the generator server.': }
}
}

9
modules/certbot/manifests/haproxy.pp Normal file
View File

@ -0,0 +1,9 @@
# certbot::haproxy
class certbot::haproxy {
# export haproxy balancemember
profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8888":
service => 'be_letsencrypt',
ports => [8888],
options => []
}
}

19
modules/certbot/manifests/init.pp Normal file
View File

@ -0,0 +1,19 @@
# certbot::init
class certbot (
String $contact,
Array[Stdlib::Fqdn] $domains = [],
Stdlib::Absolutepath $data_root = '/var/www',
Stdlib::Fqdn $nginx_vhost = $facts['networking']['fqdn'],
Array[Stdlib::Host] $nginx_aliases = [],
Stdlib::Port $nginx_port = 80,
Stdlib::Port $nginx_ssl_port = 443,
Enum['http','https','both'] $nginx_listen_mode = 'https',
Enum['puppet', 'vault'] $nginx_cert_type = 'puppet',
) {
include certbot::nginx
include certbot::selinux
include certbot::haproxy
include certbot::letsencrypt
}

37
modules/certbot/manifests/letsencrypt.pp Normal file
View File

@ -0,0 +1,37 @@
# certbot::letsencrypt
class certbot::letsencrypt (
String $contact = $certbot::contact,
Array[Stdlib::Fqdn] $domains = $certbot::domains,
Stdlib::Absolutepath $data_root = $certbot::data_root,
) {
class { 'letsencrypt':
configure_epel => false,
package_ensure => 'latest',
email => $contact,
}
# set location_environment
$location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
# collect exported resources
Letsencrypt::Certonly <<| tag == $location_environment |>>
# statically defined certificate
$domains.each | $domain | {
certbot::cert {$domain:
domain => $domain,
require => Class['letsencrypt'],
}
}
systemd::timer { 'certbot-syncer.timer':
timer_content => epp('certbot/certbot-syncer.timer.epp'),
service_content => epp('certbot/certbot-syncer.service.epp', {
'data_root' => $data_root,
}),
active => true,
enable => true,
require => Class['letsencrypt'],
}
}

91
modules/certbot/manifests/nginx.pp Normal file
View File

@ -0,0 +1,91 @@
# certbot::nginx
class certbot::nginx (
Stdlib::Absolutepath $data_root = $certbot::data_root,
Stdlib::Fqdn $nginx_vhost = $certbot::nginx_vhost,
Array[Stdlib::Host] $nginx_aliases = $certbot::nginx_aliases,
Stdlib::Port $nginx_port = $certbot::nginx_port,
Stdlib::Port $nginx_ssl_port = $certbot::nginx_ssl_port,
Enum['http','https','both'] $nginx_listen_mode = $certbot::nginx_listen_mode,
Enum['puppet', 'vault'] $nginx_cert_type = $certbot::nginx_cert_type,
) {
# select the certificates to use based on cert type
case $nginx_cert_type {
'puppet': {
$selected_ssl_cert = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.crt"
$selected_ssl_key = "/etc/pki/tls/puppet/${facts['networking']['fqdn']}.key"
}
'vault': {
$selected_ssl_cert = '/etc/pki/tls/vault/certificate.crt'
$selected_ssl_key = '/etc/pki/tls/vault/private.key'
}
default: {
# enum param prevents this ever being reached
}
}
# set variables based on the listen_mode
case $nginx_listen_mode {
'http': {
$enable_ssl = false
$ssl_cert = undef
$ssl_key = undef
$listen_port = $nginx_port
$listen_ssl_port = undef
$extras_hash = {}
}
'https': {
$enable_ssl = true
$ssl_cert = $selected_ssl_cert
$ssl_key = $selected_ssl_key
$listen_port = $nginx_ssl_port
$listen_ssl_port = $nginx_ssl_port
$extras_hash = {
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
}
}
'both': {
$enable_ssl = true
$ssl_cert = $selected_ssl_cert
$ssl_key = $selected_ssl_key
$listen_port = $nginx_port
$listen_ssl_port = $nginx_ssl_port
$extras_hash = {
'subscribe' => [File[$ssl_cert], File[$ssl_key]],
}
}
default: {
# enum param prevents this ever being reached
}
}
mkdir::p {"${data_root}/pub":}
# set the server_names
$server_names = unique([$facts['networking']['fqdn'], $nginx_vhost] + $nginx_aliases)
# define the default parameters for the nginx server
$defaults = {
'listen_port' => $listen_port,
'server_name' => $server_names,
'use_default_location' => true,
'access_log' => "/var/log/nginx/${nginx_vhost}_access.log",
'error_log' => "/var/log/nginx/${nginx_vhost}_error.log",
'www_root' => "${data_root}/pub",
'autoindex' => 'on',
'ssl' => $enable_ssl,
'ssl_cert' => $ssl_cert,
'ssl_key' => $ssl_key,
'ssl_port' => $listen_ssl_port,
}
# merge the hashes conditionally
$nginx_parameters = merge($defaults, $extras_hash)
# manage the nginx class
include nginx
# create the nginx vhost with the merged parameters
create_resources('nginx::resource::server', { $nginx_vhost => $nginx_parameters })
}

40
modules/certbot/manifests/selinux.pp Normal file
View File

@ -0,0 +1,40 @@
# certbot::selinux
class certbot::selinux (
Stdlib::Absolutepath $data_root = $certbot::data_root,
) {
if $::facts['os']['selinux']['config_mode'] == 'enforcing' {
# set httpd_sys_content_t to all files under the www_root
selinux::fcontext { "${data_root}/pub":
ensure => 'present',
seltype => 'httpd_sys_content_t',
pathspec => "${data_root}/pub(/.*)?",
}
# make sure we can connect to other hosts
selboolean { 'httpd_can_network_connect':
persistent => true,
value => 'on',
}
selboolean { 'rsync_client':
persistent => true,
value => 'on',
}
selboolean { 'rsync_export_all_ro':
persistent => true,
value => 'on',
}
selboolean { 'rsync_full_access':
persistent => true,
value => 'on',
}
exec { "restorecon_${data_root}/pub":
path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
command => "restorecon -Rv ${data_root}/pub",
refreshonly => true,
subscribe => Selinux::Fcontext["${data_root}/pub"],
}
}
}

8
modules/certbot/templates/certbot-syncer.service.epp Normal file
View File

@ -0,0 +1,8 @@
[Unit]
Description=certbot-syncer service
[Service]
Type=oneshot
ExecStart=/usr/bin/rsync --chmod=755 -aL /etc/letsencrypt/live/ <%= $data_root %>/pub/
User=root
Group=root

9
modules/certbot/templates/certbot-syncer.timer.epp Normal file
View File

@ -0,0 +1,9 @@
[Unit]
Description=certbot-syncer timer
[Timer]
OnCalendar=hourly
Persistent=true
[Install]
WantedBy=timers.target

32
site/profiles/manifests/certbot/server.pp
View File

@ -1,32 +0,0 @@
# profiles::certbot::server
class profiles::certbot::server (
String $contact,
Array[Stdlib::Fqdn] $domains = [],
) {
class { 'letsencrypt':
configure_epel => false,
package_ensure => 'latest',
email => $contact,
}
# set location_environment
$location_environment = "${facts['country']}-${facts['region']}-${facts['environment']}"
# collect exported resources
Letsencrypt::Certonly <<| tag == $location_environment |>>
# statically defined certificate
$domains.each | $domain | {
profiles::certbot::cert {$domain:
domain => $domain,
}
}
# export haproxy balancemember
profiles::haproxy::balancemember { "${facts['networking']['fqdn']}_8888":
service => 'be_letsencrypt',
ports => [8888],
options => []
}
}

1
site/profiles/manifests/haproxy/server.pp
View File

@ -48,6 +48,7 @@ class profiles::haproxy::server (
require => Class['profiles::haproxy::selinux']
}
include certbot::client # download certbot certs
include profiles::haproxy::certlist # manage the certificate list file
include profiles::haproxy::mappings # manage the domain to backend mappings
include profiles::haproxy::ls_stats # default status listener

1
site/roles/manifests/infra/pki/certbot.pp
View File

@ -6,6 +6,5 @@ class roles::infra::pki::certbot {
}else{
include profiles::defaults
include profiles::base
include profiles::certbot::server
}
}