- moved certbot into its own module - added fact to list available certificates - created systemd timer to rsync data to $data_dir/pub - ensure the $data_dir/pub exists - manage selinux for nginx
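# @summary Install the Let's Encrypt certificate for one domain, fetched from
#   the node that runs certbot, under $destination.
#
# The certificate files are only pulled once PuppetDB reports (via the
# certbot_available_certs fact of $webserver) that the certificate for
# $domain exists there. Until then a notify resource explains why nothing
# was installed.
#
# @param domain
#   FQDN the certificate was issued for; also the path component used when
#   downloading the files from $webserver.
# @param webserver
#   Certname of the node that runs certbot and serves the certificate files
#   over HTTPS.
# @param destination
#   Directory that receives cert.pem, chain.pem, fullchain.pem, privkey.pem
#   and the derived fullchain_combined.pem.
define certbot::client::cert (
  Stdlib::Fqdn         $domain,
  Stdlib::Fqdn         $webserver,
  Stdlib::Absolutepath $destination = "/etc/pki/tls/letsencrypt/${domain}",
) {
  file { $destination:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  # Ask PuppetDB whether the generator already lists this domain in its
  # certbot_available_certs fact. NOTE: '~' is a regex match and $domain is
  # interpolated unescaped, so each '.' matches any character; Stdlib::Fqdn
  # restricts the value to letters, digits, '-' and '.', so it cannot carry
  # PQL quoting characters.
  $cert_ready_nodes = puppetdb_query("
    facts {
      name = 'certbot_available_certs' and value ~ '${domain}' and certname = '${webserver}'
    }"
  )

  # File name => mode. Anything holding the private key must not be
  # world-readable; the public certificate parts may be.
  $cert_file_modes = {
    'cert.pem'      => '0644',
    'chain.pem'     => '0644',
    'fullchain.pem' => '0644',
    'privkey.pem'   => '0600',
  }

  if empty($cert_ready_nodes) {
    # The title carries $domain so that several not-yet-ready instances of
    # this define do not collide on a duplicate notify resource.
    notify { "Certificates for ${domain} are not yet ready on the generator server ${webserver}.": }
  } else {
    $cert_file_modes.each |String $file, String $mode| {
      file { "${destination}/${file}":
        ensure => 'file',
        source => "https://${webserver}/${domain}/${file}",
        owner  => 'root',
        group  => 'root',
        mode   => $mode,
        notify => Exec["concat_${domain}_certs"],
      }
    }

    # Rebuild the combined chain+key file whenever any input changes. The
    # umask keeps the newly created file private, since it embeds the key.
    exec { "concat_${domain}_certs":
      command     => "cat ${destination}/fullchain.pem ${destination}/privkey.pem > ${destination}/fullchain_combined.pem",
      path        => ['/bin', '/usr/bin'],
      umask       => '0077',
      refreshonly => true,
      require     => [
        File["${destination}/fullchain.pem"],
        File["${destination}/privkey.pem"],
      ],
    }

    # Enforce ownership and mode on the combined file even when it already
    # existed before this change (the umask only applies at creation time).
    file { "${destination}/fullchain_combined.pem":
      ensure  => 'file',
      owner   => 'root',
      group   => 'root',
      mode    => '0600',
      require => Exec["concat_${domain}_certs"],
    }
  }
}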