puppet-certbot/manifests/cert.pp

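# Create a certificate using certbot.
#
# The certificate is requested once with `certbot certonly`; the exec is
# idempotent because the renewal config certbot writes on success is used as
# its `creates` marker (renewals themselves are certbot's own concern). The
# resulting files can optionally be copied out of certbot's live directory
# with the requested owner, group and mode.
#
# @param email
#   Email address to provide to letsencrypt.
# @param preferred_challanges
#   Value for certbot's --preferred-challenges parameter (the parameter name
#   keeps its historical spelling for backward compatibility).
# @param auth_hook
#   Script to use as an auth hook to certbot. To use hooks provided by the
#   puppet subclasses in this module, set it to the subclass name (for example
#   "loopia" to use the loopia auth hook). The value is passed to certbot as a
#   single argument, so a command with its own arguments is accepted too.
# @param clean_hook
#   Script to use as a cleanup hook to certbot. See auth_hook.
# @param domain
#   Domain to get certificate for.
# @param create_timeout
#   Timeout for certbot when fetching the certificate for the first time.
# @param cert_path
#   Path where the certificate will be "installed" when fetched.
# @param fullchain_path
#   Path where the file containing the full certificate chain will be "installed" when fetched.
# @param chain_path
#   Path where the pki chain file will be "installed" when fetched.
# @param key_path
#   Path where the key file will be "installed" when fetched.
# @param file_owner
#   User that should own the "installed" certificate/key files.
# @param file_group
#   Group that should own the "installed" certificate/key files.
# @param public_files_perm
#   Permissions mode for the public certificate files.
# @param private_files_perm
#   Permissions mode for the private key file.
#
define certbot::cert (
  String[1]                   $email,
  Optional[String[1]]         $preferred_challanges = undef,
  Optional[String[1]]         $auth_hook            = undef,
  Optional[String[1]]         $clean_hook           = undef,
  String[1]                   $domain               = $title,
  Integer                     $create_timeout       = 900,
  Optional[String[1]]         $cert_path            = undef,
  Optional[String[1]]         $fullchain_path       = undef,
  Optional[String[1]]         $chain_path           = undef,
  Optional[String[1]]         $key_path             = undef,
  Variant[String[1], Integer] $file_owner           = 0,
  Variant[String[1], Integer] $file_group           = 0,
  String[1]                   $public_files_perm    = '0644',
  String[1]                   $private_files_perm   = '0400',
) {
  $exec_name = "certbot::cert::${title}"
  $live_dir  = "${certbot::params::etc_dir}/letsencrypt/live/${domain}"

  $loopia_auth_hook  = "${certbot::params::bin_dir}/acme-auth-loopia.py"
  $loopia_clean_hook = "${certbot::params::bin_dir}/acme-cleanup-loopia.py"

  # Every command fragment is assigned on all branches so the command string
  # never interpolates an unassigned variable (an error under
  # strict_variables). Using a hook implies certbot's manual mode.
  # NOTE(review): certbot has deprecated --manual-public-ip-logging-ok and
  # newer releases may reject it; confirm against the installed certbot.
  $exec_manual = ($auth_hook or $clean_hook) ? {
    true    => '--manual --manual-public-ip-logging-ok',
    default => '',
  }

  # Operator-supplied values are shell-quoted before being placed in the
  # command string, so a wildcard domain or a hook path with spaces reaches
  # certbot as one argument instead of being split or glob-expanded.
  $exec_auth_hook = $auth_hook ? {
    undef    => '',
    'loopia' => "--manual-auth-hook ${shellquote($loopia_auth_hook)}",
    default  => "--manual-auth-hook ${shellquote($auth_hook)}",
  }

  $exec_clean_hook = $clean_hook ? {
    undef    => '',
    'loopia' => "--manual-cleanup-hook ${shellquote($loopia_clean_hook)}",
    default  => "--manual-cleanup-hook ${shellquote($clean_hook)}",
  }

  $exec_challanges = $preferred_challanges ? {
    undef   => '',
    default => "--preferred-challenges=${shellquote($preferred_challanges)}",
  }

  $exec_cmd = "${certbot::params::certbot_bin} certonly --agree-tos -n -d ${shellquote($domain)} -m ${shellquote($email)} ${exec_challanges} ${exec_manual} ${exec_auth_hook} ${exec_clean_hook}" # lint:ignore:140chars

  exec { $exec_name:
    command => $exec_cmd,
    timeout => $create_timeout,
    # certbot writes this renewal config once the certificate is obtained;
    # its presence keeps the exec from running again.
    creates => "${certbot::params::etc_dir}/letsencrypt/renewal/${domain}.conf",
  }

  # The entries under live/ are expected to be symlinks into certbot's
  # archive, hence links => 'follow' so the real file content is copied.
  if $cert_path {
    file { $cert_path:
      source  => "${live_dir}/cert.pem",
      owner   => $file_owner,
      group   => $file_group,
      mode    => $public_files_perm,
      links   => 'follow',
      require => Exec[$exec_name],
    }
  }

  if $fullchain_path {
    file { $fullchain_path:
      source  => "${live_dir}/fullchain.pem",
      owner   => $file_owner,
      group   => $file_group,
      mode    => $public_files_perm,
      links   => 'follow',
      require => Exec[$exec_name],
    }
  }

  if $chain_path {
    file { $chain_path:
      source  => "${live_dir}/chain.pem",
      owner   => $file_owner,
      group   => $file_group,
      mode    => $public_files_perm,
      links   => 'follow',
      require => Exec[$exec_name],
    }
  }

  if $key_path {
    file { $key_path:
      source    => "${live_dir}/privkey.pem",
      owner     => $file_owner,
      group     => $file_group,
      mode      => $private_files_perm,
      links     => 'follow',
      # Key material must not end up in agent reports/logs or be retained in
      # the client filebucket when the key is rotated.
      show_diff => false,
      backup    => false,
      require   => Exec[$exec_name],
    }
  }
}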