puppet-certbot/manifests/cert.pp

# create a certificate using certbot
#
# @param email
#   email address to provide to letsencrypt
# @param preferred_challanges
#   value for the --preferred-challanges parameter to certbot
# @param auth_hook
#   Script to use as an auth hook to certbot. To use hooks provided by the puppet subclasses in this module,
#   set it to the subclass name (for example "loopia" to use the loopia auth hook)
# @param clean_hook
#   Script to use as a clean hook to certbot. See auth_hook.
# @param domain
#   Domain to get certificate for
# @param create_timeout
#   Timeout for certbot when fetching the certificate for the first time.
# @param cert_path
#   Path where the certificate will be "installed" when fetched.
# @param fullchain_path
#   Path where the file containing the full certificate chain will be "installed" when fetched.
# @param chain_path
#   Path where the pki chain file will be "installed" when fetched.
# @param key_path
#   Path where the key file will be "installed" when fetched.
# @param file_owner
#   User that should own the "installed" certificate/key files.
# @param file_group
#   Group that should own the "installed certificate/key files.
# @param public_files_perm
#   Permissions mode for the public certificate files.
# @param private_files_perm
#   Permissions mode fot the private key file.
#
define certbot::cert (
  String[1] $email,
  Optional[String[1]] $preferred_challanges = undef,
  Optional[String[1]] $auth_hook = undef,
  Optional[String[1]] $clean_hook = undef,
  String[1] $domain = $title,
  Integer $create_timeout = 900,
  Optional[String[1]] $cert_path = undef,
  Optional[String[1]] $fullchain_path = undef,
  Optional[String[1]] $chain_path = undef,
  Optional[String[1]] $key_path = undef,
  Variant[String[1], Integer] $file_owner = 0,
  Variant[String[1], Integer] $file_group = 0,
  String[1] $public_files_perm = '0644',
  String[1] $private_files_perm = '0400',
) {

  if $auth_hook or $clean_hook {
    $exec_manual = '--manual --manual-public-ip-logging-ok'
  }

  $exec_auth_hook = $auth_hook ? {
    'loopia' => "--manual-auth-hook ${certbot::cert::bin_dir}/acme-auth-loopia.py",
    undef    => '',
    default  => "--manual-auth-hook ${auth_hook}",
  }
  $exec_clean_hook = $auth_hook ? {
    'loopia' => "--manual-auth-hook ${certbot::cert::bin_dir}/acme-cleanup-loopia.py",
    undef    => '',
    default  => "--manual-auth-hook ${auth_hook}",
  }

  if $preferred_challanges {
    $exec_challanges = "--preferred-challenges=${preferred_challanges}"
  }

  $exec_cmd = "${certbot::params::certbot_bin} certonly --agree-tos -n -d ${domain} -m ${email} ${exec_challanges} ${exec_manual} ${exec_auth_hook} ${exec_clean_hook}" # lint:ignore:140chars

  exec {
    "certbot::cert::${title}":
      command => $exec_cmd,
      timeout => $create_timeout,
      creates => "${certbot::params::etc_dir}/letsencrypt/renewal/${domain}.conf";
  }

  if $cert_path {
    file {
      $cert_path:
        source  => "${certbot::params::etc_dir}/letsencrypt/live/${domain}/cert.pem",
        owner   => $file_owner,
        group   => $file_group,
        mode    => $public_files_perm,
        links   => 'follow',
        require => Exec[ "certbot::cert::${title}" ];
    }
  }
  if $fullchain_path {
    file {
      $fullchain_path:
        source  => "${certbot::params::etc_dir}/letsencrypt/live/${domain}/fullchain.pem",
        owner   => $file_owner,
        group   => $file_group,
        mode    => $public_files_perm,
        links   => 'follow',
        require => Exec[ "certbot::cert::${title}" ];
    }
  }
  if $chain_path {
    file {
      $chain_path:
        source  => "${certbot::params::etc_dir}/letsencrypt/live/${domain}/chain.pem",
        owner   => $file_owner,
        group   => $file_group,
        mode    => $public_files_perm,
        links   => 'follow',
        require => Exec[ "certbot::cert::${title}" ];
    }
  }
  if $key_path {
    file {
      $key_path:
        source  => "${certbot::params::etc_dir}/letsencrypt/live/${domain}/privkey.pem",
        owner   => $file_owner,
        group   => $file_group,
        mode    => $private_files_perm,
        links   => 'follow',
        require => Exec[ "certbot::cert::${title}" ];
    }
  }
}
add cert defined type 2020-12-02 17:18:32 +01:00			`# create a certificate using certbot`
			`#`
			`# @param email`
			`# email address to provide to letsencrypt`
			`# @param preferred_challanges`
			`# value for the --preferred-challanges parameter to certbot`
			`# @param auth_hook`
			`# Script to use as an auth hook to certbot. To use hooks provided by the puppet subclasses in this module,`
			`# set it to the subclass name (for example "loopia" to use the loopia auth hook)`
			`# @param clean_hook`
			`# Script to use as a clean hook to certbot. See auth_hook.`
			`# @param domain`
			`# Domain to get certificate for`
			`# @param create_timeout`
			`# Timeout for certbot when fetching the certificate for the first time.`
			`# @param cert_path`
			`# Path where the certificate will be "installed" when fetched.`
			`# @param fullchain_path`
			`# Path where the file containing the full certificate chain will be "installed" when fetched.`
			`# @param chain_path`
			`# Path where the pki chain file will be "installed" when fetched.`
			`# @param key_path`
			`# Path where the key file will be "installed" when fetched.`
			`# @param file_owner`
			`# User that should own the "installed" certificate/key files.`
			`# @param file_group`
			`# Group that should own the "installed certificate/key files.`
			`# @param public_files_perm`
			`# Permissions mode for the public certificate files.`
			`# @param private_files_perm`
			`# Permissions mode fot the private key file.`
			`#`
			`define certbot::cert (`
			`String[1] $email,`
			`Optional[String[1]] $preferred_challanges = undef,`
			`Optional[String[1]] $auth_hook = undef,`
			`Optional[String[1]] $clean_hook = undef,`
			`String[1] $domain = $title,`
			`Integer $create_timeout = 900,`
			`Optional[String[1]] $cert_path = undef,`
			`Optional[String[1]] $fullchain_path = undef,`
			`Optional[String[1]] $chain_path = undef,`
			`Optional[String[1]] $key_path = undef,`
			`Variant[String[1], Integer] $file_owner = 0,`
			`Variant[String[1], Integer] $file_group = 0,`
			`String[1] $public_files_perm = '0644',`
			`String[1] $private_files_perm = '0400',`
			`) {`

			`if $auth_hook or $clean_hook {`
			`$exec_manual = '--manual --manual-public-ip-logging-ok'`
			`}`

			`$exec_auth_hook = $auth_hook ? {`
			`'loopia' => "--manual-auth-hook ${certbot::cert::bin_dir}/acme-auth-loopia.py",`
			`undef => '',`
			`default => "--manual-auth-hook ${auth_hook}",`
			`}`
			`$exec_clean_hook = $auth_hook ? {`
			`'loopia' => "--manual-auth-hook ${certbot::cert::bin_dir}/acme-cleanup-loopia.py",`
			`undef => '',`
			`default => "--manual-auth-hook ${auth_hook}",`
			`}`

			`if $preferred_challanges {`
			`$exec_challanges = "--preferred-challenges=${preferred_challanges}"`
			`}`

			`$exec_cmd = "${certbot::params::certbot_bin} certonly --agree-tos -n -d ${domain} -m ${email} ${exec_challanges} ${exec_manual} ${exec_auth_hook} ${exec_clean_hook}" # lint:ignore:140chars`

			`exec {`
			`"certbot::cert::${title}":`
			`command => $exec_cmd,`
			`timeout => $create_timeout,`
			`creates => "${certbot::params::etc_dir}/letsencrypt/renewal/${domain}.conf";`
			`}`

			`if $cert_path {`
			`file {`
			`$cert_path:`
			`source => "${certbot::params::etc_dir}/letsencrypt/live/${domain}/cert.pem",`
			`owner => $file_owner,`
			`group => $file_group,`
			`mode => $public_files_perm,`
make sure links are followed so the certificates are installed correctly 2020-12-02 17:41:48 +01:00			`links => 'follow',`
add cert defined type 2020-12-02 17:18:32 +01:00			`require => Exec[ "certbot::cert::${title}" ];`
			`}`
			`}`
			`if $fullchain_path {`
			`file {`
			`$fullchain_path:`
			`source => "${certbot::params::etc_dir}/letsencrypt/live/${domain}/fullchain.pem",`
			`owner => $file_owner,`
			`group => $file_group,`
			`mode => $public_files_perm,`
make sure links are followed so the certificates are installed correctly 2020-12-02 17:41:48 +01:00			`links => 'follow',`
add cert defined type 2020-12-02 17:18:32 +01:00			`require => Exec[ "certbot::cert::${title}" ];`
			`}`
			`}`
			`if $chain_path {`
			`file {`
			`$chain_path:`
			`source => "${certbot::params::etc_dir}/letsencrypt/live/${domain}/chain.pem",`
			`owner => $file_owner,`
			`group => $file_group,`
			`mode => $public_files_perm,`
make sure links are followed so the certificates are installed correctly 2020-12-02 17:41:48 +01:00			`links => 'follow',`
add cert defined type 2020-12-02 17:18:32 +01:00			`require => Exec[ "certbot::cert::${title}" ];`
			`}`
			`}`
			`if $key_path {`
			`file {`
			`$key_path:`
			`source => "${certbot::params::etc_dir}/letsencrypt/live/${domain}/privkey.pem",`
			`owner => $file_owner,`
			`group => $file_group,`
			`mode => $private_files_perm,`
make sure links are followed so the certificates are installed correctly 2020-12-02 17:41:48 +01:00			`links => 'follow',`
add cert defined type 2020-12-02 17:18:32 +01:00			`require => Exec[ "certbot::cert::${title}" ];`
			`}`
			`}`
			`}`