diff --git a/manifests/cert.pp b/manifests/cert.pp
new file mode 100644
index 0000000..b4efa3e
--- /dev/null
+++ b/manifests/cert.pp
@@ -0,0 +1,118 @@
+# create a certificate using certbot
+#
+# @param email
+# email address to provide to letsencrypt
+# @param preferred_challanges
+# value for the --preferred-challanges parameter to certbot
+# @param auth_hook
+# Script to use as an auth hook to certbot. To use hooks provided by the puppet subclasses in this module,
+# set it to the subclass name (for example "loopia" to use the loopia auth hook)
+# @param clean_hook
+# Script to use as a clean hook to certbot. See auth_hook.
+# @param domain
+# Domain to get certificate for
+# @param create_timeout
+# Timeout for certbot when fetching the certificate for the first time.
+# @param cert_path
+# Path where the certificate will be "installed" when fetched.
+# @param fullchain_path
+# Path where the file containing the full certificate chain will be "installed" when fetched.
+# @param chain_path
+# Path where the pki chain file will be "installed" when fetched.
+# @param key_path
+# Path where the key file will be "installed" when fetched.
+# @param file_owner
+# User that should own the "installed" certificate/key files.
+# @param file_group
+# Group that should own the "installed certificate/key files.
+# @param public_files_perm
+# Permissions mode for the public certificate files.
+# @param private_files_perm
+# Permissions mode fot the private key file.
+#
+define certbot::cert (
+ String[1] $email,
+ Optional[String[1]] $preferred_challanges = undef,
+ Optional[String[1]] $auth_hook = undef,
+ Optional[String[1]] $clean_hook = undef,
+ String[1] $domain = $title,
+ Integer $create_timeout = 900,
+ Optional[String[1]] $cert_path = undef,
+ Optional[String[1]] $fullchain_path = undef,
+ Optional[String[1]] $chain_path = undef,
+ Optional[String[1]] $key_path = undef,
+ Variant[String[1], Integer] $file_owner = 0,
+ Variant[String[1], Integer] $file_group = 0,
+ String[1] $public_files_perm = '0644',
+ String[1] $private_files_perm = '0400',
+) {
+
+ if $auth_hook or $clean_hook {
+ $exec_manual = '--manual --manual-public-ip-logging-ok'
+ }
+
+ $exec_auth_hook = $auth_hook ? {
+ 'loopia' => "--manual-auth-hook ${certbot::cert::bin_dir}/acme-auth-loopia.py",
+ undef => '',
+ default => "--manual-auth-hook ${auth_hook}",
+ }
+ $exec_clean_hook = $auth_hook ? {
+ 'loopia' => "--manual-auth-hook ${certbot::cert::bin_dir}/acme-cleanup-loopia.py",
+ undef => '',
+ default => "--manual-auth-hook ${auth_hook}",
+ }
+
+ if $preferred_challanges {
+ $exec_challanges = "--preferred-challenges=${preferred_challanges}"
+ }
+
+ $exec_cmd = "${certbot::params::certbot_bin} certonly --agree-tos -n -d ${domain} -m ${email} ${exec_challanges} ${exec_manual} ${exec_auth_hook} ${exec_clean_hook}" # lint:ignore:140chars
+
+ exec {
+ "certbot::cert::${title}":
+ command => $exec_cmd,
+ timeout => $create_timeout,
+ creates => "${certbot::params::etc_dir}/letsencrypt/renewal/${domain}.conf";
+ }
+
+ if $cert_path {
+ file {
+ $cert_path:
+ source => "${certbot::params::etc_dir}/letsencrypt/live/${domain}/cert.pem",
+ owner => $file_owner,
+ group => $file_group,
+ mode => $public_files_perm,
+ require => Exec[ "certbot::cert::${title}" ];
+ }
+ }
+ if $fullchain_path {
+ file {
+ $fullchain_path:
+ source => "${certbot::params::etc_dir}/letsencrypt/live/${domain}/fullchain.pem",
+ owner => $file_owner,
+ group => $file_group,
+ mode => $public_files_perm,
+ require => Exec[ "certbot::cert::${title}" ];
+ }
+ }
+ if $chain_path {
+ file {
+ $chain_path:
+ source => "${certbot::params::etc_dir}/letsencrypt/live/${domain}/chain.pem",
+ owner => $file_owner,
+ group => $file_group,
+ mode => $public_files_perm,
+ require => Exec[ "certbot::cert::${title}" ];
+ }
+ }
+ if $key_path {
+ file {
+ $key_path:
+ source => "${certbot::params::etc_dir}/letsencrypt/live/${domain}/privkey.pem",
+ owner => $file_owner,
+ group => $file_group,
+ mode => $private_files_perm,
+ require => Exec[ "certbot::cert::${title}" ];
+ }
+ }
+}
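Review bot: `$exec_clean_hook` is built from `$auth_hook` rather than `$clean_hook` and emits `--manual-auth-hook` in both of its non-undef branches, so the cleanup script is never handed to certbot and, when the default branch is taken, `--manual-auth-hook` is passed twice on the command line with the second occurrence overriding the first. The selector should key on `$clean_hook` and emit `--manual-cleanup-hook`; `$exec_manual` and `$exec_challanges` are also left unassigned when their conditions are false yet are interpolated into `$exec_cmd`, which fails under strict variables, so each wants an `else` that assigns `''`. `${certbot::cert::bin_dir}` names a variable on the defined type itself, which Puppet does not resolve that way — presumably a class-scoped variable (for instance one under `certbot::params`, like the other paths here) was intended; confirm. Separately, `$domain`, `$email`, `$auth_hook` and `$clean_hook` are interpolated unquoted into the exec command as bare `String[1]`, so a tighter type (for example a `Pattern[]` for domain and email) would keep shell metacharacters out of the command that `exec` runs.
```puppet
  if $auth_hook or $clean_hook {
    $exec_manual = '--manual --manual-public-ip-logging-ok'
  } else {
    $exec_manual = ''
  }
  # … unchanged: $exec_auth_hook selector …
  $exec_clean_hook = $clean_hook ? {
    'loopia' => "--manual-cleanup-hook ${certbot::cert::bin_dir}/acme-cleanup-loopia.py",
    undef    => '',
    default  => "--manual-cleanup-hook ${clean_hook}",
  }
  if $preferred_challanges {
    $exec_challanges = "--preferred-challenges=${preferred_challanges}"
  } else {
    $exec_challanges = ''
  }
  # … unchanged: $exec_cmd, exec and file resources …
```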