From 38baf28f02f98f84852faefaa2c0efed642e6f64 Mon Sep 17 00:00:00 2001
From: Bob Belnap
Date: Tue, 27 Feb 2018 13:58:42 -0500
Subject: [PATCH] add docs, cleanup

---
 manifests/common.pp    | 16 +++++++---------
 manifests/deploy.pp    | 11 ++++++++++-
 manifests/params.pp    |  1 +
 manifests/requestor.pp | 11 ++++++++++-
 manifests/user.pp      | 14 --------------
 5 files changed, 28 insertions(+), 25 deletions(-)
 delete mode 100644 manifests/user.pp

diff --git a/manifests/common.pp b/manifests/common.pp
index aa2597f..d3271fd 100644
--- a/manifests/common.pp
+++ b/manifests/common.pp
@@ -1,3 +1,9 @@
+# Common configuration for acme_vault
+#
+# This class needs to be included before acme_vault::requestor or
+# acme_vault::deploy and contains configurations common to both. The user,
+# vault, vault vars, and cron mailto are needed for both requestor and deploy
+
 class acme_vault::common (
   $user = $::acme_vault::params::user,
   $group = $::acme_vault::params::group,
@@ -13,6 +19,7 @@ class acme_vault::common (
 ) inherits acme_vault::params {
 
   $common_bashrc_template = @(END)
+export PATH=$HOME:$PATH
 export VAULT_BIN=<%= @vault_bin %>
 export VAULT_TOKEN=<%= @vault_token %>
 export VAULT_ADDR=<%= @vault_addr %>
@@ -69,14 +76,5 @@ END
     environment => "MAILTO=${contact_email}",
   }
 
-  # file { "$home_dir/.bashrc":
-  #   ensure => present,
-  #   owner => $user,
-  #   group => $group,
-  #   mode => "0600",
-  #   content => template("acme_vault/bashrc"),
-  # }
-
-
 
 }
diff --git a/manifests/deploy.pp b/manifests/deploy.pp
index 9fac1a0..9ee5068 100644
--- a/manifests/deploy.pp
+++ b/manifests/deploy.pp
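Review bot: Prepending `$HOME` to PATH in the shared bashrc heredoc puts a directory the acme user writes to ahead of every system directory for every cron job that sources this file, which after this commit includes the deploy jobs as well as the requestor; any file placed in that home directory under the name of a command the cron scripts invoke will be executed instead of the system binary. If the line only exists so that a binary kept in the home directory is found, appending is the safer order, `export PATH=$PATH:$HOME`, or point `VAULT_BIN` at an absolute path and drop the PATH line entirely. The same heredoc carries `VAULT_TOKEN`, and the resource that renders it to disk is not in this diff (the commented-out `file` block deleted further down used `mode => "0600"`), so it is worth confirming the live resource still restricts the rendered file to `$user`.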
@@ -1,3 +1,12 @@
+# Configuration for deploying certs in vault to the filesystem
+#
+# This class handles taking a cert/key out of vault, and placing it in a
+# configured path on the filesystem. It will also accept a restart command to
+# restart any appropriate services to take advantage of the new cert.
+#
+# It employs a script, check_cert.sh, to validate the cert in vault is
+# appropriate to replace the existing one
+
 class acme_vault::deploy(
   $user = $::acme_vault::common::user,
   $group = $::acme_vault::common::group,
@@ -32,7 +41,7 @@ class acme_vault::deploy(
   if $restart {
     $restart_suffix = "&& ${restart_command}"
   } else {
-    $restart_suffix = ""
+    $restart_suffix = ''
   }
 
   # go through each domain, setup cron, and ensure the destination dir exists
diff --git a/manifests/params.pp b/manifests/params.pp
index 9ad96ed..7b1aeeb 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -1,3 +1,4 @@
+# params for both common, requestor, and deploy
 class acme_vault::params {
   # settings for acme user
   $user = 'acme'
diff --git a/manifests/requestor.pp b/manifests/requestor.pp
index 6e20827..5c06dee 100644
--- a/manifests/requestor.pp
+++ b/manifests/requestor.pp
@@ -1,3 +1,13 @@
+# Configuration for requesting a cert from letsencrypt, and storing it in vault.
+#
+# This class uses acme.sh, and pulls down the git repo for it. It uses the
+# lexicon provider in acme.sh to do the dns updating for the dns-01 challenge.
+# It configures a cron job to periodically check if a cert needs renewal.
+#
+# Note: it does not automatically trigger requesting certs, but relies on cron
+# coordination to eventually reach the desired end state. Since certificate
+# renewal has a large time window, this is acceptable.
+
 class acme_vault::requestor (
   $user = $::acme_vault::common::user,
   $group = $::acme_vault::common::group,
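Review bot: The new header for acme_vault::deploy says check_cert.sh validates that the cert in vault is "appropriate" to replace the existing one, but never says what is compared, and that is the one fact an operator needs before trusting an unattended swap of a live key and cert; state the checks the script actually performs (the criteria are not visible in this diff) or point at the script's exit conditions. The header should also say that `restart_command` is appended verbatim to the cron command line, which the second hunk of this file shows (`$restart_suffix = "&& ${restart_command}"`), so it is executed by the shell as `$user` and must be a fixed, trusted string. A line such as `# restart_command is appended verbatim to the cron entry and run by the shell as $user; treat it as trusted configuration, never as user input` would cover that.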
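Review bot: The new acme_vault::requestor header should say where the DNS provider credentials end up: the requestor hunk later in this patch exports `LEXICON_<PROVIDER>_USERNAME` from the same bashrc heredoc as the vault settings, so the username (and presumably the matching password) is written in clear text to the acme user's environment file and inherited by every cron job and any login as that user. Since the header itself states these credentials perform the DNS updates for the dns-01 challenge, they are DNS-write credentials for the zone, and that is worth a sentence. Suggested addition: `# Note: the lexicon credentials and the vault token are rendered into the acme user's bashrc in clear text; keep that file 0600 and treat the acme account as holding DNS-write access for the zone.`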
@@ -23,7 +33,6 @@ class acme_vault::requestor (
   include acme_vault::common
 
   $requestor_bashrc_template = @(END)
-export PATH=$HOME:$PATH
 export TLDEXTRACT_CACHE=$HOME/.tld_set
 export PROVIDER=<%= @lexicon_provider %>
 export LEXICON_<%= @lexicon_provider.upcase %>_USERNAME=<%= @lexicon_username %>
diff --git a/manifests/user.pp b/manifests/user.pp
deleted file mode 100644
index a7ca1f1..0000000
--- a/manifests/user.pp
+++ /dev/null
@@ -1,14 +0,0 @@
-class acme_vault::user {
-
-  # create acme_vault user
-  user { $acme_vault::user:
-    ensure => present,
-    gid => $acme_vault::group,
-    system => true,
-    home => $acme_vault::home_dir,
-    managehome => false,
-  }
-
-
-
-}