add docs, cleanup
This commit is contained in:
parent
a516ecf698
commit
38baf28f02
@ -1,3 +1,9 @@
|
|||||||
|
# Common configuration for acme_vault
|
||||||
|
#
|
||||||
|
# This class needs to be included before acme_vault::requestor or
|
||||||
|
# acme_vault::deploy and contains configurations common to both. The user,
|
||||||
|
# vault, vault vars, and cron mailto are needed for both requestor and deploy
|
||||||
|
|
||||||
class acme_vault::common (
|
class acme_vault::common (
|
||||||
$user = $::acme_vault::params::user,
|
$user = $::acme_vault::params::user,
|
||||||
$group = $::acme_vault::params::group,
|
$group = $::acme_vault::params::group,
|
||||||
@ -13,6 +19,7 @@ class acme_vault::common (
|
|||||||
) inherits acme_vault::params {
|
) inherits acme_vault::params {
|
||||||
|
|
||||||
$common_bashrc_template = @(END)
|
$common_bashrc_template = @(END)
|
||||||
|
export PATH=$HOME:$PATH
|
||||||
export VAULT_BIN=<%= @vault_bin %>
|
export VAULT_BIN=<%= @vault_bin %>
|
||||||
export VAULT_TOKEN=<%= @vault_token %>
|
export VAULT_TOKEN=<%= @vault_token %>
|
||||||
export VAULT_ADDR=<%= @vault_addr %>
|
export VAULT_ADDR=<%= @vault_addr %>
|
||||||
@ -69,14 +76,5 @@ END
|
|||||||
environment => "MAILTO=${contact_email}",
|
environment => "MAILTO=${contact_email}",
|
||||||
}
|
}
|
||||||
|
|
||||||
# file { "$home_dir/.bashrc":
|
|
||||||
# ensure => present,
|
|
||||||
# owner => $user,
|
|
||||||
# group => $group,
|
|
||||||
# mode => "0600",
|
|
||||||
# content => template("acme_vault/bashrc"),
|
|
||||||
# }
|
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
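Review bot: The `$common_bashrc_template` heredoc writes `VAULT_TOKEN` in plaintext into a shell rc file, and the third hunk deletes the commented-out `file { "$home_dir/.bashrc": ... mode => "0600" }` block that was the only place recording how that file must be protected. The resource that actually renders this template is outside the hunk; confirm it sets `owner => $user`, `group => $group` and `mode => '0600'`, and add a comment above the heredoc such as `# Rendered into ${home_dir}/.bashrc; carries the Vault token, so the file resource must keep mode 0600 and owner ${user}`. The new `export PATH=$HOME:$PATH` line (moved here from the requestor template) places the user's writable home directory ahead of the system paths for every process that sources this file, including the cron jobs; if the intent is only to find scripts installed in `$HOME`, `export PATH=$PATH:$HOME` or absolute paths in the cron commands avoids shadowing system binaries.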
@ -1,3 +1,12 @@
|
|||||||
|
# Configuration for deploying certs in vault to the filesystem
|
||||||
|
#
|
||||||
|
# This class handles taking a cert/key out of vault, and placing it in a
|
||||||
|
# configured path on the filesystem. It will also accept a restart command to
|
||||||
|
# restart any appropriate services to take advantage of the new cert.
|
||||||
|
#
|
||||||
|
# It employs a script, check_cert.sh, to validate the cert in vault is
|
||||||
|
# appropriate to replace the existing one
|
||||||
|
|
||||||
class acme_vault::deploy(
|
class acme_vault::deploy(
|
||||||
$user = $::acme_vault::common::user,
|
$user = $::acme_vault::common::user,
|
||||||
$group = $::acme_vault::common::group,
|
$group = $::acme_vault::common::group,
|
||||||
@ -32,7 +41,7 @@ class acme_vault::deploy(
|
|||||||
if $restart {
|
if $restart {
|
||||||
$restart_suffix = "&& ${restart_command}"
|
$restart_suffix = "&& ${restart_command}"
|
||||||
} else {
|
} else {
|
||||||
$restart_suffix = ""
|
$restart_suffix = ''
|
||||||
}
|
}
|
||||||
|
|
||||||
# go through each domain, setup cron, and ensure the destination dir exists
|
# go through each domain, setup cron, and ensure the destination dir exists
|
||||||
|
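Review bot: The new header comment says the class "will also accept a restart command" but not that `restart_command` is spliced verbatim into `$restart_suffix = "&& ${restart_command}"` and therefore runs through the shell as `$user` from the cron entry; the cron resource itself is outside the hunk. A sentence in the header such as `# restart_command is appended unquoted to the cron command line and executed by the shell; it must be a fixed, trusted string from configuration` would make that contract explicit. If `$restart` is true while `$restart_command` is empty, the suffix becomes a dangling `&& ` and the cron command would presumably fail with a shell syntax error; a guard like `if $restart and $restart_command != '' {` (or a `String[1]` type on the parameter, declared outside the hunk) would surface the misconfiguration at compile time instead.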
@ -1,3 +1,4 @@
|
|||||||
|
# params for both common, requestor, and deploy
|
||||||
class acme_vault::params {
|
class acme_vault::params {
|
||||||
# settings for acme user
|
# settings for acme user
|
||||||
$user = 'acme'
|
$user = 'acme'
|
||||||
|
@ -1,3 +1,13 @@
|
|||||||
|
# Configuration for requesting a cert from letsencrypt, and storing it in vault.
|
||||||
|
#
|
||||||
|
# This class uses acme.sh, and pulls down the git repo for it. It uses the
|
||||||
|
# lexicon provider in acme.sh to do the dns updating for the dns-01 challenge.
|
||||||
|
# It configures a cron job to periodically check if a cert needs renewal.
|
||||||
|
#
|
||||||
|
# Note: it does not automatically trigger requesting certs, but relies on cron
|
||||||
|
# coordination to eventually reach the desired end state. Since certificate
|
||||||
|
# renewal has a large time window, this is acceptable.
|
||||||
|
|
||||||
class acme_vault::requestor (
|
class acme_vault::requestor (
|
||||||
$user = $::acme_vault::common::user,
|
$user = $::acme_vault::common::user,
|
||||||
$group = $::acme_vault::common::group,
|
$group = $::acme_vault::common::group,
|
||||||
@ -23,7 +33,6 @@ class acme_vault::requestor (
|
|||||||
include acme_vault::common
|
include acme_vault::common
|
||||||
|
|
||||||
$requestor_bashrc_template = @(END)
|
$requestor_bashrc_template = @(END)
|
||||||
export PATH=$HOME:$PATH
|
|
||||||
export TLDEXTRACT_CACHE=$HOME/.tld_set
|
export TLDEXTRACT_CACHE=$HOME/.tld_set
|
||||||
export PROVIDER=<%= @lexicon_provider %>
|
export PROVIDER=<%= @lexicon_provider %>
|
||||||
export LEXICON_<%= @lexicon_provider.upcase %>_USERNAME=<%= @lexicon_username %>
|
export LEXICON_<%= @lexicon_provider.upcase %>_USERNAME=<%= @lexicon_username %>
|
||||||
|
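Review bot: With `export PATH=$HOME:$PATH` removed from `$requestor_bashrc_template`, this template now relies on the common bashrc (from `include acme_vault::common`) being sourced first for `PATH`, `VAULT_BIN`, `VAULT_TOKEN` and `VAULT_ADDR`, and the new header comment does not say so. Add a line to the header such as `# Assumes acme_vault::common's .bashrc is sourced first; this template only adds the lexicon/acme.sh variables`. The header also states that the class pulls down the acme.sh git repo; the resource doing that is outside the hunk, so if it does not pin a tag or revision it is worth noting here (or pinning it), since the fetched code runs with the Vault token and the lexicon provider variables in its environment.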
@ -1,14 +0,0 @@
|
|||||||
class acme_vault::user {
|
|
||||||
|
|
||||||
# create acme_vault user
|
|
||||||
user { $acme_vault::user:
|
|
||||||
ensure => present,
|
|
||||||
gid => $acme_vault::group,
|
|
||||||
system => true,
|
|
||||||
home => $acme_vault::home_dir,
|
|
||||||
managehome => false,
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
}
|
|