add docs, cleanup

manifests/common.pp

@@ -1,3 +1,9 @@
+# Common configuration for acme_vault
+# 
+# This class needs to be included before acme_vault::requestor or
+# acme_vault::deploy and contains configurations common to both.  The user,
+# vault, vault vars, and cron mailto are needed for both requestor and deploy
+
 class acme_vault::common (
     $user               = $::acme_vault::params::user,
     $group              = $::acme_vault::params::group,
@@ -13,6 +19,7 @@ class acme_vault::common (
 ) inherits acme_vault::params {
 
     $common_bashrc_template = @(END)
+export PATH=$HOME:$PATH
 export VAULT_BIN=<%= @vault_bin %>
 export VAULT_TOKEN=<%= @vault_token %>
 export VAULT_ADDR=<%= @vault_addr %>
@@ -69,14 +76,5 @@ END
       environment => "MAILTO=${contact_email}",
     }
 
-    #		file { "$home_dir/.bashrc":
-    #			ensure  => present,
-    #			owner   => $user,
-    #      group   => $group,
-    #      mode    => "0600",
-    #      content => template("acme_vault/bashrc"),
-    #    }
-
-
 }
 

manifests/deploy.pp

@@ -1,3 +1,12 @@
+# Configuration for deploying certs in vault to the filesystem
+#
+# This class handles taking a cert/key out of vault, and placing it in a
+# configured path on the filesystem.  It will also accept a restart command to
+# restart any appropriate services to take advantage of the new cert.
+#
+# It employs a script, check_cert.sh, to validate the cert in vault is
+# appropriate to replace the existing one
+
 class acme_vault::deploy(
     $user                  = $::acme_vault::common::user,
     $group                 = $::acme_vault::common::group,
@@ -32,7 +41,7 @@ class acme_vault::deploy(
   if $restart {
     $restart_suffix = "&& ${restart_command}"
   } else {
-    $restart_suffix = ""
+    $restart_suffix = ''
   }
 
   # go through each domain, setup cron, and ensure the destination dir exists

manifests/params.pp

@@ -1,3 +1,4 @@
+# params for both common, requestor, and deploy
 class acme_vault::params {
     # settings for acme user
     $user       = 'acme'

manifests/requestor.pp

@@ -1,3 +1,13 @@
+# Configuration for requesting a cert from letsencrypt, and storing it in vault.
+#
+# This class uses acme.sh, and pulls down the git repo for it.  It uses the
+# lexicon provider in acme.sh to do the dns updating for the dns-01 challenge.
+# It configures a cron job to periodically check if a cert needs renewal.
+# 
+# Note: it does not automatically trigger requesting certs, but relies on cron
+# coordination to eventually reach the desired end state.  Since certificate
+# renewal has a large time window, this is acceptable.
+
 class acme_vault::requestor (
     $user               = $::acme_vault::common::user,
     $group              = $::acme_vault::common::group,
@@ -23,7 +33,6 @@ class acme_vault::requestor (
     include acme_vault::common
 
     $requestor_bashrc_template = @(END)
-export PATH=$HOME:$PATH
 export TLDEXTRACT_CACHE=$HOME/.tld_set
 export PROVIDER=<%= @lexicon_provider %>
 export LEXICON_<%= @lexicon_provider.upcase %>_USERNAME=<%= @lexicon_username %>

manifests/user.pp

@@ -1,14 +0,0 @@
-class acme_vault::user  {
-
-    # create acme_vault user
-    user { $acme_vault::user:
-        ensure     => present,
-        gid        => $acme_vault::group,
-        system     => true,
-        home       => $acme_vault::home_dir,
-        managehome => false,
-    }
-
-
-
-}