From 71e051477f6118c05bec74a3a652cef09b304809 Mon Sep 17 00:00:00 2001
From: Bob Belnap
Date: Mon, 16 Nov 2020 14:03:04 -0500
Subject: [PATCH] add flexible group membership

---
 README.md | 6 +++++-
 manifests/common.pp | 7 +++++++
 manifests/params.pp | 3 ++-
 metadata.json | 4 ++++
 4 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index f648b65..c373b75 100644
--- a/README.md
+++ b/README.md
@@ -82,7 +82,11 @@ Default value: `acme_vault`
 
 ##### `group`
 
-group that the user belongs to. For deploy, this should probably be the webserver group
+group that owns the created certificates
+
+##### `group_members`
+
+members of the above group that will have access to created certificates. In most cases this will be the webserver group, or any other services that require reading the certs.
 
 Default value: `acme_vault`
 
diff --git a/manifests/common.pp b/manifests/common.pp
index 82217c8..5003abd 100644
--- a/manifests/common.pp
+++ b/manifests/common.pp
@@ -4,6 +4,7 @@ class acme_vault::common (
 $user = $::acme_vault::params::user,
 $group = $::acme_vault::params::group,
+ $group_members = $::acme_vault::params::group_members,
 $home_dir = $::acme_vault::params::home_dir,
 $contact_email = $::acme_vault::params::contact_email,
 $domains = $::acme_vault::params::domains,
@@ -40,6 +41,12 @@ class acme_vault::common (
 mode => '0750',
 }
 
+ group { $group:
+ ensure => present,
+ members => $group_members,
+ system => true,
+ }
+
 # vault module isn't too flexible for install only, just copy in binary
 # would be nice if this worked!
 #class { '::vault::install':
diff --git a/manifests/params.pp b/manifests/params.pp
index c82955d..8d2dee2 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -2,7 +2,8 @@ class acme_vault::params {
 # settings for acme user
 $user = 'acme'
- $group = 'apache'
+ $group = 'acme'
+ $group_members = ['apache']
 $home_dir = '/home/acme_vault'
 $contact_email = ''
 $domains = undef
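Review bot: The `group { $group: members => $group_members }` resource added in the second common.pp hunk leaves the group type's `auth_membership` at its default of false, so Puppet only guarantees that the listed members are present and never removes accounts added to the group by other means; because this group is what grants read access to the issued certificates (as the README hunk in this commit describes), an unmanaged member silently keeps that access across runs. If `$group_members` is meant to be the authoritative list, add `auth_membership => true,` next to `members`. Managing `members` also requires a group provider that supports membership — the metadata.json hunk adds onyxpoint-gpasswd, presumably for this, but the resource does not select a provider, so I'd confirm it is auto-selected on every supported platform or set `provider` explicitly. The enclosing class `acme_vault::common` starts and ends outside both hunks.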
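Review bot: The new defaults `$group = 'acme'` and `$group_members = ['apache']` in params.pp disagree with what the README hunk of this same commit documents: the surviving line Default value: `acme_vault` now sits under the `group_members` heading, and `group` is left with no default line at all, so the README should state the actual values (`acme` for `group`, `['apache']` for `group_members`). `['apache']` also names a user that exists only on some distributions (Debian-family web servers run as `www-data`), so on those hosts the group resource that consumes it would presumably fail to apply until the default is overridden; a short comment such as `# default web-server user; override per platform` next to the assignment would make that expectation explicit. The class `acme_vault::params` body continues past the hunk.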
diff --git a/metadata.json b/metadata.json
index d9cefb5..d0c45cd 100644
--- a/metadata.json
+++ b/metadata.json
@@ -13,6 +13,10 @@
 {
 "name": "puppetlabs-concat",
 "version_requirement": ">= 1.2.4"
+ },
+ {
+ "name": "onyxpoint-gpasswd",
+ "version_requirement": ">= 1.1.1"
 }
 ],
 "operatingsystem_support": [