add flexible group membership

README.md

@@ -82,7 +82,11 @@ Default value: `acme_vault`
 
 ##### `group`
 
-group that the user belongs to.  For deploy, this should probably be the webserver group
+group that owns the created certificates
+
+##### `group_members`
+
+members of the above group that will have access to created certificates.  In most cases this will be the webserver group, or any other services that require reading the certs.
 
 Default value: `acme_vault`
 

manifests/common.pp

@@ -4,6 +4,7 @@
 class acme_vault::common (
     $user               = $::acme_vault::params::user,
     $group              = $::acme_vault::params::group,
+    $group_members      = $::acme_vault::params::group_members,
     $home_dir           = $::acme_vault::params::home_dir,
     $contact_email      = $::acme_vault::params::contact_email,
     $domains            = $::acme_vault::params::domains,
@@ -40,6 +41,12 @@ class acme_vault::common (
       mode   => '0750',
     }
 
+    group { $group:
+      ensure          => present,
+      members         => $group_members,
+      system          => true,
+    }
+
     # vault module isn't too flexible for install only, just copy in binary
     # would be nice if this worked!
     #class { '::vault::install':

manifests/params.pp

@@ -2,7 +2,8 @@
 class acme_vault::params {
     # settings for acme user
     $user       = 'acme'
-    $group      = 'apache'
+    $group      = 'acme'
+    $group_members      = ['apache']
     $home_dir   = '/home/acme_vault'
     $contact_email = ''
     $domains     = undef

metadata.json

@@ -13,6 +13,10 @@
     {
       "name": "puppetlabs-concat",
       "version_requirement": ">= 1.2.4"
+    },
+    {
+      "name": "onyxpoint-gpasswd",
+      "version_requirement": ">= 1.1.1"
     }
   ],
   "operatingsystem_support": [