mirror of
https://github.com/krislamo/puppet-acme_vault
synced 2025-10-31 15:18:33 +00:00
requester first pass
This commit is contained in:
Bob Belnap
BIN
files/vault
Executable file
BIN
files/vault
Executable file
Binary file not shown.
14
manifests/deploy.pp
Normal file
14
manifests/deploy.pp
Normal file
@@ -0,0 +1,14 @@
|
||||
class acme_vault::deploy(
|
||||
$user = $::acme_vault::params::user,
|
||||
$group = $::acme_vault::params::group,
|
||||
$home_dir = $::acme_vault::params::home_dir,
|
||||
|
||||
$vault_token = $::acme_vault::params::vault_token,
|
||||
$cert_destination_path = $::acme_vault::params::cert_destination_path,
|
||||
$domains = $::acme_vault::params::domains,
|
||||
|
||||
) inherits acme_vault::params {
|
||||
|
||||
}
|
||||
|
||||
|
||||
33
manifests/params.pp
Normal file
33
manifests/params.pp
Normal file
@@ -0,0 +1,33 @@
|
||||
class acme_vault::params {
|
||||
# settings for requestor
|
||||
$user = 'acme'
|
||||
$group = 'apache'
|
||||
$home_dir = '/home/acme_vault'
|
||||
$contact_email = ''
|
||||
|
||||
# whether to use the letsencrypt staging url, set those urls
|
||||
$staging = true
|
||||
$staging_url = 'https://acme-staging-v02.api.letsencrypt.org/directory'
|
||||
$prod_url = 'https://acme-v02.api.letsencrypt.org/directory'
|
||||
|
||||
$acme_revision = 'HEAD'
|
||||
$acme_repo_path = "$home_dir/acme.sh"
|
||||
$acme_script = "$acme_repo_path/acme.sh"
|
||||
# domains list TODO should be a mapping name -> domains
|
||||
|
||||
$domains = ''
|
||||
|
||||
# authentication
|
||||
$vault_token = ''
|
||||
$vault_addr = ''
|
||||
$vault_bin = "$home_dir/vault"
|
||||
|
||||
$dns_api_username = ''
|
||||
# settings for deploy
|
||||
|
||||
$cert_destination_path = '/etc/acme/'
|
||||
|
||||
|
||||
# control if we want to actually run acme_vault - usefull for rollout
|
||||
$skip_run = true
|
||||
}
|
||||
101
manifests/requestor.pp
Normal file
101
manifests/requestor.pp
Normal file
@@ -0,0 +1,101 @@
|
||||
class acme_vault::requestor (
|
||||
$user = $::acme_vault::params::user,
|
||||
$group = $::acme_vault::params::group,
|
||||
$home_dir = $::acme_vault::params::home_dir,
|
||||
|
||||
$contact_email = $::acme_vault::params::contact_email,
|
||||
$staging = $::acme_vault::params::staging,
|
||||
$staging_url = $::acme_vault::params::staging_url,
|
||||
$prod_url = $::acme_vault::params::prod_url,
|
||||
|
||||
$acme_revision = $::acme_vault::params::acme_revision,
|
||||
$acme_repo_path = $::acme_vault::params::acme_repo_path,
|
||||
$acme_script = $::acme_vault::params::acme_script,
|
||||
$dns_api_username = $::acme_vault::params::dns_api_username,
|
||||
|
||||
$domains = $::acme_vault::params::domains,
|
||||
$vault_token = $::acme_vault::params::vault_token,
|
||||
$vault_addr = $::acme_vault::params::vault_addr,
|
||||
$vault_bin = $::acme_vault::params::vault_bin,
|
||||
|
||||
) inherits acme_vault::params {
|
||||
|
||||
# include acme_vault::user
|
||||
# create acme_vault user
|
||||
user { $user:
|
||||
ensure => present,
|
||||
gid => $group,
|
||||
system => true,
|
||||
home => $home_dir,
|
||||
managehome => true,
|
||||
}
|
||||
|
||||
file { $home_dir:
|
||||
ensure => directory,
|
||||
owner => $user,
|
||||
group => $group,
|
||||
mode => "0750",
|
||||
}
|
||||
|
||||
# copy vault binary? install via module?
|
||||
#TODO put in init
|
||||
# vault module isn't too flexible for install only, just copy in binary
|
||||
|
||||
#include ::vault::install
|
||||
#class { '::vault::install':
|
||||
# manage_user => false,
|
||||
#}
|
||||
|
||||
file { $vault_bin:
|
||||
ensure => present,
|
||||
owner => "root",
|
||||
group => "root",
|
||||
mode => "0555",
|
||||
source => "puppet:///modules/acme_vault/vault",
|
||||
}
|
||||
|
||||
# variables in bashrc
|
||||
|
||||
file { "$home_dir/.bashrc":
|
||||
ensure => present,
|
||||
owner => $user,
|
||||
group => $group,
|
||||
mode => "0600",
|
||||
content => template("acme_vault/bashrc"),
|
||||
}
|
||||
|
||||
|
||||
# checkout acme repo
|
||||
vcsrepo { $acme_repo_path:
|
||||
ensure => present,
|
||||
provider => git,
|
||||
source => "https://github.com/Neilpang/acme.sh.git",
|
||||
revision => $acme_revision,
|
||||
}
|
||||
|
||||
notice("$domains")
|
||||
# copy down issue scripts
|
||||
|
||||
$domains.each |$domain, $d_list| {
|
||||
file {"/${home_dir}/${domain}.sh":
|
||||
ensure => present,
|
||||
mode => "0700",
|
||||
owner => $user,
|
||||
group => $group,
|
||||
|
||||
content => epp("acme_vault/domain.epp", {
|
||||
acme_script => "$acme_script",
|
||||
domain => $domain,
|
||||
domains => $d_list,
|
||||
staging => $staging,
|
||||
staging_url => $staging_url,
|
||||
prod_url => $prod_url,
|
||||
} )
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
14
manifests/user.pp
Normal file
14
manifests/user.pp
Normal file
@@ -0,0 +1,14 @@
|
||||
class acme_vault::user {
|
||||
|
||||
# create acme_vault user
|
||||
user { $acme_vault::user:
|
||||
ensure => present,
|
||||
gid => $acme_vault::group,
|
||||
system => true,
|
||||
home => $acme_vault::home_dir,
|
||||
managehome => false,
|
||||
}
|
||||
|
||||
|
||||
|
||||
}
|
||||
5
templates/bashrc
Normal file
5
templates/bashrc
Normal file
@@ -0,0 +1,5 @@
|
||||
export VAULT_TOKEN=<%= @vault_token %>
|
||||
export VAULT_ADDR=<%= @vault_addr %>
|
||||
export LEXICON_PROVIDER=namecheap
|
||||
export LEXICON_NAMECHEAP_USERNAME=<%= @dns_api_username %>
|
||||
export LEXICON_NAMECHEAP_TOKEN=$(<%= @vault_bin %> read -field=value /secret/dns_api/token)
|
||||
14
templates/domain.epp
Normal file
14
templates/domain.epp
Normal file
@@ -0,0 +1,14 @@
|
||||
<%= $acme_script %> \
|
||||
--issue \
|
||||
<% if $staging { -%>
|
||||
--staging \
|
||||
--server <%= $staging_url %> \
|
||||
<% } else { -%>
|
||||
--server <%= $prod_url %>
|
||||
<% } -%>
|
||||
--dns dns_lexicon \
|
||||
--dnssleep 600 \
|
||||
<% $domains.each |$d| { -%>
|
||||
--domain "<%= $d %>" \
|
||||
<% } -%>
|
||||
|
||||
Reference in New Issue
Block a user