diff --git a/files/vault b/files/vault
new file mode 100755
index 0000000..4940284
Binary files /dev/null and b/files/vault differ
diff --git a/manifests/deploy.pp b/manifests/deploy.pp
new file mode 100644
index 0000000..750c2a3
--- /dev/null
+++ b/manifests/deploy.pp
@@ -0,0 +1,14 @@
+class acme_vault::deploy(
+ $user = $::acme_vault::params::user,
+ $group = $::acme_vault::params::group,
+ $home_dir = $::acme_vault::params::home_dir,
+
+ $vault_token = $::acme_vault::params::vault_token,
+ $cert_destination_path = $::acme_vault::params::cert_destination_path,
+ $domains = $::acme_vault::params::domains,
+
+) inherits acme_vault::params {
+
+}
+
+
diff --git a/manifests/params.pp b/manifests/params.pp
new file mode 100644
index 0000000..66021b0
--- /dev/null
+++ b/manifests/params.pp
@@ -0,0 +1,33 @@
+class acme_vault::params {
+ # settings for requestor
+ $user = 'acme'
+ $group = 'apache'
+ $home_dir = '/home/acme_vault'
+ $contact_email = ''
+
+ # whether to use the letsencrypt staging url, set those urls
+ $staging = true
+ $staging_url = 'https://acme-staging-v02.api.letsencrypt.org/directory'
+ $prod_url = 'https://acme-v02.api.letsencrypt.org/directory'
+
+ $acme_revision = 'HEAD'
+ $acme_repo_path = "$home_dir/acme.sh"
+ $acme_script = "$acme_repo_path/acme.sh"
+ # domains list TODO should be a mapping name -> domains
+
+ $domains = ''
+
+ # authentication
+ $vault_token = ''
+ $vault_addr = ''
+ $vault_bin = "$home_dir/vault"
+
+ $dns_api_username = ''
+ # settings for deploy
+
+ $cert_destination_path = '/etc/acme/'
+
+
+ # control if we want to actually run acme_vault - usefull for rollout
+ $skip_run = true
+}
diff --git a/manifests/requestor.pp b/manifests/requestor.pp
new file mode 100644
index 0000000..8ef4f3c
--- /dev/null
+++ b/manifests/requestor.pp
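Review bot: The body of `acme_vault::deploy` is empty, so the `$vault_token`, `$cert_destination_path` and `$domains` parameters it accepts are never used and including the class changes nothing on the node. If this is an intentional stub, a marker such as `# TODO: write issued certificates to $cert_destination_path` inside the braces would make that explicit to the next reader, and the unused `$vault_token` parameter could be dropped until it is needed so a credential is not threaded through a class that does nothing with it.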
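Review bot: `$domains` defaults to the empty string `''`, but `acme_vault::requestor` iterates it with a two-parameter lambda (`$domains.each |$domain, $d_list|`), which only makes sense for a Hash — the TODO just above the assignment says as much. Defaulting to `$domains = {}` lets an unconfigured include compile to a no-op rather than failing or misbehaving inside `each`, and a data type on the parameter in the consuming classes (`Hash[String, Array[String]] $domains`) would turn a bad Hiera value into a clear compile error. `$vault_token = ''` as an empty-string default likewise means a missing token is rendered silently as `export VAULT_TOKEN=` by the bashrc template; consider `undef` plus a type so that an absent credential is caught at compile time rather than at the first `vault` call.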
@@ -0,0 +1,101 @@
+class acme_vault::requestor (
+ $user = $::acme_vault::params::user,
+ $group = $::acme_vault::params::group,
+ $home_dir = $::acme_vault::params::home_dir,
+
+ $contact_email = $::acme_vault::params::contact_email,
+ $staging = $::acme_vault::params::staging,
+ $staging_url = $::acme_vault::params::staging_url,
+ $prod_url = $::acme_vault::params::prod_url,
+
+ $acme_revision = $::acme_vault::params::acme_revision,
+ $acme_repo_path = $::acme_vault::params::acme_repo_path,
+ $acme_script = $::acme_vault::params::acme_script,
+ $dns_api_username = $::acme_vault::params::dns_api_username,
+
+ $domains = $::acme_vault::params::domains,
+ $vault_token = $::acme_vault::params::vault_token,
+ $vault_addr = $::acme_vault::params::vault_addr,
+ $vault_bin = $::acme_vault::params::vault_bin,
+
+) inherits acme_vault::params {
+
+ # include acme_vault::user
+ # create acme_vault user
+ user { $user:
+ ensure => present,
+ gid => $group,
+ system => true,
+ home => $home_dir,
+ managehome => true,
+ }
+
+ file { $home_dir:
+ ensure => directory,
+ owner => $user,
+ group => $group,
+ mode => "0750",
+ }
+
+ # copy vault binary? install via module?
+ #TODO put in init
+ # vault module isn't too flexible for install only, just copy in binary
+
+ #include ::vault::install
+ #class { '::vault::install':
+ # manage_user => false,
+ #}
+
+ file { $vault_bin:
+ ensure => present,
+ owner => "root",
+ group => "root",
+ mode => "0555",
+ source => "puppet:///modules/acme_vault/vault",
+ }
+
+ # variables in bashrc
+
+ file { "$home_dir/.bashrc":
+ ensure => present,
+ owner => $user,
+ group => $group,
+ mode => "0600",
+ content => template("acme_vault/bashrc"),
+ }
+
+
+ # checkout acme repo
+ vcsrepo { $acme_repo_path:
+ ensure => present,
+ provider => git,
+ source => "https://github.com/Neilpang/acme.sh.git",
+ revision => $acme_revision,
+ }
+
+ notice("$domains")
+ # copy down issue scripts
+
+ $domains.each |$domain, $d_list| {
+ file {"/${home_dir}/${domain}.sh":
+ ensure => present,
+ mode => "0700",
+ owner => $user,
+ group => $group,
+
+ content => epp("acme_vault/domain.epp", {
+ acme_script => "$acme_script",
+ domain => $domain,
+ domains => $d_list,
+ staging => $staging,
+ staging_url => $staging_url,
+ prod_url => $prod_url,
+ } )
+ }
+ }
+
+
+}
+
+
+
diff --git a/manifests/user.pp b/manifests/user.pp
new file mode 100644
index 0000000..a7ca1f1
--- /dev/null
+++ b/manifests/user.pp
@@ -0,0 +1,14 @@
+class acme_vault::user {
+
+ # create acme_vault user
+ user { $acme_vault::user:
+ ensure => present,
+ gid => $acme_vault::group,
+ system => true,
+ home => $acme_vault::home_dir,
+ managehome => false,
+ }
+
+
+
+}
diff --git a/templates/bashrc b/templates/bashrc
new file mode 100644
index 0000000..3dce2d4
--- /dev/null
+++ b/templates/bashrc
@@ -0,0 +1,5 @@
+export VAULT_TOKEN=<%= @vault_token %>
+export VAULT_ADDR=<%= @vault_addr %>
+export LEXICON_PROVIDER=namecheap
+export LEXICON_NAMECHEAP_USERNAME=<%= @dns_api_username %>
+export LEXICON_NAMECHEAP_TOKEN=$(<%= @vault_bin %> read -field=value /secret/dns_api/token)
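Review bot: The `.bashrc` resource renders `$vault_token` in cleartext through `template("acme_vault/bashrc")`, and because `content` is a plain string the token is also emitted in agent reports and `--noop` diffs whenever the file changes; add `show_diff => false,` to that resource and consider declaring the parameter as `Sensitive[String] $vault_token` so the agent redacts it in logs and reports (unwrapping it where the template consumes it). The `vcsrepo` checks out acme.sh at `$acme_revision`, whose default in params is `'HEAD'`, so each agent run may pull new upstream code that is later executed as `$user`; pin a release tag or commit hash instead. The per-domain title `"/${home_dir}/${domain}.sh"` produces a double leading slash because `$home_dir` already starts with `/` — `"${home_dir}/${domain}.sh"` is the intended path. `notice("$domains")` reads like a debugging leftover and logs the full domain mapping on every compile.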
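Review bot: `acme_vault::user` declares `user { $acme_vault::user: ... }` while `acme_vault::requestor` in the same commit declares `user { $user: ... }` for the same account with `managehome => true` rather than `false`; including both would be a duplicate resource declaration, and the two disagree on who creates the home directory. The class also reads `$acme_vault::user`, `$acme_vault::group` and `$acme_vault::home_dir`, which presumably expect a top-level `acme_vault` class (init.pp) that this commit does not add, and the `include acme_vault::user` in requestor is commented out, so this class currently looks unreachable. Either drop the inline `user` resource from requestor and `include acme_vault::user` there once the init class exists, or leave this file out of the commit until then.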
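Review bot: The interpolated values are unquoted, so `export VAULT_TOKEN=<%= @vault_token %>` and the `LEXICON_NAMECHEAP_USERNAME` line break, or are interpreted by the shell, if a value contains whitespace or shell metacharacters; write them as `export VAULT_TOKEN="<%= @vault_token %>"` and likewise for `VAULT_ADDR` and the username. Sourcing this file also runs `vault read` on every interactive shell start for the account, so a Vault outage degrades logins and the DNS token is exported into the environment of every process spawned from that shell rather than only the issue script that needs it; fetching it inside the generated issue script, or from a dedicated environment file sourced only by that script, would keep both credentials out of interactive sessions. A comment at the top of the template stating the Vault policy and TTL the static `VAULT_TOKEN` is expected to carry would help operators scope the token to the single `read` this file performs.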
diff --git a/templates/domain.epp b/templates/domain.epp
new file mode 100644
index 0000000..bd7691a
--- /dev/null
+++ b/templates/domain.epp
@@ -0,0 +1,14 @@
+<%= $acme_script %> \
+--issue \
+<% if $staging { -%>
+--staging \
+--server <%= $staging_url %> \
+<% } else { -%>
+--server <%= $prod_url %>
+<% } -%>
+--dns dns_lexicon \
+--dnssleep 600 \
+<% $domains.each |$d| { -%>
+--domain "<%= $d %>" \
+<% } -%>
+
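Review bot: In the `else` branch, `--server <%= $prod_url %>` has no trailing backslash, so when `$staging` is false the generated command ends after `--server` and `--dns dns_lexicon \` on the following line is run as a separate command; add the continuation: `--server <%= $prod_url %> \`. The staging branch carries the backslash, which is why this only surfaces on the switch to production. Each `--domain "<%= $d %>"` is interpolated directly into a shell command, so a type constraint such as `Array[Pattern[/\A[A-Za-z0-9.*-]+\z/]]` on the domain list in the calling class would guarantee the values stay plain hostnames before they reach the script.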