From 7c396c023bd18f2dd1b52b089a15c882395f4ab0 Mon Sep 17 00:00:00 2001
From: Bob Belnap
Date: Thu, 22 Feb 2018 15:50:27 -0500
Subject: [PATCH] add common class, lexicon vars, general cleanup
---
 manifests/common.pp | 70 ++++++++++++++++++++++++++++++++++++++++++
 manifests/params.pp | 13 ++++----
 manifests/requestor.pp | 68 ++++++++++------------------------------
 templates/bashrc | 5 ---
 4 files changed, 94 insertions(+), 62 deletions(-)
 create mode 100644 manifests/common.pp
 delete mode 100644 templates/bashrc
diff --git a/manifests/common.pp b/manifests/common.pp
new file mode 100644
index 0000000..8caec4c
--- /dev/null
+++ b/manifests/common.pp
@@ -0,0 +1,70 @@
+class acme_vault::common (
+ $user = $::acme_vault::params::user,
+ $group = $::acme_vault::params::group,
+ $home_dir = $::acme_vault::params::home_dir,
+
+ $vault_token = $::acme_vault::params::vault_token,
+ $vault_addr = $::acme_vault::params::vault_addr,
+ $vault_bin = $::acme_vault::params::vault_bin,
+
+) inherits acme_vault::params {
+
+ $common_bashrc_template = @(END)
+export VAULT_BIN=<%= @vault_bin %>
+export VAULT_TOKEN=<%= @vault_token %>
+export VAULT_ADDR=<%= @vault_addr %>
+END
+ # create acme_vault user
+ user { $user:
+ ensure => present,
+ gid => $group,
+ system => true,
+ home => $home_dir,
+ managehome => true,
+ }
+
+ file { $home_dir:
+ ensure => directory,
+ owner => $user,
+ group => $group,
+ mode => "0750",
+ }
+
+ # vault module isn't too flexible for install only, just copy in binary
+ # would be nice if this worked!
+ #class { '::vault::install':
+ # manage_user => false,
+ #}
+
+ file { $vault_bin:
+ ensure => present,
+ owner => "root",
+ group => "root",
+ mode => "0555",
+ source => "puppet:///modules/acme_vault/vault",
+ }
+
+ # variables in bashrc
+ concat { "${home_dir}/.bashrc":
+ owner => $user,
+ group => $group,
+ mode => "0600",
+ }
+
+ concat::fragment{ "vault_bashrc":
+ target => "${home_dir}/.bashrc",
+ content => inline_template($common_bashrc_template),
+ order => "01",
+ }
+
+ # file { "$home_dir/.bashrc":
+ # ensure => present,
+ # owner => $user,
+ # group => $group,
+ # mode => "0600",
+ # content => template("acme_vault/bashrc"),
+ # }
+
+
+}
+
diff --git a/manifests/params.pp b/manifests/params.pp
index 66021b0..7bdba84 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
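Review bot: The `vault_bashrc` fragment renders `$vault_token` in clear text through `inline_template`, so the token ends up in the compiled catalog, in the agent's file diff output and reports whenever `.bashrc` changes, and in the environment of every interactive process of `$user`, not only in the 0600 file. At minimum add `show_diff => false,` to the `concat { "${home_dir}/.bashrc": }` resource so content changes are not echoed, and declare the parameter with the `Sensitive` type, unwrapping it only where the fragment content is built. The same applies to the `requestor_bashrc` fragment in manifests/requestor.pp, which renders `$lexicon_token` the same way.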
@@ -1,14 +1,14 @@ class acme_vault::params { - # settings for requestor + # settings for acme user $user = 'acme' $group = 'apache' $home_dir = '/home/acme_vault' - $contact_email = '' # whether to use the letsencrypt staging url, set those urls $staging = true $staging_url = 'https://acme-staging-v02.api.letsencrypt.org/directory' $prod_url = 'https://acme-v02.api.letsencrypt.org/directory' + $contact_email = '' $acme_revision = 'HEAD' $acme_repo_path = "$home_dir/acme.sh" @@ -22,12 +22,13 @@ class acme_vault::params { $vault_addr = '' $vault_bin = "$home_dir/vault" - $dns_api_username = '' + # lexicon + $lexicon_provider = '' + $lexicon_username = '' + $lexicon_token = '' + # settings for deploy $cert_destination_path = '/etc/acme/' - - # control if we want to actually run acme_vault - usefull for rollout - $skip_run = true } diff --git a/manifests/requestor.pp b/manifests/requestor.pp index 8ef4f3c..3e21169 100644 --- a/manifests/requestor.pp +++ b/manifests/requestor.pp 
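Review bot: `$skip_run` is removed from `acme_vault::params` in the second hunk, but nothing in this patch shows a reader of it being removed; if `acme_vault::requestor` or another class still references `$::acme_vault::params::skip_run` outside the visible hunks, catalog compilation will fail, so that is worth confirming before merge. The new `$lexicon_token = ''` and `$lexicon_username = ''` defaults also mean a missing Hiera value silently yields empty credentials in `.bashrc` rather than a compile-time error; consider leaving them `undef` and failing in the consuming class when they are unset.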
@@ -11,57 +11,28 @@ class acme_vault::requestor ( $acme_revision = $::acme_vault::params::acme_revision, $acme_repo_path = $::acme_vault::params::acme_repo_path, $acme_script = $::acme_vault::params::acme_script, - $dns_api_username = $::acme_vault::params::dns_api_username, + + $lexicon_provider = $::acme_vault::params::lexicon_provider, + $lexicon_username = $::acme_vault::params::lexicon_username, + $lexicon_token = $::acme_vault::params::lexicon_token, $domains = $::acme_vault::params::domains, - $vault_token = $::acme_vault::params::vault_token, - $vault_addr = $::acme_vault::params::vault_addr, - $vault_bin = $::acme_vault::params::vault_bin, ) inherits acme_vault::params { - # include acme_vault::user - # create acme_vault user - user { $user: - ensure => present, - gid => $group, - system => true, - home => $home_dir, - managehome => true, - } - - file { $home_dir: - ensure => directory, - owner => $user, - group => $group, - mode => "0750", - } - - # copy vault binary? install via module? - #TODO put in init - # vault module isn't too flexible for install only, just copy in binary - - #include ::vault::install - #class { '::vault::install': - # manage_user => false, - #} - - file { $vault_bin: - ensure => present, - owner => "root", - group => "root", - mode => "0555", - source => "puppet:///modules/acme_vault/vault", - } + include acme_vault::common + $requestor_bashrc_template = @(END) +export LEXICON_PROVIDER=<%= @lexicon_provider %> +export LEXICON_<%= @lexicon_provider.upcase %>_USERNAME=<%= @lexicon_username %> +export LEXICON_<%= @lexicon_provider.upcase %>_TOKEN=<%= @lexicon_token %> +END # variables in bashrc - file { "$home_dir/.bashrc": - ensure => present, - owner => $user, - group => $group, - mode => "0600", - content => template("acme_vault/bashrc"), + concat::fragment { "requestor_bashrc": + target => "${home_dir}/.bashrc", + content => inline_template($requestor_bashrc_template), + order => "02", } 
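Review bot: `$lexicon_provider` is interpolated into the environment variable name via `<%= @lexicon_provider.upcase %>` without any check that it is set or well-formed; with the `''` default from params the fragment exports `LEXICON__USERNAME` and `LEXICON__TOKEN`, which lexicon will never read, and a value containing spaces or shell metacharacters produces a broken `.bashrc` line. A guard at the top of the body, `if $lexicon_provider !~ /\A[a-z0-9]+\z/ { fail('acme_vault::requestor: lexicon_provider must be set') }`, or typing the parameter as `Pattern[/\A[a-z0-9]+\z/] $lexicon_provider`, would catch both. The class `acme_vault::requestor` begins before this hunk, so the full parameter list and any existing validation are not visible here.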
@@ -73,9 +44,7 @@ class acme_vault::requestor ( revision => $acme_revision, } - notice("$domains") - # copy down issue scripts - + # create issue scripts $domains.each |$domain, $d_list| { file {"/${home_dir}/${domain}.sh": ensure => present, @@ -90,12 +59,9 @@ class acme_vault::requestor ( staging => $staging, staging_url => $staging_url, prod_url => $prod_url, - } ) + } + ) } } - } - - - diff --git a/templates/bashrc b/templates/bashrc deleted file mode 100644 index 3dce2d4..0000000 --- a/templates/bashrc +++ /dev/null @@ -1,5 +0,0 @@ -export VAULT_TOKEN=<%= @vault_token %> -export VAULT_ADDR=<%= @vault_addr %> -export LEXICON_PROVIDER=namecheap -export LEXICON_NAMECHEAP_USERNAME=<%= @dns_api_username %> -export LEXICON_NAMECHEAP_TOKEN=$(<%= @vault_bin %> read -field=value /secret/dns_api/token)
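Review bot: The issue-script resource title `"/${home_dir}/${domain}.sh"` in the first hunk carries a leading slash in front of `$home_dir`, which params.pp sets to `/home/acme_vault`, so the title resolves to `//home/acme_vault/<domain>.sh`; the kernel collapses the double slash, but the title no longer matches `${home_dir}/${domain}.sh` elsewhere, so Puppet's duplicate-resource detection and any `require`/`notify` on that path will miss it. Changing it to `file { "${home_dir}/${domain}.sh":` fixes this. The `$domains.each` block continues past the end of the hunk, so the remaining attributes of the resource are not visible here.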