Merge pull request #195 from lsst-it/IT-1827/letsencrypt

add profile::core::letsencrypt
lsst-it · Aug 4, 2020 · 6a820c8 · 6a820c8
2 parents 794aebe + 10422a8
commit 6a820c8
Show file tree

Hide file tree

Showing 4 changed files with 71 additions and 0 deletions.
diff --git a/Puppetfile b/Puppetfile
@@ -85,6 +85,11 @@ mod 'simp/gnome', '8.1.1'
 mod 'simp/polkit', '6.2.0'
 mod 'simp/simplib', '3.15.3'
 
+# latest puppet/letsencrypt release does not include dns_route53 plugin support
+mod 'puppet/letsencrypt',
+  git: 'https://github.com/voxpupuli/puppet-letsencrypt',
+  ref: 'c16fe95a432564a3ac62eb7f56dfafb06d207218'
+
 mod 'lsst/ccs_database',
   git: 'https://github.com/lsst-it/puppet-ccs_database.git',
   ref: 'v0.1.0'

diff --git a/hieradata/org/lsst.yaml b/hieradata/org/lsst.yaml
@@ -191,3 +191,5 @@ rsyslog::config::actions:
 yum::plugin::versionlock:
   # trigger `yum clean all`
   clean: true
+
+letsencrypt::email: "rubinobs-it-las@lsst.org"
diff --git a/hieradata/site/dev.yaml b/hieradata/site/dev.yaml
@@ -103,3 +103,5 @@ accounts::user_list:
 # Stop iptables by default - the default rules are highly restrictive to the
 # point of harm and we don't have a meaningful permission set to make this useful.
 firewall::ensure: "stopped"
+
+letsencrypt::server: "https://acme-staging.api.letsencrypt.org/directory"  # testing url
diff --git a/site/profile/manifests/core/letsencrypt.pp b/site/profile/manifests/core/letsencrypt.pp
@@ -0,0 +1,62 @@
+# @summary Support for dns auth letsencrypt certs
+#
+# @example
+#   class profile::core::perfsonar {
+#     include profile::core::letsencrypt
+#     include augeas  # needed by perfsonar
+#
+#     $fqdn    = $facts['fqdn']
+#     $le_root = "/etc/letsencrypt/live/${fqdn}"
+#
+#     letsencrypt::certonly { $fqdn:
+#       plugin      => 'dns-route53',
+#       manage_cron => true,
+#     } ->
+#     class { '::perfsonar':
+#       manage_apache      => true,
+#       remove_root_prompt => true,
+#       ssl_cert           => "${le_root}/cert.pem",
+#       ssl_chain_file     => "${le_root}/fullchain.pem",
+#       ssl_key            => "${le_root}/privkey.pem",
+#     }
+#  }
+#
+# @param certonly
+#   Hash of `letsencrypt::certonly` defined types to create.
+#   See: https://github.com/voxpupuli/puppet-letsencrypt/blob/master/manifests/certonly.pp
+#
+# @param aws_credentials
+#   `.aws/credentials` format string for aws route53 credentials
+class profile::core::letsencrypt(
+  Optional[Hash[String, Hash]] $certonly = undef,
+  Optional[String] $aws_credentials      = undef,
+) {
+  include ::letsencrypt
+  include ::letsencrypt::plugin::dns_route53
+
+  # XXX https://github.com/voxpupuli/puppet-letsencrypt/issues/230
+  ensure_packages(['python2-futures.noarch'])
+
+  if ($certonly) {
+    ensure_resources('letsencrypt::certonly', $certonly)
+  }
+
+  if ($aws_credentials) {
+    file {
+      '/root/.aws':
+        ensure => directory,
+        mode   => '0700',
+        backup => false,
+      ;
+      '/root/.aws/credentials':
+        ensure  => file,
+        mode    => '0600',
+        backup  => false,
+        content => $aws_credentials,
+      ;
+    }
+
+    # aws credentials required by dns_route53 plugin.
+    File['/root/.aws/credentials'] -> Letsencrypt::Certonly<| |>
+  }
+}