Puppet Class: certspotter

Defined in:
modules/certspotter/manifests/init.pp

Overview

Parameters:

  • alert_email (String)
  • monitor_domains (Array[Stdlib::Fqdn])


# File 'modules/certspotter/manifests/init.pp', line 22

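# @summary Runs certspotter on a systemd timer to watch Certificate
#   Transparency logs for certificates issued for the configured domains and
#   mails the job output to $alert_email.
#
# @param alert_email
#   Address exported as MAILTO to the timer job. send_mail_only_on_error is
#   false, so every run's output is mailed, not just failures.
# @param monitor_domains
#   FQDNs to watch; rendered into the watchlist file by
#   certspotter/watchlist.erb (template not visible here).
class certspotter(
  String              $alert_email,
  Array[Stdlib::Fqdn] $monitor_domains,
) {

    ensure_packages(['certspotter'])

    $homedir = '/var/lib/certspotter'
    $statedir = "${homedir}/state"
    $configdir = '/etc/certspotter'
    $watchlist = "${configdir}/watchlist"
    $ctlogslist = "${configdir}/ctlogslist.json"

    # Dedicated unprivileged account; the timer job below runs as it.
    # NOTE(review): a systemd-run job does not need an interactive shell, so
    # /usr/sbin/nologin would be tighter -- confirm how systemd::sysuser
    # handles `shell` before changing it.
    systemd::sysuser { 'certspotter':
        home_dir    => $homedir,
        shell       => '/bin/sh',
        description => 'certspotter user',
    }

    # Configuration is root-owned and read-only for everyone else: the
    # certspotter user only needs to read it and must not be able to edit
    # its own watchlist or log list.
    file { $configdir:
        ensure => directory,
        owner  => 'root',
        group  => 'root',
        mode   => '0755',
    }

    file { $watchlist:
        ensure  => present,
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        content => template('certspotter/watchlist.erb'),
    }

    # Static copy of the CT log list shipped with the module, so the set of
    # logs queried is controlled by Puppet rather than fetched at runtime.
    file { $ctlogslist:
        ensure  => present,
        owner   => 'root',
        group   => 'root',
        mode    => '0444',
        content => file('certspotter/ctlogslist.json'),
    }

    # -start_at_end makes the first run begin at the current end of each log
    # (per certspotter's flag semantics), so certificates issued before this
    # host was deployed are not reported; state under $statedir tracks the
    # position between runs.
    $cmd = "/usr/bin/certspotter -watchlist ${watchlist} -start_at_end -logs ${ctlogslist} -state_dir ${statedir}"
    systemd::timer::job { 'certspotter':
        ensure                  => present,
        description             => 'Run certspotter periodically to monitor for issuance of certificates',
        command                 => $cmd,
        send_mail               => true,
        send_mail_only_on_error => false,
        environment             => { 'MAILTO' => $alert_email },
        user                    => 'certspotter',
        # Re-run 30 minutes after the previous run finished, with a per-host
        # splay so a fleet does not hit the CT logs in lockstep.
        interval                => {'start' => 'OnUnitInactiveSec', 'interval' => '30min'},
        splay                   => fqdn_rand(300, 'certspotter'),
        require                 => [
            User['certspotter'],
            Package['certspotter'],
            File[$watchlist],
            # Passed via -logs; ordering on it was missing, so the first run
            # could otherwise race the creation of the log list.
            File[$ctlogslist],
        ],
    }

}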