# File 'modules/profile/manifests/acme_chief.pp', line 35
# Profile wrapping acme_chief::server.
#
# Merges the host-specific certificate set with the fleet-wide shared set,
# refuses any certificate whose CN or SNI list ends in an internal domain
# (presumably so internal hostnames never end up in a publicly issued
# certificate), and optionally installs the TLS client certificate while
# guarding against overwriting the Puppet CA certificate.
#
# @param accounts ACME account definitions, passed through to acme_chief::server.
# @param certificates Certificates requested on this host.
# @param shared_acme_certificates Certificates shared across hosts
#   (certificates::acme_chief, default empty); merged with $certificates.
# @param challenges Challenge configuration, passed through unchanged.
# @param http_proxy Optional proxy URL handed to acme_chief::server.
# @param active_host FQDN of the active acme-chief instance.
# @param passive_host Passive instance(s): a single string or a list of FQDNs.
# @param authdns_servers Map of authoritative DNS server FQDN => address;
#   only the keys are forwarded to acme_chief::server.
# @param watchdog_sec Watchdog interval in seconds (default 600).
# @param ssl_client_certificate Path of the client certificate file.
# @param ssl_client_certificate_source Optional source for that file; when
#   unset, the file is not managed by this profile.
class profile::acme_chief (
  Hash[String, Hash[String, String]] $accounts = lookup('profile::acme_chief::accounts'),
  Hash[String, Acme_chief::Certificate] $certificates = lookup('profile::acme_chief::certificates'),
  Hash[String, Acme_chief::Certificate] $shared_acme_certificates = lookup('certificates::acme_chief', {default_value => {}}),
  Hash[String, Hash[String, Any]] $challenges = lookup('profile::acme_chief::challenges'),
  Optional[Stdlib::HTTPUrl] $http_proxy = lookup('http_proxy', {default_value => undef}),
  Stdlib::Fqdn $active_host = lookup('profile::acme_chief::active'),
  Variant[String, Array[Stdlib::Fqdn]] $passive_host = lookup('profile::acme_chief::passive'),
  Hash[Stdlib::Fqdn, Stdlib::IP::Address::Nosubnet] $authdns_servers = lookup('authdns_servers'),
  Integer $watchdog_sec = lookup('profile::acme_chief::watchdog_sec', {default_value => 600}),
  Stdlib::Unixpath $ssl_client_certificate = lookup('profile::acme_chief::ssl_client_certificate'),
  Optional[Stdlib::Filesource] $ssl_client_certificate_source = lookup('profile::acme_chief::ssl_client_certificate_source'),
) {
  # Domain suffixes that must never appear in a requested certificate name.
  $internal_domains = ['wmnet']

  # Shared certificates are merged on top of the host-specific ones.
  $acme_chief_certificates = $certificates + $shared_acme_certificates

  # Validate every name before anything is declared: fail() aborts the
  # catalog, so a bad entry prevents the whole profile from applying.
  each($acme_chief_certificates) |$cert, $config| {
    if stdlib::end_with($config['CN'], $internal_domains) {
      fail("${cert} CN (${config['CN']}) contains internal domain")
    }
    each($config['SNI']) |$sni| {
      if stdlib::end_with($sni, $internal_domains) {
        fail("${cert} SNI (${sni}) contains internal domain")
      }
    }
  }

  if $ssl_client_certificate_source {
    # Never let the managed client certificate replace the CA certificate
    # the Puppet agent itself trusts.
    $puppet_ca_cert = $facts['puppet_config']['localcacert']
    if $ssl_client_certificate == $puppet_ca_cert {
      $msg = @(MSG/L)
        If you set \$ssl_client_certificate_source you must also change \$ssl_client_certificate \
        to avoid overwriting the puppet ca cert
        |- MSG
      fail($msg)
    }

    # World-readable is fine here: this is a certificate, not a private key.
    file { $ssl_client_certificate:
      ensure => file,
      mode   => '0444',
      source => $ssl_client_certificate_source,
    }
  }

  # Everything else is delegated to the acme_chief server class.
  class { '::acme_chief::server':
    accounts               => $accounts,
    certificates           => $acme_chief_certificates,
    challenges             => $challenges,
    http_proxy             => $http_proxy,
    active_host            => $active_host,
    passive_host           => $passive_host,
    authdns_hosts          => keys($authdns_servers),
    watchdog_sec           => $watchdog_sec,
    ssl_client_certificate => $ssl_client_certificate,
  }
}