Puppet Class: profile::acme_chief

Defined in:
modules/profile/manifests/acme_chief.pp

Overview

Parameters:

  • accounts (Hash[String, Hash[String, String]]) (defaults to: lookup('profile::acme_chief::accounts'))
  • certificates (Hash[String, Acme_chief::Certificate]) (defaults to: lookup('profile::acme_chief::certificates'))
  • shared_acme_certificates (Hash[String, Acme_chief::Certificate]) (defaults to: lookup('certificates::acme_chief', {default_value => {}}))
  • challenges (Hash[String, Hash[String, Any]]) (defaults to: lookup('profile::acme_chief::challenges'))
  • http_proxy (Optional[Stdlib::HTTPUrl]) (defaults to: lookup('http_proxy', {default_value => undef}))
  • active_host (Stdlib::Fqdn) (defaults to: lookup('profile::acme_chief::active'))
  • passive_host (Variant[String, Array[Stdlib::Fqdn]]) (defaults to: lookup('profile::acme_chief::passive'))
  • authdns_servers (Hash[Stdlib::Fqdn, Stdlib::IP::Address::Nosubnet]) (defaults to: lookup('authdns_servers'))
  • watchdog_sec (Integer) (defaults to: lookup('profile::acme_chief::watchdog_sec', {default_value => 600}))
  • ssl_client_certificate (Stdlib::Unixpath) (defaults to: lookup('profile::acme_chief::ssl_client_certificate'))
  • ssl_client_certificate_source (Optional[Stdlib::Filesource]) (defaults to: lookup('profile::acme_chief::ssl_client_certificate_source'))


# File 'modules/profile/manifests/acme_chief.pp', line 35

# @summary Assemble the certificate set acme-chief should manage and declare
#   acme_chief::server with it.
#
# Before any resource is declared, every certificate CN and every SNI entry is
# checked against the internal domain suffixes; a match aborts catalog
# compilation via fail(), so an internal hostname is never handed to the ACME
# issuance pipeline. The optional client-CA bundle is only managed as a file
# when a source is supplied, and never at the path of the puppet CA cert.
#
# @param accounts
#   ACME account definitions, passed unchanged to acme_chief::server.
# @param certificates
#   Profile-local certificate definitions.
# @param shared_acme_certificates
#   Certificate definitions shared via the 'certificates::acme_chief' key;
#   merged on top of $certificates (same name: shared entry wins).
# @param challenges
#   Challenge configuration, passed unchanged to acme_chief::server.
# @param http_proxy
#   Optional outbound proxy URL handed to acme_chief::server.
# @param active_host
#   FQDN of the host that performs issuance.
# @param passive_host
#   Standby host(s); a single string or a list of FQDNs.
# @param authdns_servers
#   Authoritative DNS servers keyed by FQDN; only the keys are forwarded.
# @param watchdog_sec
#   Watchdog interval (seconds) for the acme-chief service.
# @param ssl_client_certificate
#   Path of the CA bundle used to verify client certificates.
# @param ssl_client_certificate_source
#   When set, $ssl_client_certificate is managed as a file from this source.
class profile::acme_chief (
    Hash[String, Hash[String, String]] $accounts = lookup('profile::acme_chief::accounts'),
    Hash[String, Acme_chief::Certificate] $certificates = lookup('profile::acme_chief::certificates'),
    Hash[String, Acme_chief::Certificate] $shared_acme_certificates = lookup('certificates::acme_chief', {default_value => {}}),
    Hash[String, Hash[String, Any]] $challenges = lookup('profile::acme_chief::challenges'),
    Optional[Stdlib::HTTPUrl] $http_proxy = lookup('http_proxy', {default_value => undef}),
    Stdlib::Fqdn $active_host = lookup('profile::acme_chief::active'),
    Variant[String, Array[Stdlib::Fqdn]] $passive_host = lookup('profile::acme_chief::passive'),
    Hash[Stdlib::Fqdn, Stdlib::IP::Address::Nosubnet] $authdns_servers = lookup('authdns_servers'),
    Integer $watchdog_sec = lookup('profile::acme_chief::watchdog_sec', {default_value => 600}),
    Stdlib::Unixpath $ssl_client_certificate = lookup('profile::acme_chief::ssl_client_certificate'),
    Optional[Stdlib::Filesource] $ssl_client_certificate_source = lookup('profile::acme_chief::ssl_client_certificate_source'),
) {
    # Name suffixes that must never end up on a publicly issued certificate.
    $forbidden_suffixes = ['wmnet']

    # Hash merge: for a duplicate certificate name the right-hand operand
    # (the shared definition) replaces the profile-local one.
    $all_certificates = $certificates + $shared_acme_certificates

    $all_certificates.each |$cert_name, $config| {
        $cn = $config['CN']
        if $cn.stdlib::end_with($forbidden_suffixes) {
            fail("${cert_name} CN (${cn}) contains internal domain")
        }
        # NOTE(review): assumes every definition carries an 'SNI' list; an
        # undef value would make this each() call fail at compile time —
        # confirm against the Acme_chief::Certificate type alias.
        $config['SNI'].each |$sni| {
            if $sni.stdlib::end_with($forbidden_suffixes) {
                fail("${cert_name} SNI (${sni}) contains internal domain")
            }
        }
    }

    if $ssl_client_certificate_source {
        # Refuse to manage the bundle at the agent's own CA cert path: the
        # file resource below would silently replace the puppet CA.
        if $facts['puppet_config']['localcacert'] == $ssl_client_certificate {
            $ca_clash_msg = @(MSG/L)
            If you set \$ssl_client_certificate_source you must also change \$ssl_client_certificate \
            to avoid overwriting the puppet ca cert
            |- MSG
            fail($ca_clash_msg)
        }
        # CA bundles are public material, hence world-readable.
        file { $ssl_client_certificate:
            ensure => file,
            mode   => '0444',
            source => $ssl_client_certificate_source,
        }
    }

    class { '::acme_chief::server':
        accounts               => $accounts,
        certificates           => $all_certificates,
        challenges             => $challenges,
        http_proxy             => $http_proxy,
        active_host            => $active_host,
        passive_host           => $passive_host,
        authdns_hosts          => keys($authdns_servers),
        watchdog_sec           => $watchdog_sec,
        ssl_client_certificate => $ssl_client_certificate,
    }
}