All patches and comments are welcome. Please squash your changes into logical
commits before sending them with git-format-patch and git-send-email to
patches@git.madduck.net.
If you'd read over the Git project's submission guidelines and adhered to them,
I'd be especially grateful.
# --- body of the module's main class (presumably `class acmessl (`; its header
# line is not in view) ---
# Wires the helper classes together.  Only the parameters and declarations
# visible on this page are documented here.
2 String[1] $username = 'acmecert',
3 String[1] $homedir = '/var/lib/acmecert',
# NOTE(review): $nsupdate_key is a shared secret (presumably a TSIG key for
# nsupdate -- confirm).  As a plain String it is carried in the catalog and may
# be echoed in reports and logs; declaring it as Sensitive[String[1]] would have
# Puppet redact it there.  The same applies to acmessl::pullconfig below.
4 String[1] $nsupdate_key,
7 Optional[String[1]] $emailaddress = undef,
# Certificates are read from a fixed subdirectory of the service user's home.
9 $certsdir = "$homedir/certs"
11 include acmessl::tools
12 include acmessl::rehash
14 class { "acmessl::user":
18 class { "acmessl::pullconfig":
21 dnsserver => $dnsserver,
23 nsupdate_key => $nsupdate_key,
24 certsdir => $certsdir,
25 emailaddress => $emailaddress,
27 class { "acmessl::sslfiles":
28 certsdir => $certsdir,
# Installs the ACME-issued certificate, its issuer chain and the private key
# under /etc/ssl, then triggers the system CA rehash.  The owner/group/mode
# lines of the three file resources are not shown on this page.
32 class acmessl::sslfiles (
33 Stdlib::Absolutepath $certsdir,
# Fall back to the legacy flat fact set when the structured `networking` fact
# is absent (older facter).
36 $netfacts = $facts[networking] ? { undef => $facts, default => $facts[networking] }
37 $fqdn = $netfacts[fqdn]
# Host certificate.  The notify re-runs update-ca-certificates, which also
# rehashes this directory (see acmessl::rehash).
38 file { "/etc/ssl/certs/${fqdn}.pem":
43 source => "${certsdir}/cert.pem",
44 notify => Exec["update-ca-certificates"],
# Issuer chain dropped into the system cert directory, presumably so CApath
# lookups can complete the chain.  The file name is hard-coded while the
# content is whatever chain.pem holds, so the name goes stale as soon as the
# CA rotates its intermediate.
# NOTE(review): $certsdir lives under the unprivileged ACME user's home
# ($homedir/certs in the main class), so any PEM that account writes to
# chain.pem is copied -- presumably as root -- into /etc/ssl/certs and
# hash-indexed by `update-ca-certificates --fresh`.  A compromised service
# account could thereby plant a trust anchor for CApath-based verifiers;
# confirm that is acceptable, or check the issuer before installing the file.
46 file { "/etc/ssl/certs/Lets_Encrypt_Authority_X3.pem":
51 source => "${certsdir}/chain.pem",
52 notify => Exec["update-ca-certificates"],
# Private key.  NOTE(review): the owner/group/mode attributes are not shown
# here; make sure the copy is root:ssl-cert 0640 (or tighter) -- the ssl-cert
# package pulled in by acmessl::tools provides that group -- and that the
# source key is not world-readable inside $certsdir either.
54 file { "/etc/ssl/private/${fqdn}.pem":
59 source => "${certsdir}/privkey.pem",
# Generates the dehydrated configuration, hook and wrapper scripts for the
# service user, then registers the ACME account and installs the renewal
# schedule.  Several parameters ($dnszone, $dnsserver) and the common file
# attributes sit on lines not shown on this page.
64 class acmessl::pullconfig (
66 Stdlib::Absolutepath $homedir,
67 Stdlib::Absolutepath $certsdir,
# NOTE(review): shared secret -- consider Sensitive[String[1]] so Puppet
# redacts it from logs and reports.
70 String[1] $nsupdate_key,
71 Optional[Array[String[1]]] $dns_alt_names = undef,
72 Optional[String[1]] $emailaddress = undef,
74 $confdir = "$homedir/dehydrated"
75 $basedir = "$confdir/spool"
76 $logsdir = "$homedir/logs"
# The key is expected as exactly two space-separated words; $dnszone is spliced
# between them.  NOTE(review): split(' ') does not tolerate extra whitespace
# (a third word is silently dropped), and the assembled string is written into
# nsupdate-wrapper below -- verify that file is 0600 for the service user and
# that the template hands the secret to nsupdate via a key file rather than as
# a command-line argument visible to every local user in `ps`.
77 $_keyparts = $nsupdate_key.split(' ')
78 $key = "${_keyparts[0]}:$dnszone:${_keyparts[1]}"
# Legacy-fact fallback, same as in acmessl::sslfiles.
79 $netfacts = $facts[networking] ? { undef => $facts, default => $facts[networking] }
80 $fqdn = $netfacts[fqdn]
# SANs are joined with spaces for domains.txt (the undef branch is not shown).
81 $_dns_alt_names = $dns_alt_names ? {
83 default => $dns_alt_names.join(' '),
# Anything containing '@' is used as-is; otherwise the host FQDN is appended.
# The regex is unanchored, so a surrounding-whitespace value passes unchanged.
85 $_emailaddress = $emailaddress ? {
87 /.+@.+/ => $emailaddress,
88 default => "${emailaddress}@${netfacts[fqdn]}",
# Rendered config and scripts; their owner/mode attributes are on lines not
# shown here.
104 "$confdir/dehydrated.conf":
106 content => epp("acmessl/dehydrated.conf.epp", {
108 emailaddress => $_emailaddress,
# Single line: primary name followed by the SANs.
111 "$confdir/domains.txt":
113 content => "$fqdn $_dns_alt_names\n",
115 "$confdir/dehydrated-wrapper":
117 content => epp("acmessl/dehydrated-wrapper.epp", {
# Challenge hook (presumably dns-01): talks to $dnsserver and deploys the
# issued files into $certsdir.
121 "$confdir/dehydrated-hook":
123 content => epp("acmessl/dehydrated-hook.epp", {
124 dnsserver => $dnsserver,
126 deploydir => $certsdir,
# Receives the assembled key string built from $nsupdate_key above.
129 "$confdir/nsupdate-wrapper":
131 content => epp("acmessl/nsupdate-wrapper.epp", {
132 nsupdate_key => $key,
141 class { "acmessl::register":
147 class { "acmessl::schedule":
# Daily renewal run through the generated wrapper.  The exec's user, path and
# logging attributes are on lines not shown on this page.
153 class acmessl::schedule (
155 Stdlib::Absolutepath $confdir,
157 schedule { "Try to renew ACME certificates once a day":
# NOTE(review): confirm the exec carries `user => <service account>`; without
# it the wrapper -- and the DNS hook holding the update key -- runs as the
# agent user, typically root.
160 exec { "$confdir/dehydrated-wrapper --cron":
161 require => [ Class["acmessl::tools"]
162 , Class["acmessl::pullconfig"]
163 , Class["acmessl::register"]
168 schedule => "Try to renew ACME certificates once a day",
# Packages needed by the generated scripts: the dehydrated client, dnsutils
# (presumably for nsupdate), ssl-cert (provides the ssl-cert group) and
# gnutls-bin.
172 class acmessl::tools {
173 ensure_packages( [ 'dehydrated', 'dnsutils', 'ssl-cert', 'gnutls-bin' ], {
# Debian's self-signed placeholder pair; the attributes applied to them are on
# lines not shown here (presumably removal -- confirm).
177 file { [ "/etc/ssl/certs/ssl-cert-snakeoil.pem"
178 , "/etc/ssl/private/ssl-cert-snakeoil.key" ]:
# One-time ACME account registration.  Idempotent via `creates`: once the
# accounts directory exists the command is never run again.
183 class acmessl::register (
185 Stdlib::Absolutepath $confdir,
186 Stdlib::Absolutepath $basedir,
# NOTE(review): --accept-terms agrees to the CA's terms of service
# non-interactively on behalf of every node applying this class -- make sure
# that is intended.  As with the schedule, the `user` attribute is not shown;
# confirm the exec runs as the service account, not root.
188 exec { "Register with Letsencrypt":
189 require => [ Class["acmessl::tools"]
190 , Class["acmessl::pullconfig"]
192 creates => "$basedir/accounts",
193 command => "$confdir/dehydrated-wrapper --register --accept-terms",
# Unprivileged service account that runs dehydrated.  The remaining user
# attributes are on lines not shown on this page.
200 class acmessl::user (
202 Stdlib::Absolutepath $homedir,
211 comment => "ACME certificate manager,,,",
# No interactive login for the account.
215 shell => "/usr/sbin/nologin",
# Removes any authorized_keys entry not managed by Puppet, so a stray key
# cannot turn this account into an SSH foothold.
216 purge_ssh_keys => true,
229 class acmessl::rehash {
230 ensure_resource("exec", "update-ca-certificates", {
231 command => "update-ca-certificates --fresh",
232 path => "/usr/sbin:/usr/bin:/sbin:/bin",
233 cwd => "/etc/ssl/certs",