diff --git a/.fixtures.yml b/.fixtures.yml
index d9d05bf..adba068 100644
--- a/.fixtures.yml
+++ b/.fixtures.yml
@@ -1,12 +1,12 @@
 fixtures:
   repositories:
-    epel: 'https://github.com/stahnma/puppet-module-epel.git'
+    epel: 'https://github.com/voxpupuli/puppet-epel.git'
     inifile: 'https://github.com/puppetlabs/puppetlabs-inifile.git'
     stdlib: 'https://github.com/puppetlabs/puppetlabs-stdlib.git'
     vcsrepo: 'https://github.com/puppetlabs/puppetlabs-vcsrepo.git'
     yumrepo_core:
       repo: https://github.com/puppetlabs/puppetlabs-yumrepo_core.git
       puppet_version: ">= 6.0.0"
     cron_core:
       repo: https://github.com/puppetlabs/puppetlabs-cron_core.git
       puppet_version: ">= 6.0.0"
diff --git a/README.md b/README.md
index 1d9b4a7..cb077cc 100644
--- a/README.md
+++ b/README.md
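Review bot: The new `epel` fixture line gives only a repository URL and no `ref`, so every test run clones whatever the upstream default branch holds at that moment rather than a reviewed revision; for a module that configures package repositories on EL hosts, that leaves an unpinned supply-chain input in the test suite. The metadata.json hunk in this same change constrains `puppet/epel` to `>= 3.0.1 < 4.0.0`, so pinning the fixture to a matching tag would keep the two in step, e.g. `epel:` / `  repo: 'https://github.com/voxpupuli/puppet-epel.git'` / `  ref: 'v3.0.1'` — the `repo:` mapping form is already used by `yumrepo_core` and `cron_core` in this hunk, and `ref` is the key puppetlabs_spec_helper accepts for git fixtures (confirm the exact tag name upstream). The unchanged `inifile`, `stdlib` and `vcsrepo` entries have the same exposure, though this commit does not touch them.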
@@ -1,365 +1,365 @@ # Let's Encrypt [![Build Status](https://travis-ci.org/voxpupuli/puppet-letsencrypt.png?branch=master)](https://travis-ci.org/voxpupuli/puppet-letsencrypt) [![Puppet Forge](https://img.shields.io/puppetforge/v/puppet/letsencrypt.svg)](https://forge.puppetlabs.com/puppet/letsencrypt) [![Puppet Forge - downloads](https://img.shields.io/puppetforge/dt/puppet/letsencrypt.svg)](https://forge.puppetlabs.com/puppet/letsencrypt) [![Puppet Forge - endorsement](https://img.shields.io/puppetforge/e/puppet/letsencrypt.svg)](https://forge.puppetlabs.com/puppet/letsencrypt) [![Puppet Forge - scores](https://img.shields.io/puppetforge/f/puppet/letsencrypt.svg)](https://forge.puppetlabs.com/puppet/letsencrypt) [![Documentation Status](http://img.shields.io/badge/docs-puppet--strings-ff69b4.svg?style=flat)](http://voxpupuli.github.io/puppet-letsencrypt) This module installs the Let's Encrypt client from source and allows you to request certificates. ## Support This module is currently only written to work on Debian and RedHat based operating systems, although it may work on others. The supported Puppet versions are defined in the [metadata.json](metadata.json) ## Dependencies On EL (Red Hat, CentOS etc.) systems, the EPEL repository needs to be enabled for the Let's Encrypt client package. -The module can integrate with [stahnma/epel](https://forge.puppetlabs.com/stahnma/epel) +The module can integrate with [puppet/epel](https://forge.puppetlabs.com/puppet/epel) to set up the repo by setting the `configure_epel` parameter to `true` (the default for RedHat) and installing the module. 
## Usage ### Setting up the Let's Encrypt client To install the Let's Encrypt client with the default configuration settings you must provide your email address to register with the Let's Encrypt servers: ```puppet class { letsencrypt: email => 'foo@example.com', } ``` If using Ubuntu16.04 with `install_method` to default `package`, you can enforce upgrade of package from 0.4 to 0.7 with : ```puppet class { letsencrypt: email => 'foo@example.com', package_ensure => 'latest', } ``` If using EL7 without EPEL-preconfigured, add `configure_epel`: ```puppet class { letsencrypt: configure_epel => true, email => 'foo@example.com', } ``` (If you manage epel some other way, disable it with `configure_epel => false`.) This will install the Let's Encrypt client and its dependencies, agree to the Terms of Service, initialize the client, and install a configuration file for the client. Alternatively, you can specify your email address in the $config hash: ```puppet class { letsencrypt: config => { email => 'foo@example.com', server => 'https://acme-v01.api.letsencrypt.org/directory', } } ``` During testing, you probably want to direct to the staging server instead with `server => 'https://acme-staging.api.letsencrypt.org/directory'` If you don't wish to provide your email address, you can set the `unsafe_registration` parameter to `true` (this is not recommended): ```puppet class { letsencrypt: unsafe_registration => true, } ``` To request a wildcard certificate, you must use the ACME v2 endpoint and use a DNS-01 challenge. 
See https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578 ```puppet class { 'letsencrypt': config => { email => 'foo@example.com', server => 'https://acme-v02.api.letsencrypt.org/directory', } } ``` ### Issuing certificates #### Standalone authenticator To request a certificate for `foo.example.com` using the `certonly` installer and the `standalone` authenticator: ```puppet letsencrypt::certonly { 'foo.example.com': } ``` #### Apache authenticator To request a certificate for `foo.example.com` and `bar.example.com` with the `certonly` installer and the `apache` authenticator: ```puppet letsencrypt::certonly { 'foo': domains => ['foo.example.com', 'bar.example.com'], plugin => 'apache', } ``` #### Webroot plugin To request a certificate using the `webroot` plugin, the paths to the webroots for all domains must be given through `webroot_paths`. If `domains` and `webroot_paths` are not the same length, the last `webroot_paths` element will be used for all subsequent domains. ```puppet letsencrypt::certonly { 'foo': domains => ['foo.example.com', 'bar.example.com'], plugin => 'webroot', webroot_paths => ['/var/www/foo', '/var/www/bar'], } ``` #### dns-rfc2136 plugin To request a certificate using the `dns-rfc2136` plugin, you will at a minimum need to pass `server`, `key_name` and `key_secret` to the class `letsencrypt::plugin::dns_rfc2136`. Ideally the key secret should be encrypted, eg. with eyaml if using Hiera. It's also recommended to only enable access to the specific DNS records needed by the Let's Encrypt client. 
Plugin documentation and it's parameters can be found here: https://certbot-dns-rfc2136.readthedocs.io Parameter defaults: - `key_algorithm` HMAC-SHA512 - `port` 53 - `propagation_seconds` 10 (the plugin defaults to 60) Example: ```puppet class { 'letsencrypt::plugin::dns_rfc2136': server => '192.0.2.1', key_name => 'certbot', key_secret => '[...]==', } letsencrypt::certonly { 'foo': domains => ['foo.example.com', 'bar.example.com'], plugin => 'dns-rfc2136', } ``` #### Additional arguments If you need to pass a command line flag to the `letsencrypt-auto` command that is not supported natively by this module, you can use the `additional_args` parameter to pass those arguments: ```puppet letsencrypt::certonly { 'foo': domains => ['foo.example.com', 'bar.example.com'], plugin => 'apache', additional_args => ['--foo bar', '--baz quuz'], } ``` ### Renewing certificates There are two ways to automatically renew certificates with cron using this module. #### cron using certbot renew All installed certificates will be renewed using `certbot renew` using their original settings, including any not managed by Puppet. * `renew_cron_ensure` manages the cron resource. Set to `present` to enable. Default: `absent` * `renew_cron_minute` sets minute(s) to run the cron job. Default: Seeded random minute * `renew_cron_hour` sets hour(s) to run the cron job. Default: Seeded random hour * `renew_cron_monthday` sets month day(s) to run the cron job. Default: Every day ```puppet class { 'letsencrypt': config => { email => 'foo@example.com', server => 'https://acme-v01.api.letsencrypt.org/directory', }, renew_cron_ensure: 'present', } ``` With Hiera, at 6 AM (roughly) every other day: ```yaml --- letsencrypt::renew_cron_ensure: 'present' letsencrypt::renew_cron_minute: 0 letsencrypt::renew_cron_hour: 6 letsencrypt::renew_cron_monthday: '1-31/2' ``` #### cron using certbot certonly Only specific certificates will be renewed using `certbot certonly`. 
* `manage_cron` can be used to automatically renew the certificate * `cron_success_command` can be used to run a shell command on a successful renewal * `cron_before_command` can be used to run a shell command before a renewal * `cron_monthday` can be used to specify one or multiple days of the month to run the cron job (defaults to every day) * `cron_hour` can be used to specify hour(s) to run the cron job (defaults to a seeded random hour) * `cron_minute` can be used to specify minute(s) to run the cron job (defaults to a seeded random minute) * `suppress_cron_output` can be used to disable output (and resulting emails) generated by the cron command ```puppet letsencrypt::certonly { 'foo': domains => ['foo.example.com', 'bar.example.com'], manage_cron => true, cron_hour => [0,12], cron_minute => '30', cron_before_command => 'service nginx stop', cron_success_command => '/bin/systemctl reload nginx.service', suppress_cron_output => true, } ``` #### Deprovisioning If a domain needs to be removed for any reason this can be done by setting `ensure` to 'absent', this will remove the certificates for this domain from the server. If `manage_cron` is set to true, the certificate renewal cronjob and shell scripts for the domain will also be removed. ```puppet letsencrypt::certonly { 'foo': ensure => 'absent', domains => ['foo.example.com', 'bar.example.com'], manage_cron => true, } ``` ## Hooks Certbot supports hooks since certbot v0.5.0, however this module uses the newer `--deploy-hook` replacing the deprecated `--renew-hook`. Because of this the minimum version you will need to manage hooks with this module is v0.17.0. All hook command parameters support both string and array. **Note on certbot hook behavior:** Hooks created by `letsencrypt::certonly` will be configured in the renewal config file of the certificate by certbot (stored in CONFIG_DIR/renewal/), which means all hooks created this way are used when running `certbot renew` without hook arguments. 
This allows you to easily create individual hooks for each certificate with just one cron job for renewal. HOWEVER, when running `certbot renew` with any of the hook arguments (setting any of the `letsencrypt::renew_*_hook_commands` parameters), hooks of the corresponding types in all renewal configs will be ignored by certbot. It's recommended to keep these two ways of using hooks mutually exclusive to avoid confusion. Cron jobs created by `letsencrypt::certonly` are unaffected as they renew certificates directly using `certbot certonly`. ### certbot certonly Hooks created with `letsencrypt::certonly` will behave the following way: * `pre` hooks will be run before each certificate is attempted issued or renewed, even if the action fails. * `post` hooks will be run after each certificate is attempted issued or renewed, even if the action fails. * `deploy` hooks will be run after successfully issuing or renewing each certificate. It will not be run if no action is taken or if the action fails. ```puppet letsencrypt::certonly { 'foo': domains => ['foo.example.com', 'bar.example.com'], pre_hook_commands => ['...'], post_hook_commands => ['...'], deploy_hook_commands => ['...'], } ``` ### certbot renew Hooks passed to `certbot renew` will behave the following way: * `pre` hook will be run once total before any certificates are attempted issued or renewed. It will not be run if no actions are taken. Overrides all pre hooks created by `letsencrypt::certonly`. * `post` hook will be run once total after all certificates are issued or renewed. It will not be run if no actions are taken. Overrides all post hooks created by `letsencrypt::certonly`. * `deploy` hook will be run once for each successfully issued or renewed certificate. It will not be run otherwise. Overrides all deploy hooks created by `letsencrypt::certonly`. 
```puppet class { 'letsencrypt': config => { email => 'foo@example.com', server => 'https://acme-v01.api.letsencrypt.org/directory', }, renew_pre_hook_commands: [...], renew_post_hook_commands: [...], renew_deploy_hook_commands: [...], } ``` With Hiera: ```yaml --- letsencrypt::renew_pre_hook_commands: - '...' letsencrypt::renew_post_hook_commands: - '...' letsencrypt::renew_deploy_hook_commands: - '...' ``` ## Facts Facts about your live certificates are available through facter. You can query the list of live certificates from puppet using `$::letsencrypt_directory` in your puppet code, hiera data or from the command line. ``` facter -p letsencrypt_directory { legacyfiles.ijc.org => "/etc/letsencrypt/live/legacyfiles.ijc.org", static.ijc.org => "/etc/letsencrypt/live/static.ijc.org", ijc.org => "/etc/letsencrypt/live/ijc.org", new.ijc.org => "/etc/letsencrypt/live/new.ijc.org", www.ijc.org => "/etc/letsencrypt/live/ijc.org", training.ijc.org => "/etc/letsencrypt/live/training.ijc.org" } ``` ## Puppet Functions This module profiles a custom puppet function `letsencrypt::letsencrypt_lookup` which allows you to load information about your certificates into puppet. This returns the same information as in the facts but for a particular domain. It accepts a single argument for your domain or wildcard domain. ## Development 1. Fork it 2. Create a feature branch 3. Write a failing test 4. Write the code to make that test pass 5. Refactor the code 6. Submit a pull request We politely request (demand) tests for all new features. Pull requests that contain new features without a test will not be considered. If you need help, just ask! diff --git a/REFERENCE.md b/REFERENCE.md index 9c6e144..c3459d5 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -1,813 +1,811 @@ # Reference ## Table of Contents **Classes** _Public Classes_ * [`letsencrypt`](#letsencrypt): Install and configure Certbot, the LetsEncrypt client * [`letsencrypt::install`](#letsencryptinstall): Installs the Let's Encrypt client. * [`letsencrypt::plugin::dns_rfc2136`](#letsencryptplugindns_rfc2136): Installs and configures the dns-rfc2136 plugin * [`letsencrypt::renew`](#letsencryptrenew): Configures renewal of Let's Encrypt certificates using Certbot _Private Classes_ * `letsencrypt::config`: Configures the Let's Encrypt client. **Defined types** * [`letsencrypt::certonly`](#letsencryptcertonly): Request a certificate using the `certonly` installer * [`letsencrypt::hook`](#letsencrypthook): Creates hook scripts. **Functions** -* [`letsencrypt::letsencrypt_lookup`](#letsencryptletsencrypt_lookup): +* [`letsencrypt::letsencrypt_lookup`](#letsencryptletsencrypt_lookup): **Data types** * [`Letsencrypt::Cron::Hour`](#letsencryptcronhour): mimic hour setting in cron as defined in man 5 crontab * [`Letsencrypt::Cron::Minute`](#letsencryptcronminute): mimic minute setting in cron as defined in man 5 crontab * [`Letsencrypt::Cron::Monthday`](#letsencryptcronmonthday): mimic monthday setting in cron as defined in man 5 crontab * [`Letsencrypt::Plugin`](#letsencryptplugin): List of accepted plugins ## Classes ### letsencrypt Install and configure Certbot, the LetsEncrypt client #### Examples -##### - ```puppet class { 'letsencrypt' : email => 'letsregister@example.com', config => { 'server' => 'https://acme-staging-v02.api.letsencrypt.org/directory', }, } ``` #### Parameters The following parameters are available in the `letsencrypt` class. ##### `email` Data type: `Optional[String]` The email address to use to register with Let's Encrypt. This takes precedence over an 'email' setting defined in $config. Default value: `undef` ##### `path` Data type: `String` The path to the letsencrypt installation. 
Default value: '/opt/letsencrypt' ##### `venv_path` Data type: `Any` virtualenv path for vcs-installed Certbot Default value: '/opt/letsencrypt/.venv' ##### `environment` Data type: `Array` An optional array of environment variables (in addition to VENV_PATH) Default value: [] ##### `repo` Data type: `String` A Git URL to install the Let's encrypt client from. Default value: 'https://github.com/certbot/certbot.git' ##### `version` Data type: `String` The Git ref (tag, sha, branch) to check out when installing the client with the `vcs` method. Default value: 'v0.39.0' ##### `package_name` Data type: `String` Name of package and command to use when installing the client with the `package` method. Default value: 'certbot' ##### `package_ensure` Data type: `Any` The value passed to `ensure` when installing the client with the `package` method. Default value: 'installed' ##### `package_command` Data type: `String` Path or name for letsencrypt executable when installing the client with the `package` method. Default value: 'certbot' ##### `config_file` Data type: `String` The path to the configuration file for the letsencrypt cli. Default value: "${config_dir}/cli.ini" ##### `config` Data type: `Hash` A hash representation of the letsencrypt configuration file. Default value: {'server' => 'https://acme-v02.api.letsencrypt.org/directory'} ##### `cron_scripts_path` Data type: `String` The path for renewal scripts called by cron Default value: "${facts['puppet_vardir']}/letsencrypt" ##### `cron_owner_group` Data type: `String` Group owner of cron renew scripts. Default value: 'root' ##### `manage_config` Data type: `Boolean` A feature flag to toggle the management of the letsencrypt configuration file. Default value: `true` ##### `manage_install` Data type: `Boolean` A feature flag to toggle the management of the letsencrypt client installation. 
Default value: `true` ##### `manage_dependencies` Data type: `Boolean` A feature flag to toggle the management of the letsencrypt dependencies. Default value: `true` ##### `configure_epel` Data type: `Boolean` A feature flag to include the 'epel' class and depend on it for package installation. ##### `install_method` Data type: `Enum['package', 'vcs']` Method to install the letsencrypt client, either package or vcs. Default value: 'package' ##### `agree_tos` Data type: `Boolean` A flag to agree to the Let's Encrypt Terms of Service. Default value: `true` ##### `unsafe_registration` Data type: `Boolean` A flag to allow using the 'register-unsafely-without-email' flag. Default value: `false` ##### `config_dir` Data type: `Stdlib::Unixpath` The path to the configuration directory. Default value: '/etc/letsencrypt' ##### `key_size` Data type: `Integer[2048]` Size for the RSA public key Default value: 4096 ##### `renew_pre_hook_commands` Data type: `Any` Array of commands to run in a shell before obtaining/renewing any certificates. Default value: [] ##### `renew_post_hook_commands` Data type: `Any` Array of commands to run in a shell after attempting to obtain/renew certificates. Default value: [] ##### `renew_deploy_hook_commands` Data type: `Any` Array of commands to run in a shell once for each successfully issued/renewed certificate. Two environmental variables are supplied by certbot: - $RENEWED_LINEAGE: Points to the live directory with the cert files and key. Example: /etc/letsencrypt/live/example.com - $RENEWED_DOMAINS: A space-delimited list of renewed certificate domains. Example: "example.com www.example.com" Default value: [] ##### `renew_additional_args` Data type: `Any` Array of additional command line arguments to pass to 'certbot renew'. Default value: [] ##### `renew_cron_ensure` Data type: `Any` Intended state of the cron resource running certbot renew. 
Default value: 'absent' ##### `renew_cron_hour` Data type: `Any` Optional string, integer or array of hour(s) the renewal command should run. E.g. '[0,12]' to execute at midnight and midday. hour. Default value: fqdn_rand(24) ##### `renew_cron_minute` Data type: `Any` Optional string, integer or array of minute(s) the renewal command should run. E.g. 0 or '00' or [0,30]. Default value: fqdn_rand(60, fqdn_rand_string(10)) ##### `renew_cron_monthday` Data type: `Any` Optional string, integer or array of monthday(s) the renewal command should run. E.g. '2-30/2' to run on even days. Default value: '*' ### letsencrypt::install Installs the Let's Encrypt client. #### Parameters The following parameters are available in the `letsencrypt::install` class. ##### `manage_install` Data type: `Boolean` A feature flag to toggle the management of the letsencrypt client installation. Default value: $letsencrypt::manage_install ##### `manage_dependencies` Data type: `Boolean` A feature flag to toggle the management of the letsencrypt dependencies. Default value: $letsencrypt::manage_dependencies ##### `configure_epel` Data type: `Boolean` A feature flag to include the 'epel' class and depend on it for package installation. Default value: $letsencrypt::configure_epel ##### `install_method` Data type: `Enum['package', 'vcs']` Method to install the letsencrypt client Default value: $letsencrypt::install_method ##### `path` Data type: `String` The path to the letsencrypt installation. Default value: $letsencrypt::path ##### `repo` Data type: `String` A Git URL to install the Let's encrypt client from. Default value: $letsencrypt::repo ##### `version` Data type: `String` The Git ref (tag, sha, branch) to check out when installing the client with the `vcs` method. Default value: $letsencrypt::version ##### `package_ensure` Data type: `String` The value passed to `ensure` when installing the client with the `package` method. 
Default value: $letsencrypt::package_ensure ##### `package_name` Data type: `String` Name of package to use when installing the client with the `package` method. Default value: $letsencrypt::package_name ### letsencrypt::plugin::dns_rfc2136 This class installs and configures the Let's Encrypt dns-rfc2136 plugin. https://certbot-dns-rfc2136.readthedocs.io #### Parameters The following parameters are available in the `letsencrypt::plugin::dns_rfc2136` class. ##### `server` Data type: `Stdlib::Host` Target DNS server. ##### `key_name` Data type: `String[1]` TSIG key name. ##### `key_secret` Data type: `String[1]` TSIG key secret. ##### `key_algorithm` Data type: `String[1]` TSIG key algorithm. Default value: 'HMAC-SHA512' ##### `port` Data type: `Stdlib::Port` Target DNS port. Default value: 53 ##### `propagation_seconds` Data type: `Integer` Number of seconds to wait for the DNS server to propagate the DNS-01 challenge. Default value: 10 ##### `manage_package` Data type: `Boolean` Manage the plugin package. Default value: `true` ##### `package_name` Data type: `String[1]` The name of the package to install when $manage_package is true. ##### `config_dir` Data type: `Stdlib::Absolutepath` The path to the configuration directory. Default value: $letsencrypt::config_dir ### letsencrypt::renew Configures renewal of Let's Encrypt certificates using the certbot renew command. Note: Hooks set here will run before/after/for ALL certificates, including any not managed by Puppet. If you want to create hooks for specific certificates only, create them using letsencrypt::certonly. #### Parameters The following parameters are available in the `letsencrypt::renew` class. ##### `pre_hook_commands` Data type: `Variant[String[1], Array[String[1]]]` Array of commands to run in a shell before obtaining/renewing any certificates. 
Default value: $letsencrypt::renew_pre_hook_commands ##### `post_hook_commands` Data type: `Variant[String[1], Array[String[1]]]` Array of commands to run in a shell after attempting to obtain/renew certificates. Default value: $letsencrypt::renew_post_hook_commands ##### `deploy_hook_commands` Data type: `Variant[String[1], Array[String[1]]]` Array of commands to run in a shell once for each successfully issued/renewed certificate. Two environmental variables are supplied by certbot: - $RENEWED_LINEAGE: Points to the live directory with the cert files and key. Example: /etc/letsencrypt/live/example.com - $RENEWED_DOMAINS: A space-delimited list of renewed certificate domains. Example: "example.com www.example.com" Default value: $letsencrypt::renew_deploy_hook_commands ##### `additional_args` Data type: `Array[String[1]]` Array of additional command line arguments to pass to 'certbot renew'. Default value: $letsencrypt::renew_additional_args ##### `cron_ensure` Data type: `Enum['present', 'absent']` Intended state of the cron resource running certbot renew Default value: $letsencrypt::renew_cron_ensure ##### `cron_hour` Data type: `Letsencrypt::Cron::Hour` Optional string, integer or array of hour(s) the renewal command should run. E.g. '[0,12]' to execute at midnight and midday. Default: fqdn-seeded random hour. Default value: $letsencrypt::renew_cron_hour ##### `cron_minute` Data type: `Letsencrypt::Cron::Minute` Optional string, integer or array of minute(s) the renewal command should run. E.g. 0 or '00' or [0,30]. Default: fqdn-seeded random minute. Default value: $letsencrypt::renew_cron_minute ##### `cron_monthday` Data type: `Letsencrypt::Cron::Monthday` Optional string, integer or array of monthday(s) the renewal command should run. E.g. '2-30/2' to run on even days. Default: Every day. Default value: $letsencrypt::renew_cron_monthday ## Defined types ### letsencrypt::certonly This type can be used to request a certificate using the `certonly` installer. 
#### Parameters The following parameters are available in the `letsencrypt::certonly` defined type. ##### `ensure` Data type: `Enum['present','absent']` Intended state of the resource Will remove certificates for specified domains if set to 'absent'. Will also remove cronjobs and renewal scripts if `manage_cron` is set to 'true'. Default value: 'present' ##### `domains` Data type: `Array[String[1]]` An array of domains to include in the CSR. Default value: [$title] ##### `custom_plugin` Data type: `Boolean` Whether to use a custom plugin in additional_args and disable -a flag. Default value: `false` ##### `plugin` Data type: `Letsencrypt::Plugin` The authenticator plugin to use when requesting the certificate. Default value: 'standalone' ##### `webroot_paths` Data type: `Array[Stdlib::Unixpath]` An array of webroot paths for the domains in `domains`. Required if using `plugin => 'webroot'`. If `domains` and `webroot_paths` are not the same length, the last `webroot_paths` element will be used for all subsequent domains. Default value: [] ##### `letsencrypt_command` Data type: `String[1]` Command to run letsencrypt Default value: $letsencrypt::command ##### `additional_args` Data type: `Array[String[1]]` An array of additional command line arguments to pass to the `letsencrypt-auto` command. Default value: [] ##### `environment` Data type: `Array[String[1]]` An optional array of environment variables (in addition to VENV_PATH). Default value: [] ##### `key_size` Data type: `Integer[2048]` Size for the RSA public key Default value: $letsencrypt::key_size ##### `manage_cron` Data type: `Boolean` Indicating whether or not to schedule cron job for renewal. Runs daily but only renews if near expiration, e.g. within 10 days. 
Default value: `false` ##### `suppress_cron_output` Data type: `Boolean` Redirect cron output to devnull Default value: `false` ##### `cron_before_command` Data type: `Optional[String[1]]` Representation of a command that should be run before renewal command Default value: `undef` ##### `cron_success_command` Data type: `Optional[String[1]]` Representation of a command that should be run if the renewal command succeeds. Default value: `undef` ##### `cron_hour` Data type: `Variant[Integer[0,23], String, Array]` Optional hour(s) that the renewal command should execute. e.g. '[0,12]' execute at midnight and midday. Default - seeded random hour. Default value: fqdn_rand(24, $title) ##### `cron_minute` Data type: `Variant[Integer[0,59], String, Array]` Optional minute(s) that the renewal command should execute. e.g. 0 or '00' or [0,30]. Default - seeded random minute. Default value: fqdn_rand(60, fqdn_rand_string(10, $title)) ##### `cron_monthday` Data type: `Array[Variant[Integer[0, 59], String[1]]]` Optional string, integer or array of monthday(s) the renewal command should run. E.g. '2-30/2' to run on even days. Default: Every day. Default value: ['*'] ##### `config_dir` Data type: `Stdlib::Unixpath` The path to the configuration directory. Default value: $letsencrypt::config_dir ##### `pre_hook_commands` Data type: `Variant[String[1], Array[String[1]]]` Array of commands to run in a shell before attempting to obtain/renew the certificate. Default value: [] ##### `post_hook_commands` Data type: `Variant[String[1], Array[String[1]]]` Array of command(s) to run in a shell after attempting to obtain/renew the certificate. Default value: [] ##### `deploy_hook_commands` Data type: `Variant[String[1], Array[String[1]]]` Array of command(s) to run in a shell once if the certificate is successfully issued. Two environmental variables are supplied by certbot: - $RENEWED_LINEAGE: Points to the live directory with the cert files and key. 
Example: /etc/letsencrypt/live/example.com - $RENEWED_DOMAINS: A space-delimited list of renewed certificate domains. Example: "example.com www.example.com" Default value: [] ### letsencrypt::hook This type is used by letsencrypt::renew and letsencrypt::certonly to create hook scripts. #### Parameters The following parameters are available in the `letsencrypt::hook` defined type. ##### `type` Data type: `Enum['pre', 'post', 'deploy']` Hook type. ##### `hook_file` Data type: `String[1]` Path to deploy hook script. ##### `commands` Data type: `Variant[String[1],Array[String[1]]]` Bash commands to execute when the hook is run by certbot. ## Functions ### letsencrypt::letsencrypt_lookup Type: Ruby 4.x API The letsencrypt::letsencrypt_lookup function. #### `letsencrypt::letsencrypt_lookup(Any $cn)` The letsencrypt::letsencrypt_lookup function. Returns: `Any` ##### `cn` Data type: `Any` ## Data types ### Letsencrypt::Cron::Hour mimic hour setting in cron as defined in man 5 crontab Alias of `Variant[Integer[0,23], String[1], Array[ Variant[ Integer[0,23], String[1], ] ]]` ### Letsencrypt::Cron::Minute mimic minute setting in cron as defined in man 5 crontab Alias of `Variant[Integer[0,59], String[1], Array[ Variant[ Integer[0,59], String[1], ] ]]` ### Letsencrypt::Cron::Monthday mimic monthday setting in cron as defined in man 5 crontab Alias of `Variant[Integer[0,31], String[1], Array[ Variant[ Integer[0,31], String[1], ] ]]` ### Letsencrypt::Plugin List of accepted plugins Alias of `Enum['apache', 'standalone', 'webroot', 'nginx', 'dns-route53', 'dns-google', 'dns-cloudflare', 'dns-rfc2136']` diff --git a/metadata.json b/metadata.json index 1c1cadf..612e908 100644 --- a/metadata.json +++ b/metadata.json 
@@ -1,88 +1,88 @@ { "name": "puppet-letsencrypt", "version": "5.0.1-rc0", "author": "Vox Pupuli", "summary": "Manages lets-encrypt and certbot + related certs", "license": "Apache-2.0", "source": "https://github.com/voxpupuli/puppet-letsencrypt", "project_page": "https://github.com/voxpupuli/puppet-letsencrypt", "issues_url": "https://github.com/voxpupuli/puppet-letsencrypt/issues", "tags": [ "letsencrypt", "let's encrypt", "certbot", "acme" ], "operatingsystem_support": [ { "operatingsystem": "CentOS", "operatingsystemrelease": [ "7" ] }, { "operatingsystem": "RedHat", "operatingsystemrelease": [ "7" ] }, { "operatingsystem": "Fedora", "operatingsystemrelease": [ "29", "30" ] }, { "operatingsystem": "Ubuntu", "operatingsystemrelease": [ "16.04", "18.04" ] }, { "operatingsystem": "Debian", "operatingsystemrelease": [ "9", "10" ] }, { "operatingsystem": "OpenBSD", "operatingsystemrelease": [ "6.2" ] }, { "operatingsystem": "FreeBSD", "operatingsystemrelease": [ "11", "12" ] } ], "requirements": [ { "name": "puppet", "version_requirement": ">= 5.5.8 < 7.0.0" } ], "dependencies": [ { "name": "puppetlabs/stdlib", "version_requirement": ">= 4.13.1 < 7.0.0" }, { "name": "puppetlabs/inifile", "version_requirement": ">= 2.0.0 < 5.0.0" }, { "name": "puppetlabs/vcsrepo", "version_requirement": ">= 2.0.0 < 4.0.0" }, { - "name": "stahnma/epel", - "version_requirement": ">= 1.0.0 < 2.0.0" + "name": "puppet/epel", + "version_requirement": ">= 3.0.1 < 4.0.0" } ] }