diff --git a/site-modules/profile/manifests/letsencrypt/certificate.pp b/site-modules/profile/manifests/letsencrypt/certificate.pp
index 5c15f1c4..5e10bdc4 100644
--- a/site-modules/profile/manifests/letsencrypt/certificate.pp
+++ b/site-modules/profile/manifests/letsencrypt/certificate.pp
@@ -1,41 +1,41 @@
 # Retrieve the given certificate from the puppet master define profile::letsencrypt::certificate ( String $basename = $title, String $privkey_owner = 'root', String $privkey_group = 'root', Stdlib::Filemode $privkey_mode = '0600', ) { include ::profile::letsencrypt::certificate_base $certs_directory = lookup('letsencrypt::certificates::directory') $basedir = "${certs_directory}/${basename}" file {$basedir: ensure => 'directory', owner => 'root', group => 'root', mode => '0755', } ['cert.pem', 'chain.pem', 'fullchain.pem'].each |$filename| { file {"${basedir}/$(unknown)":
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0644',
- content => template("profile/letsencrypt/fetch_certificate_file.erb")
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ source => "puppet:///le_certs/${basename}/$(unknown)",
 } } ['privkey.pem'].each |$filename| { file {"${basedir}/$(unknown)":
- ensure => present,
- owner => $privkey_owner,
- group => $privkey_group,
- mode => $privkey_mode,
- content => template("profile/letsencrypt/fetch_certificate_file.erb")
+ ensure => present,
+ owner => $privkey_owner,
+ group => $privkey_group,
+ mode => $privkey_mode,
+ source => "puppet:///le_certs/${basename}/$(unknown)",
 } } }
diff --git a/site-modules/profile/manifests/puppet/master.pp b/site-modules/profile/manifests/puppet/master.pp
index 5ab11f85..a611565f 100644
--- a/site-modules/profile/manifests/puppet/master.pp
+++ b/site-modules/profile/manifests/puppet/master.pp
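Review bot: The privkey.pem resource in the second `.each` block now fetches key material with `source` but does not set `show_diff => false`, so when the key is rotated the agent may log a diff of the old and new private key into its output and report (Puppet's file content check emits a diff when `show_diff` is on, and that appears to apply to source-fetched content too; confirm for the Puppet version in use). Add `show_diff => false,` next to `mode => $privkey_mode,`; consider `backup => false,` as well, since the replaced key is otherwise copied into the client filebucket by default. A comment above the define should also say that the files now come from the master's `le_certs` fileserver mount, so a certificate missing from the exported directory makes the resource fail instead of writing an error string into the .pem file as the removed template did.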
@@ -1,37 +1,47 @@
 # Puppet master profile class profile::puppet::master { $puppetdb = lookup('puppet::master::puppetdb') include ::profile::puppet::base class { '::puppet': server => true, server_common_modules_path => '', server_environments => [], server_external_nodes => '', server_foreman => false, server_passenger => true, server_puppetdb_host => $puppetdb, server_reports => 'store,puppetdb', server_storeconfigs_backend => 'puppetdb', * => $::profile::puppet::base::agent_config, }
+ # Extra configuration for fileserver
+ $letsencrypt_export_dir = lookup('letsencrypt::certificates::exported_directory')
+ file { '/etc/puppet/fileserver.conf':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => template('profile/puppet/fileserver.conf.erb')
+ }
+
 file { '/usr/local/sbin/swh-puppet-master-deploy': ensure => 'file', owner => 'root', group => 'root', mode => '0755', content => template('profile/puppet/swh-puppet-master-deploy.sh.erb'), } file { '/usr/local/sbin/swh-puppet-master-clean-certificate': ensure => 'file', owner => 'root', group => 'root', mode => '0755', content => template('profile/puppet/swh-puppet-master-clean-certificate.sh.erb'), } }
diff --git a/site-modules/profile/templates/letsencrypt/fetch_certificate_file.erb b/site-modules/profile/templates/letsencrypt/fetch_certificate_file.erb
deleted file mode 100644
index 39cc6b42..00000000
--- a/site-modules/profile/templates/letsencrypt/fetch_certificate_file.erb
+++ /dev/null
@@ -1,13 +0,0 @@
-<%=
- dir = scope().call_function('lookup', ['letsencrypt::certificates::exported_directory'])
- filename = "#{dir}/#{@basename}/#{@filename}"
- begin
- out = File.read(filename)
- rescue Errno::ENOENT => e
- out = "File not found: #(unknown)\n"
- rescue Errno::EACCES => e
- out = "Permission denied : #(unknown)\n"
- end
-
- out
--%>
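Review bot: The new `/etc/puppet/fileserver.conf` resource uses `ensure => present` while the two sibling file resources in this class use `ensure => 'file'`, and its `content =>` line lacks the trailing comma the siblings carry; use `ensure => 'file',` and `content => template('profile/puppet/fileserver.conf.erb'),` for consistency. The `lookup('letsencrypt::certificates::exported_directory')` call has no default, so a missing hiera key fails catalog compilation for the master — presumably intended, but a short comment stating the key is required would make that explicit. A comment such as `# fileserver.conf publishes the exported letsencrypt directory as the le_certs mount used by profile::letsencrypt::certificate` above the resource would tie the two halves of this change together.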
diff --git a/site-modules/profile/templates/puppet/fileserver.conf.erb b/site-modules/profile/templates/puppet/fileserver.conf.erb
new file mode 100644
index 00000000..628e127b
--- /dev/null
+++ b/site-modules/profile/templates/puppet/fileserver.conf.erb
@@ -0,0 +1,5 @@
+# File managed by puppet (class profile::puppet::master). Changes will be overwritten.
+
+[le_certs]
+ path <%= @letsencrypt_export_dir %>
+ allow *
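Review bot: `allow *` on the `[le_certs]` mount lets every node that can authenticate to the master read every file under the exported directory, including `privkey.pem` of every certificate and not only the ones a node's own catalog assigns it; the restrictive `$privkey_mode` in profile::letsencrypt::certificate only protects the copy on the client, not this download path. Restrict the mount to its consumers with one `allow <consumer-fqdn-or-domain placeholder>` line per node or domain, bearing in mind that fileserver access is per mount rather than per subdirectory, so any allowed node can still fetch other basenames' keys — if that is unacceptable the private keys need a separate, more tightly allowed mount or a different distribution path. Add a comment in the template noting that this mount serves private key material and that the `allow` line is the only access control on it. If `allow` in fileserver.conf is deprecated for the Puppet version in use, the equivalent rule belongs in auth.conf instead.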