diff --git a/site-modules/profile/manifests/letsencrypt.pp b/site-modules/profile/manifests/letsencrypt.pp
index 5aa427e4..53e4fb01 100644
--- a/site-modules/profile/manifests/letsencrypt.pp
+++ b/site-modules/profile/manifests/letsencrypt.pp
@@ -1,38 +1,41 @@
 # Base configuration for Let's Encrypt
 class profile::letsencrypt {
   include ::profile::letsencrypt::apt_config
   include ::profile::letsencrypt::gandi_livedns_hook
   class {'letsencrypt':
     config => {
       email => lookup('letsencrypt::account_email'),
       server => lookup('letsencrypt::server'),
     }
   }
   $certificates = lookup('letsencrypt::certificates', Hash)
   $certificates.each |$key, $settings| {
     $domains = $settings['domains']
     $deploy_hook = pick($settings['deploy_hook'], 'puppet_export')
     include "::profile::letsencrypt::${deploy_hook}_hook"
     $deploy_hook_path = getvar("profile::letsencrypt::${deploy_hook}_hook::hook_path")
+    $deploy_hook_extra_opts = getvar("profile::letsencrypt::${deploy_hook}_hook::hook_extra_opts")
     File[$deploy_hook_path] -> ::letsencrypt::certonly {$key:
-      domains => $domains,
-      custom_plugin => true,
-      additional_args => [
-        '--authenticator manual',
-        '--preferred-challenges dns',
-        '--manual-public-ip-logging-ok',
-        "--manual-auth-hook '${::profile::letsencrypt::gandi_livedns_hook::hook_path} auth'",
-        "--manual-cleanup-hook '${::profile::letsencrypt::gandi_livedns_hook::hook_path} cleanup'",
-        "--deploy-hook '${deploy_hook_path}'",
-      ],
+      * => deep_merge({
+        domains => $domains,
+        custom_plugin => true,
+        additional_args => [
+          '--authenticator manual',
+          '--preferred-challenges dns',
+          '--manual-public-ip-logging-ok',
+          "--manual-auth-hook '${::profile::letsencrypt::gandi_livedns_hook::hook_path} auth'",
+          "--manual-cleanup-hook '${::profile::letsencrypt::gandi_livedns_hook::hook_path} cleanup'",
+          "--deploy-hook '${deploy_hook_path}'",
+        ],
+      }, $deploy_hook_extra_opts)
     } -> Profile::Letsencrypt::Certificate <| title == $key |>
   }
 }
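Review bot: The new `deep_merge({...}, $deploy_hook_extra_opts)` is handed `undef` for any hook class that does not declare `$hook_extra_opts`, because `getvar` on the line above returns undef for a missing variable, and whether stdlib's deep_merge tolerates a non-hash second argument depends on the stdlib version in use; make the default explicit so the contract does not rest on that: `$deploy_hook_extra_opts = pick(getvar("profile::letsencrypt::${deploy_hook}_hook::hook_extra_opts"), {})`. The merge semantics also deserve a comment above the `* =>` line, since the hook's values win on key collision and, if I read stdlib's deep_merge right, only hash values are merged recursively, so a hook that supplies `additional_args` would silently replace the whole list including the `--manual-auth-hook`, `--manual-cleanup-hook` and `--deploy-hook` arguments assembled here; e.g. `# hook_extra_opts wins on key collision; arrays such as additional_args are replaced, not appended`. Nothing here restricts which certonly parameters a hook may override, which is fine for site-module code but worth stating in that comment.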
diff --git a/site-modules/profile/manifests/letsencrypt/gandi_paas_hook.pp b/site-modules/profile/manifests/letsencrypt/gandi_paas_hook.pp
index e2b30d4b..3e60386f 100644
--- a/site-modules/profile/manifests/letsencrypt/gandi_paas_hook.pp
+++ b/site-modules/profile/manifests/letsencrypt/gandi_paas_hook.pp
@@ -1,21 +1,26 @@
 # Push certificates to Gandi PaaS
 class profile::letsencrypt::gandi_paas_hook {
+  # Gandi PaaS only supports keys up to 2048 bits
+  $hook_extra_opts = {
+    key_size => 2048,
+  }
+
   $hook_path = '/usr/local/bin/letsencrypt_gandi_paas'
   $hook_configfile = '/etc/letsencrypt/gandi_paas.yml'
   $hook_config = lookup('letsencrypt::gandi_paas_hook::config', Hash)
   file {$hook_path:
     owner => 'root',
     group => 'root',
     mode => '0755',
     content => template('profile/letsencrypt/letsencrypt_gandi_paas.erb'),
   }
   file {$hook_configfile:
     owner => 'root',
     group => 'root',
     mode => '0600',
     content => inline_yaml($hook_config),
   }
 }
diff --git a/site-modules/profile/manifests/letsencrypt/puppet_export_hook.pp b/site-modules/profile/manifests/letsencrypt/puppet_export_hook.pp
index 9cc6daa1..8a3b5dfa 100644
--- a/site-modules/profile/manifests/letsencrypt/puppet_export_hook.pp
+++ b/site-modules/profile/manifests/letsencrypt/puppet_export_hook.pp
@@ -1,19 +1,20 @@
 # Certbot deploy hook to copy certificates to a puppet-accessible path
 class profile::letsencrypt::puppet_export_hook {
+  $hook_extra_opts = {}
   $hook_path = '/usr/local/bin/letsencrypt_puppet_export'
   file {$hook_path:
     owner => 'root',
     group => 'root',
     mode => '0755',
     content => template('profile/letsencrypt/letsencrypt_puppet_export.erb'),
   }
   $export_directory = lookup('letsencrypt::certificates::exported_directory')
   file {$export_directory:
     ensure => 'directory',
     owner => 'puppet',
     group => 'puppet',
     mode => '0700',
   }
 }
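Review bot: The `key_size => 2048` override needs a fuller comment than "only supports keys up to 2048 bits": it lowers the key size below whatever default `letsencrypt::certonly` applies (presumably surfacing as certbot's `--rsa-key-size`; confirm the parameter name against the puppet-letsencrypt version in use, because an unknown key in this hash fails the catalog when profile::letsencrypt splats it into the resource), and it applies to every certificate whose hiera entry selects this deploy hook, not just the Gandi upload. Suggested replacement for the comment line: `# Gandi PaaS rejects RSA keys larger than 2048 bits, so this hook caps key_size below the module default; every certificate using this deploy hook gets the smaller key, so keep such certs Gandi-only and drop this once Gandi lifts the limit.` 2048-bit RSA is still within current guidance, so this is a documentation request rather than a blocker.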
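Review bot: `$hook_extra_opts = {}` is now part of the contract every `profile::letsencrypt::*_hook` class must satisfy, since profile::letsencrypt reads it by name with `getvar`, but nothing in this file says so, and a future hook author copying this class could drop the line as dead code. A one-line comment above it fixes that: `# Extra letsencrypt::certonly parameters merged in by profile::letsencrypt; this hook needs none.`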