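# @summary Issues and renews Let's Encrypt (ACME) certificates with certbot.
#
# Wraps the upstream `letsencrypt` class: prepares the webroot and the local
# certificate directories, installs the Obmondo hook packages, runs renewal
# from the `certbot.timer` systemd unit instead of the packaged cron job, and
# leaves log retention to certbot's own `max-log-backups` setting.
#
# @param email
#   Account e-mail registered with the ACME CA (passed to the upstream class).
# @param epel
#   Whether the upstream class should configure the EPEL repository.
# @param ca
#   Which Let's Encrypt endpoint to use. `staging` overrides the ACME server
#   URL; `production` leaves the upstream class defaults untouched.
# @param keep_log_files
#   Number of certbot log files to keep (certbot's `max-log-backups`).
class profile::system::certs::letsencrypt (
  Eit_types::Email $email = $::common::system::certs::letsencrypt::email,
  Boolean $epel = false,
  Enum[
    'production',
    'staging'
  ] $ca = $::common::system::certs::letsencrypt::ca,
  Integer $keep_log_files = 30,
) {
  # Always a Hash, so the merge() below never has to cope with undef: the
  # staging CA needs an explicit server URL, production keeps the defaults.
  $letsencrypt_ca = $ca ? {
    'staging' => { 'server' => 'https://acme-staging-v02.api.letsencrypt.org/directory' },
    default   => {},
  }

  file {
    [
      '/etc/ssl/private/letsencrypt.updates',
      # NOTE(review): the parent /etc/letsencrypt is not managed here, and
      # Puppet does not create parent directories — confirm certbot is
      # installed before this resource is applied on a fresh host.
      '/etc/letsencrypt/live',
      '/var/www',
      '/var/www/letsencrypt',
    ]:
      ensure => directory,
    ;
    [
      '/etc/obmondo/certs',
      '/etc/obmondo/certs/domains',
    ]:
      # Purge unmanaged files so stale certificates do not linger.
      ensure  => directory,
      purge   => true,
      recurse => true,
    ;
  }

  # The ACME account keys live here; keep the directory readable by root only.
  file { '/etc/letsencrypt/accounts/':
    ensure => directory,
    mode   => '0700',
    owner  => 'root',
    group  => 'root',
  }

  # On Ubuntu releases before 20.04 certbot comes from the certbot PPA
  # (presumably because the distro package is too old — confirm).
  # versioncmp() compares release numbers properly; a plain string `<`
  # would compare lexically.
  if $facts['os']['name'] == 'Ubuntu' and versioncmp($facts['os']['release']['full'], '20.04') < 0 {
    contain ::apt
    apt::ppa { 'ppa:certbot/certbot': }
  }

  # `latest` tracks the repository on every run rather than pinning a version.
  package::install([
    'obmondo-scripts-common',
    'obmondo-letsencrypt-hooks',
  ], {
    ensure => latest,
  })

  class { '::letsencrypt':
    configure_epel    => $epel,
    # Renewal is driven by certbot.timer below, not by the module's cron job.
    renew_cron_ensure => absent,
    email             => $email,
    config            => merge($letsencrypt_ca, {
      # Keep only the most recent $keep_log_files certbot log files.
      'max-log-backups' => $keep_log_files,
    }),
    require           => File['/var/www/letsencrypt'],
  }

  # NOTE: certbot renew runs from the systemd timer rather than a cron job.
  service { 'certbot.timer':
    ensure => running,
    enable => true,
  }

  # Remove the `certbot` logrotate rule, which does not work together with
  # `max-log-backups`; see:
  # https://community.letsencrypt.org/t/certbot-max-log-backups-not-working-as-expected/53090/2
  # https://github.com/certbot/certbot/issues/5575
  # https://www.clearos.com/clearfoundation/social/community/letsencrypt-log-rotation
  # Old files in the log directory were deleted manually, since
  # `max-log-backups` only manages the configured number of log files, so
  # obsolete log files must be removed separately.
  logrotate::rule { 'certbot':
    ensure => absent,
  }

  # Remove the cron entry shipped by the certbot package (the author notes it
  # is buggy); renewal runs from certbot.timer instead.
  file { '/etc/cron.d/certbot':
    ensure => absent,
  }
}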