Puppet Class: certbot

Defined in:
manifests/init.pp

Overview

Class: certbot

Install the EFF’s ACME (Let’s Encrypt) client, certbot. This will install the certbot client from PyPI using pip in its own virtualenv and give it its own user to run as.

Parameters:

email

The email address to register with the ACME authority.

pip_ensure

The ensure value for the Python::Pip resource; a specific certbot version can be pinned here.

install_build_deps

Whether or not to install the build tools/libraries necessary to build certbot’s dependencies.

install_dir

The directory to install to. A virtualenv will be created inside this directory.

working_dir

The working directory for certbot.

config_dir

The config directory for certbot. A file called ‘cli.ini’ will be created here to store config.

log_dir

The directory to store certbot log files.

config

Any extra configuration to set in certbot’s configuration file. Keys given here override the matching keys in default_config.

default_config

The base config settings.

Parameters:

  • email (String)
  • pip_ensure (String) (defaults to: 'present')
  • install_build_deps (Boolean) (defaults to: true)
  • install_dir (String) (defaults to: '/opt/letsencrypt')
  • working_dir (String) (defaults to: '/var/lib/letsencrypt')
  • config_dir (String) (defaults to: '/etc/letsencrypt')
  • log_dir (String) (defaults to: '/var/log/letsencrypt')
  • config (Hash[String, String]) (defaults to: {})
  • default_config (Hash[String, String]) (defaults to: { 'server' => 'https://acme-v01.api.letsencrypt.org/directory', 'no-eff-email' => 'False', 'expand' => 'True', 'keep-until-expiring' => 'True', })


# File 'manifests/init.pp', line 39

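class certbot (
  String  $email,

  String  $pip_ensure         = 'present',
  Boolean $install_build_deps = true,

  # These paths are still a hangover from when certbot was called 'letsencrypt'
  String  $install_dir        = '/opt/letsencrypt',
  String  $working_dir        = '/var/lib/letsencrypt',
  String  $config_dir         = '/etc/letsencrypt',
  String  $log_dir            = '/var/log/letsencrypt',

  # Extra cli.ini settings; these win over $default_config for the same key.
  Hash[String, String]
          $config             = {},
  # Base cli.ini settings. 'email' is never taken from here or from $config:
  # the $email parameter is merged in last and always wins.
  # NOTE(review): the 'server' default is the ACME v1 directory endpoint.
  # Deployments that need a v2-only authority must override it via $config
  # or $default_config rather than rely on this default.
  Hash[String, String]
          $default_config     = {
    'server'              => 'https://acme-v01.api.letsencrypt.org/directory',
    'no-eff-email'        => 'False',
    'expand'              => 'True',
    'keep-until-expiring' => 'True',
  },
) {

  # Dedicated unprivileged system account for certbot. The nologin shell
  # keeps the account from being used interactively; its home is the
  # working directory so renewal state and the webroot live under it.
  group { 'certbot':
    ensure => present,
    system => true,
  }
  user { 'certbot':
    ensure     => present,
    gid        => 'certbot',
    system     => true,
    managehome => true,
    home       => $working_dir,
    shell      => '/usr/sbin/nologin',
  }

  # Path to a directory that can be used for webroot-based challenge responses.
  # To be used by other classes via $certbot::webroot_dir.
  $webroot_dir = "${working_dir}/webroot"

  # All managed paths are owned by the certbot account. Only the top-level
  # directories and cli.ini are managed here; certbot creates and sets the
  # permissions on whatever it stores below $config_dir itself.
  # NOTE(review): cli.ini is world-readable (0644); keep secrets (e.g. plugin
  # credentials) out of $config/$default_config and in separately managed
  # files instead.
  file {
    default:
      owner => 'certbot',
      group => 'certbot';

    $install_dir:
      ensure => directory,
      mode   => '0755';

    $working_dir:
      ensure => directory,
      mode   => '0755';

    $webroot_dir:
      ensure => directory,
      mode   => '0755';

    $log_dir:
      ensure => directory,
      mode   => '0755';

    $config_dir:
      ensure => directory,
      mode   => '0755';

    "${config_dir}/cli.ini":
      ensure => file,
      mode   => '0644';
  }

  if $install_build_deps {
    # Do a *gentle* install of packages... these might be defined elsewhere
    # These are just the dependencies for cryptography. Thankfully, the Python
    # module installs the latest pip in the virtualenv so we get manylinux
    # builds of other things like cffi.
    ['libssl-dev'].each |$package| {
      # defined() must be given a resource reference: with a plain string it
      # checks for a class/type of that name, which never exists for a package
      # name, so the guard was always false and the package was always
      # declared (duplicate declaration if another class manages it).
      unless defined(Package[$package]) {
        package { $package: ensure => installed }
      }
      # Build deps must be present before pip compiles certbot's dependencies.
      Package[$package] -> Python::Pip['certbot']
    }
  }

  include python

  # Certbot gets its own virtualenv so its dependency set is isolated from
  # the system Python.
  $virtualenv = "${install_dir}/.venv"
  python::virtualenv { $virtualenv:
    ensure => present,
    owner  => 'certbot',
    group  => 'certbot',
  }

  python::pip { 'certbot':
    ensure     => $pip_ensure,
    virtualenv => $virtualenv,
    owner      => 'certbot',
    group      => 'certbot',
  }

  # Path to the certbot binary in the virtualenv. To be used by other classes
  # via $certbot::certbot_bin.
  $certbot_bin = "${virtualenv}/bin/certbot"

  # Precedence (lowest to highest): $default_config, $config, then the
  # $email parameter, so a stray 'email' key in either hash cannot override
  # the registered address.
  $_config = merge($default_config, $config, { 'email' => $email })
  $_config.each |$setting, $value| {
    # The title embeds setting and value so each key gets a unique resource;
    # the empty section writes the key at the top level of cli.ini.
    ini_setting { "${config_dir}/cli.ini ${setting} ${value}":
      ensure  => present,
      path    => "${config_dir}/cli.ini",
      section => '',
      setting => $setting,
      value   => $value,
    }
  }
}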