From 0d2f0ae3e8ebe6314e64cc05cd63a7771aebbe98 Mon Sep 17 00:00:00 2001
From: Arne Teuke
Date: Fri, 21 Jul 2017 16:15:59 +0100
Subject: [PATCH] re-chained certbot
---
 manifests/certbot/config.pp | 30 +++++
 manifests/main/config.pp | 5 -
 manifests/params.pp | 4 +-
 manifests/server/files.pp | 164 +++++++++++++++++++-------
 templates/certbot/create_tempfile.erb | 11 ++
 5 files changed, 164 insertions(+), 50 deletions(-)
 create mode 100644 templates/certbot/create_tempfile.erb
diff --git a/manifests/certbot/config.pp b/manifests/certbot/config.pp
index 9da5900..af635ae 100644
--- a/manifests/certbot/config.pp
+++ b/manifests/certbot/config.pp
@@ -29,6 +29,24 @@ class cd_nagios::certbot::config ( require cd_certbot + # ensure there is no forward vhost file + + exec { 'remove forward vhost': + command => "rm -Rf $ng_forward_conf", + creates => '/etc/httpd/conf.d/.cert_created', + } + + # create temp vhost file + + exec { 'create_temp_vhost': + command => template('cd_nagios/certbot/create_tempfile.erb'), + cwd => '/tmp', + path => ['/bin','/usr/bin'], + provider => 'shell', + creates => '/etc/httpd/conf.d/.created', + notify => Service['httpd'], + } + + # create cert exec { 'create_cert':
@@ -41,6 +59,18 @@ class cd_nagios::certbot::config ( creates => '/etc/httpd/conf.d/.cert_created', } + # remove temp_vhost + + exec { 'remove_temp_vhost': + command => "rm -Rf ${ng_certbot_temp_file}", + cwd => '/tmp', + path => ['/bin','/usr/bin'], + provider => 'shell', + notify => Service['httpd'], + require => Exec['create_cert'], + creates => "/etc/letsencrypt/live/${ng_nagios_server}/cert.pem", + } + # renew certs exec { 'renew_cert':
diff --git a/manifests/main/config.pp b/manifests/main/config.pp
index 63f5c2b..25adb6d 100644
--- a/manifests/main/config.pp
+++ b/manifests/main/config.pp
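Review bot: `exec { 'remove forward vhost': … }` sets neither `path` nor `provider`, unlike the sibling `create_temp_vhost` and `remove_temp_vhost` execs, so the default posix provider will refuse the unqualified `rm` ("not qualified and no path was specified") and the forward vhost is never removed; add `path => ['/bin','/usr/bin'],` and, for consistency with the other exec, write the command as `"rm -Rf ${ng_forward_conf}"`. The template path is also hard-coded as `template('cd_nagios/certbot/create_tempfile.erb')` although this patch adds `$ng_create_tempvhost` in params.pp for exactly that value; `template($ng_create_tempvhost)` keeps the two in step. The removal exec does not notify `Service['httpd']`, so if `create_cert` (whose body lies outside the hunk) relies on the redirect being gone from the running server, that ordering is not expressed here. The class body continues outside the hunk.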
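Review bot: `creates => "/etc/letsencrypt/live/${ng_nagios_server}/cert.pem"` on `remove_temp_vhost` inverts the intended condition: `creates` skips the exec while that file exists, so once `create_cert` has produced the certificate (assuming it writes that path) the temporary vhost is never removed, and it is removed only in the case where no certificate exists. Because the exec already has `require => Exec['create_cert']`, gating it on the temp file itself — `onlyif => "test -f ${ng_certbot_temp_file}",` in place of the `creates` line — makes it run once after the certificate step and stay idempotent afterwards. `rm -f` is sufficient for a single file; `-R` only widens what an unexpected value of `$ng_certbot_temp_file` would delete. The class body continues outside the hunk.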
@@ -37,11 +37,6 @@ class cd_nagios::main::config ( if $ng_use_selinux_tools == true { include cd_nagios::selinux::config } - - if $ng_enable_certbot == true { - include cd_nagios::certbot::config - } - } if $::fqdn != $ng_nagios_server {
diff --git a/manifests/params.pp b/manifests/params.pp
index 98fcd38..20c01f2 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -374,7 +374,9 @@ $ng_forward_conf = '/etc/httpd/conf.d/nagios_forward.conf' $ng_forward_conf_erb = 'cd_nagios/httpd/forward_conf.erb' $ng_get_cert_erb = 'cd_nagios/certbot/get_cert.erb' $ng_unless_get_cert = 'cd_nagios/certbot/unless_get_cert.erb' -$ng_unless_renew_erb = 'cd_nagios/certbot/unless_renew_cert.erb' +$ng_unless_renew_erb = 'cd_nagios/certbot/unless_renew_cert.erb' +$ng_create_tempvhost = 'cd_nagios/certbot/create_tempfile.erb' +$ng_certbot_temp_file = '/etc/httpd/conf.d/certbot_temp.conf' # includes must be last
diff --git a/manifests/server/files.pp b/manifests/server/files.pp
index 9a8c0ce..42de5e0 100644
--- a/manifests/server/files.pp
+++ b/manifests/server/files.pp
@@ -25,49 +25,34 @@ class cd_nagios::server::files ( ) inherits cd_nagios::params { if $::fqdn == $ng_nagios_server { + if $ng_enable_certbot == true { + require cd_nagios::certbot::config + require cd_nagios::main::dirs - require cd_nagios::main::dirs - - # manage nagios.cfg + # manage nagios.cfg - # manage cgi.cfg + # manage cgi.cfg - file { $ng_cgi_cfg_file: - ensure => file, - path => $ng_cgi_cfg_file, - owner => 'root', - group => 'root', - mode => '0644', - selrange => s0, - selrole => object_r, - seltype => nagios_etc_t, - seluser => system_u, - content => template($ng_cgi_cfg_erb), - notify => Service[$ng_service], - } - - # manage nagios.conf for httpd - - file { $ng_nagios_conf: - ensure => file, - path => $ng_nagios_conf, - owner => 'root', - group => 'root', - mode => '0644', - selrange => s0, - selrole => object_r, - seltype => httpd_config_t, - seluser => system_u, - content => template($ng_nagios_conf_erb), - notify => Service[$ae_service], - } - - if $ng_http_https_fw == true { - - file { $ng_forward_conf: + file { $ng_cgi_cfg_file: ensure => file, - path => $ng_forward_conf, + path => $ng_cgi_cfg_file, + owner => 'root', + group => 'root', + mode => '0644', + selrange => s0, + selrole => object_r, + seltype => nagios_etc_t, + seluser => system_u, + content => template($ng_cgi_cfg_erb), + notify => Service[$ng_service], + } + + # manage nagios.conf for httpd + + file { $ng_nagios_conf: + ensure => file, + path => $ng_nagios_conf, owner => 'root', group => 'root', mode => '0644', 
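Review bot: The new `if $ng_enable_certbot == true { … } else { … }` split duplicates every `file` resource of the class verbatim in both branches — the cgi.cfg, nagios.conf, forward and welcome blocks reappear in the following hunks `@@ -75,18 +60,73 @@` and `@@ -94,9 +134,45 @@` — with `require cd_nagios::certbot::config` as the only difference, so any later change to one of those resources has to be made twice and the two copies can silently drift. Only the `require` needs to be conditional; the resources can stay as a single copy below it. The enclosing class body continues outside the hunk.
```puppet
  if $ng_enable_certbot == true {
    require cd_nagios::certbot::config
  }
  require cd_nagios::main::dirs
  # … unchanged: one copy of the cgi.cfg, nagios.conf, forward and welcome file resources …
```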
@@ -75,18 +60,73 @@ class cd_nagios::server::files ( selrole => object_r, seltype => httpd_config_t, seluser => system_u, - content => template($ng_forward_conf_erb), + content => template($ng_nagios_conf_erb), notify => Service[$ae_service], } + + if $ng_http_https_fw == true { + file { $ng_forward_conf: + ensure => file, + path => $ng_forward_conf, + owner => 'root', + group => 'root', + mode => '0644', + selrange => s0, + selrole => object_r, + seltype => httpd_config_t, + seluser => system_u, + content => template($ng_forward_conf_erb), + notify => Service[$ae_service], + } + } + + # manage welcome.conf for nagios web server + + if $ng_disable_welcome == true { + file { $ng_welcome_conf: + ensure => file, + path => $ng_welcome_conf, + owner => 'root', + group => 'root', + mode => '0644', + selrange => s0, + selrole => object_r, + seltype => httpd_config_t, + seluser => system_u, + content => template($ng_welcome_conf_erb), + notify => Service[$ae_service], + } + } } - # manage welcome.conf for nagios web server + else { - if $ng_disable_welcome == true { + require cd_nagios::main::dirs - file { $ng_welcome_conf: + # manage nagios.cfg + + + # manage cgi.cfg + + file { $ng_cgi_cfg_file: ensure => file, - path => $ng_welcome_conf, + path => $ng_cgi_cfg_file, + owner => 'root', + group => 'root', + mode => '0644', + selrange => s0, + selrole => object_r, + seltype => nagios_etc_t, + seluser => system_u, + content => template($ng_cgi_cfg_erb), + notify => Service[$ng_service], + } + + # manage nagios.conf for httpd + + file { $ng_nagios_conf: + ensure => file, + path => $ng_nagios_conf, owner => 'root', group => 'root', mode => '0644', 
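Review bot: `file { $ng_forward_conf: ensure => file, … notify => Service[$ae_service] }` in the certbot branch re-creates the file that `Exec['remove forward vhost']` in cd_nagios::certbot::config deletes on every run until `/etc/httpd/conf.d/.cert_created` exists, and the branch's `require cd_nagios::certbot::config` orders that deletion first — so each agent run before the marker appears deletes the forward vhost, rewrites it and refreshes httpd. If the intent is to keep the HTTP→HTTPS redirect out of the way while the certificate is requested, guarding this resource on the same marker, or managing the forward vhost from the certbot class only, would avoid the churn; `create_cert` is not visible here, so whether it depends on that ordering is inferred. The class body continues outside the hunk.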
@@ -94,9 +134,45 @@ class cd_nagios::server::files (
 selrole => object_r,
 seltype => httpd_config_t,
 seluser => system_u,
- content => template($ng_welcome_conf_erb),
+ content => template($ng_nagios_conf_erb),
 notify => Service[$ae_service],
 }
+
+ if $ng_http_https_fw == true {
+
+ file { $ng_forward_conf:
+ ensure => file,
+ path => $ng_forward_conf,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => httpd_config_t,
+ seluser => system_u,
+ content => template($ng_forward_conf_erb),
+ notify => Service[$ae_service],
+ }
+ }
+
+ # manage welcome.conf for nagios web server
+
+ if $ng_disable_welcome == true {
+
+ file { $ng_welcome_conf:
+ ensure => file,
+ path => $ng_welcome_conf,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => httpd_config_t,
+ seluser => system_u,
+ content => template($ng_welcome_conf_erb),
+ notify => Service[$ae_service],
+ }
+ }
 }
 }
 }
diff --git a/templates/certbot/create_tempfile.erb b/templates/certbot/create_tempfile.erb
new file mode 100644
index 0000000..e7f4de6
--- /dev/null
+++ b/templates/certbot/create_tempfile.erb
@@ -0,0 +1,11 @@
+echo "# temporary vhost file
+
+ ServerAdmin root@localhost
+ DocumentRoot /var/www/html
+ ServerName <%= @ng_nagios_server %>
+
+ AllowOverride All
+
+
+ " > <%= @ng_certbot_temp_file %>
+touch /etc/httpd/conf.d/.created
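Review bot: The template writes the vhost through the shell with the redirect target unquoted, `" > <%= @ng_certbot_temp_file %>`, and `@ng_nagios_server` is placed inside the double-quoted `echo` string where `$` and backticks are still expanded, so whitespace or a shell metacharacter in either value alters the command instead of ending up in the file; quoting the target, `" > "<%= @ng_certbot_temp_file %>"`, is the minimal fix, and a Puppet `file` resource with `content => template(...)` would avoid the shell altogether. The `touch /etc/httpd/conf.d/.created` marker is set here and nothing in the patch ever clears it, so `create_temp_vhost` is one-shot regardless of whether the certificate step later succeeds. As rendered here the `<VirtualHost>`/`<Directory>` container lines show up only as empty lines, which looks like angle brackets lost in extraction rather than missing from the file — worth confirming against the committed template.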