Start requesting ACME certs from internal CA

2024-10-09 12:13:30 +02:00 · 2024-10-09 12:13:30 +02:00 · b9266ec0e7
commit b9266ec0e7
parent 8f8c360c69
1 changed files with 17 additions and 1 deletions
--- a/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp
+++ b/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp
@ -3,8 +3,13 @@ class cdn::mqtt(
  String $dc = '',
  Array[String] $clients = [],
  Hash[String, Hash] $bridges = {},
+  Hash[String, String] $acme_url = {
+    test => 'https://internal-sto3-test-ca-1.cdn.sunet.se:9000/acme/acme/directory'
+  }
 )
 {
+  include sunet::packages::certbot
+
  package {'mosquitto': ensure => installed }

  file { '/etc/mosquitto/aclfile':
@ -23,9 +28,20 @@ class cdn::mqtt(
    content => template('cdn/mqtt/cdn.conf.erb'),
  }

-  sunet::nftables::allow { "allow-step-ca-acme":
+  sunet::nftables::allow { 'allow-step-ca-acme':
    from  => 'any',
    port  => 80,
    proto => 'tcp',
  }
+
+  # From https://wiki.sunet.se/display/sunetops/Platform+naming+standards
+  $my_fqdn = $facts['networking']['fqdn']
+  $dot_split = split($my_fqdn, '[.]')
+  $my_hostname = $dot_split[0]
+  $dash_split = split($my_hostname,'[-]')
+  $environment = $dash_split[2]
+
+  exec { "certbot certonly -n --email patlu@sunet.se --no-eff-email --agree-tos --standalone -d ${my_fqdn} --server ${acme_url[$environment]}":
+      creates => "/etc/letsencrypt/live/${my_fqdn}/fullchain.pem"
+  }
 }