Get internal cert for hostname

Used for client cert auth to MQTT server
2024-11-04 09:14:42 +01:00 · 2024-11-04 09:14:42 +01:00 · d4f938770a
commit d4f938770a
parent 101f11fdad
1 changed files with 15 additions and 0 deletions
--- a/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp
+++ b/global/overlay/etc/puppet/modules/cdn/manifests/cache.pp
@ -4,6 +4,9 @@ class cdn::cache(
    customer1 => 1000000000,
  },
  String $sunet_cdnp_version = '0.0.1',
+  Hash[String, String] $acme_url = {
+    test => 'https://internal-sto3-test-ca-1.cdn.sunet.se:9000/acme/acme/directory'
+  }
 )
 {
  include sunet::packages::certbot
@ -127,6 +130,18 @@ class cdn::cache(
    rule => 'add rule inet filter input meta iifname ip6tnl0 ip6 daddr 2001:6b0:2100::/48 tcp dport { 80, 443 } counter accept comment "sunet-cdn-service6"'
  }

+  # From https://wiki.sunet.se/display/sunetops/Platform+naming+standards
+  $my_fqdn = $facts['networking']['fqdn']
+  $dot_split = split($my_fqdn, '[.]')
+  $my_hostname = $dot_split[0]
+  $dash_split = split($my_hostname,'[-]')
+  $environment = $dash_split[2]
+
+  # Get client cert for connecting to MQTT bus
+  exec { "certbot certonly -n --email patlu@sunet.se --no-eff-email --agree-tos --standalone -d ${my_fqdn} --server ${acme_url[$environment]}":
+    creates => "/etc/letsencrypt/live/${my_fqdn}/fullchain.pem"
+  }
+
  $sunet_cdnp_dir = '/var/lib/sunet-cdnp'
  $sunet_cdnp_file = "sunet-cdnp_${sunet_cdnp_version}_linux_${facts[os][architecture]}.tar.gz"
  $sunet_cdnp_url = "https://github.com/SUNET/sunet-cdnp/releases/download/v${sunet_cdnp_version}/${sunet_cdnp_file}"