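# Configure a SUNET CDN mqtt server
#
# Installs mosquitto, deploys its ACL and listener configuration, opens the
# firewall for the ACME HTTP-01 challenge and for the listed MQTT clients, and
# obtains a TLS certificate for this host from the ACME server that matches
# the host's environment (derived from the hostname).
#
# @param dc               Datacenter name (used by the templates).
# @param clients          Client names (used by the templates).
# @param mqtt_client_ips  Addresses allowed to reach the MQTT TLS listener (8883/tcp).
# @param bridges          Bridge definitions (used by the templates).
# @param acme_url         Map of environment name (third dash-separated element of
#                         the short hostname) to ACME directory URL.
# @param acme_email       Contact address handed to certbot.
class cdn::mqtt(
  String               $dc              = '',
  Array[String]        $clients         = [],
  Array[String]        $mqtt_client_ips = [],
  Hash[String, Hash]   $bridges         = {},
  Hash[String, String] $acme_url        = {
    test => 'https://internal-sto3-test-ca-1.cdn.sunet.se:9000/acme/acme/directory',
  },
  String               $acme_email      = 'patlu@sunet.se',
) {
  include sunet::packages::certbot
  include cdn::ca_trust

  package { 'mosquitto':
    ensure => installed,
  }

  file { '/etc/mosquitto/aclfile':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('cdn/mqtt/aclfile.erb'),
  }

  file { '/etc/mosquitto/conf.d/cdn.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('cdn/mqtt/cdn.conf.erb'),
  }

  # certbot --standalone answers the HTTP-01 challenge on port 80 itself, so
  # that port must be reachable from the ACME server.
  sunet::nftables::allow { 'allow-step-ca-acme':
    from  => 'any',
    port  => 80,
    proto => 'tcp',
  }

  $mqtt_client_ips.each |String $mqtt_client_ip| {
    sunet::nftables::allow { "allow-acme-client-${mqtt_client_ip}":
      from  => $mqtt_client_ip,
      port  => 8883,
      proto => 'tcp',
    }
  }

  # From https://wiki.sunet.se/display/sunetops/Platform+naming+standards
  # The environment is the third dash-separated element of the short
  # hostname. The local is named $cdn_environment rather than $environment so
  # it does not shadow Puppet's own top-scope $environment variable.
  $my_fqdn         = $facts['networking']['fqdn']
  $dot_split       = split($my_fqdn, '[.]')
  $my_hostname     = $dot_split[0]
  $dash_split      = split($my_hostname, '[-]')
  $cdn_environment = $dash_split[2]

  unless $cdn_environment {
    fail("cdn::mqtt: hostname '${my_hostname}' has fewer than three dash-separated elements; cannot derive environment")
  }

  # Fail at catalog compile time with a clear message instead of handing
  # certbot an empty --server argument when the environment is not mapped.
  $acme_server = $acme_url[$cdn_environment]
  unless $acme_server {
    fail("cdn::mqtt: no acme_url configured for environment '${cdn_environment}'")
  }

  file { '/etc/letsencrypt/renewal-hooks/deploy/sunet-cdn-mqtt':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0755',
    content => file('cdn/mqtt/sunet-cdn-mqtt'),
  }

  # Initial issuance only: `creates` keeps this from re-running once the
  # certificate exists; renewals are left to certbot's own timer.
  # Ordered after certbot installation, the deploy hook and the port-80
  # firewall rule so a first run on a fresh host does not race them.
  exec { "certbot certonly -n --email ${acme_email} --no-eff-email --agree-tos --standalone -d ${my_fqdn} --server ${acme_server}":
    creates => "/etc/letsencrypt/live/${my_fqdn}/fullchain.pem",
    require => [
      Class['sunet::packages::certbot'],
      File['/etc/letsencrypt/renewal-hooks/deploy/sunet-cdn-mqtt'],
      Sunet::Nftables::Allow['allow-step-ca-acme'],
    ],
  }
}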