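# Configure a SUNET CDN mqtt server
#
# Installs mosquitto, manages its ACL file and CDN configuration from
# templates, opens the firewall for the ACME HTTP challenge (80/tcp, any
# source) and for the listed MQTT clients (8883/tcp), installs a certbot
# deploy hook, and obtains a certificate for this host's FQDN from the ACME
# server selected by the host's deployment environment.
#
# @param dc               Datacenter name. Not referenced in this class body;
#                         presumably read by the ERB templates -- verify.
# @param mqtt_client_ips  Source addresses allowed to reach the TLS MQTT port
#                         (8883/tcp). One nftables rule is created per address.
# @param bridges          Bridge definitions. Not referenced in this class body;
#                         presumably read by the ERB templates -- verify.
# @param acme_url         Map from deployment environment (third dash-separated
#                         field of the short hostname) to ACME directory URL.
#                         Catalog compilation fails when this host's environment
#                         has no entry, so certbot is never invoked without an
#                         explicit --server.
# @param acme_email       Registration e-mail address passed to certbot.
class cdn::mqtt(
  String $dc = '',
  Array[String] $mqtt_client_ips = [],
  Hash[String, Hash] $bridges = {},
  Hash[String, String] $acme_url = {
    test => 'https://internal-sto3-test-ca-1.cdn.sunet.se:9000/acme/acme/directory'
  },
  String $acme_email = 'patlu@sunet.se',
)
{
  include sunet::packages::certbot
  include cdn::ca_trust

  package { 'mosquitto': ensure => installed }

  file { '/etc/mosquitto/aclfile':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('cdn/mqtt/aclfile.erb'),
  }

  file { '/etc/mosquitto/conf.d/cdn.conf':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('cdn/mqtt/cdn.conf.erb'),
  }

  # certbot runs with --standalone below, so the host must accept inbound
  # HTTP for the ACME challenge. The rule is open to 'any' and permanent
  # (renewals need it too); narrowing 'from' to the CA's address would reduce
  # exposure -- confirm how the CA reaches this host before changing it.
  sunet::nftables::allow { 'allow-step-ca-acme':
    from  => 'any',
    port  => 80,
    proto => 'tcp',
  }

  # 8883/tcp is the TLS MQTT listener, not ACME. The resource title is kept
  # unchanged for catalog stability even though it reads 'acme-client'.
  $mqtt_client_ips.each | String $mqtt_client_ip | {
    sunet::nftables::allow { "allow-acme-client-${mqtt_client_ip}":
      from  => $mqtt_client_ip,
      port  => 8883,
      proto => 'tcp',
    }
  }

  # From https://wiki.sunet.se/display/sunetops/Platform+naming+standards
  # The third dash-separated field of the short hostname selects the ACME
  # server. The local is deliberately not named $environment, which Puppet
  # reserves for the agent's catalog environment.
  $my_fqdn = $facts['networking']['fqdn']
  $dot_split = split($my_fqdn, '[.]')
  $my_hostname = $dot_split[0]
  $dash_split = split($my_hostname, '[-]')
  $deploy_environment = $dash_split[2]

  # Fail at compile time with a clear message rather than running certbot
  # with an empty --server, which would surface only as a failed exec.
  if $deploy_environment =~ Undef or !($deploy_environment in $acme_url) {
    fail("cdn::mqtt: no acme_url entry for environment '${deploy_environment}' derived from hostname '${my_hostname}'")
  }
  $acme_server = $acme_url[$deploy_environment]

  file { '/etc/letsencrypt/renewal-hooks/deploy/sunet-cdn-mqtt':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0755',
    content => file('cdn/mqtt/sunet-cdn-mqtt'),
  }

  # Initial issuance only: 'creates' makes this a no-op once the live
  # certificate exists; renewals are left to certbot's own scheduler.
  # NOTE(review): no 'path' is set and 'certbot' is not fully qualified, so
  # this relies on an Exec resource default elsewhere -- confirm. There is
  # also no ordering on cdn::ca_trust or the certbot package; if the ACME
  # server's CA is installed by cdn::ca_trust, a first run may need a
  # 'require' on it -- confirm before adding.
  exec { 'cdn-mqtt-certbot-certonly':
    command => "certbot certonly -n --email ${acme_email} --no-eff-email --agree-tos --standalone -d ${my_fqdn} --server ${acme_server}",
    creates => "/etc/letsencrypt/live/${my_fqdn}/fullchain.pem",
  }
}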