From c506023feccdb99d5d7a4d83e58cea5c87fb9908 Mon Sep 17 00:00:00 2001
From: Nod0n
Date: Wed, 5 Jan 2022 06:55:13 +0100
Subject: [PATCH] create certificates from class parameter (hiera)
---
 REFERENCE.md | 9 ++++++++
 manifests/init.pp | 52 ++++++++++++++++++++++++++---------------------
 2 files changed, 38 insertions(+), 23 deletions(-)
diff --git a/REFERENCE.md b/REFERENCE.md
index 3da1d460..01f77180 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -73,6 +73,7 @@ The following parameters are available in the `letsencrypt` class:
 * [`unsafe_registration`](#unsafe_registration)
 * [`config_dir`](#config_dir)
 * [`key_size`](#key_size)
+* [`certificates`](#certificates)
 * [`renew_pre_hook_commands`](#renew_pre_hook_commands)
 * [`renew_post_hook_commands`](#renew_post_hook_commands)
 * [`renew_deploy_hook_commands`](#renew_deploy_hook_commands)
@@ -209,6 +210,14 @@ Size for the RSA public key
 
 Default value: `4096`
 
+##### `certificates`
+
+Data type: `Hash[String[1],Hash]`
+
+A hash containing certificates. Each key is the title and each value is a hash, both passed to letsencrypt::certonly.
+
+Default value: `{}`
+
 ##### `renew_pre_hook_commands`
 
 Data type: `Any`
diff --git a/manifests/init.pp b/manifests/init.pp
index 0a82cb69..a5fdfcb9 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -28,6 +28,7 @@
 # @param unsafe_registration A flag to allow using the 'register-unsafely-without-email' flag.
 # @param config_dir The path to the configuration directory.
 # @param key_size Size for the RSA public key
+# @param certificates A hash containing certificates. Each key is the title and each value is a hash, both passed to letsencrypt::certonly.
 # @param renew_pre_hook_commands Array of commands to run in a shell before obtaining/renewing any certificates.
 # @param renew_post_hook_commands Array of commands to run in a shell after attempting to obtain/renew certificates.
 # @param renew_deploy_hook_commands 
@@ -52,30 +53,31 @@
 #
 class letsencrypt (
 Boolean $configure_epel,
- Optional[String] $email = undef,
- Array $environment = [],
- String $package_name = 'certbot',
- $package_ensure = 'installed',
- String $package_command = 'certbot',
- Stdlib::Unixpath $config_dir = '/etc/letsencrypt',
- String $config_file = "${config_dir}/cli.ini",
- Hash $config = { 'server' => 'https://acme-v02.api.letsencrypt.org/directory' },
- String $cron_scripts_path = "${facts['puppet_vardir']}/letsencrypt",
- String $cron_owner_group = 'root',
- Boolean $manage_config = true,
- Boolean $manage_install = true,
- Boolean $agree_tos = true,
- Boolean $unsafe_registration = false,
- Integer[2048] $key_size = 4096,
+ Optional[String] $email = undef,
+ Array $environment = [],
+ String $package_name = 'certbot',
+ $package_ensure = 'installed',
+ String $package_command = 'certbot',
+ Stdlib::Unixpath $config_dir = '/etc/letsencrypt',
+ String $config_file = "${config_dir}/cli.ini",
+ Hash $config = { 'server' => 'https://acme-v02.api.letsencrypt.org/directory' },
+ String $cron_scripts_path = "${facts['puppet_vardir']}/letsencrypt",
+ String $cron_owner_group = 'root',
+ Boolean $manage_config = true,
+ Boolean $manage_install = true,
+ Boolean $agree_tos = true,
+ Boolean $unsafe_registration = false,
+ Integer[2048] $key_size = 4096,
+ Hash[String[1],Hash] $certificates = {},
 # $renew_* should only be used in letsencrypt::renew (blame rspec)
- $renew_pre_hook_commands = [],
- $renew_post_hook_commands = [],
- $renew_deploy_hook_commands = [],
- $renew_additional_args = [],
- $renew_cron_ensure = 'absent',
- $renew_cron_hour = fqdn_rand(24),
- $renew_cron_minute = fqdn_rand(60, fqdn_rand_string(10)),
- $renew_cron_monthday = '*',
+ $renew_pre_hook_commands = [],
+ $renew_post_hook_commands = [],
+ $renew_deploy_hook_commands = [],
+ $renew_additional_args = [],
+ $renew_cron_ensure = 'absent',
+ $renew_cron_hour = fqdn_rand(24),
+ $renew_cron_minute = fqdn_rand(60, fqdn_rand_string(10)),
+ $renew_cron_monthday = '*',
 ) {
 if $manage_install {
 contain letsencrypt::install # lint:ignore:relative_classname_inclusion
@@ -108,4 +110,8 @@
 mode => '0500',
 source => "puppet:///modules/${module_name}/domain-validation.sh",
 }
+
+ $certificates.each |$title, $properties| {
+ letsencrypt::certonly { $title: * => $properties }
+ }
 }
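Review bot: The only semantic change in this hunk is the added `Hash[String[1],Hash] $certificates = {},` line; the other 23 removed and re-added parameter lines (`$email` through `$renew_cron_monthday`) appear to differ in alignment only (whitespace is collapsed in this rendering), which buries the real change in review and in `git blame`. Either keep the existing alignment or move the re-alignment into its own whitespace-only commit. Because every value of the hash is splatted into `letsencrypt::certonly`, the unconstrained `Hash` value type could be tightened to `Hash[String[1], Hash[String[1], Any]]`, so a malformed entry from hiera is rejected at the class boundary with the parameter name in the error rather than inside the loop. The parameter list begins and the class body continues outside this hunk.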
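Review bot: The `letsencrypt::certonly` resources declared by the new `$certificates.each` loop at the end of the class body are contained by `Class['letsencrypt']`, so if the defined type (not part of this patch) orders itself after the class with `require => Class['letsencrypt']` or a `Class['letsencrypt'] -> …` chain, the catalog now carries a dependency cycle; a spec that compiles the class with a non-empty `certificates` hash would settle that. Keys of the hash become plain resource titles, so a key equal to a `letsencrypt::certonly` title declared elsewhere in the catalog fails as a duplicate declaration rather than being merged. A comment above the loop would make both contracts visible, e.g. `# Certificates supplied via class data (hiera): each key is a letsencrypt::certonly title, each value its parameters; titles must be unique in the catalog.` The enclosing class starts outside this hunk.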