Improve proxmox proxy handling

* Just set proxmox certs instead of notifying and using a cron
* Add hosts to copy certs to inside hosts

diff --git a/personal_infra/puppet/modules/proxmox/manifests/proxy.pp b/personal_infra/puppet/modules/proxmox/manifests/proxy.pp
index b8c1b9ded9ba407f4a2406aa7fe9d3a67b09a152..cb3c0bd4fdae6ee7530bfabf1733faedc26f6864 100644 (file)
--- a/personal_infra/puppet/modules/proxmox/manifests/proxy.pp
+++ b/personal_infra/puppet/modules/proxmox/manifests/proxy.pp
@@ -39,17 +39,14 @@ class proxmox::proxy ($mail, $base_hostname) {
     content => @("EOT"/$)
     #!/bin/sh
 
-    mail $mail -s "Restart apache2 on $base_hostname for certificate \$1" </dev/null
+    systemctl restart apache2
+    pvenode cert set /etc/apache2/md/domains/$base_hostname/pubcert.pem /etc/apache2/md/domains/$base_hostname/privkey.pem  --force 1 --restart 1
+
+    for hook in /usr/local/bin/notify_md_renewal_hook_* ; do
+      \$hook
+    done
     | EOT
     ,
     mode => '0755',
   }
-
-  package {'cronic':}
-
-  cron {'pve-certs':
-    command => "/usr/bin/cronic /usr/bin/pvenode cert set /etc/apache2/md/domains/$base_hostname/pubcert.pem /etc/apache2/md/domains/$base_hostname/privkey.pem  --force 1 --restart 1",
-    user => 'root',
-    special => 'daily',
-  }
 }

diff --git a/personal_infra/puppet/modules/proxmox/manifests/proxy_host.pp b/personal_infra/puppet/modules/proxmox/manifests/proxy_host.pp
index d1c6faf60c0c2ac7632ee306740447c62c402249..9592572c34a81683a2bad50d18f1eeaa9f964dc9 100644 (file)
--- a/personal_infra/puppet/modules/proxmox/manifests/proxy_host.pp
+++ b/personal_infra/puppet/modules/proxmox/manifests/proxy_host.pp
@@ -1,4 +1,4 @@
-define proxmox::proxy_host (String[1] $target) {
+define proxmox::proxy_host (String[1] $target, Optional[String[1]] $overwrite_rh_certs) {
   file {"/etc/apache2/sites-enabled/$title.conf":
     content => @("EOT")
       MDomain $title
@@ -11,11 +11,28 @@ define proxmox::proxy_host (String[1] $target) {
         ProxyPassReverse "/" "$target"
         ProxyPreservehost On
         SSLProxyEngine on
-
       </VirtualHost>
     | EOT
     ,
   }
   ~>
   Service['apache2']
+
+  if $overwrite_rh_certs {
+    $pveid = lookup("hostvars.'$overwrite_rh_certs'.proxmox.id");
+
+    file {"/usr/local/bin/notify_md_renewal_hook_$overwrite_rh_certs":
+      content => @("EOT"/$)
+      #!/bin/sh
+
+      cp /etc/apache2/md/domains/$title/pubcert.pem  /rpool/data/subvol-$pveid-disk-0/etc/pki/tls/certs/localhost.crt
+      cp /etc/apache2/md/domains/$title/privkey.pem  /rpool/data/subvol-$pveid-disk-0/etc/pki/tls/private/localhost.key
+      pct exec $pveid systemctl restart httpd
+      | EOT
+      ,
+      mode => '0755',
+    }
+  }
+
+
 }

diff --git a/personal_infra/puppet/site/h1.pdp7.net.pp b/personal_infra/puppet/site/h1.pdp7.net.pp
index 875b213dd2b392e56d75cb0c265a40e605a48535..3be76531898de495fc872a018d9ee7f319f3fc2b 100644 (file)
--- a/personal_infra/puppet/site/h1.pdp7.net.pp
+++ b/personal_infra/puppet/site/h1.pdp7.net.pp
@@ -12,5 +12,6 @@ node 'h1.pdp7.net' {
 
   proxmox::proxy_host {'ipsilon-test.pdp7.net':
     target => 'https://ipsilon-test.h1.int.pdp7.net/',
+    overwrite_rh_certs => 'ipsilon-test.h1.int.pdp7.net',
   }
 }