diff --git a/REFERENCE.md b/REFERENCE.md
index d09bf6c..24dbd0d 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -64,11 +64,24 @@ The following parameters are available in the `dehydrated` class:
* [`dependencies`](#-dehydrated--dependencies)
* [`apache_integration`](#-dehydrated--apache_integration)
* [`cron_integration`](#-dehydrated--cron_integration)
+* [`dehydrated_user`](#-dehydrated--dehydrated_user)
+* [`dehydrated_group`](#-dehydrated--dehydrated_group)
* [`ip_version`](#-dehydrated--ip_version)
* [`ca`](#-dehydrated--ca)
+* [`oldca`](#-dehydrated--oldca)
* [`challengetype`](#-dehydrated--challengetype)
+* [`config_d`](#-dehydrated--config_d)
+* [`domains_d`](#-dehydrated--domains_d)
+* [`basedir`](#-dehydrated--basedir)
+* [`domains_txt`](#-dehydrated--domains_txt)
+* [`certdir`](#-dehydrated--certdir)
+* [`alpncertdir`](#-dehydrated--alpncertdir)
+* [`accountdir`](#-dehydrated--accountdir)
+* [`wellknown`](#-dehydrated--wellknown)
* [`keysize`](#-dehydrated--keysize)
* [`openssl_cnf`](#-dehydrated--openssl_cnf)
+* [`openssl`](#-dehydrated--openssl)
+* [`curl_opts`](#-dehydrated--curl_opts)
* [`hook`](#-dehydrated--hook)
* [`hook_chain`](#-dehydrated--hook_chain)
* [`renew_days`](#-dehydrated--renew_days)
@@ -76,7 +89,18 @@ The following parameters are available in the `dehydrated` class:
* [`private_key_rollover`](#-dehydrated--private_key_rollover)
* [`key_algo`](#-dehydrated--key_algo)
* [`contact_email`](#-dehydrated--contact_email)
+* [`lockfile`](#-dehydrated--lockfile)
* [`ocsp_must_staple`](#-dehydrated--ocsp_must_staple)
+* [`ocsp_fetch`](#-dehydrated--ocsp_fetch)
+* [`ocsp_days`](#-dehydrated--ocsp_days)
+* [`chaincache`](#-dehydrated--chaincache)
+* [`auto_cleanup`](#-dehydrated--auto_cleanup)
+* [`auto_cleanup_delete`](#-dehydrated--auto_cleanup_delete)
+* [`api`](#-dehydrated--api)
+* [`preferred_chain`](#-dehydrated--preferred_chain)
+* [`acme_profile`](#-dehydrated--acme_profile)
+* [`order_timeout`](#-dehydrated--order_timeout)
+* [`keep_going`](#-dehydrated--keep_going)
* [`timeout`](#-dehydrated--timeout)
##### `apache_user`
@@ -133,7 +157,7 @@ Data type: `String`
Revision to fetch from the repository providing dehydrated.
-Default value: `'v0.7.0'`
+Default value: `'v0.7.2'`
##### `dependencies`
@@ -159,19 +183,43 @@ Setup cron to automatically renew certificates.
Default value: `false`
+##### `dehydrated_user`
+
+Data type: `Optional[String[1]]`
+
+Which user should dehydrated run as? This will be implicitly enforced when running as root.
+
+Default value: `undef`
+
+##### `dehydrated_group`
+
+Data type: `Optional[String[1]]`
+
+Which group should dehydrated run as? This will be implicitly enforced when running as root.
+
+Default value: `undef`
+
##### `ip_version`
Data type: `Optional[Variant[Integer[4,4],Integer[6,6]]]`
-Use only this IP version for name resolution.
+Resolve names to addresses of IP version only. (curl)
Default value: `undef`
##### `ca`
+Data type: `Optional[String[1]]`
+
+URL to certificate authority or internal preset.
+
+Default value: `undef`
+
+##### `oldca`
+
Data type: `Optional[Stdlib::Httpurl]`
-Path to certificate authority.
+Path to old certificate authority
Default value: `undef`
@@ -183,6 +231,70 @@ Challenge type to be used.
Default value: `undef`
+##### `config_d`
+
+Data type: `Optional[String[1]]`
+
+Path to a directory containing additional config files.
+
+Default value: `undef`
+
+##### `domains_d`
+
+Data type: `Optional[String[1]]`
+
+Directory for per-domain configuration files.
+
+Default value: `undef`
+
+##### `basedir`
+
+Data type: `Optional[String[1]]`
+
+Base directory for account key, generated certificates and list of domains.
+
+Default value: `undef`
+
+##### `domains_txt`
+
+Data type: `Optional[String[1]]`
+
+File containing the list of domains to request certificates for.
+
+Default value: `undef`
+
+##### `certdir`
+
+Data type: `Optional[String[1]]`
+
+Output directory for generated certificates.
+
+Default value: `undef`
+
+##### `alpncertdir`
+
+Data type: `Optional[String[1]]`
+
+Output directory for alpn verification certificates
+
+Default value: `undef`
+
+##### `accountdir`
+
+Data type: `Optional[String[1]]`
+
+Directory for account keys and registration information.
+
+Default value: `undef`
+
+##### `wellknown`
+
+Data type: `String[1]`
+
+Output directory for challenge-tokens to be served by webserver or deployed in HOOK.
+
+Default value: `"${dehydrated::etcdir}/.acme-challenges"`
+
##### `keysize`
Data type: `Optional[Integer[0]]`
@@ -199,6 +311,22 @@ Path to openssl config file.
Default value: `undef`
+##### `openssl`
+
+Data type: `Optional[String[1]]`
+
+Path to OpenSSL binary.
+
+Default value: `undef`
+
+##### `curl_opts`
+
+Data type: `Optional[String[1]]`
+
+Extra options passed to the curl binary.
+
+Default value: `undef`
+
##### `hook`
Data type: `Optional[String]`
@@ -253,6 +381,14 @@ Data type: `String`
E-mail address Let's Encrypt can use to reach you regarding your certificates.
+##### `lockfile`
+
+Data type: `Optional[String[1]]`
+
+Lockfile location, to prevent concurrent access.
+
+Default value: `undef`
+
##### `ocsp_must_staple`
Data type: `Optional[Boolean]`
@@ -261,6 +397,86 @@ Option to add CSR-flag indicating OCSP stapling to be mandatory.
Default value: `undef`
+##### `ocsp_fetch`
+
+Data type: `Optional[Boolean]`
+
+Fetch OCSP responses.
+
+Default value: `undef`
+
+##### `ocsp_days`
+
+Data type: `Optional[Integer[0]]`
+
+OCSP refresh interval.
+
+Default value: `undef`
+
+##### `chaincache`
+
+Data type: `Optional[String[1]]`
+
+Issuer chain cache directory.
+
+Default value: `undef`
+
+##### `auto_cleanup`
+
+Data type: `Optional[Boolean]`
+
+Automatic cleanup.
+
+Default value: `undef`
+
+##### `auto_cleanup_delete`
+
+Data type: `Optional[Boolean]`
+
+Delete files during automatic cleanup instead of moving to archive.
+
+Default value: `undef`
+
+##### `api`
+
+Data type: `Optional[String[1]]`
+
+ACME API version.
+
+Default value: `undef`
+
+##### `preferred_chain`
+
+Data type: `Optional[String[1]]`
+
+Preferred issuer chain.
+
+Default value: `undef`
+
+##### `acme_profile`
+
+Data type: `Optional[String[1]]`
+
+Request certificate with specific profile.
+
+Default value: `undef`
+
+##### `order_timeout`
+
+Data type: `Optional[Integer[0]]`
+
+Amount of seconds to wait for processing of order until erroring out.
+
+Default value: `undef`
+
+##### `keep_going`
+
+Data type: `Optional[Boolean]`
+
+Skip over errors during certificate orders and updating of OCSP stapling information.
+
+Default value: `undef`
+
##### `timeout`
Data type: `Optional[Integer[0]]`
diff --git a/data/Debian.yaml b/data/Debian.yaml
index ace27e7..f151675 100644
--- a/data/Debian.yaml
+++ b/data/Debian.yaml
@@ -1,5 +1,5 @@
---
dehydrated::apache_user: 'www-data'
-dehydrated::dependencies: ['curl']
+dehydrated::dependencies: ['bsdextrautils', 'curl']
dehydrated::etcdir: '/home/dehydrated'
dehydrated::package: ~
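Review bot: `bsdextrautils` is added unconditionally for the whole Debian family, but that package name only resolves on recent releases (Debian 11 "bullseye" and later, Ubuntu 20.10 and later, where it was split out of `bsdmainutils`); on any older release still matched by this data file the package resource will fail the whole catalog. If the module's metadata still claims such releases, key the dependency on the release in hiera or state the new minimum release; if it does not, a short note saying so would help. A comment naming the tool this package is installed for would also help the next reader, presumably `hexdump`, which I believe dehydrated 0.7.x checks for but cannot confirm from this diff: `# bsdextrautils: provides hexdump (needed by dehydrated) -- confirm against the pinned dehydrated version`.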
diff --git a/manifests/init.pp b/manifests/init.pp
index 56aac1c..b53bf4f 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -11,11 +11,24 @@
# @param dependencies Extra dependencies needed to run dehydrated.
# @param apache_integration Setup apache to serve the generated challenges.
# @param cron_integration Setup cron to automatically renew certificates.
-# @param ip_version Use only this IP version for name resolution.
-# @param ca Path to certificate authority.
+# @param dehydrated_user Which user should dehydrated run as? This will be implicitly enforced when running as root.
+# @param dehydrated_group Which group should dehydrated run as? This will be implicitly enforced when running as root.
+# @param ip_version Resolve names to addresses of IP version only. (curl)
+# @param ca URL to certificate authority or internal preset.
+# @param oldca Path to old certificate authority
# @param challengetype Challenge type to be used.
+# @param config_d Path to a directory containing additional config files.
+# @param domains_d Directory for per-domain configuration files.
+# @param basedir Base directory for account key, generated certificates and list of domains.
+# @param domains_txt File containing the list of domains to request certificates for.
+# @param certdir Output directory for generated certificates.
+# @param alpncertdir Output directory for alpn verification certificates
+# @param accountdir Directory for account keys and registration information.
+# @param wellknown Output directory for challenge-tokens to be served by webserver or deployed in HOOK.
# @param keysize Default keysize for private keys.
# @param openssl_cnf Path to openssl config file.
+# @param openssl Path to OpenSSL binary.
+# @param curl_opts Extra options passed to the curl binary.
# @param hook Program or function called in certain situations.
# @param hook_chain Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate.
# @param renew_days Minimum days before expiration to automatically renew certificate.
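Review bot: The new `@param ca` line says "URL to certificate authority or internal preset" without naming the presets, while the config comment rendered by templates/config.epp lists them; since this docblock is what puppet-strings turns into REFERENCE.md, it should carry the list: `# @param ca URL of the ACME directory, or one of dehydrated's internal presets: letsencrypt, letsencrypt-test, zerossl, buypass, buypass-test, google, google-test.`. The `@param dehydrated_user` and `@param dehydrated_group` lines copy dehydrated's own wording and leave open how they relate to the module's existing `$user`/`$group` (the account the module manages); a sentence saying whether setting them to those values is the intended way for a root-started run to drop privileges would remove the guesswork. I cannot tell from this hunk whether the cron integration runs as root, so that sentence should be written by someone who has checked.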
@@ -23,7 +36,18 @@
# @param private_key_rollover Create an extra private key for rollover.
# @param key_algo Which public key algorithm should be used?
# @param contact_email E-mail address Let's Encrypt can use to reach you regarding your certificates.
+# @param lockfile Lockfile location, to prevent concurrent access.
# @param ocsp_must_staple Option to add CSR-flag indicating OCSP stapling to be mandatory.
+# @param ocsp_fetch Fetch OCSP responses.
+# @param ocsp_days OCSP refresh interval.
+# @param chaincache Issuer chain cache directory.
+# @param auto_cleanup Automatic cleanup.
+# @param auto_cleanup_delete Delete files during automatic cleanup instead of moving to archive.
+# @param api ACME API version.
+# @param preferred_chain Preferred issuer chain.
+# @param acme_profile Request certificate with specific profile.
+# @param order_timeout Amount of seconds to wait for processing of order until erroring out.
+# @param keep_going Skip over errors during certificate orders and updating of OCSP stapling information.
# @param timeout Execution timeout for dehydrated tool.
class dehydrated (
String $apache_user,
@@ -34,18 +58,31 @@
String $group = 'dehydrated',
String $user = 'dehydrated',
String $repo_source = 'https://github.com/dehydrated-io/dehydrated.git',
- String $repo_revision = 'v0.7.0',
+ String $repo_revision = 'v0.7.2',
Array[String] $dependencies = [],
Boolean $apache_integration = false,
Boolean $cron_integration = false,
+ Optional[String[1]] $dehydrated_user = undef,
+ Optional[String[1]] $dehydrated_group = undef,
Optional[Variant[Integer[4,4],Integer[6,6]]] $ip_version = undef,
- Optional[Stdlib::Httpurl] $ca = undef,
+ Optional[String[1]] $ca = undef,
+ Optional[Stdlib::Httpurl] $oldca = undef,
Optional[Enum['http-01', 'dns-01']] $challengetype = undef,
+ Optional[String[1]] $config_d = undef,
+ Optional[String[1]] $domains_d = undef,
+ Optional[String[1]] $basedir = undef,
+ Optional[String[1]] $domains_txt = undef,
+ Optional[String[1]] $certdir = undef,
+ Optional[String[1]] $alpncertdir = undef,
+ Optional[String[1]] $accountdir = undef,
+ String[1] $wellknown = "${dehydrated::etcdir}/.acme-challenges",
Optional[Integer[0]] $keysize = undef,
Optional[String] $openssl_cnf = undef,
+ Optional[String[1]] $openssl = undef,
+ Optional[String[1]] $curl_opts = undef,
Optional[String] $hook = undef,
Optional[Boolean] $hook_chain = undef,
Optional[Integer[0]] $renew_days = undef,
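Review bot: The `Optional[String[1]] $ca = undef,` line drops the `Stdlib::Httpurl` validation that `oldca` keeps, so a mistyped preset or a non-URL value is only discovered when dehydrated runs; according to the template comment the presets are a closed list, so both forms can be validated: `Optional[Variant[Stdlib::Httpurl, Enum['letsencrypt', 'letsencrypt-test', 'zerossl', 'buypass', 'buypass-test', 'google', 'google-test']]] $ca = undef,`. If no plain-http ACME endpoint has to be supported, `Stdlib::HTTPSUrl` is the tighter choice, since this URL decides where the account key is registered and which directory is trusted. Separately, this hunk adds `$alpncertdir` while `$challengetype` stays `Optional[Enum['http-01', 'dns-01']]`, so the new directory can never come into play unless the enum also admits `'tls-alpn-01'`, which the template comment lists as supported.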
@@ -53,7 +90,19 @@
Optional[Boolean] $private_key_rollover = undef,
Optional[Enum['rsa', 'prime256v1', 'secp384r1']] $key_algo = undef,
String $contact_email, # lint:ignore:parameter_order
+ Optional[String[1]] $lockfile = undef,
Optional[Boolean] $ocsp_must_staple = undef,
+ Optional[Boolean] $ocsp_fetch = undef,
+ Optional[Integer[0]] $ocsp_days = undef,
+ Optional[String[1]] $chaincache = undef,
+ Optional[Boolean] $auto_cleanup = undef,
+ Optional[Boolean] $auto_cleanup_delete = undef,
+ Optional[String[1]] $api = undef,
+ Optional[String[1]] $preferred_chain = undef,
+ Optional[String[1]] $acme_profile = undef,
+ Optional[Integer[0]] $order_timeout = undef,
+ Optional[Boolean] $keep_going = undef,
+
Optional[Integer[0]] $timeout = undef,
) {
include dehydrated::user
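Review bot: The added empty line between `Optional[Boolean] $keep_going = undef,` and `Optional[Integer[0]] $timeout = undef,` is the only blank line inside the parameter list and reads as a leftover from editing; drop it so the list stays uniform. The types of the other new parameters are consistent with the existing ones in the list.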
diff --git a/spec/classes/dehydrated_spec.rb b/spec/classes/dehydrated_spec.rb
index 62053d3..3109a35 100644
--- a/spec/classes/dehydrated_spec.rb
+++ b/spec/classes/dehydrated_spec.rb
@@ -7,42 +7,389 @@
context "on #{os}" do
let(:facts) { facts }
- let(:params) do
- {
- 'contact_email' => 'bob@example.com',
- 'private_key_renew' => private_key_renew,
- }
+ let(:acme_challenge_dir) do
+ if facts[:os]['family'] == 'FreeBSD'
+ '/usr/local/etc/dehydrated/.acme-challenges'
+ else
+ '/home/dehydrated/.acme-challenges'
+ end
end
- let(:private_key_renew) { :undef }
-
- it { is_expected.to compile.with_all_deps }
+ let(:config_path) do
+ if facts[:os]['family'] == 'FreeBSD'
+ '/usr/local/etc/dehydrated/config'
+ else
+ '/home/dehydrated/config'
+ end
+ end
- case facts[:osfamily]
- when 'Debian'
- it { is_expected.to contain_package('curl').with(ensure: 'installed') }
- when 'FreeBSD'
- it do
- is_expected.to contain_file('/usr/local/etc/dehydrated/config').without_content(%r{^PRIVATE_KEY_RENEW=})
+ context 'with default parameters' do
+ let(:params) do
+ {
+ 'contact_email' => 'bob@example.com'
+ }
end
- context('private_key_renew') do
- context('true') do
- let(:private_key_renew) { true }
+ it { is_expected.to compile.with_all_deps }
+
+ it { is_expected.to contain_package('curl').with(ensure: 'installed') } if facts[:os]['family'] == 'Debian'
+
+ it { is_expected.to contain_file(config_path).with_content(<<~CONTENT) }
+ # Managed by Puppet
+
+ # Which user should dehydrated run as? This will be implicitly enforced when running as root
+ #DEHYDRATED_USER=
+
+ # Which group should dehydrated run as? This will be implicitly enforced when running as root
+ #DEHYDRATED_GROUP=
+
+ # Resolve names to addresses of IP version only. (curl)
+ # supported values: 4, 6
+ # default:
+ #IP_VERSION=
+
+ # URL to certificate authority or internal preset
+ # Presets: letsencrypt, letsencrypt-test, zerossl, buypass, buypass-test, google, google-test
+ # default: letsencrypt
+ #CA="letsencrypt"
+
+ # Path to old certificate authority
+ # Set this value to your old CA value when upgrading from ACMEv1 to ACMEv2 under a different endpoint.
+ # If dehydrated detects an account-key for the old CA it will automatically reuse that key
+ # instead of registering a new one.
+ # default: https://acme-v01.api.letsencrypt.org/directory
+ #OLDCA="https://acme-v01.api.letsencrypt.org/directory"
+
+ # Which challenge should be used? Currently http-01, dns-01 and tls-alpn-01 are supported
+ #CHALLENGETYPE="http-01"
+
+ # Path to a directory containing additional config files, allowing to override
+ # the defaults found in the main configuration file. Additional config files
+ # in this directory needs to be named with a '.sh' ending.
+ # default:
+ #CONFIG_D=
+
+ # Directory for per-domain configuration files.
+ # If not set, per-domain configurations are sourced from each certificates output directory.
+ # default:
+ #DOMAINS_D=
+
+ # Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined)
+ #BASEDIR=$SCRIPTDIR
+
+ # File containing the list of domains to request certificates for (default: $BASEDIR/domains.txt)
+ #DOMAINS_TXT="${BASEDIR}/domains.txt"
+
+ # Output directory for generated certificates
+ #CERTDIR="${BASEDIR}/certs"
+
+ # Output directory for alpn verification certificates
+ #ALPNCERTDIR="${BASEDIR}/alpn-certs"
+
+ # Directory for account keys and registration information
+ #ACCOUNTDIR="${BASEDIR}/accounts"
+
+ # Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: /var/www/dehydrated)
+ #WELLKNOWN="/var/www/dehydrated"
+ WELLKNOWN='#{acme_challenge_dir}'
+
+ # Default keysize for private keys (default: 4096)
+ #KEYSIZE="4096"
+
+ # Path to openssl config file (default: - tries to figure out system default)
+ #OPENSSL_CNF=
+
+ # Path to OpenSSL binary (default: "openssl")
+ #OPENSSL="openssl"
+
+ # Extra options passed to the curl binary (default: )
+ #CURL_OPTS=
+
+ # Program or function called in certain situations
+ #
+ # After generating the challenge-response, or after failed challenge (in this case altname is empty)
+ # Given arguments: clean_challenge|deploy_challenge altname token-filename token-content
+ #
+ # After successfully signing certificate
+ # Given arguments: deploy_cert domain path/to/privkey.pem path/to/cert.pem path/to/fullchain.pem
+ #
+ # BASEDIR and WELLKNOWN variables are exported and can be used in an external program
+ # default:
+ #HOOK=
+
+ # Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate (default: no)
+ #HOOK_CHAIN="no"
+
+ # Minimum days before expiration to automatically renew certificate (default: 32)
+ #RENEW_DAYS="32"
+
+ # Regenerate private keys instead of just signing new certificates on renewal (default: yes)
+ #PRIVATE_KEY_RENEW="yes"
+
+ # Create an extra private key for rollover (default: no)
+ #PRIVATE_KEY_ROLLOVER="no"
+
+ # Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
+ #KEY_ALGO=secp384r1
+
+ # E-mail to use during the registration (default: )
+ #CONTACT_EMAIL=
+ CONTACT_EMAIL='bob@example.com'
+
+ # Lockfile location, to prevent concurrent access (default: $BASEDIR/lock)
+ #LOCKFILE="${BASEDIR}/lock"
+
+ # Option to add CSR-flag indicating OCSP stapling to be mandatory (default: no)
+ #OCSP_MUST_STAPLE="no"
+
+ # Fetch OCSP responses (default: no)
+ #OCSP_FETCH="no"
+
+ # OCSP refresh interval (default: 5 days)
+ #OCSP_DAYS=5
+
+ # Issuer chain cache directory (default: $BASEDIR/chains)
+ #CHAINCACHE="${BASEDIR}/chains"
+
+ # Automatic cleanup (default: no)
+ #AUTO_CLEANUP="no"
+
+ # Delete files during automatic cleanup instead of moving to archive (default: no)
+ #AUTO_CLEANUP_DELETE="no"
+
+ # ACME API version (default: auto)
+ #API=auto
+
+ # Preferred issuer chain (default: -> uses default chain)
+ #PREFERRED_CHAIN=
- it do
- is_expected.to contain_file('/usr/local/etc/dehydrated/config').with_content(%r{^PRIVATE_KEY_RENEW='yes'$})
- end
- end
+ # Request certificate with specific profile (default: )
+ #ACME_PROFILE=
- context('false') do
- let(:private_key_renew) { false }
+ # Amount of seconds to wait for processing of order until erroring out (default: 0 => no timeout)
+ #ORDER_TIMEOUT=0
- it do
- is_expected.to contain_file('/usr/local/etc/dehydrated/config').with_content(%r{^PRIVATE_KEY_RENEW='no'$})
- end
- end
+ # Skip over errors during certificate orders and updating of OCSP stapling information (default: no)
+ #KEEP_GOING=no
+ CONTENT
+ end
+
+ context 'with all parameters set' do
+ let(:params) do
+ {
+ 'dehydrated_user' => 'acme',
+ 'dehydrated_group' => 'acme',
+ 'ip_version' => 6,
+ 'ca' => 'letsencrypt',
+ 'oldca' => 'https://acme-v01.api.letsencrypt.org/directory',
+ 'challengetype' => 'http-01',
+ 'config_d' => '/etc/dehydrated/config.d',
+ 'domains_d' => '/etc/dehydrated/domains.d',
+ 'basedir' => '/etc/dehydrated',
+ 'domains_txt' => '/etc/dehydrated/domains.txt',
+ 'certdir' => '/etc/dehydrated/certs',
+ 'alpncertdir' => '/etc/dehydrated/alpn-certs',
+ 'accountdir' => '/etc/dehydrated/accounts',
+ 'wellknown' => '/var/www/dehydrated',
+ 'keysize' => 4096,
+ 'openssl_cnf' => '/etc/ssl/openssl.cnf',
+ 'openssl' => 'openssl',
+ 'curl_opts' => '--verbose',
+ 'hook' => '/usr/local/bin/dehydrated-hook',
+ 'hook_chain' => false,
+ 'renew_days' => 32,
+ 'private_key_renew' => true,
+ 'private_key_rollover' => false,
+ 'key_algo' => 'secp384r1',
+ 'contact_email' => 'bob@example.com',
+ 'lockfile' => '/etc/dehydrated/lock',
+ 'ocsp_must_staple' => false,
+ 'ocsp_fetch' => false,
+ 'ocsp_days' => 5,
+ 'chaincache' => '/etc/dehydrated/chains',
+ 'auto_cleanup' => false,
+ 'auto_cleanup_delete' => false,
+ 'api' => 'auto',
+ 'preferred_chain' => 'default',
+ 'acme_profile' => 'shortlived',
+ 'order_timeout' => 0,
+ 'keep_going' => false
+ }
end
+
+ it { is_expected.to contain_file(config_path).with_content(<<~CONTENT) }
+ # Managed by Puppet
+
+ # Which user should dehydrated run as? This will be implicitly enforced when running as root
+ #DEHYDRATED_USER=
+ DEHYDRATED_USER='acme'
+
+ # Which group should dehydrated run as? This will be implicitly enforced when running as root
+ #DEHYDRATED_GROUP=
+ DEHYDRATED_GROUP='acme'
+
+ # Resolve names to addresses of IP version only. (curl)
+ # supported values: 4, 6
+ # default:
+ #IP_VERSION=
+ IP_VERSION=6
+
+ # URL to certificate authority or internal preset
+ # Presets: letsencrypt, letsencrypt-test, zerossl, buypass, buypass-test, google, google-test
+ # default: letsencrypt
+ #CA="letsencrypt"
+ CA='letsencrypt'
+
+ # Path to old certificate authority
+ # Set this value to your old CA value when upgrading from ACMEv1 to ACMEv2 under a different endpoint.
+ # If dehydrated detects an account-key for the old CA it will automatically reuse that key
+ # instead of registering a new one.
+ # default: https://acme-v01.api.letsencrypt.org/directory
+ #OLDCA="https://acme-v01.api.letsencrypt.org/directory"
+ OLDCA='https://acme-v01.api.letsencrypt.org/directory'
+
+ # Which challenge should be used? Currently http-01, dns-01 and tls-alpn-01 are supported
+ #CHALLENGETYPE="http-01"
+ CHALLENGETYPE='http-01'
+
+ # Path to a directory containing additional config files, allowing to override
+ # the defaults found in the main configuration file. Additional config files
+ # in this directory needs to be named with a '.sh' ending.
+ # default:
+ #CONFIG_D=
+ CONFIG_D='/etc/dehydrated/config.d'
+
+ # Directory for per-domain configuration files.
+ # If not set, per-domain configurations are sourced from each certificates output directory.
+ # default:
+ #DOMAINS_D=
+ DOMAINS_D='/etc/dehydrated/domains.d'
+
+ # Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined)
+ #BASEDIR=$SCRIPTDIR
+ BASEDIR='/etc/dehydrated'
+
+ # File containing the list of domains to request certificates for (default: $BASEDIR/domains.txt)
+ #DOMAINS_TXT="${BASEDIR}/domains.txt"
+ DOMAINS_TXT='/etc/dehydrated/domains.txt'
+
+ # Output directory for generated certificates
+ #CERTDIR="${BASEDIR}/certs"
+ CERTDIR='/etc/dehydrated/certs'
+
+ # Output directory for alpn verification certificates
+ #ALPNCERTDIR="${BASEDIR}/alpn-certs"
+ ALPNCERTDIR='/etc/dehydrated/alpn-certs'
+
+ # Directory for account keys and registration information
+ #ACCOUNTDIR="${BASEDIR}/accounts"
+ ACCOUNTDIR='/etc/dehydrated/accounts'
+
+ # Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: /var/www/dehydrated)
+ #WELLKNOWN="/var/www/dehydrated"
+ WELLKNOWN='/var/www/dehydrated'
+
+ # Default keysize for private keys (default: 4096)
+ #KEYSIZE="4096"
+ KEYSIZE=4096
+
+ # Path to openssl config file (default: - tries to figure out system default)
+ #OPENSSL_CNF=
+ OPENSSL_CNF='/etc/ssl/openssl.cnf'
+
+ # Path to OpenSSL binary (default: "openssl")
+ #OPENSSL="openssl"
+ OPENSSL='openssl'
+
+ # Extra options passed to the curl binary (default: )
+ #CURL_OPTS=
+ CURL_OPTS='--verbose'
+
+ # Program or function called in certain situations
+ #
+ # After generating the challenge-response, or after failed challenge (in this case altname is empty)
+ # Given arguments: clean_challenge|deploy_challenge altname token-filename token-content
+ #
+ # After successfully signing certificate
+ # Given arguments: deploy_cert domain path/to/privkey.pem path/to/cert.pem path/to/fullchain.pem
+ #
+ # BASEDIR and WELLKNOWN variables are exported and can be used in an external program
+ # default:
+ #HOOK=
+ HOOK='/usr/local/bin/dehydrated-hook'
+
+ # Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate (default: no)
+ #HOOK_CHAIN="no"
+ HOOK_CHAIN='no'
+
+ # Minimum days before expiration to automatically renew certificate (default: 32)
+ #RENEW_DAYS="32"
+ RENEW_DAYS=32
+
+ # Regenerate private keys instead of just signing new certificates on renewal (default: yes)
+ #PRIVATE_KEY_RENEW="yes"
+ PRIVATE_KEY_RENEW='yes'
+
+ # Create an extra private key for rollover (default: no)
+ #PRIVATE_KEY_ROLLOVER="no"
+ PRIVATE_KEY_ROLLOVER='no'
+
+ # Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
+ #KEY_ALGO=secp384r1
+ KEY_ALGO='secp384r1'
+
+ # E-mail to use during the registration (default: )
+ #CONTACT_EMAIL=
+ CONTACT_EMAIL='bob@example.com'
+
+ # Lockfile location, to prevent concurrent access (default: $BASEDIR/lock)
+ #LOCKFILE="${BASEDIR}/lock"
+ LOCKFILE='/etc/dehydrated/lock'
+
+ # Option to add CSR-flag indicating OCSP stapling to be mandatory (default: no)
+ #OCSP_MUST_STAPLE="no"
+ OCSP_MUST_STAPLE='no'
+
+ # Fetch OCSP responses (default: no)
+ #OCSP_FETCH="no"
+ OCSP_FETCH='no'
+
+ # OCSP refresh interval (default: 5 days)
+ #OCSP_DAYS=5
+ OCSP_DAYS=5
+
+ # Issuer chain cache directory (default: $BASEDIR/chains)
+ #CHAINCACHE="${BASEDIR}/chains"
+ CHAINCACHE='/etc/dehydrated/chains'
+
+ # Automatic cleanup (default: no)
+ #AUTO_CLEANUP="no"
+ AUTO_CLEANUP='no'
+
+ # Delete files during automatic cleanup instead of moving to archive (default: no)
+ #AUTO_CLEANUP_DELETE="no"
+ AUTO_CLEANUP_DELETE='no'
+
+ # ACME API version (default: auto)
+ #API=auto
+ API='auto'
+
+ # Preferred issuer chain (default: -> uses default chain)
+ #PREFERRED_CHAIN=
+ PREFERRED_CHAIN='default'
+
+ # Request certificate with specific profile (default: )
+ #ACME_PROFILE=
+ ACME_PROFILE='shortlived'
+
+ # Amount of seconds to wait for processing of order until erroring out (default: 0 => no timeout)
+ #ORDER_TIMEOUT=0
+ ORDER_TIMEOUT=0
+
+ # Skip over errors during certificate orders and updating of OCSP stapling information (default: no)
+ #KEEP_GOING=no
+ KEEP_GOING='no'
+ CONTENT
end
end
end
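Review bot: Every boolean in the 'with all parameters set' context (`hook_chain`, `private_key_rollover`, `ocsp_must_staple`, `ocsp_fetch`, `auto_cleanup`, `auto_cleanup_delete`, `keep_going`) is set to `false`, so the `'yes'` branch of each `bool2str` call in templates/config.epp is never rendered and a wrong truthy argument would pass this suite. Add a context that flips at least the newly added flags to `true` and asserts the rendered line, e.g. `'auto_cleanup' => true` with `is_expected.to contain_file(config_path).with_content(%r{^AUTO_CLEANUP='yes'$})`, in the spirit of the `private_key_renew` true/false contexts this commit removes. The full-file content assertions do pin the output precisely, but they have to be regenerated whenever a comment line in the template changes; a per-option `%r{^KEY=value$}` assertion is less brittle for that.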
diff --git a/templates/config.epp b/templates/config.epp
index 3749615..1fe8b18 100644
--- a/templates/config.epp
+++ b/templates/config.epp
@@ -1,42 +1,243 @@
# Managed by Puppet
+# Which user should dehydrated run as? This will be implicitly enforced when running as root
+#DEHYDRATED_USER=
+<% unless $dehydrated::dehydrated_user =~ Undef { -%>
+DEHYDRATED_USER=<%= String($dehydrated::dehydrated_user, '%p') %>
+<% } -%>
+
+# Which group should dehydrated run as? This will be implicitly enforced when running as root
+#DEHYDRATED_GROUP=
+<% unless $dehydrated::dehydrated_group =~ Undef { -%>
+DEHYDRATED_GROUP=<%= String($dehydrated::dehydrated_group, '%p') %>
+<% } -%>
+
+# Resolve names to addresses of IP version only. (curl)
+# supported values: 4, 6
+# default:
+#IP_VERSION=
<% unless $dehydrated::ip_version =~ Undef { -%>
IP_VERSION=<%= String($dehydrated::ip_version, '%p') %>
<% } -%>
+
+# URL to certificate authority or internal preset
+# Presets: letsencrypt, letsencrypt-test, zerossl, buypass, buypass-test, google, google-test
+# default: letsencrypt
+#CA="letsencrypt"
<% unless $dehydrated::ca =~ Undef { -%>
CA=<%= String($dehydrated::ca, '%p') %>
<% } -%>
+
+# Path to old certificate authority
+# Set this value to your old CA value when upgrading from ACMEv1 to ACMEv2 under a different endpoint.
+# If dehydrated detects an account-key for the old CA it will automatically reuse that key
+# instead of registering a new one.
+# default: https://acme-v01.api.letsencrypt.org/directory
+#OLDCA="https://acme-v01.api.letsencrypt.org/directory"
+<% unless $dehydrated::oldca =~ Undef { -%>
+OLDCA=<%= String($dehydrated::oldca, '%p') %>
+<% } -%>
+
+# Which challenge should be used? Currently http-01, dns-01 and tls-alpn-01 are supported
+#CHALLENGETYPE="http-01"
<% unless $dehydrated::challengetype =~ Undef { -%>
CHALLENGETYPE=<%= String($dehydrated::challengetype, '%p') %>
<% } -%>
-WELLKNOWN='<%= $dehydrated::etcdir %>/.acme-challenges'
+
+# Path to a directory containing additional config files, allowing to override
+# the defaults found in the main configuration file. Additional config files
+# in this directory needs to be named with a '.sh' ending.
+# default:
+#CONFIG_D=
+<% unless $dehydrated::config_d =~ Undef { -%>
+CONFIG_D=<%= String($dehydrated::config_d, '%p') %>
+<% } -%>
+
+# Directory for per-domain configuration files.
+# If not set, per-domain configurations are sourced from each certificates output directory.
+# default:
+#DOMAINS_D=
+<% unless $dehydrated::domains_d =~ Undef { -%>
+DOMAINS_D=<%= String($dehydrated::domains_d, '%p') %>
+<% } -%>
+
+# Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined)
+#BASEDIR=$SCRIPTDIR
+<% unless $dehydrated::basedir =~ Undef { -%>
+BASEDIR=<%= String($dehydrated::basedir, '%p') %>
+<% } -%>
+
+# File containing the list of domains to request certificates for (default: $BASEDIR/domains.txt)
+#DOMAINS_TXT="${BASEDIR}/domains.txt"
+<% unless $dehydrated::domains_txt =~ Undef { -%>
+DOMAINS_TXT=<%= String($dehydrated::domains_txt, '%p') %>
+<% } -%>
+
+# Output directory for generated certificates
+#CERTDIR="${BASEDIR}/certs"
+<% unless $dehydrated::certdir =~ Undef { -%>
+CERTDIR=<%= String($dehydrated::certdir, '%p') %>
+<% } -%>
+
+# Output directory for alpn verification certificates
+#ALPNCERTDIR="${BASEDIR}/alpn-certs"
+<% unless $dehydrated::alpncertdir =~ Undef { -%>
+ALPNCERTDIR=<%= String($dehydrated::alpncertdir, '%p') %>
+<% } -%>
+
+# Directory for account keys and registration information
+#ACCOUNTDIR="${BASEDIR}/accounts"
+<% unless $dehydrated::accountdir =~ Undef { -%>
+ACCOUNTDIR=<%= String($dehydrated::accountdir, '%p') %>
+<% } -%>
+
+# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: /var/www/dehydrated)
+#WELLKNOWN="/var/www/dehydrated"
+WELLKNOWN=<%= String($dehydrated::wellknown, '%p') %>
+
+# Default keysize for private keys (default: 4096)
+#KEYSIZE="4096"
<% unless $dehydrated::keysize =~ Undef { -%>
KEYSIZE=<%= String($dehydrated::keysize, '%p') %>
<% } -%>
+
+# Path to openssl config file (default: - tries to figure out system default)
+#OPENSSL_CNF=
<% unless $dehydrated::openssl_cnf =~ Undef { -%>
OPENSSL_CNF=<%= String($dehydrated::openssl_cnf, '%p') %>
<% } -%>
+
+# Path to OpenSSL binary (default: "openssl")
+#OPENSSL="openssl"
+<% unless $dehydrated::openssl =~ Undef { -%>
+OPENSSL=<%= String($dehydrated::openssl, '%p') %>
+<% } -%>
+
+# Extra options passed to the curl binary (default: )
+#CURL_OPTS=
+<% unless $dehydrated::curl_opts =~ Undef { -%>
+CURL_OPTS=<%= String($dehydrated::curl_opts, '%p') %>
+<% } -%>
+
+# Program or function called in certain situations
+#
+# After generating the challenge-response, or after failed challenge (in this case altname is empty)
+# Given arguments: clean_challenge|deploy_challenge altname token-filename token-content
+#
+# After successfully signing certificate
+# Given arguments: deploy_cert domain path/to/privkey.pem path/to/cert.pem path/to/fullchain.pem
+#
+# BASEDIR and WELLKNOWN variables are exported and can be used in an external program
+# default:
+#HOOK=
<% unless $dehydrated::hook =~ Undef { -%>
HOOK=<%= String($dehydrated::hook, '%p') %>
<% } -%>
+
+# Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate (default: no)
+#HOOK_CHAIN="no"
<% unless $dehydrated::hook_chain =~ Undef { -%>
HOOK_CHAIN='<%= bool2str($dehydrated::hook_chain, 'yes', 'no') %>'
<% } -%>
+
+# Minimum days before expiration to automatically renew certificate (default: 32)
+#RENEW_DAYS="32"
<% unless $dehydrated::renew_days =~ Undef { -%>
RENEW_DAYS=<%= String($dehydrated::renew_days, '%p') %>
<% } -%>
+
+# Regenerate private keys instead of just signing new certificates on renewal (default: yes)
+#PRIVATE_KEY_RENEW="yes"
<% unless $dehydrated::private_key_renew =~ Undef { -%>
PRIVATE_KEY_RENEW='<%= bool2str($dehydrated::private_key_renew, 'yes', 'no') %>'
<% } -%>
+
+# Create an extra private key for rollover (default: no)
+#PRIVATE_KEY_ROLLOVER="no"
<% unless $dehydrated::private_key_rollover =~ Undef { -%>
PRIVATE_KEY_ROLLOVER='<%= bool2str($dehydrated::private_key_rollover, 'yes', 'no') %>'
<% } -%>
+
+# Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
+#KEY_ALGO=secp384r1
<% unless $dehydrated::key_algo =~ Undef { -%>
KEY_ALGO=<%= String($dehydrated::key_algo, '%p') %>
<% } -%>
+
+# E-mail to use during the registration (default: )
+#CONTACT_EMAIL=
<% unless $dehydrated::contact_email =~ Undef { -%>
CONTACT_EMAIL=<%= String($dehydrated::contact_email, '%p') %>
<% } -%>
+
+# Lockfile location, to prevent concurrent access (default: $BASEDIR/lock)
+#LOCKFILE="${BASEDIR}/lock"
+<% unless $dehydrated::lockfile =~ Undef { -%>
+LOCKFILE=<%= String($dehydrated::lockfile, '%p') %>
+<% } -%>
+
+# Option to add CSR-flag indicating OCSP stapling to be mandatory (default: no)
+#OCSP_MUST_STAPLE="no"
<% unless $dehydrated::ocsp_must_staple =~ Undef { -%>
OCSP_MUST_STAPLE='<%= bool2str($dehydrated::ocsp_must_staple, 'yes', 'no') %>'
<% } -%>
+
+# Fetch OCSP responses (default: no)
+#OCSP_FETCH="no"
+<% unless $dehydrated::ocsp_fetch =~ Undef { -%>
+OCSP_FETCH='<%= bool2str($dehydrated::ocsp_fetch, 'yes', 'no') %>'
+<% } -%>
+
+# OCSP refresh interval (default: 5 days)
+#OCSP_DAYS=5
+<% unless $dehydrated::ocsp_days =~ Undef { -%>
+OCSP_DAYS=<%= String($dehydrated::ocsp_days, '%p') %>
+<% } -%>
+
+# Issuer chain cache directory (default: $BASEDIR/chains)
+#CHAINCACHE="${BASEDIR}/chains"
+<% unless $dehydrated::chaincache =~ Undef { -%>
+CHAINCACHE=<%= String($dehydrated::chaincache, '%p') %>
+<% } -%>
+
+# Automatic cleanup (default: no)
+#AUTO_CLEANUP="no"
+<% unless $dehydrated::auto_cleanup =~ Undef { -%>
+AUTO_CLEANUP='<%= bool2str($dehydrated::auto_cleanup, 'yes', no) %>'
+<% } -%>
+
+# Delete files during automatic cleanup instead of moving to archive (default: no)
+#AUTO_CLEANUP_DELETE="no"
+<% unless $dehydrated::auto_cleanup_delete =~ Undef { -%>
+AUTO_CLEANUP_DELETE='<%= bool2str($dehydrated::auto_cleanup_delete, 'yes', 'no') %>'
+<% } -%>
+
+# ACME API version (default: auto)
+#API=auto
+<% unless $dehydrated::api =~ Undef { -%>
+API=<%= String($dehydrated::api, '%p') %>
+<% } -%>
+
+# Preferred issuer chain (default: -> uses default chain)
+#PREFERRED_CHAIN=
+<% unless $dehydrated::preferred_chain =~ Undef { -%>
+PREFERRED_CHAIN=<%= String($dehydrated::preferred_chain, '%p') %>
+<% } -%>
+
+# Request certificate with specific profile (default: )
+#ACME_PROFILE=
+<% unless $dehydrated::acme_profile =~ Undef { -%>
+ACME_PROFILE=<%= String($dehydrated::acme_profile, '%p') %>
+<% } -%>
+
+# Amount of seconds to wait for processing of order until erroring out (default: 0 => no timeout)
+#ORDER_TIMEOUT=0
+<% unless $dehydrated::order_timeout =~ Undef { -%>
+ORDER_TIMEOUT=<%= String($dehydrated::order_timeout, '%p') %>
+<% } -%>
+
+# Skip over errors during certificate orders and updating of OCSP stapling information (default: no)
+#KEEP_GOING=no
+<% unless $dehydrated::keep_going =~ Undef { -%>
+KEEP_GOING='<%= bool2str($dehydrated::keep_going, 'yes', 'no') %>'
+<% } -%>