add complementary states for letsencrypt and vault

3 years ago · 6793f357a5
3 changed files with 29 additions and 1 deletions
--- a/app/letsencrypt.sls
+++ b/app/letsencrypt.sls
@ -0,0 +1,17 @@
+---
+
+certbot certificates group:
+  group.present:
+    - name: certificates
+    - system: true
+
+certbot certificates readable by certificates group:
+  file.directory:
+    - name: /etc/letsencrypt/live/
+    - group: certificates
+    - recurse:
+      - group
+      - mode
+    - dir_mode: 0600
+    - file_mode: 0644
+    - follow_symlinks: true
--- a/app/vault.sls
+++ b/app/vault.sls
@ -0,0 +1,9 @@
+---
+
+vault user has access to certbot certificates:
+  user.present:
+    - name: vault
+    - optional_groups:
+      - certificates
+    - watch_in:
+      - service: vault
--- a/top.sls
+++ b/top.sls
@ -15,6 +15,7 @@ base:
  'roles:letsencrypt':
    - match: grain
    - letsencrypt
+    - app.letsencrypt

  'roles:salt_master':
    - match: grain
@ -60,4 +61,5 @@ base:
  'roles:vault_server':
    - match: grain
    - app.consul.tls
-    - vault
+    - vault
+    - app.vault