]> git.donarmstrong.com Git - dsa-puppet.git/blob - modules/ssl/manifests/init.pp
projects / dsa-puppet.git / blob
? search:


2d4a140cfc004a1387057629f64951b4be5ab019
[dsa-puppet.git] / modules / ssl / manifests / init.pp
1 class ssl {
2         $caconf = '/etc/ca-certificates.conf'
3
4         package { 'openssl':
5                 ensure   => installed,
6         }
7         package { 'ssl-cert':
8                 ensure   => installed,
9         }
10         package { 'ca-certificates':
11                 ensure   => installed,
12         }
13
14         file { '/etc/ssl/servicecerts':
15                 ensure   => link,
16                 purge    => true,
17                 force    => true,
18                 target   => '/usr/local/share/ca-certificates/debian.org',
19                 notify   => Exec['retire_debian_links'],
20         }
21
22         file { '/usr/local/share/ca-certificates/debian.org':
23                 ensure   => directory,
24                 source   => 'puppet:///modules/ssl/servicecerts/',
25                 mode     => '0644', # this works; otherwise all files are +x
26                 purge    => true,
27                 recurse  => true,
28                 force    => true,
29                 notify   => Exec['refresh_normal_hashes'],
30         }
31         file { '/etc/ssl/debian':
32                 ensure   => directory,
33                 source   => 'puppet:///files/empty/',
34                 mode     => '0644', # this works; otherwise all files are +x
35                 purge    => true,
36                 recurse  => true,
37                 force    => true,
38         }
39         file { '/etc/ssl/debian/certs':
40                 ensure  => directory,
41                 mode    => '0755',
42         }
43         file { '/etc/ssl/debian/crls':
44                 ensure  => directory,
45                 mode    => '0755',
46         }
47         file { '/etc/ssl/debian/keys':
48                 ensure  => directory,
49                 mode    => '0750',
50                 group   => ssl-cert,
51                 require => Package['ssl-cert'],
52         }
53         file { '/etc/ssl/debian/certs/thishost.crt':
54                 source  => "puppet:///modules/ssl/clientcerts/${::fqdn}.client.crt",
55                 notify  => Exec['refresh_debian_hashes'],
56         }
57         file { '/etc/ssl/debian/keys/thishost.key':
58                 source  => "puppet:///modules/ssl/clientcerts/${::fqdn}.key",
59                 mode    => '0440',
60                 group   => ssl-cert,
61                 require => Package['ssl-cert'],
62         }
63         file { '/etc/ssl/debian/certs/ca.crt':
64                 source  => 'puppet:///modules/ssl/clientcerts/ca.crt',
65                 notify  => Exec['refresh_debian_hashes'],
66         }
67         file { '/etc/ssl/debian/crls/ca.crl':
68                 source  => 'puppet:///modules/ssl/clientcerts/ca.crl',
69         }
70         file { '/etc/ssl/debian/certs/thishost-server.crt':
71                 source  => "puppet:///modules/exim/certs/${::fqdn}.crt",
72                 notify  => Exec['refresh_debian_hashes'],
73         }
74         file { '/etc/ssl/debian/keys/thishost-server.key':
75                 source  => "puppet:///modules/exim/certs/${::fqdn}.key",
76                 mode    => '0440',
77                 group   => ssl-cert,
78                 require => Package['ssl-cert'],
79         }
80
81         exec { 'retire_debian_links':
82                 command     => 'find -lname "../servicecerts/*" -exec rm {} +',
83                 cwd         => '/etc/ssl/certs',
84                 refreshonly => true,
85                 notify      => Exec['refresh_normal_hashes'],
86         }
87         exec { 'refresh_debian_hashes':
88                 command     => 'c_rehash /etc/ssl/debian/certs',
89                 refreshonly => true,
90                 require     => Package['openssl'],
91         }
92         exec { 'refresh_normal_hashes':
93                 # NOTE 1: always use update-ca-certificates to manage hashes in
94                 #         /etc/ssl/certs otherwise /etc/ssl/ca-certificates.crt will
95                 #         get a hash overriding the hash that would have been generated
96                 #         for another certificate ... which is problem, comrade
97                 # NOTE 2: always ask update-ca-certificates to freshen (-f) the links
98                 command     => '/usr/sbin/update-ca-certificates -f',
99                 refreshonly => true,
100                 require     => Package['ca-certificates'],
101         }
102
103 }
Unnamed repository; edit this file 'description' to name the repository.