Move ca-certificates configs to puppet files for maintainability.
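# Class: ssl
#
# Installs the TLS tooling (openssl, ssl-cert, ca-certificates), ships the
# ca-certificates configuration files from this module, removes the distro
# snakeoil key pair, and keeps three trust stores up to date:
#   /etc/ssl/certs      system store, rebuilt by update-ca-certificates -f
#   /etc/ssl/ca-debian  Debian-only CA store, rebuilt by update-ca-certificates-dsa
#   /etc/ssl/ca-global  global CA store, rebuilt by update-ca-certificates-dsa
# plus the per-host client and server certificate/key pairs under /etc/ssl/debian.
#
# Hash links are regenerated by refreshonly execs, so every file whose
# contents feed a store notifies the exec that rebuilds that store.
class ssl {
        $caconf = '/etc/ca-certificates.conf'

        package { 'openssl':
                ensure   => installed,
        }
        package { 'ssl-cert':
                ensure   => installed,
        }
        package { 'ca-certificates':
                ensure   => installed,
        }

        # The ca-certificates conffiles are ordered after the package so dpkg
        # never finds a pre-existing, locally modified conffile on first install.
        file { $caconf:
                source  => 'puppet:///modules/ssl/ca-certificates.conf',
                require => Package['ca-certificates'],
                notify  => Exec['refresh_normal_hashes'],
        }
        file { '/etc/ca-certificates-debian.conf':
                mode    => '0444',
                source  => 'puppet:///modules/ssl/ca-certificates-debian.conf',
                require => Package['ca-certificates'],
                notify  => Exec['refresh_ca_debian_hashes'],
        }
        file { '/etc/ca-certificates-global.conf':
                source  => 'puppet:///modules/ssl/ca-certificates-global.conf',
                require => Package['ca-certificates'],
                notify  => Exec['refresh_ca_global_hashes'],
        }

        file { '/etc/apt/apt.conf.d/local-ssl-ca-global':
                mode   => '0444',
                source => 'puppet:///modules/ssl/local-ssl-ca-global',
        }

        # The ssl-cert package's self-signed placeholder pair is never to be
        # trusted or served; removing the certificate changes the system store,
        # so the hash links are rebuilt.
        file { '/etc/ssl/certs/ssl-cert-snakeoil.pem':
                ensure => absent,
                notify => Exec['refresh_normal_hashes'],
        }
        file { '/etc/ssl/private/ssl-cert-snakeoil.key':
                ensure => absent,
        }

        # Legacy location of the service certificates, kept as a symlink into
        # the local CA directory. force lets a pre-existing directory be
        # replaced by the link; any change here retires the old hash links.
        file { '/etc/ssl/servicecerts':
                ensure   => link,
                purge    => true,
                force    => true,
                target   => '/usr/local/share/ca-certificates/debian.org',
                notify   => Exec['retire_debian_links'],
        }

        # Local CA certificates picked up by update-ca-certificates. purge and
        # recurse make the directory exactly mirror the module's servicecerts/.
        file { '/usr/local/share/ca-certificates/debian.org':
                ensure   => directory,
                source   => 'puppet:///modules/ssl/servicecerts/',
                mode     => '0644', # this works; otherwise all files are +x
                purge    => true,
                recurse  => true,
                force    => true,
                notify   => Exec['refresh_normal_hashes'],
        }
        file { '/etc/ssl/certs/README':
                mode   => '0444',
                source => 'puppet:///modules/ssl/README.certs',
        }
        file { '/etc/ssl/ca-debian':
                ensure => directory,
                mode   => '0755',
        }
        file { '/etc/ssl/ca-debian/README':
                mode   => '0444',
                source => 'puppet:///modules/ssl/README.ca-debian',
        }
        file { '/etc/ssl/ca-global':
                ensure => directory,
                mode   => '0755',
        }
        file { '/etc/ssl/ca-global/README':
                mode   => '0444',
                source => 'puppet:///modules/ssl/README.ca-global',
        }

        # Per-host material. The empty source plus purge/recurse removes
        # anything under /etc/ssl/debian that is not declared below.
        file { '/etc/ssl/debian':
                ensure   => directory,
                source   => 'puppet:///files/empty/',
                mode     => '0644', # this works; otherwise all files are +x
                purge    => true,
                recurse  => true,
                force    => true,
        }
        file { '/etc/ssl/debian/certs':
                ensure  => directory,
                mode    => '0755',
        }
        file { '/etc/ssl/debian/crls':
                ensure  => directory,
                mode    => '0755',
        }
        # Group names containing a hyphen must be quoted: as a bareword,
        # ssl-cert is not a valid string in newer Puppet parsers.
        # 0750 + ssl-cert: only root and members of ssl-cert can enter the
        # key directory. The group is created by the ssl-cert package.
        file { '/etc/ssl/debian/keys':
                ensure  => directory,
                mode    => '0750',
                group   => 'ssl-cert',
                require => Package['ssl-cert'],
        }
        file { '/etc/ssl/debian/certs/thishost.crt':
                source  => "puppet:///modules/ssl/clientcerts/${::fqdn}.client.crt",
                notify  => Exec['refresh_debian_hashes'],
        }
        # Private keys are 0440 root:ssl-cert so only services in that group
        # can read them; they are never world-readable.
        file { '/etc/ssl/debian/keys/thishost.key':
                source  => "puppet:///modules/ssl/clientcerts/${::fqdn}.key",
                mode    => '0440',
                group   => 'ssl-cert',
                require => Package['ssl-cert'],
        }
        file { '/etc/ssl/debian/certs/ca.crt':
                source  => 'puppet:///modules/ssl/clientcerts/ca.crt',
                notify  => Exec['refresh_debian_hashes'],
        }
        file { '/etc/ssl/debian/crls/ca.crl':
                source  => 'puppet:///modules/ssl/clientcerts/ca.crl',
        }
        # The server pair is shared with the exim module's certificate tree.
        file { '/etc/ssl/debian/certs/thishost-server.crt':
                source  => "puppet:///modules/exim/certs/${::fqdn}.crt",
                notify  => Exec['refresh_debian_hashes'],
        }
        file { '/etc/ssl/debian/keys/thishost-server.key':
                source  => "puppet:///modules/exim/certs/${::fqdn}.key",
                mode    => '0440',
                group   => 'ssl-cert',
                require => Package['ssl-cert'],
        }

        file { '/usr/local/sbin/update-ca-certificates-dsa':
                mode   => '0555',
                source => 'puppet:///modules/ssl/update-ca-certificates-dsa',
        }

        # NOTE(review): the find and c_rehash commands below are not fully
        # qualified and set no path attribute; this relies on an
        # Exec { path => ... } resource default declared elsewhere -- confirm.

        # Drop hash links in the system store that still point into the old
        # ../servicecerts location, then let update-ca-certificates rebuild.
        exec { 'retire_debian_links':
                command     => 'find -lname "../servicecerts/*" -exec rm {} +',
                cwd         => '/etc/ssl/certs',
                refreshonly => true,
                notify      => Exec['refresh_normal_hashes'],
        }
        # /etc/ssl/debian/certs is not managed by update-ca-certificates, so a
        # plain c_rehash is used for its hash links.
        exec { 'refresh_debian_hashes':
                command     => 'c_rehash /etc/ssl/debian/certs',
                refreshonly => true,
                require     => Package['openssl'],
        }
        exec { 'refresh_normal_hashes':
                # NOTE 1: always use update-ca-certificates to manage hashes in
                #         /etc/ssl/certs otherwise /etc/ssl/ca-certificates.crt will
                #         get a hash overriding the hash that would have been generated
                #         for another certificate ... which is problem, comrade
                # NOTE 2: always ask update-ca-certificates to freshen (-f) the links
                command     => '/usr/sbin/update-ca-certificates -f',
                refreshonly => true,
                require     => Package['ca-certificates'],
        }
        # Debian-only store: no local certs dir and no hooks, built from the
        # debian conffile into /etc/ssl/ca-debian.
        exec { 'refresh_ca_debian_hashes':
                command     => '/usr/local/sbin/update-ca-certificates-dsa --fresh --certsconf /etc/ca-certificates-debian.conf --localcertsdir /dev/null --etccertsdir /etc/ssl/ca-debian --hooksdir /dev/null',
                refreshonly => true,
                require     => [
                        Package['ca-certificates'],
                        File['/etc/ssl/ca-debian'],
                        File['/etc/ca-certificates-debian.conf'],
                        File['/usr/local/sbin/update-ca-certificates-dsa'],
                ]
        }
        # Global store: same tool with --default, built from the global
        # conffile into /etc/ssl/ca-global, again with hooks disabled.
        exec { 'refresh_ca_global_hashes':
                command     => '/usr/local/sbin/update-ca-certificates-dsa --fresh --default --certsconf /etc/ca-certificates-global.conf --etccertsdir /etc/ssl/ca-global --hooksdir /dev/null',
                refreshonly => true,
                require     => [
                        Package['ca-certificates'],
                        File['/etc/ssl/ca-global'],
                        File['/etc/ca-certificates-global.conf'],
                        File['/usr/local/sbin/update-ca-certificates-dsa'],
                ]
        }

}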