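# Class: ssl
#
# Installs the TLS tooling (openssl, ssl-cert, ca-certificates) and manages
# two certificate stores on the host:
#
#   * /etc/ssl/servicecerts  - public service certificates shipped in this
#                              module, symlinked into /etc/ssl/certs so that
#                              OpenSSL's hash lookup can find them.
#   * /etc/ssl/debian        - this host's client/server certificate and key
#                              for the internal Debian CA, plus the CA
#                              certificate and CRL. Private keys are owned by
#                              root, readable by group ssl-cert only.
#
# It also (re-)enables $cacert in /etc/ca-certificates.conf: a leading "!"
# in that file marks a CA as deselected, and the 'modify_configuration' exec
# strips that marker. Because that changes the system-wide trust store, keep
# the reason for trusting this CA documented next to $cacert.
#
# Every exec that touches /etc/ssl/certs ends by notifying
# 'refresh_normal_hashes' (update-ca-certificates); see NOTE 1 there for why
# hashes must never be regenerated by hand.
class ssl {

        # CA to enable in the system trust store (path relative to
        # /usr/share/ca-certificates, as listed in $caconf).
        $cacert = 'mozilla/UTN_USERFirst_Hardware_Root_CA.crt'
        $caconf = '/etc/ca-certificates.conf'

        package { 'openssl':
                ensure   => installed,
        }
        # Provides the ssl-cert group used below for key access.
        package { 'ssl-cert':
                ensure   => installed,
        }
        package { 'ca-certificates':
                ensure   => installed,
        }

        # Public service certificates; any file not in the module is purged.
        # Changes trigger relinking into /etc/ssl/certs.
        file { '/etc/ssl/servicecerts':
                ensure   => directory,
                source   => 'puppet:///modules/ssl/servicecerts/',
                mode     => '0644',
                purge    => true,
                recurse  => true,
                force    => true,
                notify   => Exec['refresh_debian_links'],
        }
        # Sourced from an empty directory with purge => true, so only the
        # resources declared below may exist under /etc/ssl/debian.
        file { '/etc/ssl/debian':
                ensure   => directory,
                source   => 'puppet:///files/empty/',
                mode     => '0644',
                purge    => true,
                recurse  => true,
                force    => true,
        }
        file { '/etc/ssl/debian/certs':
                ensure  => directory,
                mode    => '0755',
        }
        file { '/etc/ssl/debian/crls':
                ensure  => directory,
                mode    => '0755',
        }
        # Key directory: not world-accessible; group ssl-cert may traverse it.
        file { '/etc/ssl/debian/keys':
                ensure  => directory,
                mode    => '0750',
                group   => ssl-cert,
                require => Package['ssl-cert'],
        }
        # Per-host client certificate/key for the internal CA, selected by
        # the top-scope $::fqdn fact.
        file { '/etc/ssl/debian/certs/thishost.crt':
                source  => "puppet:///modules/ssl/clientcerts/${::fqdn}.client.crt",
                notify  => Exec['refresh_debian_hashes'],
        }
        file { '/etc/ssl/debian/keys/thishost.key':
                source  => "puppet:///modules/ssl/clientcerts/${::fqdn}.key",
                mode    => '0440',
                group   => ssl-cert,
                require => Package['ssl-cert'],
        }
        file { '/etc/ssl/debian/certs/ca.crt':
                source  => 'puppet:///modules/ssl/clientcerts/ca.crt',
                notify  => Exec['refresh_debian_hashes'],
        }
        file { '/etc/ssl/debian/crls/ca.crl':
                source  => 'puppet:///modules/ssl/clientcerts/ca.crl',
        }
        # Server certificate/key are shared with the exim module.
        file { '/etc/ssl/debian/certs/thishost-server.crt':
                source  => "puppet:///modules/exim/certs/${::fqdn}.crt",
                notify  => Exec['refresh_debian_hashes'],
        }
        file { '/etc/ssl/debian/keys/thishost-server.key':
                source  => "puppet:///modules/exim/certs/${::fqdn}.key",
                mode    => '0440',
                group   => ssl-cert,
                require => Package['ssl-cert'],
        }

        # NOTE(review): the exec commands below (cp, find, sed, grep) are not
        # fully qualified and no 'path' is set here; this relies on an Exec
        # 'path' resource default declared elsewhere (e.g. site.pp) - confirm.

        # Symlink every service certificate into /etc/ssl/certs
        # (-s: symbolic, -f: replace existing entries).
        exec { 'refresh_debian_links':
                command     => 'cp -f -s ../servicecerts/* .',
                cwd         => '/etc/ssl/certs',
                refreshonly => true,
                notify      => Exec['delete_unused_links'],
        }
        # With -L, '-type l' only matches symlinks that cannot be followed,
        # i.e. links left dangling after a certificate was purged above.
        exec { 'delete_unused_links':
                command     => 'find -L . -mindepth 1 -maxdepth 1 -type l -delete',
                cwd         => '/etc/ssl/certs',
                refreshonly => true,
                notify      => Exec['refresh_normal_hashes'], # see NOTE 1
        }
        # Drop the "!" deselection marker in front of $cacert. The expression
        # is anchored to the whole line to match the -x whole-line test in
        # 'onlyif', and closed with the trailing '#' delimiter that sed's
        # s/// command requires (without it sed exits with "unterminated
        # `s' command" and the resource fails on every run). '\$' keeps the
        # end-of-line anchor out of Puppet's string interpolation.
        exec { 'modify_configuration':
                command     => "sed -i -e 's#^!${cacert}\$#${cacert}#' ${caconf}",
                onlyif      => "grep -Fqx '!${cacert}' ${caconf}",
                notify      => Exec['refresh_normal_hashes'],
                require     => Package['ca-certificates'],
        }
        # NOTE(review): no 'command' is given, so Puppet uses the title
        # 'refresh_debian_hashes' as the command to run when this exec is
        # refreshed. That is almost certainly not an installed program;
        # presumably a rehash of /etc/ssl/debian/certs was intended - confirm
        # and set 'command' explicitly.
        exec { 'refresh_debian_hashes':
                refreshonly => true,
                require     => Package['openssl'],
        }
        exec { 'refresh_normal_hashes':
                # NOTE 1: always use update-ca-certificates to manage hashes in
                #         /etc/ssl/certs otherwise /etc/ssl/ca-certificates.crt will
                #         get a hash overriding the hash that would have been generated
                #         for another certificate ... which is problem, comrade
                # NOTE 2: always ask update-ca-certificates to freshen (-f) the links
                command     => '/usr/sbin/update-ca-certificates -f',
                refreshonly => true,
                require     => Package['ca-certificates'],
        }

}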