manage /etc/ca-certificates.conf because gandi
class ssl {

	# Packages this class depends on. Package['ssl-cert'] also provides the
	# ssl-cert group that guards the private keys below.
	package { ['openssl', 'ssl-cert', 'ca-certificates']:
		ensure => installed,
	}

	# NOTE(review): the exec commands in this class (cp, find, sed, grep,
	# c_rehash) are not fully qualified and no path attribute is given, so
	# this relies on an Exec path default declared elsewhere in the site —
	# confirm.

	# Service certificates shipped by the module. Anything not present in the
	# module source is purged; a change here re-links the contents into
	# /etc/ssl/certs (see Exec['make_new_service_links']).
	file { '/etc/ssl/servicecerts':
		ensure  => directory,
		mode    => '0755',
		purge   => true,
		recurse => true,
		force   => true,
		source  => 'puppet:///modules/ssl/servicecerts/',
	}

	# /etc/ssl/debian holds this host's client/server identity and the Debian
	# CA material. The tree is purged of everything not declared in this class.
	file { '/etc/ssl/debian':
		ensure  => directory,
		mode    => '0755',
		purge   => true,
		recurse => true,
		force   => true,
		source  => 'puppet:///files/empty/',
	}

	file { ['/etc/ssl/debian/certs', '/etc/ssl/debian/crls']:
		ensure => directory,
		mode   => '0755',
	}

	# Private keys live here: traversable by root and the ssl-cert group only.
	file { '/etc/ssl/debian/keys':
		ensure  => directory,
		group   => ssl-cert,
		mode    => '0750',
		require => Package['ssl-cert'],
	}

	# Host client certificate and key (per-host files from the module).
	file { '/etc/ssl/debian/certs/thishost.crt':
		source => "puppet:///modules/ssl/clientcerts/${::fqdn}.client.crt",
	}
	file { '/etc/ssl/debian/keys/thishost.key':
		source  => "puppet:///modules/ssl/clientcerts/${::fqdn}.key",
		mode    => '0440',
		group   => ssl-cert,
		require => Package['ssl-cert'],
	}

	# The Debian CA certificate and its CRL.
	file { '/etc/ssl/debian/certs/ca.crt':
		source => 'puppet:///modules/ssl/clientcerts/ca.crt',
	}
	file { '/etc/ssl/debian/crls/ca.crl':
		source => 'puppet:///modules/ssl/clientcerts/ca.crl',
	}

	# Host server certificate and key, taken from the exim module's
	# certificate store so both services present the same identity.
	file { '/etc/ssl/debian/certs/thishost-server.crt':
		source => "puppet:///modules/exim/certs/${::fqdn}.crt",
	}
	file { '/etc/ssl/debian/keys/thishost-server.key':
		source  => "puppet:///modules/exim/certs/${::fqdn}.key",
		mode    => '0440',
		group   => ssl-cert,
		require => Package['ssl-cert'],
	}

	# Refresh chain for the system certificate directory:
	#   servicecerts changed -> re-link -> drop dangling links -> c_rehash
	exec { 'make_new_service_links':
		command     => 'cp -f --symbolic-link ../servicecerts/* .',
		cwd         => '/etc/ssl/certs',
		refreshonly => true,
		subscribe   => File['/etc/ssl/servicecerts'],
	}

	# With -L, a symlink only still tests as type l when its target is gone,
	# so this deletes exactly the links left behind by a removed service cert.
	exec { 'cleanup_dead_links':
		command     => 'find -L /etc/ssl/certs -mindepth 1 -maxdepth 1 -type l -delete',
		refreshonly => true,
		subscribe   => Exec['make_new_service_links'],
	}

	exec { 'c_rehash /etc/ssl/certs':
		refreshonly => true,
		subscribe   => Exec['cleanup_dead_links'],
	}

	# Rehash the Debian cert dir whenever one of the certificates in it changes.
	exec { 'c_rehash /etc/ssl/debian/certs':
		refreshonly => true,
		subscribe   => File['/etc/ssl/debian/certs/thishost.crt',
		                    '/etc/ssl/debian/certs/ca.crt',
		                    '/etc/ssl/debian/certs/thishost-server.crt'],
	}

	# Trust-store change: a leading '!' in /etc/ca-certificates.conf marks a
	# CA as deselected. This strips the '!' in front of the UTN USERFirst
	# Hardware root so update-ca-certificates puts it back into /etc/ssl/certs
	# (the commit message cites gandi as the reason). Re-enabling a deselected
	# root widens what every TLS client on the host trusts, so keep this under
	# review. The onlyif keeps the edit idempotent: sed runs only while the
	# exact deselected line is still present.
	exec { 'modify_ca_certificates_conf':
		command => 'sed -i -e \'s#!mozilla/UTN_USERFirst_Hardware_Root_CA.crt#mozilla/UTN_USERFirst_Hardware_Root_CA.crt#\' /etc/ca-certificates.conf',
		cwd     => '/etc/ssl/certs',
		onlyif  => 'grep -Fqx \'!mozilla/UTN_USERFirst_Hardware_Root_CA.crt\' /etc/ca-certificates.conf',
	}

	# Only runs after the conf edit above; package upgrades of ca-certificates
	# regenerate the store on their own.
	exec { 'update_ca_certificates':
		command     => '/usr/sbin/update-ca-certificates',
		cwd         => '/etc/ssl/certs',
		refreshonly => true,
		subscribe   => Exec['modify_ca_certificates_conf'],
	}

}