ferm: open ssh from mirror-master to ports mirror
[mirror/dsa-puppet.git] / modules / ssl / manifests / init.pp
1 class ssl (
2         Boolean $insecure_ssl = false
3 ) {
4         package { 'openssl':
5                 ensure   => installed,
6         }
7         package { 'ssl-cert':
8                 ensure   => installed,
9         }
10         package { 'ca-certificates':
11                 ensure   => installed,
12         }
13
14         if $insecure_ssl {
15                 $extra_ssl_certs_flags = ' --default'
16                 $ssl_certs_config = 'puppet:///modules/ssl/ca-certificates-global.conf'
17         } else {
18                 $extra_ssl_certs_flags = ''
19                 $ssl_certs_config = 'puppet:///modules/ssl/ca-certificates.conf'
20         }
21
22         file { '/etc/ssl/README':
23                 mode   => '0444',
24                 source => 'puppet:///modules/ssl/README',
25         }
26         file { '/etc/ca-certificates.conf':
27                 source => $ssl_certs_config,
28                 notify  => Exec['refresh_normal_hashes'],
29         }
30         file { '/etc/ca-certificates-debian.conf':
31                 mode    => '0444',
32                 source => 'puppet:///modules/ssl/ca-certificates.conf',
33                 notify  => Exec['refresh_ca_debian_hashes'],
34         }
35         file { '/etc/ca-certificates-global.conf':
36                 source => 'puppet:///modules/ssl/ca-certificates-global.conf',
37                 notify  => Exec['refresh_ca_global_hashes'],
38         }
39
40         file { '/etc/ssl/certs/ssl-cert-snakeoil.pem':
41                 ensure => absent,
42                 notify => Exec['refresh_normal_hashes'],
43         }
44         file { '/etc/ssl/private/ssl-cert-snakeoil.key':
45                 ensure => absent,
46         }
47
48         file { '/etc/ssl/servicecerts':
49                 ensure   => absent,
50         }
51
52         file { '/usr/local/share/ca-certificates/debian.org':
53                 ensure   => absent,
54                 purge    => true,
55                 recurse  => true,
56                 force    => true,
57                 notify   => [ Exec['refresh_normal_hashes'], Exec['refresh_ca_global_hashes'] ],
58         }
59         file { '/etc/ssl/certs/README':
60                 ensure => absent,
61         }
62         file { '/etc/ssl/ca-debian':
63                 ensure => directory,
64                 mode   => '0755',
65         }
66         file { '/etc/ssl/ca-debian/README':
67                 ensure => absent,
68         }
69         file { '/etc/ssl/ca-global':
70                 ensure => directory,
71                 mode   => '0755',
72         }
73         file { '/etc/ssl/ca-global/README':
74                 ensure => absent,
75         }
76         file { '/etc/ssl/debian':
77                 ensure   => directory,
78                 source   => 'puppet:///files/empty/',
79                 mode     => '0644', # this works; otherwise all files are +x
80                 purge    => true,
81                 recurse  => true,
82                 force    => true,
83         }
84         file { '/etc/ssl/debian/certs':
85                 ensure  => directory,
86                 mode    => '0755',
87         }
88         file { '/etc/ssl/debian/crls':
89                 ensure  => directory,
90                 mode    => '0755',
91         }
92         file { '/etc/ssl/debian/certs/thishost.crt':
93                 content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_clientcerts_dir"]) + "/" + @fqdn + ".client.crt") %>'),
94                 notify  => Exec['refresh_debian_hashes'],
95         }
96         file { '/etc/ssl/debian/certs/ca.crt':
97                 content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_clientcerts_dir"]) + "/ca.crt") %>'),
98                 notify  => Exec['refresh_debian_hashes'],
99         }
100         file { '/etc/ssl/debian/crls/ca.crl':
101                 content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_clientcerts_dir"]) + "/ca.crl") %>'),
102         }
103         file { '/etc/ssl/debian/certs/thishost-server.crt':
104                 content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/" + @fqdn + ".crt") %>'),
105                 notify  => Exec['refresh_debian_hashes'],
106         }
107
108         file { '/etc/ssl/debian/keys/thishost.key':
109                 ensure => absent,
110         }
111         file { '/etc/ssl/debian/keys/thishost-server.key':
112                 ensure => absent,
113         }
114         file { '/etc/ssl/debian/keys':
115                 ensure => absent,
116                 force    => true,
117         }
118         file { '/etc/ssl/private/thishost.key':
119                 content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_clientcerts_dir"]) + "/" + @fqdn + ".key") %>'),
120                 mode    => '0440',
121                 group   => ssl-cert,
122                 require => Package['ssl-cert'],
123         }
124         file { '/etc/ssl/private/thishost-server.key':
125                 content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/" + @fqdn + ".key") %>'),
126                 mode    => '0440',
127                 group   => ssl-cert,
128                 require => Package['ssl-cert'],
129         }
130
131         $updatecacertsdsa = '/usr/local/sbin/update-ca-certificates-dsa'
132         if (versioncmp($::lsbmajdistrelease, '9') >= 0) {
133                 file { $updatecacertsdsa:
134                         ensure => absent,
135                 }
136                 $updatecacerts = '/usr/sbin/update-ca-certificates'
137         } else {
138                 file { $updatecacertsdsa:
139                         mode   => '0555',
140                         source => 'puppet:///modules/ssl/update-ca-certificates-dsa',
141                 }
142                 $updatecacerts = $updatecacertsdsa
143         }
144
145         file { '/etc/apt/apt.conf.d/local-ssl-ca-global':
146                 mode   => '0444',
147                 content => template('ssl/local-ssl-ca-global.erb'),
148         }
149
150
151         exec { 'refresh_debian_hashes':
152                 command     => 'c_rehash /etc/ssl/debian/certs',
153                 refreshonly => true,
154                 require     => Package['openssl'],
155         }
156
157         exec { 'refresh_normal_hashes':
158                 # NOTE 1: always use update-ca-certificates to manage hashes in
159                 #         /etc/ssl/certs otherwise /etc/ssl/ca-certificates.crt will
160                 #         get a hash overriding the hash that would have been generated
161                 #         for another certificate ... which is problem, comrade
162                 # NOTE 2: always ask update-ca-certificates to freshen (-f) the links
163                 command     => "/usr/sbin/update-ca-certificates --fresh${extra_ssl_certs_flags}",
164                 refreshonly => true,
165                 require     => Package['ca-certificates'],
166         }
167         exec { 'refresh_ca_debian_hashes':
168                 command     => "${updatecacerts} --fresh --certsconf /etc/ca-certificates-debian.conf --localcertsdir /dev/null --etccertsdir /etc/ssl/ca-debian --hooksdir /dev/null",
169                 refreshonly => true,
170                 require     => [
171                         Package['ca-certificates'],
172                         File['/etc/ssl/ca-debian'],
173                         File['/etc/ca-certificates-debian.conf'],
174                         File[$updatecacertsdsa],
175                 ]
176         }
177         exec { 'refresh_ca_global_hashes':
178                 command     => "${updatecacerts} --fresh --default --certsconf /etc/ca-certificates-global.conf --etccertsdir /etc/ssl/ca-global --hooksdir /dev/null",
179                 refreshonly => true,
180                 require     => [
181                         Package['ca-certificates'],
182                         File['/etc/ssl/ca-global'],
183                         File['/etc/ca-certificates-global.conf'],
184                         File[$updatecacertsdsa],
185                 ]
186         }
187
188 }