modules/ssl/manifests/init.pp

   1 class ssl {
   2
   3         $cacert = 'mozilla/UTN_USERFirst_Hardware_Root_CA.crt'
   4         $caconf = '/etc/ca-certificates.conf'
   5
   6         package { 'openssl':
   7                 ensure   => installed,
   8         }
   9         package { 'ssl-cert':
  10                 ensure   => installed,
  11         }
  12         package { 'ca-certificates':
  13                 ensure   => installed,
  14         }
  15
  16         file { '/etc/ssl/servicecerts':
  17                 ensure   => link,
  18                 purge    => true,
  19                 force    => true,
  20                 target   => '/usr/local/share/ca-certificates/debian.org',
  21                 notify   => Exec['retire_debian_links'],
  22         }
  23
  24         file { '/usr/local/share/ca-certificates/debian.org':
  25                 ensure   => directory,
  26                 source   => 'puppet:///modules/ssl/servicecerts/',
  27                 mode     => '0644', # this works; otherwise all files are +x
  28                 purge    => true,
  29                 recurse  => true,
  30                 force    => true,
  31                 notify   => Exec['refresh_normal_hashes'],
  32         }
  33         file { '/etc/ssl/debian':
  34                 ensure   => directory,
  35                 source   => 'puppet:///files/empty/',
  36                 mode     => '0644', # this works; otherwise all files are +x
  37                 purge    => true,
  38                 recurse  => true,
  39                 force    => true,
  40         }
  41         file { '/etc/ssl/debian/certs':
  42                 ensure  => directory,
  43                 mode    => '0755',
  44         }
  45         file { '/etc/ssl/debian/crls':
  46                 ensure  => directory,
  47                 mode    => '0755',
  48         }
  49         file { '/etc/ssl/debian/keys':
  50                 ensure  => directory,
  51                 mode    => '0750',
  52                 group   => ssl-cert,
  53                 require => Package['ssl-cert'],
  54         }
  55         file { '/etc/ssl/debian/certs/thishost.crt':
  56                 source  => "puppet:///modules/ssl/clientcerts/${::fqdn}.client.crt",
  57                 notify  => Exec['refresh_debian_hashes'],
  58         }
  59         file { '/etc/ssl/debian/keys/thishost.key':
  60                 source  => "puppet:///modules/ssl/clientcerts/${::fqdn}.key",
  61                 mode    => '0440',
  62                 group   => ssl-cert,
  63                 require => Package['ssl-cert'],
  64         }
  65         file { '/etc/ssl/debian/certs/ca.crt':
  66                 source  => 'puppet:///modules/ssl/clientcerts/ca.crt',
  67                 notify  => Exec['refresh_debian_hashes'],
  68         }
  69         file { '/etc/ssl/debian/crls/ca.crl':
  70                 source  => 'puppet:///modules/ssl/clientcerts/ca.crl',
  71         }
  72         file { '/etc/ssl/debian/certs/thishost-server.crt':
  73                 source  => "puppet:///modules/exim/certs/${::fqdn}.crt",
  74                 notify  => Exec['refresh_debian_hashes'],
  75         }
  76         file { '/etc/ssl/debian/keys/thishost-server.key':
  77                 source  => "puppet:///modules/exim/certs/${::fqdn}.key",
  78                 mode    => '0440',
  79                 group   => ssl-cert,
  80                 require => Package['ssl-cert'],
  81         }
  82
  83         exec { 'retire_debian_links':
  84                 command     => 'find -lname "../servicecerts/*" -exec rm {} +',
  85                 cwd         => '/etc/ssl/certs',
  86                 refreshonly => true,
  87                 notify      => Exec['refresh_normal_hashes'],
  88         }
  89         exec { 'refresh_debian_hashes':
  90                 command     => 'c_rehash /etc/ssl/debian/certs',
  91                 refreshonly => true,
  92                 require     => Package['openssl'],
  93         }
  94         exec { 'refresh_normal_hashes':
  95                 # NOTE 1: always use update-ca-certificates to manage hashes in
  96                 #         /etc/ssl/certs otherwise /etc/ssl/ca-certificates.crt will
  97                 #         get a hash overriding the hash that would have been generated
  98                 #         for another certificate ... which is problem, comrade
  99                 # NOTE 2: always ask update-ca-certificates to freshen (-f) the links
 100                 command     => '/usr/sbin/update-ca-certificates -f',
 101                 refreshonly => true,
 102                 require     => Package['ca-certificates'],
 103         }
 104
 105 }