modules/ssl/manifests/init.pp

   1 class ssl {
   2         $caconf = '/etc/ca-certificates.conf'
   3
   4         package { 'openssl':
   5                 ensure   => installed,
   6         }
   7         package { 'ssl-cert':
   8                 ensure   => installed,
   9         }
  10         package { 'ca-certificates':
  11                 ensure   => installed,
  12         }
  13
  14         if has_role('insecure_ssl') {
  15                 $extra_ssl_certs_flags = ' --default'
  16                 $ssl_certs_config = 'puppet:///modules/ssl/ca-certificates-global.conf'
  17         } else {
  18                 $extra_ssl_certs_flags = ''
  19                 $ssl_certs_config = 'puppet:///modules/ssl/ca-certificates.conf'
  20         }
  21
  22         file { '/etc/ssl/README':
  23                 mode   => '0444',
  24                 source => 'puppet:///modules/ssl/README',
  25         }
  26         file { '/etc/ca-certificates.conf':
  27                 source => $ssl_certs_config,
  28                 notify  => Exec['refresh_normal_hashes'],
  29         }
  30         file { '/etc/ca-certificates-debian.conf':
  31                 mode    => '0444',
  32                 source => 'puppet:///modules/ssl/ca-certificates-debian.conf',
  33                 notify  => Exec['refresh_ca_debian_hashes'],
  34         }
  35         file { '/etc/ca-certificates-global.conf':
  36                 source => 'puppet:///modules/ssl/ca-certificates-global.conf',
  37                 notify  => Exec['refresh_ca_global_hashes'],
  38         }
  39
  40         file { '/etc/apt/apt.conf.d/local-ssl-ca-global':
  41                 mode   => '0444',
  42                 source => 'puppet:///modules/ssl/local-ssl-ca-global',
  43         }
  44
  45         file { '/etc/ssl/certs/ssl-cert-snakeoil.pem':
  46                 ensure => absent,
  47                 notify => Exec['refresh_normal_hashes'],
  48         }
  49         file { '/etc/ssl/private/ssl-cert-snakeoil.key':
  50                 ensure => absent,
  51         }
  52
  53         file { '/etc/ssl/servicecerts':
  54                 ensure   => absent,
  55         }
  56
  57         file { '/usr/local/share/ca-certificates/debian.org':
  58                 ensure   => directory,
  59                 source   => 'puppet:///modules/ssl/servicecerts/',
  60                 mode     => '0644', # this works; otherwise all files are +x
  61                 purge    => true,
  62                 recurse  => true,
  63                 force    => true,
  64                 notify   => [ Exec['refresh_normal_hashes'], Exec['refresh_ca_global_hashes'] ],
  65         }
  66         file { '/etc/ssl/certs/README':
  67                 ensure => absent,
  68         }
  69         file { '/etc/ssl/ca-debian':
  70                 ensure => directory,
  71                 mode   => '0755',
  72         }
  73         file { '/etc/ssl/ca-debian/README':
  74                 ensure => absent,
  75         }
  76         file { '/etc/ssl/ca-global':
  77                 ensure => directory,
  78                 mode   => '0755',
  79         }
  80         file { '/etc/ssl/ca-global/README':
  81                 ensure => absent,
  82         }
  83         file { '/etc/ssl/debian':
  84                 ensure   => directory,
  85                 source   => 'puppet:///files/empty/',
  86                 mode     => '0644', # this works; otherwise all files are +x
  87                 purge    => true,
  88                 recurse  => true,
  89                 force    => true,
  90         }
  91         file { '/etc/ssl/debian/certs':
  92                 ensure  => directory,
  93                 mode    => '0755',
  94         }
  95         file { '/etc/ssl/debian/crls':
  96                 ensure  => directory,
  97                 mode    => '0755',
  98         }
  99         file { '/etc/ssl/debian/certs/thishost.crt':
 100                 content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_clientcerts_dir"]) + "/" + @fqdn + ".client.crt") %>'),
 101                 notify  => Exec['refresh_debian_hashes'],
 102         }
 103         file { '/etc/ssl/debian/certs/ca.crt':
 104                 content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_clientcerts_dir"]) + "/ca.crt") %>'),
 105                 notify  => Exec['refresh_debian_hashes'],
 106         }
 107         file { '/etc/ssl/debian/crls/ca.crl':
 108                 content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_clientcerts_dir"]) + "/ca.crl") %>'),
 109         }
 110         file { '/etc/ssl/debian/certs/thishost-server.crt':
 111                 content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/" + @fqdn + ".crt") %>'),
 112                 notify  => Exec['refresh_debian_hashes'],
 113         }
 114
 115         file { '/etc/ssl/debian/keys/thishost.key':
 116                 ensure => absent,
 117         }
 118         file { '/etc/ssl/debian/keys/thishost-server.key':
 119                 ensure => absent,
 120         }
 121         file { '/etc/ssl/debian/keys':
 122                 ensure => absent,
 123                 force    => true,
 124         }
 125         file { '/etc/ssl/private/thishost.key':
 126                 content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_clientcerts_dir"]) + "/" + @fqdn + ".key") %>'),
 127                 mode    => '0440',
 128                 group   => ssl-cert,
 129                 require => Package['ssl-cert'],
 130         }
 131         file { '/etc/ssl/private/thishost-server.key':
 132                 content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/" + @fqdn + ".key") %>'),
 133                 mode    => '0440',
 134                 group   => ssl-cert,
 135                 require => Package['ssl-cert'],
 136         }
 137
 138         $updatecacertsdsa = '/usr/local/sbin/update-ca-certificates-dsa'
 139         if (versioncmp($::lsbmajdistrelease, '9') >= 0) {
 140                 file { $updatecacertsdsa:
 141                         ensure => absent,
 142                 }
 143                 $updatecacerts = '/usr/sbin/update-ca-certificates'
 144         } else {
 145                 file { $updatecacertsdsa:
 146                         mode   => '0555',
 147                         source => 'puppet:///modules/ssl/update-ca-certificates-dsa',
 148                 }
 149                 $updatecacerts = $updatecacertsdsa
 150         }
 151
 152         exec { 'refresh_debian_hashes':
 153                 command     => 'c_rehash /etc/ssl/debian/certs',
 154                 refreshonly => true,
 155                 require     => Package['openssl'],
 156         }
 157
 158         exec { 'refresh_normal_hashes':
 159                 # NOTE 1: always use update-ca-certificates to manage hashes in
 160                 #         /etc/ssl/certs otherwise /etc/ssl/ca-certificates.crt will
 161                 #         get a hash overriding the hash that would have been generated
 162                 #         for another certificate ... which is problem, comrade
 163                 # NOTE 2: always ask update-ca-certificates to freshen (-f) the links
 164                 command     => "/usr/sbin/update-ca-certificates --fresh${extra_ssl_certs_flags}",
 165                 refreshonly => true,
 166                 require     => Package['ca-certificates'],
 167         }
 168         exec { 'refresh_ca_debian_hashes':
 169                 command     => "${updatecacerts} --fresh --certsconf /etc/ca-certificates-debian.conf --localcertsdir /dev/null --etccertsdir /etc/ssl/ca-debian --hooksdir /dev/null",
 170                 refreshonly => true,
 171                 require     => [
 172                         Package['ca-certificates'],
 173                         File['/etc/ssl/ca-debian'],
 174                         File['/etc/ca-certificates-debian.conf'],
 175                         File[$updatecacertsdsa],
 176                 ]
 177         }
 178         exec { 'refresh_ca_global_hashes':
 179                 command     => "${updatecacerts} --fresh --default --certsconf /etc/ca-certificates-global.conf --etccertsdir /etc/ssl/ca-global --hooksdir /dev/null",
 180                 refreshonly => true,
 181                 require     => [
 182                         Package['ca-certificates'],
 183                         File['/etc/ssl/ca-global'],
 184                         File['/etc/ca-certificates-global.conf'],
 185                         File[$updatecacertsdsa],
 186                 ]
 187         }
 188
 189 }