uninstall static service certs and keys from hosts that do not serve this service
# ssl::service - install (or remove) the certificate material for one TLS
# service on this host and, while the certificate is present, declare a
# TLSA record for it.
#
# Parameters:
#   $ensure   - 'present', 'absent' or 'ifstatic'.  'ifstatic' is resolved
#               to present/absent through has_static_component($name), a
#               custom function defined outside this file.
#   $tlsaport - TCP port used for the TLSA record; a value <= 0 disables it.
#   $notify   - additional resources to notify when cert, chain or key change.
#   $key      - when true, the private key is managed as well.
#
# $name (the resource title) is the service name; it is the basename of
# every managed file and, for the TLSA record, the hostname under debian.org.
define ssl::service($ensure = present, $tlsaport = 443, $notify = [], $key = false) {
        # Collapse the three-state $ensure into plain present/absent, so a
        # host that no longer serves this service has the files removed.
        # NOTE(review): template('ssl/chained.erb') below can read scope
        # variables (e.g. $ssl_ensure, $name) - check the template before
        # renaming any of them.
        if ($ensure == "ifstatic") {
                $ssl_ensure = has_static_component($name) ? {
                        true => "present",
                        false => "absent"
                }
        } else {
                $ssl_ensure = $ensure
        }

        # Public certificate.  The servicecerts/ copy wins over the
        # Let's Encrypt copy because file sources are tried in order.
        # Exec['refresh_debian_hashes'] is declared elsewhere; presumably it
        # regenerates the hash links in the certs directory - confirm there.
        # The nested arrays in notify rely on Puppet flattening relationship
        # metaparameters.
        file { "/etc/ssl/debian/certs/$name.crt":
                ensure => $ssl_ensure,
                source => [ "puppet:///modules/ssl/servicecerts/${name}.crt", "puppet:///modules/ssl/from-letsencrypt/${name}.crt" ],
                notify => [ Exec['refresh_debian_hashes'], $notify ],
        }
        # Intermediate chain.  Note the fallback order: an explicit chains/
        # file, then the bare service cert itself, then the Let's Encrypt
        # chain.  links => follow: the managed path is dereferenced if it is
        # a symlink.
        file { "/etc/ssl/debian/certs/$name.crt-chain":
                ensure => $ssl_ensure,
                source => [ "puppet:///modules/ssl/chains/${name}.crt", "puppet:///modules/ssl/servicecerts/${name}.crt", "puppet:///modules/ssl/from-letsencrypt/${name}.crt-chain" ],
                notify => [ $notify ],
                links  => follow,
        }
        # Cert + chain in one file, rendered by chained.erb (not shown here).
        file { "/etc/ssl/debian/certs/$name.crt-chained":
                ensure => $ssl_ensure,
                content => template('ssl/chained.erb'),
                notify => [ $notify ],
        }
        if $key {
                # Private key: 0440, group ssl-cert, so only root and members
                # of ssl-cert can read it.  No owner is set here, so it is
                # presumably left to the provider default (root) - confirm.
                # Removal on 'absent' is what takes the key off hosts that no
                # longer serve the service.
                # NOTE(review): the first source ends in .crt although it lives
                # under keys/ - confirm that is the real filename on the master
                # and not a typo for ${name}.key.
                file { "/etc/ssl/private/$name.key":
                        ensure => $ssl_ensure,
                        mode   => '0440',
                        group => 'ssl-cert',
                        source => [ "puppet:///modules/ssl/keys/${name}.crt", "puppet:///modules/ssl/from-letsencrypt/${name}.key" ],
                        notify => [ $notify ],
                        links  => follow,
                }
        }

        # TLSA record only while the certificate is present.  Nothing in this
        # define withdraws a record on 'absent'; whether stale records are
        # cleaned up depends on dnsextras::tlsa_record (not shown).
        # certfile lists master-side module paths (the files served above as
        # puppet:///modules/ssl/...), presumably read where the record is
        # generated - confirm against dnsextras::tlsa_record.
        if ($tlsaport > 0 and $ssl_ensure == "present") {
                dnsextras::tlsa_record{ "tlsa-${name}-${tlsaport}":
                        zone     => 'debian.org',
                        certfile => [ "/etc/puppet/modules/ssl/files/servicecerts/${name}.crt", "/etc/puppet/modules/ssl/files/from-letsencrypt/${name}.crt" ],
                        port     => $tlsaport,
                        hostname => "$name",
                }
        }
}