# ssl::service -- deploy the certificate material for one TLS-enabled service.
#
# Installs the public certificate, its chain and a combined cert+chain file
# under /etc/ssl/debian/certs, optionally the private key (plus a key+chain
# bundle) under /etc/ssl/private, and publishes a TLSA record for the
# configured port(s) whenever the certificate is being deployed.
#
# Parameters:
#   $ensure    - 'present', 'absent' or 'ifstatic'. 'ifstatic' resolves to
#                'present' only when has_static_component($name) is true,
#                otherwise to 'absent'.
#   $tlsaport  - a port or a list of ports for the TLSA record (default 443).
#                An empty list suppresses the record entirely.
#   $notify    - additional resources to notify when any managed file changes.
#   $key       - when true, also manage ${name}.key and ${name}.key-certchain
#                in /etc/ssl/private from the ssl/key*.erb templates.
#
# NOTE(review): the private key files are pinned to mode 0440 / group
# ssl-cert, but no owner is enforced -- a freshly created file will belong to
# whatever user Puppet runs as (normally root). Setting owner => 'root'
# explicitly would make the intended access boundary visible.
# NOTE(review): the TLSA record is derived from the master-side certificate
# files (the certfile paths below), i.e. from what is checked into the module
# tree, not from the file that ends up on the host.
define ssl::service($ensure = present, $tlsaport = 443, $notify = [], $key = false) {
        $ports = any2array($tlsaport)

        # 'ifstatic' is a conditional 'present': only a service that still
        # has a static component gets its certificate deployed.
        case $ensure {
                'ifstatic': {
                        $effective_ensure = has_static_component($name) ? {
                                true  => 'present',
                                false => 'absent'
                        }
                }
                default: {
                        $effective_ensure = $ensure
                }
        }

        $certdir = '/etc/ssl/debian/certs'
        $keydir  = '/etc/ssl/private'

        # Bare certificate. A hand-maintained servicecert takes precedence over
        # the letsencrypt-issued one; any change also triggers the hash refresh.
        file { "${certdir}/${name}.crt":
                ensure => $effective_ensure,
                source => [
                        "puppet:///modules/ssl/servicecerts/${name}.crt",
                        "puppet:///modules/ssl/from-letsencrypt/${name}.crt"
                ],
                notify => [ Exec['refresh_debian_hashes'], $notify ],
        }

        # Chain file: an explicit chain wins, then the servicecert itself,
        # then the chain shipped alongside the letsencrypt certificate.
        file { "${certdir}/${name}.crt-chain":
                ensure => $effective_ensure,
                source => [
                        "puppet:///modules/ssl/chains/${name}.crt",
                        "puppet:///modules/ssl/servicecerts/${name}.crt",
                        "puppet:///modules/ssl/from-letsencrypt/${name}.crt-chain"
                ],
                notify => [ $notify ],
                links  => follow,
        }

        # Certificate and chain concatenated, rendered by the template.
        file { "${certdir}/${name}.crt-chained":
                ensure  => $effective_ensure,
                content => template('ssl/chained.erb'),
                notify  => [ $notify ],
        }

        if $key {
                # Private key: readable by the owner and the ssl-cert group
                # only. The material itself comes from the template.
                file { "${keydir}/${name}.key":
                        ensure  => $effective_ensure,
                        mode    => '0440',
                        group   => 'ssl-cert',
                        content => template('ssl/key.erb'),
                        notify  => [ $notify ],
                        links   => follow,
                }

                # Key plus certificate chain in a single PEM bundle, with the
                # same access restrictions as the bare key.
                file { "${keydir}/${name}.key-certchain":
                        ensure  => $effective_ensure,
                        mode    => '0440',
                        group   => 'ssl-cert',
                        content => template('ssl/key-chained.erb'),
                        notify  => [ $notify ],
                        links   => follow,
                }
        }

        # Publish a TLSA record only for a deployed certificate with at least
        # one port; the port list is folded into the resource title so that
        # distinct port sets yield distinct records.
        if ($effective_ensure == 'present' and size($ports) > 0) {
                $port_suffix = join($ports, '-')
                dnsextras::tlsa_record { "tlsa-${name}-${port_suffix}":
                        zone     => 'debian.org',
                        certfile => [
                                "/etc/puppet/modules/ssl/files/servicecerts/${name}.crt",
                                "/etc/puppet/modules/ssl/files/from-letsencrypt/${name}.crt"
                        ],
                        port     => $tlsaport,
                        hostname => $name,
                }
        }
}