Regen manda-node04 NTP key
diff --git
a/modules/ssl/manifests/service.pp
b/modules/ssl/manifests/service.pp
index
a9d4fd4
..
069df0a
100644
(file)
--- a/
modules/ssl/manifests/service.pp
+++ b/
modules/ssl/manifests/service.pp
@@
-1,37
+1,57
@@
define ssl::service($ensure = present, $tlsaport = 443, $notify = [], $key = false) {
define ssl::service($ensure = present, $tlsaport = 443, $notify = [], $key = false) {
- $link_target = $ensure ? {
- present => link,
- absent => absent,
- default => fail ( "Unknown ensure value: '$ensure'" ),
+ $tlsaports = any2array($tlsaport)
+
+ if ($ensure == "ifstatic") {
+ $ssl_ensure = has_static_component($name) ? {
+ true => "present",
+ false => "absent"
+ }
+ } else {
+ $ssl_ensure = $ensure
}
file { "/etc/ssl/debian/certs/$name.crt":
}
file { "/etc/ssl/debian/certs/$name.crt":
- source => [ "puppet:///modules/ssl/servicecerts/${name}.crt", "puppet:///modules/ssl/from-letsencrypt/${name}.crt" ],
+ ensure => $ssl_ensure,
+ content => template('ssl/crt.erb'),
notify => [ Exec['refresh_debian_hashes'], $notify ],
}
file { "/etc/ssl/debian/certs/$name.crt-chain":
notify => [ Exec['refresh_debian_hashes'], $notify ],
}
file { "/etc/ssl/debian/certs/$name.crt-chain":
- source => [ "puppet:///modules/ssl/chains/${name}.crt", "puppet:///modules/ssl/servicecerts/${name}.crt", "puppet:///modules/ssl/from-letsencrypt/${name}.crt-chain" ],
+ ensure => $ssl_ensure,
+ content => template('ssl/crt-chain.erb'),
notify => [ $notify ],
links => follow,
}
file { "/etc/ssl/debian/certs/$name.crt-chained":
notify => [ $notify ],
links => follow,
}
file { "/etc/ssl/debian/certs/$name.crt-chained":
- content => template('ssl/chained.erb'),
+ ensure => $ssl_ensure,
+ content => template('ssl/crt-chained.erb'),
notify => [ $notify ],
}
if $key {
file { "/etc/ssl/private/$name.key":
notify => [ $notify ],
}
if $key {
file { "/etc/ssl/private/$name.key":
+ ensure => $ssl_ensure,
+ mode => '0440',
+ group => 'ssl-cert',
+ content => template('ssl/key.erb'),
+ notify => [ $notify ],
+ links => follow,
+ }
+
+ file { "/etc/ssl/private/$name.key-certchain":
+ ensure => $ssl_ensure,
mode => '0440',
group => 'ssl-cert',
mode => '0440',
group => 'ssl-cert',
-
source => [ "puppet:///modules/ssl/keys/${name}.crt", "puppet:///modules/ssl/from-letsencrypt/${name}.key" ]
,
+
content => template('ssl/key-chained.erb')
,
notify => [ $notify ],
links => follow,
}
}
notify => [ $notify ],
links => follow,
}
}
- if $tlsaport > 0 {
- dnsextras::tlsa_record{ "tlsa-${name}-${tlsaport}":
+ if (size($tlsaports) > 0 and $ssl_ensure == "present") {
+ $portlist = join($tlsaports, "-")
+ $certdir = hiera('paths.letsencrypt_dir')
+ dnsextras::tlsa_record{ "tlsa-${name}-${portlist}":
zone => 'debian.org',
zone => 'debian.org',
- certfile => [ "
/etc/puppet/modules/ssl/files/servicecerts/${name}.crt", "/etc/puppet/modules/ssl/files/from-letsencrypt
/${name}.crt" ],
+ certfile => [ "
${certdir}
/${name}.crt" ],
port => $tlsaport,
hostname => "$name",
}
port => $tlsaport,
hostname => "$name",
}