Also apply the ca-global blacklist on godard

[mirror/dsa-puppet.git] / modules / ssl / manifests / init.pp

diff --git a/modules/ssl/manifests/init.pp b/modules/ssl/manifests/init.pp
index dc11e97..4a629fb 100644 (file)
--- a/modules/ssl/manifests/init.pp
+++ b/modules/ssl/manifests/init.pp
@@ -11,12 +11,20 @@ class ssl {
                ensure   => installed,
        }
 
+       if $::hostname == 'godard' {
+               $extra_ssl_certs_flags = ' --default'
+               $ssl_certs_config = 'puppet:///modules/ssl/ca-certificates-global.conf'
+       } else {
+               $extra_ssl_certs_flags = ''
+               $ssl_certs_config = 'puppet:///modules/ssl/ca-certificates.conf'
+       }
+
        file { '/etc/ssl/README':
                mode   => '0444',
                source => 'puppet:///modules/ssl/README',
        }
        file { '/etc/ca-certificates.conf':
-               source => 'puppet:///modules/ssl/ca-certificates.conf',
+               source => $ssl_certs_config,
                notify  => Exec['refresh_normal_hashes'],
        }
        file { '/etc/ca-certificates-debian.conf':
@@ -156,13 +164,14 @@ class ssl {
                refreshonly => true,
                require     => Package['openssl'],
        }
+
        exec { 'refresh_normal_hashes':
                # NOTE 1: always use update-ca-certificates to manage hashes in
                #         /etc/ssl/certs otherwise /etc/ssl/ca-certificates.crt will
                #         get a hash overriding the hash that would have been generated
                #         for another certificate ... which is problem, comrade
                # NOTE 2: always ask update-ca-certificates to freshen (-f) the links
-               command     => '/usr/sbin/update-ca-certificates -f',
+               command     => "/usr/sbin/update-ca-certificates --fresh${extra_ssl_certs_flags}",
                refreshonly => true,
                require     => Package['ca-certificates'],
        }
@@ -173,7 +182,7 @@ class ssl {
                        Package['ca-certificates'],
                        File['/etc/ssl/ca-debian'],
                        File['/etc/ca-certificates-debian.conf'],
-                       File[$updatecacerts],
+                       File[$updatecacertsdsa],
                ]
        }
        exec { 'refresh_ca_global_hashes':
@@ -183,7 +192,7 @@ class ssl {
                        Package['ca-certificates'],
                        File['/etc/ssl/ca-global'],
                        File['/etc/ca-certificates-global.conf'],
-                       File[$updatecacerts],
+                       File[$updatecacertsdsa],
                ]
        }