Use a template to get more of the from-letsencrypt certs and keys, and no longer...
[mirror/dsa-puppet.git] / modules / ssl / manifests / service.pp
index 4f25a76..c507351 100644 (file)
@@ -1,4 +1,6 @@
 define ssl::service($ensure = present, $tlsaport = 443, $notify = [], $key = false) {
+       $tlsaports = any2array($tlsaport)
+
        if ($ensure == "ifstatic") {
                $ssl_ensure = has_static_component($name) ? {
                        true => "present",
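Review bot: `$tlsaport` now accepts either a single port or an array (via the new `$tlsaports = any2array($tlsaport)`), but nothing at the define tells callers this, and the default `443` still reads as scalar-only. A short comment above the `define` line would make the contract explicit, e.g. `# $tlsaport: a port number or an array of port numbers for the TLSA record; 0 disables it` — adjust the last clause to whatever the record guard further down actually does. The selector that starts in this hunk continues outside it.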
@@ -10,18 +12,18 @@ define ssl::service($ensure = present, $tlsaport = 443, $notify = [], $key = fal
 
        file { "/etc/ssl/debian/certs/$name.crt":
                ensure => $ssl_ensure,
-               source => [ "puppet:///modules/ssl/servicecerts/${name}.crt", "puppet:///modules/ssl/from-letsencrypt/${name}.crt" ],
+               content => template('ssl/crt.erb'),
                notify => [ Exec['refresh_debian_hashes'], $notify ],
        }
        file { "/etc/ssl/debian/certs/$name.crt-chain":
                ensure => $ssl_ensure,
-               source => [ "puppet:///modules/ssl/chains/${name}.crt", "puppet:///modules/ssl/servicecerts/${name}.crt", "puppet:///modules/ssl/from-letsencrypt/${name}.crt-chain" ],
+               content => template('ssl/crt-chain.erb'),
                notify => [ $notify ],
                links  => follow,
        }
        file { "/etc/ssl/debian/certs/$name.crt-chained":
                ensure => $ssl_ensure,
-               content => template('ssl/chained.erb'),
+               content => template('ssl/crt-chained.erb'),
                notify => [ $notify ],
        }
        if $key {
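Review bot: Replacing the `source => [ ... ]` fallback lists with `content => template('ssl/crt.erb')` and `template('ssl/crt-chain.erb')` changes the failure mode when no certificate exists for `$name`: a missing source used to make the file resource fail, whereas a template that finds neither file will presumably render empty content and Puppet will happily write a zero-byte `.crt` and `.crt-chain` (I cannot see the templates, so confirm). Consider having the templates `fail()` or `raise` when no candidate file is readable so an absent cert stays a catalog error rather than a silently empty file that services will load. The `.crt` resource on the lines above still keeps `notify => [ Exec['refresh_debian_hashes'], $notify ]`, which is correct since the hash symlinks must be regenerated whenever the content changes. The enclosing `ssl::service` body starts and ends outside this hunk.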
@@ -29,16 +31,26 @@ define ssl::service($ensure = present, $tlsaport = 443, $notify = [], $key = fal
                        ensure => $ssl_ensure,
                        mode   => '0440',
                        group => 'ssl-cert',
-                       source => [ "puppet:///modules/ssl/keys/${name}.crt", "puppet:///modules/ssl/from-letsencrypt/${name}.key" ],
+                       content => template('ssl/key.erb'),
+                       notify => [ $notify ],
+                       links  => follow,
+               }
+
+               file { "/etc/ssl/private/$name.key-certchain":
+                       ensure => $ssl_ensure,
+                       mode   => '0440',
+                       group => 'ssl-cert',
+                       content => template('ssl/key-chained.erb'),
                        notify => [ $notify ],
                        links  => follow,
                }
        }
 
-       if ($tlsaport > 0 and $ssl_ensure == "present") {
-               dnsextras::tlsa_record{ "tlsa-${name}-${tlsaport}":
+       if (size($tlsaports) > 0 and $ssl_ensure == "present") {
+               $portlist = join($tlsaports, "-")
+               dnsextras::tlsa_record{ "tlsa-${name}-${portlist}":
                        zone     => 'debian.org',
-                       certfile => [ "/etc/puppet/modules/ssl/files/servicecerts/${name}.crt", "/etc/puppet/modules/ssl/files/from-letsencrypt/${name}.crt" ],
+                       certfile => [ "/srv/puppet.debian.org/from-letsencrypt/${name}.crt" ],
                        port     => $tlsaport,
                        hostname => "$name",
                }
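Review bot: The new guard `size($tlsaports) > 0` drops the old ability to suppress the TLSA record with `tlsaport => 0`: `any2array(0)` is a one-element array, so a caller passing 0 now gets a `tlsa-${name}-0` record with `port => 0` declared. If that opt-out is still wanted, restore it alongside the size check, e.g. `if ($tlsaport != 0 and size($tlsaports) > 0 and $ssl_ensure == "present")` (check how this Puppet version compares an array against 0, or filter zeros when building `$tlsaports`). Separately, `certfile` now names only `/srv/puppet.debian.org/from-letsencrypt/${name}.crt` while the served `.crt` above comes from `crt.erb`; if that template can still prefer a `servicecerts` file, the published TLSA hash would be computed from a different certificate than the one deployed and DANE validation would fail, so the two lookups should share one source order. `port => $tlsaport` passes the raw parameter whereas the title uses the normalised `$portlist`; passing `$tlsaports` keeps the resource consistent with the array form. The `define` closes outside this hunk.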