X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;ds=sidebyside;f=modules%2Fssl%2Fmanifests%2Finit.pp;h=a63f8f7c07731d842e031f011475ac2bd252e817;hb=2064fb719c37fed1ae8ddaa175bec7964dac432b;hp=756661e06be479782aefc6ef80a16f1d50356a22;hpb=0e375233af569acc80ddd55b3e0b4d522eabb04c;p=mirror%2Fdsa-puppet.git

diff --git a/modules/ssl/manifests/init.pp b/modules/ssl/manifests/init.pp
index 756661e06..a63f8f7c0 100644
--- a/modules/ssl/manifests/init.pp
+++ b/modules/ssl/manifests/init.pp
@@ -11,12 +11,20 @@ class ssl {
 		ensure   => installed,
 	}
 
+	if has_role('insecure_ssl') {
+		$extra_ssl_certs_flags = ' --default'
+		$ssl_certs_config = 'puppet:///modules/ssl/ca-certificates-global.conf'
+	} else {
+		$extra_ssl_certs_flags = ''
+		$ssl_certs_config = 'puppet:///modules/ssl/ca-certificates.conf'
+	}
+
 	file { '/etc/ssl/README':
 		mode   => '0444',
 		source => 'puppet:///modules/ssl/README',
 	}
 	file { '/etc/ca-certificates.conf':
-		source => 'puppet:///modules/ssl/ca-certificates.conf',
+		source => $ssl_certs_config,
 		notify  => Exec['refresh_normal_hashes'],
 	}
 	file { '/etc/ca-certificates-debian.conf':
@@ -93,18 +101,18 @@ class ssl {
 		mode    => '0755',
 	}
 	file { '/etc/ssl/debian/certs/thishost.crt':
-		source  => "puppet:///modules/ssl/clientcerts/${::fqdn}.client.crt",
+		content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_clientcerts_dir"]) + "/" + @fqdn + ".client.crt") %>'),
 		notify  => Exec['refresh_debian_hashes'],
 	}
 	file { '/etc/ssl/debian/certs/ca.crt':
-		source  => 'puppet:///modules/ssl/clientcerts/ca.crt',
+		content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_clientcerts_dir"]) + "/ca.crt") %>'),
 		notify  => Exec['refresh_debian_hashes'],
 	}
 	file { '/etc/ssl/debian/crls/ca.crl':
-		source  => 'puppet:///modules/ssl/clientcerts/ca.crl',
+		content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_clientcerts_dir"]) + "/ca.crl") %>'),
 	}
 	file { '/etc/ssl/debian/certs/thishost-server.crt':
-		source  => "puppet:///modules/exim/certs/${::fqdn}.crt",
+		content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/" + @fqdn + ".crt") %>'),
 		notify  => Exec['refresh_debian_hashes'],
 	}
 
@@ -119,13 +127,13 @@ class ssl {
 		force    => true,
 	}
 	file { '/etc/ssl/private/thishost.key':
-		source  => "puppet:///modules/ssl/clientcerts/${::fqdn}.key",
+		content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_clientcerts_dir"]) + "/" + @fqdn + ".key") %>'),
 		mode    => '0440',
 		group   => ssl-cert,
 		require => Package['ssl-cert'],
 	}
 	file { '/etc/ssl/private/thishost-server.key':
-		source  => "puppet:///modules/exim/certs/${::fqdn}.key",
+		content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/" + @fqdn + ".key") %>'),
 		mode    => '0440',
 		group   => ssl-cert,
 		require => Package['ssl-cert'],
@@ -156,11 +164,6 @@ class ssl {
 		refreshonly => true,
 		require     => Package['openssl'],
 	}
-	if $::hostname == 'godard' {
-		$extra_ssl_certs_flags = ' --default'
-	} else {
-		$extra_ssl_certs_flags = ''
-	}
 
 	exec { 'refresh_normal_hashes':
 		# NOTE 1: always use update-ca-certificates to manage hashes in