X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fssl%2Fmanifests%2Finit.pp;h=636d2b567bdef2a1239959125d459c36c4e2dc19;hb=d325df56af008cc979ef463ba8eb1f69e74ff6af;hp=270a3c0b43948b0eb3abb5c8c1c0e13381dd2a2e;hpb=80174ec18891d09b9cb20fccb58948400e3db6b4;p=mirror%2Fdsa-puppet.git

diff --git a/modules/ssl/manifests/init.pp b/modules/ssl/manifests/init.pp
index 270a3c0b4..636d2b567 100644
--- a/modules/ssl/manifests/init.pp
+++ b/modules/ssl/manifests/init.pp
@@ -1,6 +1,4 @@
 class ssl {
-
-	$cacert = 'mozilla/UTN_USERFirst_Hardware_Root_CA.crt'
 	$caconf = '/etc/ca-certificates.conf'
 
 	package { 'openssl':
@@ -13,6 +11,37 @@ class ssl {
 		ensure   => installed,
 	}
 
+	file { '/etc/ssl/README':
+		mode   => '0444',
+		source => 'puppet:///modules/ssl/README',
+	}
+	file { '/etc/ca-certificates.conf':
+		source => 'puppet:///modules/ssl/ca-certificates.conf',
+		notify  => Exec['refresh_normal_hashes'],
+	}
+	file { '/etc/ca-certificates-debian.conf':
+		mode    => '0444',
+		source => 'puppet:///modules/ssl/ca-certificates-debian.conf',
+		notify  => Exec['refresh_ca_debian_hashes'],
+	}
+	file { '/etc/ca-certificates-global.conf':
+		source => 'puppet:///modules/ssl/ca-certificates-global.conf',
+		notify  => Exec['refresh_ca_global_hashes'],
+	}
+
+	file { '/etc/apt/apt.conf.d/local-ssl-ca-global':
+		mode   => '0444',
+		source => 'puppet:///modules/ssl/local-ssl-ca-global',
+	}
+
+	file { '/etc/ssl/certs/ssl-cert-snakeoil.pem':
+		ensure => absent,
+		notify => Exec['refresh_normal_hashes'],
+	}
+	file { '/etc/ssl/private/ssl-cert-snakeoil.key':
+		ensure => absent,
+	}
+
 	file { '/etc/ssl/servicecerts':
 		ensure   => link,
 		purge    => true,
@@ -28,7 +57,24 @@ class ssl {
 		purge    => true,
 		recurse  => true,
 		force    => true,
-		notify   => Exec['refresh_normal_hashes'],
+		notify   => [ Exec['refresh_normal_hashes'], Exec['refresh_ca_global_hashes'] ],
+	}
+	file { '/etc/ssl/certs/README':
+		ensure => absent,
+	}
+	file { '/etc/ssl/ca-debian':
+		ensure => directory,
+		mode   => '0755',
+	}
+	file { '/etc/ssl/ca-debian/README':
+		ensure => absent,
+	}
+	file { '/etc/ssl/ca-global':
+		ensure => directory,
+		mode   => '0755',
+	}
+	file { '/etc/ssl/ca-global/README':
+		ensure => absent,
 	}
 	file { '/etc/ssl/debian':
 		ensure   => directory,
@@ -46,22 +92,10 @@ class ssl {
 		ensure  => directory,
 		mode    => '0755',
 	}
-	file { '/etc/ssl/debian/keys':
-		ensure  => directory,
-		mode    => '0750',
-		group   => ssl-cert,
-		require => Package['ssl-cert'],
-	}
 	file { '/etc/ssl/debian/certs/thishost.crt':
 		source  => "puppet:///modules/ssl/clientcerts/${::fqdn}.client.crt",
 		notify  => Exec['refresh_debian_hashes'],
 	}
-	file { '/etc/ssl/debian/keys/thishost.key':
-		source  => "puppet:///modules/ssl/clientcerts/${::fqdn}.key",
-		mode    => '0440',
-		group   => ssl-cert,
-		require => Package['ssl-cert'],
-	}
 	file { '/etc/ssl/debian/certs/ca.crt':
 		source  => 'puppet:///modules/ssl/clientcerts/ca.crt',
 		notify  => Exec['refresh_debian_hashes'],
@@ -73,13 +107,44 @@ class ssl {
 		source  => "puppet:///modules/exim/certs/${::fqdn}.crt",
 		notify  => Exec['refresh_debian_hashes'],
 	}
+
+	file { '/etc/ssl/debian/keys/thishost.key':
+		ensure => absent,
+	}
 	file { '/etc/ssl/debian/keys/thishost-server.key':
+		ensure => absent,
+	}
+	file { '/etc/ssl/debian/keys':
+		ensure => absent,
+		force    => true,
+	}
+	file { '/etc/ssl/private/thishost.key':
+		source  => "puppet:///modules/ssl/clientcerts/${::fqdn}.key",
+		mode    => '0440',
+		group   => ssl-cert,
+		require => Package['ssl-cert'],
+	}
+	file { '/etc/ssl/private/thishost-server.key':
 		source  => "puppet:///modules/exim/certs/${::fqdn}.key",
 		mode    => '0440',
 		group   => ssl-cert,
 		require => Package['ssl-cert'],
 	}
 
+	$updatecacertsdsa = '/usr/local/sbin/update-ca-certificates-dsa'
+	if (versioncmp($::lsbmajdistrelease, '9') >= 0) {
+		file { $updatecacertsdsa:
+			ensure => absent,
+		}
+		$updatecacerts = '/usr/sbin/update-ca-certificates'
+	} else {
+		file { $updatecacertsdsa:
+			mode   => '0555',
+			source => 'puppet:///modules/ssl/update-ca-certificates-dsa',
+		}
+		$updatecacerts = $updatecacertsdsa
+	}
+
 	exec { 'retire_debian_links':
 		command     => 'find -lname "../servicecerts/*" -exec rm {} +',
 		cwd         => '/etc/ssl/certs',
@@ -101,5 +166,25 @@ class ssl {
 		refreshonly => true,
 		require     => Package['ca-certificates'],
 	}
+	exec { 'refresh_ca_debian_hashes':
+		command     => "${updatecacerts} --fresh --certsconf /etc/ca-certificates-debian.conf --localcertsdir /dev/null --etccertsdir /etc/ssl/ca-debian --hooksdir /dev/null",
+		refreshonly => true,
+		require     => [
+			Package['ca-certificates'],
+			File['/etc/ssl/ca-debian'],
+			File['/etc/ca-certificates-debian.conf'],
+			File[$updatecacertsdsa],
+		]
+	}
+	exec { 'refresh_ca_global_hashes':
+		command     => "${updatecacerts} --fresh --default --certsconf /etc/ca-certificates-global.conf --etccertsdir /etc/ssl/ca-global --hooksdir /dev/null",
+		refreshonly => true,
+		require     => [
+			Package['ca-certificates'],
+			File['/etc/ssl/ca-global'],
+			File['/etc/ca-certificates-global.conf'],
+			File[$updatecacertsdsa],
+		]
+	}
 
 }