X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fssl%2Fmanifests%2Finit.pp;h=85e7e355840355949ffacaa8d0f1360a933e0a94;hb=dbeb02e7dfb7d85a7362c2460444a3f9aca91c94;hp=7c9ffd67b2dc4706f76087a15fd11dffb4bed3e9;hpb=488a87f4642b85c7d465e6887521596f763dcff0;p=mirror%2Fdsa-puppet.git diff --git a/modules/ssl/manifests/init.pp b/modules/ssl/manifests/init.pp index 7c9ffd67b..85e7e3558 100644 --- a/modules/ssl/manifests/init.pp +++ b/modules/ssl/manifests/init.pp @@ -11,17 +11,26 @@ class ssl { ensure => installed, } + file { '/etc/ssl/README': + mode => '0444', + source => 'puppet:///modules/ssl/README', + } file { '/etc/ca-certificates.conf': - content => "# This file is under puppet control\n# Only debian.org service certs are trusted, see /etc/ssl/certs/README\n", + source => 'puppet:///modules/ssl/ca-certificates.conf', notify => Exec['refresh_normal_hashes'], } + if (versioncmp($::lsbmajdistrelease, '8') >= 0) { + $ca_debian_conf_suffix = '' + } else { + $ca_debian_conf_suffix = '-wheezy' + } file { '/etc/ca-certificates-debian.conf': mode => '0444', - content => "# This file is under puppet control\n# Only the CAs for debian.org are trusted, see /etc/ssl/ca-debian/README\nmozilla/AddTrust_External_Root.crt\n", + source => "puppet:///modules/ssl/ca-certificates-debian${ca_debian_conf_suffix}.conf", notify => Exec['refresh_ca_debian_hashes'], } file { '/etc/ca-certificates-global.conf': - content => "# This file is under puppet control\n# All CAs are trusted, see /etc/ssl/ca-global/README\n", + source => 'puppet:///modules/ssl/ca-certificates-global.conf', notify => Exec['refresh_ca_global_hashes'], } @@ -53,27 +62,24 @@ class ssl { purge => true, recurse => true, force => true, - notify => Exec['refresh_normal_hashes'], + notify => [ Exec['refresh_normal_hashes'], Exec['refresh_ca_global_hashes'] ], } file { '/etc/ssl/certs/README': - mode => '0444', - source => 'puppet:///modules/ssl/README.certs', + ensure => absent, } file { '/etc/ssl/ca-debian': ensure => directory, mode => '0755', } file { '/etc/ssl/ca-debian/README': - mode => '0444', - source => 'puppet:///modules/ssl/README.ca-debian', + ensure => absent, } file { '/etc/ssl/ca-global': ensure => directory, mode => '0755', } file { '/etc/ssl/ca-global/README': - mode => '0444', - source => 'puppet:///modules/ssl/README.ca-global', + ensure => absent, } file { '/etc/ssl/debian': ensure => directory, @@ -91,22 +97,10 @@ class ssl { ensure => directory, mode => '0755', } - file { '/etc/ssl/debian/keys': - ensure => directory, - mode => '0750', - group => ssl-cert, - require => Package['ssl-cert'], - } file { '/etc/ssl/debian/certs/thishost.crt': source => "puppet:///modules/ssl/clientcerts/${::fqdn}.client.crt", notify => Exec['refresh_debian_hashes'], } - file { '/etc/ssl/debian/keys/thishost.key': - source => "puppet:///modules/ssl/clientcerts/${::fqdn}.key", - mode => '0440', - group => ssl-cert, - require => Package['ssl-cert'], - } file { '/etc/ssl/debian/certs/ca.crt': source => 'puppet:///modules/ssl/clientcerts/ca.crt', notify => Exec['refresh_debian_hashes'], @@ -118,7 +112,24 @@ class ssl { source => "puppet:///modules/exim/certs/${::fqdn}.crt", notify => Exec['refresh_debian_hashes'], } + + file { '/etc/ssl/debian/keys/thishost.key': + ensure => absent, + } file { '/etc/ssl/debian/keys/thishost-server.key': + ensure => absent, + } + file { '/etc/ssl/debian/keys': + ensure => absent, + force => true, + } + file { '/etc/ssl/private/thishost.key': + source => "puppet:///modules/ssl/clientcerts/${::fqdn}.key", + mode => '0440', + group => ssl-cert, + require => Package['ssl-cert'], + } + file { '/etc/ssl/private/thishost-server.key': source => "puppet:///modules/exim/certs/${::fqdn}.key", mode => '0440', group => ssl-cert,