X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fssl%2Fmanifests%2Finit.pp;h=85e7e355840355949ffacaa8d0f1360a933e0a94;hb=dbeb02e7dfb7d85a7362c2460444a3f9aca91c94;hp=bc4ae9f095159068ea2cec74d1a011b367ca873e;hpb=2f7cea2feb5fb85c0f91f76bc23fb3b87bc985d6;p=mirror%2Fdsa-puppet.git diff --git a/modules/ssl/manifests/init.pp b/modules/ssl/manifests/init.pp index bc4ae9f09..85e7e3558 100644 --- a/modules/ssl/manifests/init.pp +++ b/modules/ssl/manifests/init.pp @@ -1,6 +1,4 @@ class ssl { - - $cacert = 'mozilla/UTN_USERFirst_Hardware_Root_CA.crt' $caconf = '/etc/ca-certificates.conf' package { 'openssl': @@ -13,14 +11,75 @@ class ssl { ensure => installed, } + file { '/etc/ssl/README': + mode => '0444', + source => 'puppet:///modules/ssl/README', + } + file { '/etc/ca-certificates.conf': + source => 'puppet:///modules/ssl/ca-certificates.conf', + notify => Exec['refresh_normal_hashes'], + } + if (versioncmp($::lsbmajdistrelease, '8') >= 0) { + $ca_debian_conf_suffix = '' + } else { + $ca_debian_conf_suffix = '-wheezy' + } + file { '/etc/ca-certificates-debian.conf': + mode => '0444', + source => "puppet:///modules/ssl/ca-certificates-debian${ca_debian_conf_suffix}.conf", + notify => Exec['refresh_ca_debian_hashes'], + } + file { '/etc/ca-certificates-global.conf': + source => 'puppet:///modules/ssl/ca-certificates-global.conf', + notify => Exec['refresh_ca_global_hashes'], + } + + file { '/etc/apt/apt.conf.d/local-ssl-ca-global': + mode => '0444', + source => 'puppet:///modules/ssl/local-ssl-ca-global', + } + + file { '/etc/ssl/certs/ssl-cert-snakeoil.pem': + ensure => absent, + notify => Exec['refresh_normal_hashes'], + } + file { '/etc/ssl/private/ssl-cert-snakeoil.key': + ensure => absent, + } + file { '/etc/ssl/servicecerts': + ensure => link, + purge => true, + force => true, + target => '/usr/local/share/ca-certificates/debian.org', + notify => Exec['retire_debian_links'], + } + + file { '/usr/local/share/ca-certificates/debian.org': ensure => directory, source => 'puppet:///modules/ssl/servicecerts/', mode => '0644', # this works; otherwise all files are +x purge => true, recurse => true, force => true, - notify => Exec['refresh_debian_links'], + notify => [ Exec['refresh_normal_hashes'], Exec['refresh_ca_global_hashes'] ], + } + file { '/etc/ssl/certs/README': + ensure => absent, + } + file { '/etc/ssl/ca-debian': + ensure => directory, + mode => '0755', + } + file { '/etc/ssl/ca-debian/README': + ensure => absent, + } + file { '/etc/ssl/ca-global': + ensure => directory, + mode => '0755', + } + file { '/etc/ssl/ca-global/README': + ensure => absent, } file { '/etc/ssl/debian': ensure => directory, @@ -38,22 +97,10 @@ class ssl { ensure => directory, mode => '0755', } - file { '/etc/ssl/debian/keys': - ensure => directory, - mode => '0750', - group => ssl-cert, - require => Package['ssl-cert'], - } file { '/etc/ssl/debian/certs/thishost.crt': source => "puppet:///modules/ssl/clientcerts/${::fqdn}.client.crt", notify => Exec['refresh_debian_hashes'], } - file { '/etc/ssl/debian/keys/thishost.key': - source => "puppet:///modules/ssl/clientcerts/${::fqdn}.key", - mode => '0440', - group => ssl-cert, - require => Package['ssl-cert'], - } file { '/etc/ssl/debian/certs/ca.crt': source => 'puppet:///modules/ssl/clientcerts/ca.crt', notify => Exec['refresh_debian_hashes'], @@ -65,30 +112,40 @@ class ssl { source => "puppet:///modules/exim/certs/${::fqdn}.crt", notify => Exec['refresh_debian_hashes'], } + + file { '/etc/ssl/debian/keys/thishost.key': + ensure => absent, + } file { '/etc/ssl/debian/keys/thishost-server.key': + ensure => absent, + } + file { '/etc/ssl/debian/keys': + ensure => absent, + force => true, + } + file { '/etc/ssl/private/thishost.key': + source => "puppet:///modules/ssl/clientcerts/${::fqdn}.key", + mode => '0440', + group => ssl-cert, + require => Package['ssl-cert'], + } + file { '/etc/ssl/private/thishost-server.key': source => "puppet:///modules/exim/certs/${::fqdn}.key", mode => '0440', group => ssl-cert, require => Package['ssl-cert'], } - exec { 'refresh_debian_links': - command => 'cp -f -s ../servicecerts/* .', - cwd => '/etc/ssl/certs', - refreshonly => true, - notify => Exec['delete_unused_links'], + file { '/usr/local/sbin/update-ca-certificates-dsa': + mode => '0555', + source => 'puppet:///modules/ssl/update-ca-certificates-dsa', } - exec { 'delete_unused_links': - command => 'find -L . -mindepth 1 -maxdepth 1 -type l -delete', + + exec { 'retire_debian_links': + command => 'find -lname "../servicecerts/*" -exec rm {} +', cwd => '/etc/ssl/certs', refreshonly => true, - notify => Exec['refresh_normal_hashes'], # see NOTE 1 - } - exec { 'modify_configuration': - command => "sed -i -e 's#!${cacert}#${cacert}#' ${caconf}", - onlyif => "grep -Fqx '!${cacert}' ${caconf}", notify => Exec['refresh_normal_hashes'], - require => Package['ca-certificates'], } exec { 'refresh_debian_hashes': command => 'c_rehash /etc/ssl/debian/certs', @@ -105,5 +162,25 @@ class ssl { refreshonly => true, require => Package['ca-certificates'], } + exec { 'refresh_ca_debian_hashes': + command => '/usr/local/sbin/update-ca-certificates-dsa --fresh --certsconf /etc/ca-certificates-debian.conf --localcertsdir /dev/null --etccertsdir /etc/ssl/ca-debian --hooksdir /dev/null', + refreshonly => true, + require => [ + Package['ca-certificates'], + File['/etc/ssl/ca-debian'], + File['/etc/ca-certificates-debian.conf'], + File['/usr/local/sbin/update-ca-certificates-dsa'], + ] + } + exec { 'refresh_ca_global_hashes': + command => '/usr/local/sbin/update-ca-certificates-dsa --fresh --default --certsconf /etc/ca-certificates-global.conf --etccertsdir /etc/ssl/ca-global --hooksdir /dev/null', + refreshonly => true, + require => [ + Package['ca-certificates'], + File['/etc/ssl/ca-global'], + File['/etc/ca-certificates-global.conf'], + File['/usr/local/sbin/update-ca-certificates-dsa'], + ] + } }