+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+<%=
+ $cert_dir_le = '/srv/puppet.debian.org/from-letsencrypt'
+ $cert_dir_backup = '/srv/puppet.debian.org/backup-keys'
+
+ def make_pin_macro(site)
+ pin_info = []
+ pinfiles = [ "#{$cert_dir_le}/#{site}.pin",
+ "#{$cert_dir_backup}/#{site}.pin" ]
+ pinfiles.each do |fn|
+ if File.exist?(fn)
+ pin_info << File.read(fn).chomp()
+ end
+ end
+
+ res = []
+ res << "<Macro http-pkp-#{site}>"
+ if pin_info.size >= 2 then
+ pin_info = pin_info.map{ |x| x.gsub('"', '\"') }
+ pin_info << "max-age=300"
+ pin_str = pin_info.join("; ")
+ res << " Header always set Public-Key-Pins \"#{pin_str}\""
+ else
+ res << " # mod macro does not like empty macros, so here's some content:"
+ res << " <Directory /non-existant>"
+ res << " </Directory>"
+ end
+ res << "</Macro>"
+ res << ""
+ return res.join("\n")
+ end
+
+ macros = []
+ Dir.glob("#{$cert_dir_le}/*.pin") do |pinfile|
+ site = File.basename(pinfile, '.pin')
+ macros << make_pin_macro(site)
+ end
+ macros.join("\n")
+-%>