Use a template to get more of the from-letsencrypt certs and keys, and no longer...
authorPeter Palfrader <peter@palfrader.org>
Tue, 3 Oct 2017 07:06:52 +0000 (09:06 +0200)
committerPeter Palfrader <peter@palfrader.org>
Tue, 3 Oct 2017 07:06:52 +0000 (09:06 +0200)
modules/rsync/manifests/site.pp
modules/ssl/manifests/service.pp
modules/ssl/templates/chained.erb [deleted file]
modules/ssl/templates/crt-chain.erb [new file with mode: 0644]
modules/ssl/templates/crt-chained.erb [new file with mode: 0644]
modules/ssl/templates/crt.erb [new file with mode: 0644]
modules/ssl/templates/key-chained.erb

index 7549694..60cab39 100644 (file)
@@ -120,10 +120,7 @@ define rsync::site (
 
                dnsextras::tlsa_record{ "tlsa-${sslname}-1873":
                        zone     => 'debian.org',
-                       certfile => [
-                               "/etc/puppet/modules/ssl/files/servicecerts/${sslname}.crt",
-                               "/etc/puppet/modules/ssl/files/from-letsencrypt/${sslname}.crt",
-                       ],
+                       certfile => [ "/srv/puppet.debian.org/from-letsencrypt/${sslname}.crt" ],
                        port     => 1873,
                        hostname => $sslname,
                }
index eeeec92..c507351 100644 (file)
@@ -12,18 +12,18 @@ define ssl::service($ensure = present, $tlsaport = 443, $notify = [], $key = fal
 
        file { "/etc/ssl/debian/certs/$name.crt":
                ensure => $ssl_ensure,
-               source => [ "puppet:///modules/ssl/servicecerts/${name}.crt", "puppet:///modules/ssl/from-letsencrypt/${name}.crt" ],
+               content => template('ssl/crt.erb'),
                notify => [ Exec['refresh_debian_hashes'], $notify ],
        }
        file { "/etc/ssl/debian/certs/$name.crt-chain":
                ensure => $ssl_ensure,
-               source => [ "puppet:///modules/ssl/chains/${name}.crt", "puppet:///modules/ssl/servicecerts/${name}.crt", "puppet:///modules/ssl/from-letsencrypt/${name}.crt-chain" ],
+               content => template('ssl/crt-chain.erb'),
                notify => [ $notify ],
                links  => follow,
        }
        file { "/etc/ssl/debian/certs/$name.crt-chained":
                ensure => $ssl_ensure,
-               content => template('ssl/chained.erb'),
+               content => template('ssl/crt-chained.erb'),
                notify => [ $notify ],
        }
        if $key {
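Review bot: Replacing the `source` fallback lists with `content => template(...)` on lines 33, 39 and 46 moves the failure mode from the single file resource into catalog compilation: the new templates call `File.read` with no existence check, so a node whose from-letsencrypt files are absent fails its whole catalog, and because `template()` is evaluated regardless of `ensure`, the same happens for a service being retired with `$ssl_ensure` set to absent after its files were cleaned up. If aborting compilation on a missing cert is the intended fail-closed behaviour, state it where the resources are declared, e.g. `# cert content is rendered on the master; a missing from-letsencrypt file aborts compilation on purpose`. For the removal case, evaluating the templates only when `$ssl_ensure` is present would let absent resources compile. The `ssl::service` define starts and ends outside this hunk, so where `$ssl_ensure` is derived is not visible here.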
@@ -50,7 +50,7 @@ define ssl::service($ensure = present, $tlsaport = 443, $notify = [], $key = fal
                $portlist = join($tlsaports, "-")
                dnsextras::tlsa_record{ "tlsa-${name}-${portlist}":
                        zone     => 'debian.org',
-                       certfile => [ "/etc/puppet/modules/ssl/files/servicecerts/${name}.crt", "/etc/puppet/modules/ssl/files/from-letsencrypt/${name}.crt" ],
+                       certfile => [ "/srv/puppet.debian.org/from-letsencrypt/${name}.crt" ],
                        port     => $tlsaport,
                        hostname => "$name",
                }
diff --git a/modules/ssl/templates/chained.erb b/modules/ssl/templates/chained.erb
deleted file mode 100644 (file)
index 737b9f5..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
-<%=
-  out = ""
-  fn = "/etc/puppet/modules/ssl/files/servicecerts/#{@name}.crt"
-  if File.exist?(fn) then
-    out = File.read(fn)
-
-    chain = "/etc/puppet/modules/ssl/files/chains/#{@name}.crt"
-    out += File.exist?(chain) ? ("\n" + File.read(chain)) : ''
-  else
-    fn = "/etc/puppet/modules/ssl/files/from-letsencrypt/#{@name}.crt-chained"
-    out = File.read(fn)
-  end
-  out
-%>
diff --git a/modules/ssl/templates/crt-chain.erb b/modules/ssl/templates/crt-chain.erb
new file mode 100644 (file)
index 0000000..94cd708
--- /dev/null
@@ -0,0 +1,5 @@
+<%=
+  fn = "/srv/puppet.debian.org/from-letsencrypt/#{@name}.crt-chain"
+  out = File.read(fn)
+  out
+%>
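Review bot: `@name` is interpolated unchecked into a path on the master's filesystem on line 84 (likewise in crt-chained.erb, crt.erb and key-chained.erb), so a resource title containing `/` or `..` would read an arbitrary master-readable file into the catalog; the title comes from manifests, so this is a mistake-proofing gap rather than an attacker-facing one, but a one-line guard makes the contract explicit: `raise Puppet::ParseError, "bad ssl::service name #{@name}" unless @name =~ /\A[A-Za-z0-9][A-Za-z0-9.-]*\z/` (the pattern is a suggestion; match whatever the define already accepts). The `out = File.read(fn)` / `out` pair on lines 85-86 can collapse to `File.read(fn)`. The three new templates differ only in the file suffix, so one template taking the suffix from a variable set in the manifest would remove the duplication.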
diff --git a/modules/ssl/templates/crt-chained.erb b/modules/ssl/templates/crt-chained.erb
new file mode 100644 (file)
index 0000000..aba48f6
--- /dev/null
@@ -0,0 +1,5 @@
+<%=
+  fn = "/srv/puppet.debian.org/from-letsencrypt/#{@name}.crt-chained"
+  out = File.read(fn)
+  out
+%>
diff --git a/modules/ssl/templates/crt.erb b/modules/ssl/templates/crt.erb
new file mode 100644 (file)
index 0000000..52f639a
--- /dev/null
@@ -0,0 +1,5 @@
+<%=
+  fn = "/srv/puppet.debian.org/from-letsencrypt/#{@name}.crt"
+  out = File.read(fn)
+  out
+%>
index 75b3428..a3f9445 100644 (file)
@@ -1,25 +1,10 @@
 <%=
-  out = ""
-  fn = "/etc/puppet/modules/ssl/files/keys/#{@name}.crt"
-  if File.exist?(fn) then
-    out = File.read(fn)
-  else
-    fn = "/etc/puppet/modules/ssl/files/from-letsencrypt/#{@name}.key"
-    out = File.read(fn)
-  end
+  fn = "/srv/puppet.debian.org/from-letsencrypt/#{@name}.key"
+  out = File.read(fn)
   out
 %>
 <%=
-  out = ""
-  fn = "/etc/puppet/modules/ssl/files/servicecerts/#{@name}.crt"
-  if File.exist?(fn) then
-    out = File.read(fn)
-
-    chain = "/etc/puppet/modules/ssl/files/chains/#{@name}.crt"
-    out += File.exist?(chain) ? ("\n" + File.read(chain)) : ''
-  else
-    fn = "/etc/puppet/modules/ssl/files/from-letsencrypt/#{@name}.crt-chained"
-    out = File.read(fn)
-  end
+  fn = "/srv/puppet.debian.org/from-letsencrypt/#{@name}.crt-chained"
+  out = File.read(fn)
   out
 %>
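Review bot: The private key read on line 119 is rendered into the catalog as file content, so it travels through the compiled catalog, the agent's cached copy and any report or diff output for that resource; the file resource consuming this template sits under `if $key {` in service.pp outside the hunks, so confirm it sets `show_diff => false` and a restrictive mode, and record the constraint here with a comment such as `# private key: rendered into the catalog, so the consuming file resource must disable diffs and keep the mode tight`. The certificate half on lines 135-136 duplicates crt-chained.erb byte for byte; keeping a single source for that path would stop the two from drifting apart.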