ship pin set for people.debian.org
authorPeter Palfrader <peter@palfrader.org>
Fri, 23 Sep 2016 20:37:27 +0000 (20:37 +0000)
committerPeter Palfrader <peter@palfrader.org>
Fri, 23 Sep 2016 20:37:27 +0000 (20:37 +0000)
modules/apache2/manifests/pin.pp [new file with mode: 0644]
modules/roles/manifests/init.pp

diff --git a/modules/apache2/manifests/pin.pp b/modules/apache2/manifests/pin.pp
new file mode 100644 (file)
index 0000000..020f221
--- /dev/null
@@ -0,0 +1,8 @@
+define apache2::pin () {
+       $snippet = gen_hpkp_pin($name)
+
+       concat::fragment { "puppet-ssl-key-pins-header-${name}":
+               target => '/etc/apache2/conf-available/puppet-ssl-key-pins.conf',
+               content => $snippet,
+       }
+}
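Review bot: The new define has no header comment, and nothing visible here shows that the generated header includes a backup pin; that is delegated entirely to `gen_hpkp_pin($name)`, whose implementation is not part of this commit. A pin set without a usable backup key locks returning clients out for the whole max-age if the live key is lost or replaced, so I would state the precondition above the define, e.g. `# Adds the HPKP header snippet for $name; a backup key for $name must already exist.` If the function can return an empty value for a name with no key material (not shown here), the define should fail the catalog rather than write an empty fragment into `puppet-ssl-key-pins.conf`.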
index 1d72824..e7369d4 100644 (file)
@@ -91,6 +91,7 @@ class roles {
        if has_role('people') {
                ssl::service { 'people.debian.org': notify  => Exec['service apache2 reload'], key => true, }
                onion::service { 'people.debian.org': port => 80, target_address => 'people.debian.org', target_port => 80, direct => true }
+               apache2::pin { 'people.debian.org': }
        }
 
        if has_role('security_master') {
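Review bot: The added `apache2::pin { 'people.debian.org': }` carries no `notify`, while the `ssl::service` declaration two lines above reloads apache explicitly. Unless the concat target that the fragment feeds (declared outside this commit) triggers the reload, a regenerated pin set would be written to disk but not served until something else reloads apache. A stale pin header after a key change is the HPKP failure mode that matters. I would confirm that the concat resource notifies the reload, or make it explicit here: `apache2::pin { 'people.debian.org': notify => Exec['service apache2 reload'] }`.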