Also apply the ca-global blacklist on godard

author Paul Wise <pabs@debian.org>

Sun, 3 Sep 2017 12:37:57 +0000 (20:37 +0800)

committer Paul Wise <pabs@debian.org>

Sun, 3 Sep 2017 12:37:57 +0000 (20:37 +0800)
author Paul Wise <pabs@debian.org>
Sun, 3 Sep 2017 12:37:57 +0000 (20:37 +0800)
committer Paul Wise <pabs@debian.org>
Sun, 3 Sep 2017 12:37:57 +0000 (20:37 +0800)
diff --git a/modules/ssl/manifests/init.pp b/modules/ssl/manifests/init.pp

index 756661e..4a629fb 100644 (file)
--- a/modules/ssl/manifests/init.pp
+++ b/modules/ssl/manifests/init.pp
@@ -11,12 +11,20 @@ class ssl {
                 ensure   => installed,
         }
  
+       if $::hostname == 'godard' {
+               $extra_ssl_certs_flags = ' --default'
+               $ssl_certs_config = 'puppet:///modules/ssl/ca-certificates-global.conf'
+       } else {
+               $extra_ssl_certs_flags = ''
+               $ssl_certs_config = 'puppet:///modules/ssl/ca-certificates.conf'
+       }
+
         file { '/etc/ssl/README':
                 mode   => '0444',
                 source => 'puppet:///modules/ssl/README',
         }
         file { '/etc/ca-certificates.conf':
-               source => 'puppet:///modules/ssl/ca-certificates.conf',
+               source => $ssl_certs_config,
                 notify  => Exec['refresh_normal_hashes'],
         }
         file { '/etc/ca-certificates-debian.conf':
@@ -156,11 +164,6 @@ class ssl {
                 refreshonly => true,
                 require     => Package['openssl'],
         }
-       if $::hostname == 'godard' {
-               $extra_ssl_certs_flags = ' --default'
-       } else {
-               $extra_ssl_certs_flags = ''
-       }
  
         exec { 'refresh_normal_hashes':
                 # NOTE 1: always use update-ca-certificates to manage hashes in
author	Paul Wise <pabs@debian.org>
	Sun, 3 Sep 2017 12:37:57 +0000 (20:37 +0800)
committer	Paul Wise <pabs@debian.org>
	Sun, 3 Sep 2017 12:37:57 +0000 (20:37 +0800)