ship debtags key
authorPeter Palfrader <peter@palfrader.org>
Sun, 31 Jan 2016 17:21:45 +0000 (17:21 +0000)
committerPeter Palfrader <peter@palfrader.org>
Sun, 31 Jan 2016 17:21:45 +0000 (17:21 +0000)
modules/roles/manifests/debtags.pp
modules/ssl/manifests/service.pp

index 945ed2a..b58cf20 100644 (file)
@@ -4,6 +4,7 @@ class roles::debtags {
 
        ssl::service { 'debtags.debian.org':
                notify => Service['apache2'],
+               key => true,
        }
 
        apache2::site { '010-debtags.debian.org':
index da0a97f..a9d4fd4 100644 (file)
@@ -1,4 +1,4 @@
-define ssl::service($ensure = present, $tlsaport = 443, $notify = []) {
+define ssl::service($ensure = present, $tlsaport = 443, $notify = [], $key = false) {
        $link_target = $ensure ? {
                present => link,
                absent  => absent,
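Review bot: The new `$key` parameter in the define's signature is undocumented, and its name reads like a path or key value rather than a boolean flag. A header comment on the define such as `# $key: when true, also install the service's private key as /etc/ssl/private/${name}.key (group ssl-cert)` would make it clear to callers that setting it ships secret material to the node. The body of the define extends beyond this hunk.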
@@ -18,6 +18,15 @@ define ssl::service($ensure = present, $tlsaport = 443, $notify = []) {
                content => template('ssl/chained.erb'),
                notify => [ $notify ],
        }
+       if $key {
+               file { "/etc/ssl/private/$name.key":
+                       mode   => '0440',
+                       group => 'ssl-cert',
+                       source => [ "puppet:///modules/ssl/keys/${name}.crt", "puppet:///modules/ssl/from-letsencrypt/${name}.key" ],
+                       notify => [ $notify ],
+                       links  => follow,
+               }
+       }
 
        if $tlsaport > 0 {
                dnsextras::tlsa_record{ "tlsa-${name}-${tlsaport}":
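Review bot: The first entry in the `source` list of the new key file points at `puppet:///modules/ssl/keys/${name}.crt`, which looks like a copy-paste slip. If a file of that name ever exists under `keys/`, it would be installed as the private key in place of the real one, so it should probably read `"puppet:///modules/ssl/keys/${name}.key"`. The resource also sets no `owner` and ignores `$ensure`, so the key appears to stay on disk (or even be installed) when the service is declared `absent`; consider `owner => 'root',` and an `ensure` derived from `$ensure`. Serving private keys from a module's file mount deserves a check as well, since module mounts are by default readable by any agent holding a valid certificate unless the master's auth configuration restricts them. The define continues past the end of this hunk.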