Try to replace file access to auto-ca things with templates
authorPeter Palfrader <peter@palfrader.org>
Tue, 3 Oct 2017 08:47:51 +0000 (10:47 +0200)
committerPeter Palfrader <peter@palfrader.org>
Tue, 3 Oct 2017 08:47:54 +0000 (10:47 +0200)
hieradata/common.yaml
modules/debian_org/manifests/mail_incoming_port.pp
modules/exim/manifests/init.pp
modules/exim/manifests/mx.pp
modules/ssl/manifests/init.pp
modules/stunnel4/manifests/client.pp

index 9748602..54e54e4 100644 (file)
@@ -17,6 +17,8 @@ root_mail_alias:
   - 'debian-admin@debian.org'
 paths:
   letsencrypt_dir: '/srv/puppet.debian.org/from-letsencrypt'
+  auto_certs_dir: '/srv/puppet.debian.org/ca/RESULT/certs'
+  auto_clientcerts_dir: '/srv/puppet.debian.org/ca/RESULT/clientcerts'
 roles:
   bugsmx:
     - buxtehude.debian.org
index ace2e35..d16d5bc 100644 (file)
@@ -15,9 +15,10 @@ class debian_org::mail_incoming_port {
                domain      => 'ip6',
                rule        => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_V6_SOURCES)"
        }
+       $autocertdir = hiera('paths.auto_certs_dir')
        dnsextras::tlsa_record{ 'tlsa-mailport':
                zone     => 'debian.org',
-               certfile => "/etc/puppet/modules/ssl/files/auto-certs/${::fqdn}.crt",
+               certfile => "${autocertdir}/${::fqdn}.crt",
                port     => $mail_port,
                hostname => $::fqdn,
        }
index bb8ad93..caf7480 100644 (file)
@@ -109,22 +109,22 @@ class exim {
                source => 'puppet:///modules/exim/common/logrotate-exim4-paniclog'
        }
        file { '/etc/exim4/ssl/thishost.crt':
-               source  => "puppet:///modules/ssl/auto-certs/${::fqdn}.crt",
+               content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/" + @fqdn + ".crt") %>'),
                group   => 'Debian-exim',
                mode    => '0640',
        }
        file { '/etc/exim4/ssl/thishost.key':
-               source  => "puppet:///modules/ssl/auto-certs/${::fqdn}.key",
+               content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/" + @fqdn + ".key") %>'),
                group   => 'Debian-exim',
                mode    => '0640',
        }
        file { '/etc/exim4/ssl/ca.crt':
-               source  => 'puppet:///modules/ssl/auto-certs/ca.crt',
+               content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/ca.crt") %>'),
                group   => 'Debian-exim',
                mode    => '0640',
        }
        file { '/etc/exim4/ssl/ca.crl':
-               source  => 'puppet:///modules/ssl/auto-certs/ca.crl',
+               content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/ca.crl") %>'),
                group   => 'Debian-exim',
                mode    => '0640',
        }
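Review bot: `@fqdn` in the `File.read` calls at lines 42 and 48 is an agent-supplied fact that is now spliced into a filesystem path read on the puppetmaster, so a node reporting `fqdn` as another host's name, or as `../../etc/something`, gets that file — including a `.key` — compiled into its catalog; the previous `puppet:///modules/...` source went through the fileserver, which rejects `..` in the relative path. If this master has trusted node data enabled, take the name from the verified certificate instead, e.g. `$certname = $::trusted['certname']` in the class and `@certname` in the template, or at least reject a name containing `/` or `..` before the read. Note also that `content =>` embeds the private key in the compiled catalog, which the agent normally caches on disk and which appears in any catalog dump, whereas `source =>` only streamed it to the target path. A missing file now raises ENOENT during compilation and aborts the whole catalog for that host rather than failing just this resource; a short comment saying that this is the intended failure mode would help the next reader. The hiera lookup could also be hoisted once, as `$autocertdir = hiera('paths.auto_certs_dir')` is in the mx.pp hunk, and reused in all four templates.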
index 9b5bf4b..59852d0 100644 (file)
@@ -23,9 +23,10 @@ class exim::mx inherits exim {
                domain      => 'ip6',
                rule        => '&SERVICE_RANGE(tcp, submission, $SMTP_V6_SOURCES)',
        }
+       $autocertdir = hiera('paths.auto_certs_dir')
        dnsextras::tlsa_record{ "tlsa-submission":
                zone => 'debian.org',
-               certfile => "/etc/puppet/modules/ssl/files/auto-certs/${::fqdn}.crt",
+               certfile => "${autocertdir}/${::fqdn}.crt",
                port => 587,
                hostname => "$::fqdn",
        }
index 9d9581b..c6373b2 100644 (file)
@@ -101,18 +101,18 @@ class ssl {
                mode    => '0755',
        }
        file { '/etc/ssl/debian/certs/thishost.crt':
-               source  => "puppet:///modules/ssl/auto-clientcerts/${::fqdn}.client.crt",
+               content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_clientcerts_dir"]) + "/" + @fqdn + "client.crt") %>'),
                notify  => Exec['refresh_debian_hashes'],
        }
        file { '/etc/ssl/debian/certs/ca.crt':
-               source  => 'puppet:///modules/ssl/auto-clientcerts/ca.crt',
+               content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_clientcerts_dir"]) + "/ca.crt") %>'),
                notify  => Exec['refresh_debian_hashes'],
        }
        file { '/etc/ssl/debian/crls/ca.crl':
-               source  => 'puppet:///modules/ssl/auto-clientcerts/ca.crl',
+               content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_clientcerts_dir"]) + "/ca.crl") %>'),
        }
        file { '/etc/ssl/debian/certs/thishost-server.crt':
-               source  => "puppet:///modules/ssl/auto-certs/${::fqdn}.crt",
+               content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/" + @fqdn + ".crt") %>'),
                notify  => Exec['refresh_debian_hashes'],
        }
 
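Review bot: Line 83 drops the dot between the hostname and the suffix: the old source was `${::fqdn}.client.crt`, but the template now reads `@fqdn + "client.crt"`, i.e. `host.example.orgclient.crt`, so `File.read` raises ENOENT and every catalog that includes class `ssl` fails to compile until the template is fixed or the files renamed. The fix is `+ @fqdn + ".client.crt"` on that line, matching the `.crt` read at line 97 and the `.key` reads later in the class. The enclosing `class ssl` starts before this hunk and continues past its end.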
@@ -127,13 +127,13 @@ class ssl {
                force    => true,
        }
        file { '/etc/ssl/private/thishost.key':
-               source  => "puppet:///modules/ssl/auto-clientcerts/${::fqdn}.key",
+               content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_clientcerts_dir"]) + "/" + @fqdn + ".key") %>'),
                mode    => '0440',
                group   => ssl-cert,
                require => Package['ssl-cert'],
        }
        file { '/etc/ssl/private/thishost-server.key':
-               source  => "puppet:///modules/ssl/auto-certs/${::fqdn}.key",
+               content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/" + @fqdn + ".key") %>'),
                mode    => '0440',
                group   => ssl-cert,
                require => Package['ssl-cert'],
index b13e3d4..e34cb10 100644 (file)
@@ -3,8 +3,11 @@ define stunnel4::client($accept, $connecthost, $connectport) {
        include stunnel4
 
        file { "/etc/stunnel/puppet-${name}-peer.pem":
-               content => generate('/bin/cat', "/etc/puppet/modules/ssl/files/auto-certs/${connecthost}.crt",
-                       '/etc/puppet/modules/ssl/files/auto-certs/ca.crt'),
+               content => inline_template( @("EOF"),
+                                               <%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/" + @connecthost + ".crt") %>
+                                               <%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/ca.crt") %>
+                                               | EOF
+                                       ),
                notify  => Exec["restart_stunnel_${name}"],
        }