require => Package['apache2'],
}
- concat { '/etc/apache2/conf-available/puppet-ssl-key-pins.conf':
- owner => root,
- group => root,
- mode => '0644',
- require => Package['apache2'],
- notify => Exec['service apache2 reload'],
- }
- concat::fragment { 'puppet-ssl-key-pins-header':
- target => '/etc/apache2/conf-available/puppet-ssl-key-pins.conf',
- content => '',
- order => 00,
- }
apache2::config { 'puppet-ssl-key-pins':
- nocontentok => true,
+ content => template('apache2/ssl-key-pins.erb'),
+ notify => Exec['service apache2 reload'],
}
}
+++ /dev/null
-define apache2::pin () {
- $snippet = gen_hpkp_pin($name)
-
- concat::fragment { "puppet-ssl-key-pins-header-${name}":
- target => '/etc/apache2/conf-available/puppet-ssl-key-pins.conf',
- content => $snippet,
- }
-}
--- /dev/null
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+
+<%=
+ $cert_dir_le = '/srv/puppet.debian.org/from-letsencrypt'
+ $cert_dir_backup = '/srv/puppet.debian.org/backup-keys'
+
+ def make_pin_macro(site)
+ pin_info = []
+ pinfiles = [ "#{$cert_dir_le}/#{site}.pin",
+ "#{$cert_dir_backup}/#{site}.pin" ]
+ pinfiles.each do |fn|
+ if File.exist?(fn)
+ pin_info << File.read(fn).chomp()
+ end
+ end
+
+ res = []
+ res << "<Macro http-pkp-#{site}>"
+ if pin_info.size >= 2 then
+ pin_info = pin_info.map{ |x| x.gsub('"', '\"') }
+ pin_info << "max-age=300"
+ pin_str = pin_info.join("; ")
+ res << " Header always set Public-Key-Pins \"#{pin_str}\""
+ else
+ res << " # mod macro does not like empty macros, so here's some content:"
+ res << " <Directory /non-existant>"
+ res << " </Directory>"
+ end
+ res << "</Macro>"
+ res << ""
+ return res.join("\n")
+ end
+
+ macros = []
+ Dir.glob("#{$cert_dir_le}/*.pin") do |pinfile|
+ site = File.basename(pinfile, '.pin')
+ macros << make_pin_macro(site)
+ end
+ macros.join("\n")
+-%>
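Review bot: In the `pinfiles.each` loop of `make_pin_macro`, whatever a `.pin` file contains is spliced into the `Header always set Public-Key-Pins` line with only double quotes escaped, so an empty, truncated or otherwise malformed file (for example one left behind by a failed renewal) still satisfies the `pin_info.size >= 2` check and produces a syntactically plausible but bogus header that is served with a live `max-age`. Because the entries are joined straight onto `max-age=300`, the files presumably hold complete `pin-sha256="…"` directives; I would validate each one against that shape before accepting it and let anything else fall through to the no-header branch, which also makes the `gsub('"', '\"')` unnecessary since no unvetted byte reaches the config. The else branch should then state why the macro is empty, e.g. `# no HPKP header for #{site}: fewer than two well-formed pin files`, so a missing or broken backup pin is visible in the rendered config instead of silently dropping the header. Rejecting rather than escaping is the safer shape here: the pin files are the only input this template takes from outside the repository, and the Apache config should only ever receive a known-good directive from them.

```ruby
    pinfiles.each do |fn|
      next unless File.exist?(fn)
      pin = File.read(fn).chomp
      # accept only a complete RFC 7469 pin directive (base64 SHA-256 is
      # 43 chars plus one '=' pad); anything else never reaches the Header line
      pin_info << pin if pin =~ %r{\Apin-sha256="[A-Za-z0-9+/]{43}="\z}
    end
    # … unchanged: macro assembly, header emitted only when pin_info.size >= 2 …
```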
+++ /dev/null
-module Puppet::Parser::Functions
- newfunction(:gen_hpkp_pin, :type => :rvalue) do |args|
- site = args.shift()
-
- pin_info = []
- pinfiles = [ "/srv/puppet.debian.org/from-letsencrypt/#{site}.pin",
- "/srv/puppet.debian.org/backup-keys/#{site}.pin" ]
- pinfiles.each do |fn|
- if File.exist?(fn)
- pin_info << File.read(fn).chomp()
- end
- end
-
- res = []
- res << "<Macro http-pkp-#{site}>"
- if pin_info.size >= 2 then
- pin_info = pin_info.map{ |x| x.gsub('"', '\"') }
- pin_info << "max-age=300"
- pin_str = pin_info.join("; ")
- res << " Header always set Public-Key-Pins \"#{pin_str}\""
- else
- res << " # mod macro does not like empty macros, so here's some content:"
- res << " <Directory /non-existant>"
- res << " </Directory>"
- end
- res << "</Macro>"
- res << ""
- return res.join("\n")
- end
-end
if has_role('people') {
ssl::service { 'people.debian.org': notify => Exec['service apache2 reload'], key => true, }
onion::service { 'people.debian.org': port => 80, target_address => 'people.debian.org', target_port => 80, direct => true }
- apache2::pin { 'people.debian.org': }
}
if has_role('security_master') {