From 7d961995db18550eaf69682a49736101d2f91257 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Tue, 3 Oct 2017 10:47:51 +0200
Subject: [PATCH] Try to replace file access to auto-ca things with templates
---
 hieradata/common.yaml | 2 ++
 modules/debian_org/manifests/mail_incoming_port.pp | 3 ++-
 modules/exim/manifests/init.pp | 8 ++++----
 modules/exim/manifests/mx.pp | 3 ++-
 modules/ssl/manifests/init.pp | 12 ++++++------
 modules/stunnel4/manifests/client.pp | 7 +++++--
 6 files changed, 21 insertions(+), 14 deletions(-)
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 974860260..54e54e477 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -17,6 +17,8 @@ root_mail_alias:
 - 'debian-admin@debian.org'
 paths:
 letsencrypt_dir: '/srv/puppet.debian.org/from-letsencrypt'
+ auto_certs_dir: '/srv/puppet.debian.org/ca/RESULT/certs'
+ auto_clientcerts_dir: '/srv/puppet.debian.org/ca/RESULT/clientcerts'
 roles:
 bugsmx:
 - buxtehude.debian.org
diff --git a/modules/debian_org/manifests/mail_incoming_port.pp b/modules/debian_org/manifests/mail_incoming_port.pp
index ace2e352f..d16d5bc74 100644
--- a/modules/debian_org/manifests/mail_incoming_port.pp
+++ b/modules/debian_org/manifests/mail_incoming_port.pp
@@ -15,9 +15,10 @@ class debian_org::mail_incoming_port {
 domain => 'ip6',
 rule => "&SERVICE_RANGE(tcp, $mail_port, \$SMTP_V6_SOURCES)"
 }
+ $autocertdir = hiera('paths.auto_certs_dir')
 dnsextras::tlsa_record{ 'tlsa-mailport':
 zone => 'debian.org',
- certfile => "/etc/puppet/modules/ssl/files/auto-certs/${::fqdn}.crt",
+ certfile => "${autocertdir}/${::fqdn}.crt",
 port => $mail_port,
 hostname => $::fqdn,
 }
diff --git a/modules/exim/manifests/init.pp b/modules/exim/manifests/init.pp
index bb8ad9323..caf748055 100644
--- a/modules/exim/manifests/init.pp
+++ b/modules/exim/manifests/init.pp
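Review bot: The certfile path handed to `dnsextras::tlsa_record` is built from `${::fqdn}`, an agent-reported fact, so the file read on the master is selected by the node rather than by its certificate; the removed line had the same construction, but the commit now also feeds this fact straight into `File.read` in `modules/exim/manifests/init.pp` and `modules/ssl/manifests/init.pp`, where the module file server's own path validation (which I believe rejects `..` segments) no longer sits in between. If certnames equal FQDNs in this deployment, the certificate-bound `$trusted['certname']` is the safer key, e.g. `certfile => "${autocertdir}/${trusted['certname']}.crt"`, and the same substitution applies to the `@fqdn` uses in the templates. The identical `$autocertdir`/`${::fqdn}` construction appears in the `modules/exim/manifests/mx.pp` hunk. `class debian_org::mail_incoming_port` begins and ends outside this hunk.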
@@ -109,22 +109,22 @@ class exim {
 source => 'puppet:///modules/exim/common/logrotate-exim4-paniclog'
 }
 file { '/etc/exim4/ssl/thishost.crt':
- source => "puppet:///modules/ssl/auto-certs/${::fqdn}.crt",
+ content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/" + @fqdn + ".crt") %>'),
 group => 'Debian-exim',
 mode => '0640',
 }
 file { '/etc/exim4/ssl/thishost.key':
- source => "puppet:///modules/ssl/auto-certs/${::fqdn}.key",
+ content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/" + @fqdn + ".key") %>'),
 group => 'Debian-exim',
 mode => '0640',
 }
 file { '/etc/exim4/ssl/ca.crt':
- source => 'puppet:///modules/ssl/auto-certs/ca.crt',
+ content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/ca.crt") %>'),
 group => 'Debian-exim',
 mode => '0640',
 }
 file { '/etc/exim4/ssl/ca.crl':
- source => 'puppet:///modules/ssl/auto-certs/ca.crl',
+ content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/ca.crl") %>'),
 group => 'Debian-exim',
 mode => '0640',
 }
diff --git a/modules/exim/manifests/mx.pp b/modules/exim/manifests/mx.pp
index 9b5bf4bd5..59852d0a0 100644
--- a/modules/exim/manifests/mx.pp
+++ b/modules/exim/manifests/mx.pp
@@ -23,9 +23,10 @@ class exim::mx inherits exim {
 domain => 'ip6',
 rule => '&SERVICE_RANGE(tcp, submission, $SMTP_V6_SOURCES)',
 }
+ $autocertdir = hiera('paths.auto_certs_dir')
 dnsextras::tlsa_record{ "tlsa-submission":
 zone => 'debian.org',
- certfile => "/etc/puppet/modules/ssl/files/auto-certs/${::fqdn}.crt",
+ certfile => "${autocertdir}/${::fqdn}.crt",
 port => 587,
 hostname => "$::fqdn",
 }
diff --git a/modules/ssl/manifests/init.pp b/modules/ssl/manifests/init.pp
index 9d9581b2b..c6373b232 100644
--- a/modules/ssl/manifests/init.pp
+++ b/modules/ssl/manifests/init.pp
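Review bot: The host's private key (`/etc/exim4/ssl/thishost.key`) is now carried inside the catalog as `content` instead of being fetched from the file server only on checksum mismatch, so it is written into the agent's on-disk cached catalog and shows up in reports and logs wherever file diffs are displayed; the same applies to `thishost.key` and `thishost-server.key` in the `modules/ssl/manifests/init.pp` hunk at `@@ -127,13`. At minimum add `show_diff => false,` to each key resource. Separately, `File.read` raising on a missing cert, key or CA file now aborts the whole catalog compile for the node, whereas a missing `source` only failed that one resource at apply time, which deserves a comment on the resources. The core `file()` function accepts an absolute master-side path, so `$dir = hiera('paths.auto_certs_dir')` followed by `content => file("${dir}/${::fqdn}.key")` would give the same bytes without the ERB and `scope().call_function` indirection. `class exim` begins and ends outside this hunk.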
@@ -101,18 +101,18 @@ class ssl { mode => '0755', } file { '/etc/ssl/debian/certs/thishost.crt': - source => "puppet:///modules/ssl/auto-clientcerts/${::fqdn}.client.crt", + content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_clientcerts_dir"]) + "/" + @fqdn + "client.crt") %>'), notify => Exec['refresh_debian_hashes'], } file { '/etc/ssl/debian/certs/ca.crt': - source => 'puppet:///modules/ssl/auto-clientcerts/ca.crt', + content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_clientcerts_dir"]) + "/ca.crt") %>'), notify => Exec['refresh_debian_hashes'], } file { '/etc/ssl/debian/crls/ca.crl': - source => 'puppet:///modules/ssl/auto-clientcerts/ca.crl', + content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_clientcerts_dir"]) + "/ca.crl") %>'), } file { '/etc/ssl/debian/certs/thishost-server.crt': - source => "puppet:///modules/ssl/auto-certs/${::fqdn}.crt", + content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/" + @fqdn + ".crt") %>'), notify => Exec['refresh_debian_hashes'], } @@ -127,13 +127,13 @@ class ssl { force => true, } file { '/etc/ssl/private/thishost.key': - source => "puppet:///modules/ssl/auto-clientcerts/${::fqdn}.key", + content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_clientcerts_dir"]) + "/" + @fqdn + ".key") %>'), mode => '0440', group => ssl-cert, require => Package['ssl-cert'], } file { '/etc/ssl/private/thishost-server.key': - source => "puppet:///modules/ssl/auto-certs/${::fqdn}.key", + content => inline_template('<%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/" + @fqdn + ".key") %>'), mode => '0440', group => ssl-cert, require => Package['ssl-cert'], diff --git a/modules/stunnel4/manifests/client.pp b/modules/stunnel4/manifests/client.pp index b13e3d49c..e34cb10e9 100644 --- a/modules/stunnel4/manifests/client.pp 
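Review bot: The new template for `/etc/ssl/debian/certs/thishost.crt` concatenates `@fqdn + "client.crt"`, dropping the dot that the removed `${::fqdn}.client.crt` path had, so it looks for `<fqdn>client.crt`, `File.read` raises and the catalog compile fails for every node that includes `class ssl`. Change that segment to `+ "/" + @fqdn + ".client.crt"` so it matches the other three templates in the hunk, which keep the leading dot. `class ssl` begins and ends outside this hunk.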
+++ b/modules/stunnel4/manifests/client.pp @@ -3,8 +3,11 @@ define stunnel4::client($accept, $connecthost, $connectport) { include stunnel4 file { "/etc/stunnel/puppet-${name}-peer.pem": - content => generate('/bin/cat', "/etc/puppet/modules/ssl/files/auto-certs/${connecthost}.crt", - '/etc/puppet/modules/ssl/files/auto-certs/ca.crt'), + content => inline_template( @("EOF"), + <%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/" + @connecthost + ".crt") %> + <%= File.read(scope().call_function("hiera", ["paths.auto_certs_dir"]) + "/ca.crt") %> + | EOF + ), notify => Exec["restart_stunnel_${name}"], } -- 2.20.1
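Review bot: The heredoc renders each `<%= File.read(...) %>` on its own line and `File.read` already returns the certificate's trailing newline, so the peer bundle gains an empty line after each PEM block that the old `/bin/cat` output did not have; OpenSSL's PEM reader tolerates that, but the content differs, so expect a one-time rewrite of `puppet-${name}-peer.pem` and a `restart_stunnel_${name}` on the first run after this lands. Closing the tags with `-%>` should keep the old byte layout, assuming, as I believe, that Puppet's template wrapper enables ERB trim mode for `inline_template`. The `| EOF` margin strips only the indentation up to the pipe, which is fine as long as both template lines are indented at least that far. The closing brace of `define stunnel4::client` lies outside this hunk.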