From 631a223e0a27f2a65f476007046005c233ebab35 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sat, 6 Feb 2016 15:53:12 +0000
Subject: [PATCH] uninstall static service certs and keys from hosts that do not serve this service
---
 modules/roles/manifests/static_mirror.pp | 44 ++++++++++++------------
 modules/ssl/manifests/service.pp | 17 ++++++---
 2 files changed, 34 insertions(+), 27 deletions(-)
diff --git a/modules/roles/manifests/static_mirror.pp b/modules/roles/manifests/static_mirror.pp
index 86fad94e3..575ac41a0 100644
--- a/modules/roles/manifests/static_mirror.pp
+++ b/modules/roles/manifests/static_mirror.pp
@@ -72,27 +72,27 @@ class roles::static_mirror { content => template('roles/apache-www.debian.org.erb'), } - if has_static_component('dsa.debian.org' ) { ssl::service { 'dsa.debian.org' : notify => Service['apache2'], } } - if has_static_component('www.debian.org' ) { ssl::service { 'www.debian.org' : notify => Service['apache2'], } } - if has_static_component('bits.debian.org' ) { ssl::service { 'bits.debian.org' : notify => Service['apache2'], } } - if has_static_component('lintian.debian.org' ) { ssl::service { 'lintian.debian.org' : notify => Service['apache2'], } } - if has_static_component('rtc.debian.org' ) { ssl::service { 'rtc.debian.org' : notify => Service['apache2'], } } - if has_static_component('appstream.debian.org' ) { ssl::service { 'appstream.debian.org': notify => Service['apache2'], } } - if has_static_component('d-i.debian.org' ) { ssl::service { 'd-i.debian.org' : notify => Service['apache2'], } } + ssl::service { 'dsa.debian.org' : ensure => "ifstatic", notify => Service['apache2'], } + ssl::service { 'www.debian.org' : ensure => "ifstatic", notify => Service['apache2'], } + ssl::service { 'bits.debian.org' : ensure => "ifstatic", notify => Service['apache2'], } + ssl::service { 'lintian.debian.org' : ensure => "ifstatic", notify => Service['apache2'], } + ssl::service { 'rtc.debian.org' : ensure => "ifstatic", notify => Service['apache2'], } + ssl::service { 'appstream.debian.org': ensure => "ifstatic", notify => Service['apache2'], } + ssl::service { 'd-i.debian.org' : ensure => "ifstatic", notify => Service['apache2'], } - if has_static_component('news.debian.net' ) { ssl::service { 'news.debian.net' : notify => Service['apache2'], key => true, } } - if has_static_component('debaday.debian.net' ) { ssl::service { 'debaday.debian.net' : notify => Service['apache2'], key => true, } } - if has_static_component('timeline.debian.net' ) { ssl::service { 'timeline.debian.net' : notify => Service['apache2'], key => true, } } - if 
has_static_component('debconf0.debconf.org') { ssl::service { 'debconf0.debconf.org': notify => Service['apache2'], key => true, } } - if has_static_component('debconf1.debconf.org') { ssl::service { 'debconf1.debconf.org': notify => Service['apache2'], key => true, } } - if has_static_component('debconf2.debconf.org') { ssl::service { 'debconf2.debconf.org': notify => Service['apache2'], key => true, } } - if has_static_component('debconf3.debconf.org') { ssl::service { 'debconf3.debconf.org': notify => Service['apache2'], key => true, } } - if has_static_component('debconf4.debconf.org') { ssl::service { 'debconf4.debconf.org': notify => Service['apache2'], key => true, } } - if has_static_component('debconf5.debconf.org') { ssl::service { 'debconf5.debconf.org': notify => Service['apache2'], key => true, } } - if has_static_component('debconf6.debconf.org') { ssl::service { 'debconf6.debconf.org': notify => Service['apache2'], key => true, } } - if has_static_component('debconf7.debconf.org') { ssl::service { 'debconf7.debconf.org': notify => Service['apache2'], key => true, } } - if has_static_component('10years.debconf.org' ) { ssl::service { '10years.debconf.org' : notify => Service['apache2'], key => true, } } - if has_static_component('es.debconf.org' ) { ssl::service { 'es.debconf.org' : notify => Service['apache2'], key => true, } } - if has_static_component('fr.debconf.org' ) { ssl::service { 'fr.debconf.org' : notify => Service['apache2'], key => true, } } - if has_static_component('miniconf10.debconf.org') { ssl::service { 'miniconf10.debconf.org': notify => Service['apache2'], key => true, } } + ssl::service { 'news.debian.net' : ensure => "ifstatic", notify => Service['apache2'], key => true, } + ssl::service { 'debaday.debian.net' : ensure => "ifstatic", notify => Service['apache2'], key => true, } + ssl::service { 'timeline.debian.net' : ensure => "ifstatic", notify => Service['apache2'], key => true, } + ssl::service { 'debconf0.debconf.org' : 
ensure => "ifstatic", notify => Service['apache2'], key => true, } + ssl::service { 'debconf1.debconf.org' : ensure => "ifstatic", notify => Service['apache2'], key => true, } + ssl::service { 'debconf2.debconf.org' : ensure => "ifstatic", notify => Service['apache2'], key => true, } + ssl::service { 'debconf3.debconf.org' : ensure => "ifstatic", notify => Service['apache2'], key => true, } + ssl::service { 'debconf4.debconf.org' : ensure => "ifstatic", notify => Service['apache2'], key => true, } + ssl::service { 'debconf5.debconf.org' : ensure => "ifstatic", notify => Service['apache2'], key => true, } + ssl::service { 'debconf6.debconf.org' : ensure => "ifstatic", notify => Service['apache2'], key => true, } + ssl::service { 'debconf7.debconf.org' : ensure => "ifstatic", notify => Service['apache2'], key => true, } + ssl::service { '10years.debconf.org' : ensure => "ifstatic", notify => Service['apache2'], key => true, } + ssl::service { 'es.debconf.org' : ensure => "ifstatic", notify => Service['apache2'], key => true, } + ssl::service { 'fr.debconf.org' : ensure => "ifstatic", notify => Service['apache2'], key => true, } + ssl::service { 'miniconf10.debconf.org': ensure => "ifstatic", notify => Service['apache2'], key => true, } } diff --git a/modules/ssl/manifests/service.pp b/modules/ssl/manifests/service.pp index a9d4fd45b..4f25a7610 100644 --- a/modules/ssl/manifests/service.pp +++ b/modules/ssl/manifests/service.pp 
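Review bot: The private keys of the first group (dsa.debian.org through d-i.debian.org) are not covered by the commit's "uninstall ... keys" intent, because those ssl::service declarations keep the default `key => false` and ssl::service only manages `/etc/ssl/private/$name.key` when `key` is true; for them only the `.crt`, `.crt-chain` and `.crt-chained` files are removed. If any of those hosts hold a key placed outside this define, nothing here removes it, so that is worth confirming or stating in a comment above the block, e.g. `# ensure => "ifstatic": install the cert (and key where key => true) only when has_static_component($name) is true on this host, remove it otherwise`. "ifstatic" is a magic value that readers of this class cannot learn from the ssl::service parameter default, so the comment should name it. The enclosing class roles::static_mirror starts before this hunk.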
@@ -1,25 +1,32 @@ define ssl::service($ensure = present, $tlsaport = 443, $notify = [], $key = false) { - $link_target = $ensure ? { - present => link, - absent => absent, - default => fail ( "Unknown ensure value: '$ensure'" ), + if ($ensure == "ifstatic") { + $ssl_ensure = has_static_component($name) ? { + true => "present", + false => "absent" + } + } else { + $ssl_ensure = $ensure } file { "/etc/ssl/debian/certs/$name.crt": + ensure => $ssl_ensure, source => [ "puppet:///modules/ssl/servicecerts/${name}.crt", "puppet:///modules/ssl/from-letsencrypt/${name}.crt" ], notify => [ Exec['refresh_debian_hashes'], $notify ], } file { "/etc/ssl/debian/certs/$name.crt-chain": + ensure => $ssl_ensure, source => [ "puppet:///modules/ssl/chains/${name}.crt", "puppet:///modules/ssl/servicecerts/${name}.crt", "puppet:///modules/ssl/from-letsencrypt/${name}.crt-chain" ], notify => [ $notify ], links => follow, } file { "/etc/ssl/debian/certs/$name.crt-chained": + ensure => $ssl_ensure, content => template('ssl/chained.erb'), notify => [ $notify ], } if $key { file { "/etc/ssl/private/$name.key": + ensure => $ssl_ensure, mode => '0440', group => 'ssl-cert', source => [ "puppet:///modules/ssl/keys/${name}.crt", "puppet:///modules/ssl/from-letsencrypt/${name}.key" ], @@ -28,7 +35,7 @@ define ssl::service($ensure = present, $tlsaport = 443, $notify = [], $key = fal } } - if $tlsaport > 0 { + if ($tlsaport > 0 and $ssl_ensure == "present") { dnsextras::tlsa_record{ "tlsa-${name}-${tlsaport}": zone => 'debian.org', certfile => [ "/etc/puppet/modules/ssl/files/servicecerts/${name}.crt", "/etc/puppet/modules/ssl/files/from-letsencrypt/${name}.crt" ], -- 2.20.1
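Review bot: The removed selector rejected any `$ensure` other than present/absent via `fail(...)`, but the new `else` branch passes any other value straight through as `$ssl_ensure`, so a typo such as `ensure => presnt` is no longer caught here and is only reported, if at all, by the file resources further down. Restore the check by changing `} else {` to `} elsif ($ensure in [present, absent]) {` and adding `} else { fail("Unknown ensure value: '${ensure}'") }` before the closing brace, so the contract stays what the old code enforced. has_static_component($name) keys off the resource title, so the ifstatic path presumably only makes sense when the title is the service hostname as in roles::static_mirror; a one-line comment on the parameter, e.g. `# $ensure: present, absent, or "ifstatic" (present only when has_static_component($name) on this host)`, would make that explicit. The ssl::service define begins at this hunk's first line but its body continues past the hunk.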
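Review bot: When `$ssl_ensure` becomes absent on a host the `dnsextras::tlsa_record` is simply no longer declared, and nothing in this hunk withdraws a record that host published before this change; whether that is enough depends on whether tlsa_record is an exported resource that leaves the zone once no host declares it, or a fragment that needs its own `ensure => absent`, which is not visible here, so please confirm. Either way the guard deserves a why-comment, e.g. `# publish a TLSA record only for certs actually installed on this host`. Note the comparison is against the string "present", so any `$ensure` value the define lets through unvalidated (e.g. `file`) silently suppresses the TLSA record instead of failing. The rest of the tlsa_record declaration and the end of ssl::service are outside the hunk.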