From c2f13d4cf63d9d2143ebe02109eb5f157e4eea73 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sat, 24 Sep 2016 09:05:22 +0000
Subject: [PATCH] change pin thing
---
 modules/apache2/manifests/init.pp | 15 ++---------
 modules/apache2/manifests/pin.pp | 8 ------
 .../templates/ssl-key-pins.erb} | 25 ++++++++++++++-----
 modules/roles/manifests/init.pp | 1 -
 4 files changed, 21 insertions(+), 28 deletions(-)
 delete mode 100644 modules/apache2/manifests/pin.pp
 rename modules/{puppetmaster/lib/puppet/parser/functions/gen_hpkp_pin.rb => apache2/templates/ssl-key-pins.erb} (52%)
diff --git a/modules/apache2/manifests/init.pp b/modules/apache2/manifests/init.pp
index a3db477e5..373b8fe18 100644
--- a/modules/apache2/manifests/init.pp
+++ b/modules/apache2/manifests/init.pp
@@ -163,19 +163,8 @@ class apache2 {
 require => Package['apache2'],
 }
- concat { '/etc/apache2/conf-available/puppet-ssl-key-pins.conf':
- owner => root,
- group => root,
- mode => '0644',
- require => Package['apache2'],
- notify => Exec['service apache2 reload'],
- }
- concat::fragment { 'puppet-ssl-key-pins-header':
- target => '/etc/apache2/conf-available/puppet-ssl-key-pins.conf',
- content => '',
- order => 00,
- }
 apache2::config { 'puppet-ssl-key-pins':
- nocontentok => true,
+ content => template('apache2/ssl-key-pins.erb'),
+ notify => Exec['service apache2 reload'],
 }
 }
diff --git a/modules/apache2/manifests/pin.pp b/modules/apache2/manifests/pin.pp
deleted file mode 100644
index 020f221d5..000000000
--- a/modules/apache2/manifests/pin.pp
+++ /dev/null
@@ -1,8 +0,0 @@
-define apache2::pin () {
- $snippet = gen_hpkp_pin($name)
-
- concat::fragment { "puppet-ssl-key-pins-header-${name}":
- target => '/etc/apache2/conf-available/puppet-ssl-key-pins.conf',
- content => $snippet,
- }
-}
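Review bot: The new `content => template('apache2/ssl-key-pins.erb')` line renders pin entries for every `*.pin` file found in the letsencrypt directory into the config of every host that includes `class apache2`, whereas the removed concat/`apache2::pin` pairing only emitted a fragment on hosts that explicitly declared a pin for a named site. If the template output is Apache `<Macro>` definitions (the helper name `make_pin_macro` suggests so, but the body that assembles `res` is not in the diff) the extra definitions stay inert until a vhost `Use`s them, yet every apache host now carries the full site list and all backup-key pin digests, and nothing in the manifest says this is intended. Worth a comment above the resource, e.g. `# Pin macros for every site under from-letsencrypt are rendered on all apache hosts; they only take effect where a vhost Uses them.`, so the next reader does not go looking for the removed per-site define. `class apache2` continues outside the hunk.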
diff --git a/modules/puppetmaster/lib/puppet/parser/functions/gen_hpkp_pin.rb b/modules/apache2/templates/ssl-key-pins.erb
similarity index 52%
rename from modules/puppetmaster/lib/puppet/parser/functions/gen_hpkp_pin.rb
rename to modules/apache2/templates/ssl-key-pins.erb
index 913bdf3f5..273cc69e3 100644
--- a/modules/puppetmaster/lib/puppet/parser/functions/gen_hpkp_pin.rb
+++ b/modules/apache2/templates/ssl-key-pins.erb
@@ -1,10 +1,16 @@
-module Puppet::Parser::Functions
- newfunction(:gen_hpkp_pin, :type => :rvalue) do |args|
- site = args.shift()
+##
+## THIS FILE IS UNDER PUPPET CONTROL. DON'T EDIT IT HERE.
+## USE: git clone git+ssh://$USER@puppet.debian.org/srv/puppet.debian.org/git/dsa-puppet.git
+##
+<%=
+ $cert_dir_le = '/srv/puppet.debian.org/from-letsencrypt'
+ $cert_dir_backup = '/srv/puppet.debian.org/backup-keys'
+
+ def make_pin_macro(site)
 pin_info = []
- pinfiles = [ "/srv/puppet.debian.org/from-letsencrypt/#{site}.pin",
- "/srv/puppet.debian.org/backup-keys/#{site}.pin" ]
+ pinfiles = [ "#{$cert_dir_le}/#{site}.pin",
+ "#{$cert_dir_backup}/#{site}.pin" ]
 pinfiles.each do |fn|
 if File.exist?(fn)
 pin_info << File.read(fn).chomp()
@@ -27,4 +33,11 @@ module Puppet::Parser::Functions
 res << ""
 return res.join("\n")
 end
-end
+
+ macros = []
+ Dir.glob("#{$cert_dir_le}/*.pin") do |pinfile|
+ site = File.basename(pinfile, '.pin')
+ macros << make_pin_macro(site)
+ end
+ macros.join("\n")
+-%>
diff --git a/modules/roles/manifests/init.pp b/modules/roles/manifests/init.pp
index e7369d450..1d7282435 100644
--- a/modules/roles/manifests/init.pp
+++ b/modules/roles/manifests/init.pp
@@ -91,7 +91,6 @@ class roles {
 if has_role('people') {
 ssl::service { 'people.debian.org': notify => Exec['service apache2 reload'], key => true, }
 onion::service { 'people.debian.org': port => 80, target_address => 'people.debian.org', target_port => 80, direct => true }
- apache2::pin { 'people.debian.org': }
 }
 if has_role('security_master') {
-- 
2.20.1
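Review bot: `$cert_dir_le` and `$cert_dir_backup` are Ruby global variables, and `def make_pin_macro` defines a method on whatever object the template is evaluated against, so all three likely outlive this render inside the long-running puppetmaster process and are visible to every other template compiled there; a second template that reuses either global name would silently change the directories this one reads pin digests from. Everything here is used only inside this `<%= ... -%>` block, so plain locals and a lambda give identical output without process-wide state: `cert_dir_le = '/srv/puppet.debian.org/from-letsencrypt'` (and likewise for the backup directory), `make_pin_macro = lambda do |site|`, and in the second hunk `macros << make_pin_macro.call(site)`. It must be `lambda` rather than `proc`, because the `return res.join("\n")` in the helper body (which lies between the two hunks, outside this one) would otherwise return from the enclosing template method. A one-line comment above `Dir.glob` noting that the set of `*.pin` files in the letsencrypt directory is now what decides which sites get a pin entry would also help, since that selection used to be an explicit per-host declaration.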