uninstall static service certs and keys from hosts that do not serve this service

diff --git a/modules/roles/manifests/static_mirror.pp b/modules/roles/manifests/static_mirror.pp
index 86fad94..575ac41 100644 (file)
--- a/modules/roles/manifests/static_mirror.pp
+++ b/modules/roles/manifests/static_mirror.pp
@@ -72,27 +72,27 @@ class roles::static_mirror {
                content => template('roles/apache-www.debian.org.erb'),
        }
 
-       if has_static_component('dsa.debian.org'       ) { ssl::service { 'dsa.debian.org'      : notify => Service['apache2'], } }
-       if has_static_component('www.debian.org'       ) { ssl::service { 'www.debian.org'      : notify => Service['apache2'], } }
-       if has_static_component('bits.debian.org'      ) { ssl::service { 'bits.debian.org'     : notify => Service['apache2'], } }
-       if has_static_component('lintian.debian.org'   ) { ssl::service { 'lintian.debian.org'  : notify => Service['apache2'], } }
-       if has_static_component('rtc.debian.org'       ) { ssl::service { 'rtc.debian.org'      : notify => Service['apache2'], } }
-       if has_static_component('appstream.debian.org' ) { ssl::service { 'appstream.debian.org': notify => Service['apache2'], } }
-       if has_static_component('d-i.debian.org'       ) { ssl::service { 'd-i.debian.org'      : notify => Service['apache2'], } }
+       ssl::service { 'dsa.debian.org'      : ensure => "ifstatic", notify => Service['apache2'], }
+       ssl::service { 'www.debian.org'      : ensure => "ifstatic", notify => Service['apache2'], }
+       ssl::service { 'bits.debian.org'     : ensure => "ifstatic", notify => Service['apache2'], }
+       ssl::service { 'lintian.debian.org'  : ensure => "ifstatic", notify => Service['apache2'], }
+       ssl::service { 'rtc.debian.org'      : ensure => "ifstatic", notify => Service['apache2'], }
+       ssl::service { 'appstream.debian.org': ensure => "ifstatic", notify => Service['apache2'], }
+       ssl::service { 'd-i.debian.org'      : ensure => "ifstatic", notify => Service['apache2'], }
 
-       if has_static_component('news.debian.net'     ) { ssl::service { 'news.debian.net'     : notify => Service['apache2'], key => true, } }
-       if has_static_component('debaday.debian.net'  ) { ssl::service { 'debaday.debian.net'  : notify => Service['apache2'], key => true, } }
-       if has_static_component('timeline.debian.net' ) { ssl::service { 'timeline.debian.net' : notify => Service['apache2'], key => true, } }
-       if has_static_component('debconf0.debconf.org') { ssl::service { 'debconf0.debconf.org': notify => Service['apache2'], key => true, } }
-       if has_static_component('debconf1.debconf.org') { ssl::service { 'debconf1.debconf.org': notify => Service['apache2'], key => true, } }
-       if has_static_component('debconf2.debconf.org') { ssl::service { 'debconf2.debconf.org': notify => Service['apache2'], key => true, } }
-       if has_static_component('debconf3.debconf.org') { ssl::service { 'debconf3.debconf.org': notify => Service['apache2'], key => true, } }
-       if has_static_component('debconf4.debconf.org') { ssl::service { 'debconf4.debconf.org': notify => Service['apache2'], key => true, } }
-       if has_static_component('debconf5.debconf.org') { ssl::service { 'debconf5.debconf.org': notify => Service['apache2'], key => true, } }
-       if has_static_component('debconf6.debconf.org') { ssl::service { 'debconf6.debconf.org': notify => Service['apache2'], key => true, } }
-       if has_static_component('debconf7.debconf.org') { ssl::service { 'debconf7.debconf.org': notify => Service['apache2'], key => true, } }
-       if has_static_component('10years.debconf.org' ) { ssl::service { '10years.debconf.org' : notify => Service['apache2'], key => true, } }
-       if has_static_component('es.debconf.org'      ) { ssl::service { 'es.debconf.org'      : notify => Service['apache2'], key => true, } }
-       if has_static_component('fr.debconf.org'      ) { ssl::service { 'fr.debconf.org'      : notify => Service['apache2'], key => true, } }
-       if has_static_component('miniconf10.debconf.org') { ssl::service { 'miniconf10.debconf.org': notify => Service['apache2'], key => true, } }
+       ssl::service { 'news.debian.net'       : ensure => "ifstatic", notify => Service['apache2'], key => true, }
+       ssl::service { 'debaday.debian.net'    : ensure => "ifstatic", notify => Service['apache2'], key => true, }
+       ssl::service { 'timeline.debian.net'   : ensure => "ifstatic", notify => Service['apache2'], key => true, }
+       ssl::service { 'debconf0.debconf.org'  : ensure => "ifstatic", notify => Service['apache2'], key => true, }
+       ssl::service { 'debconf1.debconf.org'  : ensure => "ifstatic", notify => Service['apache2'], key => true, }
+       ssl::service { 'debconf2.debconf.org'  : ensure => "ifstatic", notify => Service['apache2'], key => true, }
+       ssl::service { 'debconf3.debconf.org'  : ensure => "ifstatic", notify => Service['apache2'], key => true, }
+       ssl::service { 'debconf4.debconf.org'  : ensure => "ifstatic", notify => Service['apache2'], key => true, }
+       ssl::service { 'debconf5.debconf.org'  : ensure => "ifstatic", notify => Service['apache2'], key => true, }
+       ssl::service { 'debconf6.debconf.org'  : ensure => "ifstatic", notify => Service['apache2'], key => true, }
+       ssl::service { 'debconf7.debconf.org'  : ensure => "ifstatic", notify => Service['apache2'], key => true, }
+       ssl::service { '10years.debconf.org'   : ensure => "ifstatic", notify => Service['apache2'], key => true, }
+       ssl::service { 'es.debconf.org'        : ensure => "ifstatic", notify => Service['apache2'], key => true, }
+       ssl::service { 'fr.debconf.org'        : ensure => "ifstatic", notify => Service['apache2'], key => true, }
+       ssl::service { 'miniconf10.debconf.org': ensure => "ifstatic", notify => Service['apache2'], key => true, }
 }

diff --git a/modules/ssl/manifests/service.pp b/modules/ssl/manifests/service.pp
index a9d4fd4..4f25a76 100644 (file)
--- a/modules/ssl/manifests/service.pp
+++ b/modules/ssl/manifests/service.pp
@@ -1,25 +1,32 @@
 define ssl::service($ensure = present, $tlsaport = 443, $notify = [], $key = false) {
-       $link_target = $ensure ? {
-               present => link,
-               absent  => absent,
-               default => fail ( "Unknown ensure value: '$ensure'" ),
+       if ($ensure == "ifstatic") {
+               $ssl_ensure = has_static_component($name) ? {
+                       true => "present",
+                       false => "absent"
+               }
+       } else {
+               $ssl_ensure = $ensure
        }
 
        file { "/etc/ssl/debian/certs/$name.crt":
+               ensure => $ssl_ensure,
                source => [ "puppet:///modules/ssl/servicecerts/${name}.crt", "puppet:///modules/ssl/from-letsencrypt/${name}.crt" ],
                notify => [ Exec['refresh_debian_hashes'], $notify ],
        }
        file { "/etc/ssl/debian/certs/$name.crt-chain":
+               ensure => $ssl_ensure,
                source => [ "puppet:///modules/ssl/chains/${name}.crt", "puppet:///modules/ssl/servicecerts/${name}.crt", "puppet:///modules/ssl/from-letsencrypt/${name}.crt-chain" ],
                notify => [ $notify ],
                links  => follow,
        }
        file { "/etc/ssl/debian/certs/$name.crt-chained":
+               ensure => $ssl_ensure,
                content => template('ssl/chained.erb'),
                notify => [ $notify ],
        }
        if $key {
                file { "/etc/ssl/private/$name.key":
+                       ensure => $ssl_ensure,
                        mode   => '0440',
                        group => 'ssl-cert',
                        source => [ "puppet:///modules/ssl/keys/${name}.crt", "puppet:///modules/ssl/from-letsencrypt/${name}.key" ],
@@ -28,7 +35,7 @@ define ssl::service($ensure = present, $tlsaport = 443, $notify = [], $key = fal
                }
        }
 
-       if $tlsaport > 0 {
+       if ($tlsaport > 0 and $ssl_ensure == "present") {
                dnsextras::tlsa_record{ "tlsa-${name}-${tlsaport}":
                        zone     => 'debian.org',
                        certfile => [ "/etc/puppet/modules/ssl/files/servicecerts/${name}.crt", "/etc/puppet/modules/ssl/files/from-letsencrypt/${name}.crt" ],