author | Jan Dittberner <jandd@cacert.org> | 2018-04-15 12:29:28 +0200 |
---|---|---|
committer | Jan Dittberner <jandd@cacert.org> | 2018-04-15 12:29:28 +0200 |
commit | 1486b793d25f8ff536b04541226c2c1afbef143c (patch) | |
tree | 9929253ec270fabb2c2ff4a555a73cfc2d7e0829 | |
parent | 0895ed3353006b5909e6ec78079b6d1ac0dd59b3 (diff) | |
download | cacert-puppet-1486b793d25f8ff536b04541226c2c1afbef143c.tar.gz cacert-puppet-1486b793d25f8ff536b04541226c2c1afbef143c.tar.xz cacert-puppet-1486b793d25f8ff536b04541226c2c1afbef143c.zip |
Only setup CRL cron job if needed
The CRL job is only needed if client certificates have to be verified. This
commit adds parameters to the base profile to take care of conditional
installation of the update-crls job and customizes the job based on a
configurable list of services that need to be reloaded after CRL updates.
-rw-r--r-- | hieradata/nodes/monitor.yaml | 3 | ||||
-rw-r--r-- | hieradata/nodes/svn.yaml | 3 | ||||
-rw-r--r-- | sitemodules/profiles/manifests/base.pp | 66 | ||||
-rw-r--r-- | sitemodules/profiles/templates/base/apt_sources.list.epp | 2 | ||||
-rwxr-xr-x | sitemodules/profiles/templates/base/update-crls.epp (renamed from sitemodules/profiles/files/base/update-crls) | 9 |
5 files changed, 54 insertions, 29 deletions
diff --git a/hieradata/nodes/monitor.yaml b/hieradata/nodes/monitor.yaml index 068a343..db2a326 100644 --- a/hieradata/nodes/monitor.yaml +++ b/hieradata/nodes/monitor.yaml @@ -4,3 +4,6 @@ classes: profiles::base::admins: - jandd - law +profiles::base::crl_job_enable: true +profiles::base::crl_job_services: + - apache2 diff --git a/hieradata/nodes/svn.yaml b/hieradata/nodes/svn.yaml index 7a66efe..6d6e107 100644 --- a/hieradata/nodes/svn.yaml +++ b/hieradata/nodes/svn.yaml @@ -4,3 +4,6 @@ classes: profiles::base::admins: - jandd - law +profiles::base::crl_job_enable: true +profiles::base::crl_job_services: + - apache2 diff --git a/sitemodules/profiles/manifests/base.pp b/sitemodules/profiles/manifests/base.pp index ea3855f..bf2a354 100644 --- a/sitemodules/profiles/manifests/base.pp +++ b/sitemodules/profiles/manifests/base.pp @@ -14,6 +14,10 @@ # # @param rootalias alias that gets emails for root # +# @param crl_job_enable whether to setup the hourly CRL update job +# +# @param crl_job_services which services to reload after the CRL update +# # Examples # -------- # @@ -33,9 +37,11 @@ # Copyright 2016-2018 Jan Dittberner # class profiles::base ( - Array[String] $admins = [], - Hash[String, Data] $users = {}, - String $rootalias = "${trusted['certname']}-admin@cacert.org", + Array[String] $admins = [], + Hash[String, Data] $users = {}, + String $rootalias = "${trusted['certname']}-admin@cacert.org", + Boolean $crl_job_enable = false, + Array[String] $crl_job_services = [], ) { # ensure admin users for this container $admins.each |String $username| { 
@@ -180,31 +186,39 @@ class profiles::base (
 recipient => $rootalias,
 }
- package { ['ca-certificates', 'ca-cacert']:
- ensure => installed,
- }
+ if ($crl_job_enable) {
+ package { ['ca-certificates', 'ca-cacert']:
+ ensure => installed,
+ }
- file { '/var/local/ssl':
- ensure => directory,
- owner => 'root',
- group => 'root',
- mode => '0755',
- }
+ file { '/var/local/ssl':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ }
- file { '/var/local/ssl/crls':
- ensure => directory,
- owner => 'root',
- group => 'root',
- mode => '0755',
- require => File['/var/local/ssl'],
- }
+ file { '/var/local/ssl/crls':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ require => File['/var/local/ssl'],
+ }
- file { '/etc/cron.hourly/update-crls':
- ensure => file,
- owner => 'root',
- group => 'root',
- mode => '0755',
- source => 'puppet:///modules/profiles/base/update-crls',
- require => [Package['ca-certificates'], Package['ca-cacert'], File['/var/local/ssl/crls']],
+ file { '/etc/cron.hourly/update-crls':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ content => epp(
+ 'profiles/base/update-crls.epp',
+ { 'service' => $crl_job_services }),
+ require => [Package['ca-certificates'], Package['ca-cacert'], File['/var/local/ssl/crls']],
+ }
+ } else {
+ file { '/etc/cron.hourly/update-crls':
+ ensure => absent,
+ }
 }
 }
diff --git a/sitemodules/profiles/templates/base/apt_sources.list.epp b/sitemodules/profiles/templates/base/apt_sources.list.epp
index ecc8cde..8709862 100644
--- a/sitemodules/profiles/templates/base/apt_sources.list.epp
+++ b/sitemodules/profiles/templates/base/apt_sources.list.epp
@@ -1,4 +1,4 @@
-<%- | String $oscodename = "" |-%>
+<%- | String $oscodename = "" | -%>
 # THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE
 # NEXT PUPPET RUN.
 deb http://ftp.nl.debian.org/debian <%= $oscodename %> main
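Review bot: The parameter hash in the new `content => epp(...)` call uses the key `'service'` while the template header in update-crls.epp declares `Array[String] $services`; with declared EPP parameters an unknown key and a missing required parameter both fail catalog compilation, so the nodes that set `profiles::base::crl_job_enable: true` in this commit (monitor, svn) would not compile until the key reads `{ 'services' => $crl_job_services }`. Moving `package { ['ca-certificates', 'ca-cacert']: ... }` under `if ($crl_job_enable)` is wider than the commit message describes: hosts without the job no longer have the CA bundle ensured at all, so the package resource should probably stay unconditional and only the `/var/local/ssl` directories and the cron file be guarded. The `else` branch removes only the cron script, so `/var/local/ssl/crls` and any CRLs already in it stay behind; if that is intended, a short comment on the branch would save the next reader the question. Since each name in `$crl_job_services` is interpolated verbatim into a shell script by the template, a stricter type in the class signature hunk, e.g. `Array[Pattern[/\A[A-Za-z0-9_.@-]+\z/]] $crl_job_services = [],`, would reject values that are not plain service names. The class body continues before and after this hunk.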
diff --git a/sitemodules/profiles/files/base/update-crls b/sitemodules/profiles/templates/base/update-crls.epp
index 6c1e8d2..65bc7e8 100755
--- a/sitemodules/profiles/files/base/update-crls
+++ b/sitemodules/profiles/templates/base/update-crls.epp
@@ -1,5 +1,9 @@
+<% | Array[String] $services | %>
 #!/bin/sh
+# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE
+# NEXT PUPPET RUN.
+
 set -e
 CRL_PATH='/var/local/ssl/crls/'
@@ -19,7 +23,8 @@ do
 done
 c_rehash "$CRL_PATH" 2>/dev/null >&2
-
-service apache2 reload > /dev/null
+<% $services.each |$service| { -%>
+service <%= $service %> reload > /dev/null
+<% } %>
 exit 0
|
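Review bot: The parameter tag `<% | Array[String] $services | %>` in the first hunk is not right-trimmed, so unless EPP discards the newline after an untrimmed `%>` the rendered script starts with an empty line and `#!/bin/sh` is no longer line 1, which run-parts would not execute as a script; the sibling template apt_sources.list.epp touched in this same commit uses `<%- | ... | -%>`, so `<%- | Array[String] $services | -%>` would keep the two consistent and keep the interpreter line first. In the second hunk, with `set -e` still in effect a failing `service <%= $service %> reload` aborts the loop, so services later in the list are never reloaded and the hourly job exits non-zero; if that is the intended fail-fast behaviour, a comment such as `# set -e: a failed reload stops the remaining reloads on purpose` above the loop would make it explicit. The loop interpolates each service name verbatim into a shell command with no quoting, so the manifest side has to guarantee the values are plain service names. The download loop whose `done` opens the second hunk starts outside it.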