authorJan Dittberner <jandd@cacert.org>2020-06-06 01:41:03 +0200
committerJan Dittberner <jandd@cacert.org>2020-06-06 01:41:03 +0200
commitcb19b060bccb57b1e7f04b90a9a35536ec9716ca (patch)
tree4190d1cb0ae06e15853817cb15aa0e5df8ebf89b /sitemodules/profiles/manifests/x509cert_common.pp
parent19ecbdef27eb489a43e892ab7ba8c5d3615399f4 (diff)
Add new profile x509cert_common
This commit adds a new profile that takes care of placing X.509 server certificates, their private keys and their CA chains at a common location. The hiera data for the email host has been adapted to this new profile, which will be used by a new profile for managing nginx-based reverse proxies.
Diffstat (limited to 'sitemodules/profiles/manifests/x509cert_common.pp')
-rw-r--r--sitemodules/profiles/manifests/x509cert_common.pp89
1 files changed, 89 insertions, 0 deletions
diff --git a/sitemodules/profiles/manifests/x509cert_common.pp b/sitemodules/profiles/manifests/x509cert_common.pp
new file mode 100644
index 0000000..8834bb3
--- /dev/null
+++ b/sitemodules/profiles/manifests/x509cert_common.pp
@@ -0,0 +1,89 @@
+# Class: profiles::x509cert_common
+# ================================
+#
+# This class takes care of installing certificates, their corresponding private
+# keys and CA chains and is meant to be included by other profiles.
+#
+# Parameters
+# ----------
+#
+# @param certificates Hash data structure with certificate names as key and
+# certificate information as value the individual
+# entries are expected to have certificate, private_key
+# and cachain entries with PEM encoded data. Private
+# keys have to be encrypted using eyaml. The cachain
+# entry should contain an array of CA certificate
+# identifiers.
+#
+# Examples
+# --------
+#
+# @example
+# class profiles::myprofile {
+# include profiles::x509cert_common
+# }
+#
+# Authors
+# -------
+#
+# Jan Dittberner <jandd@cacert.org>
+#
+# Copyright
+# ---------
+#
+# Copyright 2020 Jan Dittberner
+
+class profile::x509cert_common (
+ Hash[String, Data] $certificates,
+) {
+ file { '/etc/ssl/public':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ }
+ file { '/etc/ssl/private':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0750',
+ }
+
+ $certificates.each |String $name, Data $cert_info| {
+ file { "/etc/ssl/private/${name}.key.pem":
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ content => $cert_info['private_key'],
+ }
+ file { "/etc/ssl/public/${name}.crt.pem":
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $cert_info['certificate'],
+ }
+
+ $certificate_chain = "/etc/ssl/public/${name}.chain.pem"
+ concat { $certificate_chain:
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ }
+ concat::fragment { "${name}-certificate":
+ order => 10,
+ target => $certificate_chain,
+ content => $cert_info['certificate'],
+ }
+ $cert_info['cacerts'].each |$index, $ca_cert| {
+ $order = 11 + $index,
+ concat::fragment { "${name}-${ca_cert}":
+ order => $order,
+ target => $certificate_chain,
+ source => "puppet:///modules/profiles/base/cacert_${ca_cert}.crt",
+ }
+ }
+ }
+}
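Review bot: The class is declared as `profile::x509cert_common` but the file lives at `sitemodules/profiles/manifests/x509cert_common.pp` and the header plus the `@example` refer to `profiles::x509cert_common`, so the autoloader will not find it under that name and the automatic hiera lookup key for `$certificates` becomes `profile::x509cert_common::certificates` rather than the `profiles::` key the commit message implies; the declaration line should read `class profiles::x509cert_common (`. The trailing comma in `$order = 11 + $index,` inside the inner `each` is a syntax error in Puppet and should be `$order = 11 + $index`. The header documents a `cachain` entry while the loop reads `$cert_info['cacerts']`; one of the two should be renamed so callers know which key the class actually consumes. Since `content` of the `.key.pem` resource is private key material, add `show_diff => false,` to that `file` resource so the key never appears in agent reports or logs when the content changes, and consider constraining the `ca_cert` identifiers (e.g. `Pattern[/\A[\w-]+\z/]`) since they are interpolated into a `puppet:///` source path.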