-rw-r--r--hieradata/common.yaml29
-rw-r--r--hieradata/nodes/monitor.yaml29
-rw-r--r--sitemodules/profiles/manifests/icinga2_common.pp29
-rw-r--r--sitemodules/profiles/manifests/icinga2_master.pp19
4 files changed, 59 insertions, 47 deletions
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index b020b14..41fd187 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -143,3 +143,32 @@ profiles::icinga2_agent::pki_api_password: >
T5GP0WQAzU0=]
profiles::icinga2_agent::master_host: monitor.cacert.org
profiles::icinga2_agent::master_ip: 10.0.0.18
+profiles::icinga2_common::ca_certificate: |
+ -----BEGIN CERTIFICATE-----
+ MIIEyjCCArKgAwIBAgIVAMGxGJbZJq/vXMuXAnAC8QvFtvhMMA0GCSqGSIb3DQEB
+ CwUAMBQxEjAQBgNVBAMMCUljaW5nYSBDQTAeFw0xOTA3MTkxODIwNDVaFw0zNDA3
+ MTUxODIwNDVaMBQxEjAQBgNVBAMMCUljaW5nYSBDQTCCAiIwDQYJKoZIhvcNAQEB
+ BQADggIPADCCAgoCggIBAMh+p0jach/6ICsP/o01nku28g0jFB/HSp5n/WZjzykW
+ MvgvYc/1lEaiuIeB93AobGB3EACNw2/Xfh1deRGP8UsIOIjeeUibfk0i4SOmFBRb
+ 0ZmwUeNVygY7rmhO+fwTPi6bb2+AA50RkDP7jTpwaQFxppziTXUqW8mj0LBSLtNL
+ z8dC2YS/JLKSoNyHupQcL+pHVHO5S9QnFWTnhwIbnWSJTG13BOYw/RUz6WcxFDHl
+ Xi/lprjcorBUDsH5YBfy+/2WJ0MZFqRnCPQKb5oilR1/k+9XpmFz8W98KCujjpNm
+ BEantf7OaaYFIxxoWyrGC1RiMnkSQwa9Pcxgwflca5UC1fW0Jx2zsgDscdWp+Xeo
+ lhYtyHa6upgny66SvekjM9mAm6vtlsBplxYZtz6BgqoxXqk0AwAwiU/9nyXGekAp
+ FPMmENBLZvANuA6hdaMJQpOoyHBDOT8teoIJOut92ptk5bVE4gxwcWc1uFCP05nr
+ gA8iTXnabihXbm2Wb8kk/+34wEru5jpwMh1NEH/TvaqPnly/dBHkmEhJquYyoZFS
+ ttKl64XXdy9HGaTaA6b3dQPeZqHbmadRZzcsxjn+zP8Nu8OTZ4HXkAJ2e3nxlRKs
+ 2EaZDJK4SoNBvvkYLScLLYH5X1uC2gs6AHiQDiczQYxMqai5pEnrLHO7B/pE+d/1
+ AgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAGYh
+ pqAK55ei8+S+rXt1wQbejAphJ2GtTft8XjlfVbpk7s7wd/Wt0gLAs4dvPPI1U0k9
+ N6E5WJrn31QbaXHFDwdxFw1ViLxDmepAp+Kp3pQE5bPNjo5e6iwgOGVB20R20ADo
+ foUfk5u6WfGGSJznDkTTdoYdSsHm1d1nsZKt0i2QFnLEIEBOJW4gwY4LiW7ArfYS
+ 21Ji9VLgKxF9We4Y0ppY+7rU8r/aNDrYv0Ghe+IA0+k8KoTGuhBXzxfwUUZ+1+yA
+ JYSmxFzhPJCdwRX3IBn4uTVMRlugntgpmB7m5RyW18MUlAw52Ppe5EtOke1lxxh0
+ G5KYt+pKPnkOVj2LRLvOcAOO47i42q+3P4m2elkPHTrI2JmnTwWNjpkNNc4LeFXs
+ 3HE3SoSvXvImabhBfioqThVMAEEjrtkAQSOFg281vaIgUPbwqcVmbOHv/2Cow0xw
+ gYrp+hB0hhf5rpYi1SMLTKIQUJT6CKnIgN9KHMwcz6Zq4WcshXQxZZrazXomJJ9k
+ WKBpvys1Mfn0Y+phqmCXW7D9Yh1T32pnyOTm8kUonBhIoDEwYN5v175ySw8jjiUD
+ Dlkc/kuv3szLVWx63FvOPc6ra9rmmdwmDaVTd9fGlo/NrquCQOGu59hiACPept+I
+ y+bP1kZ0Z+5qrmlX0zrcLspzXOyY0VX/YZ3unzyp
+ -----END CERTIFICATE-----
diff --git a/hieradata/nodes/monitor.yaml b/hieradata/nodes/monitor.yaml
index 7f95c82..4ac6e59 100644
--- a/hieradata/nodes/monitor.yaml
+++ b/hieradata/nodes/monitor.yaml
@@ -155,35 +155,6 @@ profiles::icinga2_master::ca_key: >
QHfjLm7Vy2L/2vsAqJHmaYwLJbnCO4KbCGzoLFBBE2gz17wYIPIgDbVxjNRu
W1HABIXMJ8IEQJnN9mDYZWjUsutf8FRFsfAPMoAGX5M5tLVrTUQbXUjtpJ6v
RA3cuu7epXa+RGV/NdgBV1k=]
-profiles::icinga2_master::ca_certificate: |
- -----BEGIN CERTIFICATE-----
- MIIEyjCCArKgAwIBAgIVAMGxGJbZJq/vXMuXAnAC8QvFtvhMMA0GCSqGSIb3DQEB
- CwUAMBQxEjAQBgNVBAMMCUljaW5nYSBDQTAeFw0xOTA3MTkxODIwNDVaFw0zNDA3
- MTUxODIwNDVaMBQxEjAQBgNVBAMMCUljaW5nYSBDQTCCAiIwDQYJKoZIhvcNAQEB
- BQADggIPADCCAgoCggIBAMh+p0jach/6ICsP/o01nku28g0jFB/HSp5n/WZjzykW
- MvgvYc/1lEaiuIeB93AobGB3EACNw2/Xfh1deRGP8UsIOIjeeUibfk0i4SOmFBRb
- 0ZmwUeNVygY7rmhO+fwTPi6bb2+AA50RkDP7jTpwaQFxppziTXUqW8mj0LBSLtNL
- z8dC2YS/JLKSoNyHupQcL+pHVHO5S9QnFWTnhwIbnWSJTG13BOYw/RUz6WcxFDHl
- Xi/lprjcorBUDsH5YBfy+/2WJ0MZFqRnCPQKb5oilR1/k+9XpmFz8W98KCujjpNm
- BEantf7OaaYFIxxoWyrGC1RiMnkSQwa9Pcxgwflca5UC1fW0Jx2zsgDscdWp+Xeo
- lhYtyHa6upgny66SvekjM9mAm6vtlsBplxYZtz6BgqoxXqk0AwAwiU/9nyXGekAp
- FPMmENBLZvANuA6hdaMJQpOoyHBDOT8teoIJOut92ptk5bVE4gxwcWc1uFCP05nr
- gA8iTXnabihXbm2Wb8kk/+34wEru5jpwMh1NEH/TvaqPnly/dBHkmEhJquYyoZFS
- ttKl64XXdy9HGaTaA6b3dQPeZqHbmadRZzcsxjn+zP8Nu8OTZ4HXkAJ2e3nxlRKs
- 2EaZDJK4SoNBvvkYLScLLYH5X1uC2gs6AHiQDiczQYxMqai5pEnrLHO7B/pE+d/1
- AgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAGYh
- pqAK55ei8+S+rXt1wQbejAphJ2GtTft8XjlfVbpk7s7wd/Wt0gLAs4dvPPI1U0k9
- N6E5WJrn31QbaXHFDwdxFw1ViLxDmepAp+Kp3pQE5bPNjo5e6iwgOGVB20R20ADo
- foUfk5u6WfGGSJznDkTTdoYdSsHm1d1nsZKt0i2QFnLEIEBOJW4gwY4LiW7ArfYS
- 21Ji9VLgKxF9We4Y0ppY+7rU8r/aNDrYv0Ghe+IA0+k8KoTGuhBXzxfwUUZ+1+yA
- JYSmxFzhPJCdwRX3IBn4uTVMRlugntgpmB7m5RyW18MUlAw52Ppe5EtOke1lxxh0
- G5KYt+pKPnkOVj2LRLvOcAOO47i42q+3P4m2elkPHTrI2JmnTwWNjpkNNc4LeFXs
- 3HE3SoSvXvImabhBfioqThVMAEEjrtkAQSOFg281vaIgUPbwqcVmbOHv/2Cow0xw
- gYrp+hB0hhf5rpYi1SMLTKIQUJT6CKnIgN9KHMwcz6Zq4WcshXQxZZrazXomJJ9k
- WKBpvys1Mfn0Y+phqmCXW7D9Yh1T32pnyOTm8kUonBhIoDEwYN5v175ySw8jjiUD
- Dlkc/kuv3szLVWx63FvOPc6ra9rmmdwmDaVTd9fGlo/NrquCQOGu59hiACPept+I
- y+bP1kZ0Z+5qrmlX0zrcLspzXOyY0VX/YZ3unzyp
- -----END CERTIFICATE-----
profiles::icinga2_master::host_key: >
ENC[PKCS7,MIIOHQYJKoZIhvcNAQcDoIIODjCCDgoCAQAxggEhMIIBHQIBADAFMAACAQEw
DQYJKoZIhvcNAQEBBQAEggEASQymCvxrCeRMnoUhNaP646T/OWnBGMRatfh5
diff --git a/sitemodules/profiles/manifests/icinga2_common.pp b/sitemodules/profiles/manifests/icinga2_common.pp
index c1c9be2..1703d2b 100644
--- a/sitemodules/profiles/manifests/icinga2_common.pp
+++ b/sitemodules/profiles/manifests/icinga2_common.pp
@@ -3,6 +3,19 @@
#
# Common configuration code for Icinga2 agent and master setups.
#
+# This manifest is meant to be included from other manifests.
+#
+# Parameters
+# ----------
+#
+# @param ca_certificate Icinga2 CA certificate content
+#
+# Examples
+# --------
+#
+# @example
+# include profiles::icinga2_common
+#
# Authors
# -------
#
@@ -13,6 +26,7 @@
#
# Copyright 2019 Jan Dittberner
class profiles::icinga2_common (
+ String $ca_certificate,
) {
if $::lsbdistcodename == 'stretch' {
apt::pin { 'icinga2_backports':
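Review bot: The new `$ca_certificate` parameter is typed as a bare `String`, which also accepts an empty or truncated Hiera value; that value would then be written verbatim to `/etc/icinga2/pki/ca.crt` by the resource added later in this class. Tightening the type to `String[1] $ca_certificate,` or to `Pattern[/\A-----BEGIN CERTIFICATE-----/] $ca_certificate,` makes catalog compilation fail instead of deploying an unusable trust anchor. The class body continues outside this hunk.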
@@ -32,4 +46,19 @@ class profiles::icinga2_common (
package { 'icinga2':
ensure => latest,
}
+ file { '/etc/icinga2/pki':
+ ensure => directory,
+ owner => 'nagios',
+ group => 'nagios',
+ mode => '0700',
+ require => Package['icinga2'],
+ }
+ file { '/etc/icinga2/pki/ca.crt':
+ ensure => file,
+ content => $ca_certificate,
+ owner => 'nagios',
+ group => 'nagios',
+ mode => '0644',
+ require => File['/etc/icinga2/pki'],
+ }
}
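Review bot: `/etc/icinga2/pki/ca.crt` is the CA certificate the node trusts, yet both the file and its directory are owned by `nagios`, presumably the account Icinga2 runs as, so the service can replace its own trust anchor between Puppet runs. For the file, `owner => 'root',` with the existing `mode => '0644'` keeps it readable to Icinga2 without being writable by it. The directory could likewise be `root:nagios` with mode `0750`, provided Icinga2 does not need to create files there itself, which this hunk does not show. No service resource is notified here either, so a changed certificate presumably only takes effect at the next restart.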
diff --git a/sitemodules/profiles/manifests/icinga2_master.pp b/sitemodules/profiles/manifests/icinga2_master.pp
index d1c26e7..f1764e0 100644
--- a/sitemodules/profiles/manifests/icinga2_master.pp
+++ b/sitemodules/profiles/manifests/icinga2_master.pp
@@ -17,7 +17,6 @@
# Icinga2 node authentication
# @param api_users Icinga2 API users
# @param ca_key Icinga2 CA private key content
-# @param ca_certificate Icinga2 CA certificate content
# @param host_key Icinga2 host private key content
# @param host_certificate Icinga2 host certificate content
# @param host_csr Icinga2 host certificate signing request
@@ -50,7 +49,6 @@ class profiles::icinga2_master (
String $icinga2_ticket_salt,
Array[Hash[String, Variant[String, Tuple[String, 1]]]] $api_users,
String $ca_key,
- String $ca_certificate,
String $host_key,
String $host_certificate,
String $host_csr,
@@ -243,27 +241,12 @@ class profiles::icinga2_master (
}
file { '/var/lib/icinga2/ca/ca.crt':
ensure => file,
- content => $ca_certificate,
+ content => $::profiles::icinga2_common::ca_certificate,
owner => 'nagios',
group => 'nagios',
mode => '0644',
require => File['/var/lib/icinga2/ca'],
}
- file { '/etc/icinga2/pki':
- ensure => directory,
- owner => 'nagios',
- group => 'nagios',
- mode => '0700',
- require => Package['icinga2'],
- }
- file { '/etc/icinga2/pki/ca.crt':
- ensure => file,
- content => $ca_certificate,
- owner => 'nagios',
- group => 'nagios',
- mode => '0644',
- require => File['/etc/icinga2/pki'],
- }
file { "/etc/icinga2/pki/${facts['fqdn']}.key":
ensure => file,
content => $host_key,
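Review bot: `$::profiles::icinga2_common::ca_certificate` is only defined once `profiles::icinga2_common` has been evaluated, and none of the visible hunks of this file show `profiles::icinga2_master` including it. If that include is missing or comes later, the lookup yields undef (or a compile error under `strict_variables`). The `/etc/icinga2/pki` directory that the host key file below is written into is also now declared only in the common class. Unless it is already present outside these hunks, put `require profiles::icinga2_common` at the top of the class body; the reference can then be written without the leading `::` as `$profiles::icinga2_common::ca_certificate`. The host key file resource continues outside this hunk.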