-rw-r--r-- | hieradata/nodes/monitor.yaml | 3 | ||||
-rw-r--r-- | hieradata/nodes/svn.yaml | 3 | ||||
-rw-r--r-- | sitemodules/profiles/manifests/base.pp | 66 | ||||
-rw-r--r-- | sitemodules/profiles/templates/base/apt_sources.list.epp | 2 | ||||
-rwxr-xr-x | sitemodules/profiles/templates/base/update-crls.epp (renamed from sitemodules/profiles/files/base/update-crls) | 9 |
5 files changed, 54 insertions, 29 deletions
diff --git a/hieradata/nodes/monitor.yaml b/hieradata/nodes/monitor.yaml index 068a343..db2a326 100644 --- a/hieradata/nodes/monitor.yaml +++ b/hieradata/nodes/monitor.yaml @@ -4,3 +4,6 @@ classes: profiles::base::admins: - jandd - law +profiles::base::crl_job_enable: true +profiles::base::crl_job_services: + - apache2 diff --git a/hieradata/nodes/svn.yaml b/hieradata/nodes/svn.yaml index 7a66efe..6d6e107 100644 --- a/hieradata/nodes/svn.yaml +++ b/hieradata/nodes/svn.yaml @@ -4,3 +4,6 @@ classes: profiles::base::admins: - jandd - law +profiles::base::crl_job_enable: true +profiles::base::crl_job_services: + - apache2 diff --git a/sitemodules/profiles/manifests/base.pp b/sitemodules/profiles/manifests/base.pp index ea3855f..bf2a354 100644 --- a/sitemodules/profiles/manifests/base.pp +++ b/sitemodules/profiles/manifests/base.pp @@ -14,6 +14,10 @@ # # @param rootalias alias that gets emails for root # +# @param crl_job_enable whether to setup the hourly CRL update job +# +# @param crl_job_services which services to reload after the CRL update +# # Examples # -------- # @@ -33,9 +37,11 @@ # Copyright 2016-2018 Jan Dittberner # class profiles::base ( - Array[String] $admins = [], - Hash[String, Data] $users = {}, - String $rootalias = "${trusted['certname']}-admin@cacert.org", + Array[String] $admins = [], + Hash[String, Data] $users = {}, + String $rootalias = "${trusted['certname']}-admin@cacert.org", + Boolean $crl_job_enable = false, + Array[String] $crl_job_services = [], ) { # ensure admin users for this container $admins.each |String $username| { 
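Review bot: `Array[String] $crl_job_services` in the class parameter list accepts any string, and the update-crls.epp template in this commit writes each element unquoted into `service <%= $service %> reload` in a root-owned script installed under /etc/cron.hourly. A Hiera value containing whitespace or shell metacharacters would therefore change what that script executes. Constraining the type, for example `Array[Pattern[/\A[A-Za-z0-9][A-Za-z0-9@._-]*\z/]] $crl_job_services = [],`, makes a bad value fail at catalog compilation instead. The `@param crl_job_services` line could also state that entries must be plain service names. The class body continues outside this hunk.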
@@ -180,31 +186,39 @@ class profiles::base ( recipient => $rootalias, } - package { ['ca-certificates', 'ca-cacert']: - ensure => installed, - } + if ($crl_job_enable) { + package { ['ca-certificates', 'ca-cacert']: + ensure => installed, + } - file { '/var/local/ssl': - ensure => directory, - owner => 'root', - group => 'root', - mode => '0755', - } + file { '/var/local/ssl': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0755', + } - file { '/var/local/ssl/crls': - ensure => directory, - owner => 'root', - group => 'root', - mode => '0755', - require => File['/var/local/ssl'], - } + file { '/var/local/ssl/crls': + ensure => directory, + owner => 'root', + group => 'root', + mode => '0755', + require => File['/var/local/ssl'], + } - file { '/etc/cron.hourly/update-crls': - ensure => file, - owner => 'root', - group => 'root', - mode => '0755', - source => 'puppet:///modules/profiles/base/update-crls', - require => [Package['ca-certificates'], Package['ca-cacert'], File['/var/local/ssl/crls']], + file { '/etc/cron.hourly/update-crls': + ensure => file, + owner => 'root', + group => 'root', + mode => '0755', + content => epp( + 'profiles/base/update-crls.epp', + { 'service' => $crl_job_services }), + require => [Package['ca-certificates'], Package['ca-cacert'], File['/var/local/ssl/crls']], + } + } else { + file { '/etc/cron.hourly/update-crls': + ensure => absent, + } } } diff --git a/sitemodules/profiles/templates/base/apt_sources.list.epp b/sitemodules/profiles/templates/base/apt_sources.list.epp index ecc8cde..8709862 100644 --- a/sitemodules/profiles/templates/base/apt_sources.list.epp +++ b/sitemodules/profiles/templates/base/apt_sources.list.epp @@ -1,4 +1,4 @@ -<%- | String $oscodename = "" |-%> +<%- | String $oscodename = "" | -%> # THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE # NEXT PUPPET RUN. deb http://ftp.nl.debian.org/debian <%= $oscodename %> main 
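Review bot: The `epp()` call for `/etc/cron.hourly/update-crls` passes the hash key `'service'`, but the template added in this commit declares its parameter as `$services`, so rendering should fail with a parameter error on every node that sets `crl_job_enable: true`; the argument should read `{ 'services' => $crl_job_services }),`. Separately, `ca-certificates`, `ca-cacert` and `/var/local/ssl/crls` are now managed only inside the `if`, and the `else` branch removes the cron script but leaves any previously downloaded CRLs in place. A node where the job is switched off could keep using stale revocation data if a service still points at that directory, so a comment stating the intended behaviour would help. The class starts outside this hunk.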
diff --git a/sitemodules/profiles/files/base/update-crls b/sitemodules/profiles/templates/base/update-crls.epp index 6c1e8d2..65bc7e8 100755 --- a/sitemodules/profiles/files/base/update-crls +++ b/sitemodules/profiles/templates/base/update-crls.epp @@ -1,5 +1,9 @@ +<% | Array[String] $services | %> #!/bin/sh +# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE +# NEXT PUPPET RUN. + set -e CRL_PATH='/var/local/ssl/crls/' @@ -19,7 +23,8 @@ do done c_rehash "$CRL_PATH" 2>/dev/null >&2 - -service apache2 reload > /dev/null +<% $services.each |$service| { -%> +service <%= $service %> reload > /dev/null +<% } %> exit 0 |
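Review bot: The parameter tag `<% | Array[String] $services | %>` on the first line has no trim markers, so the rendered script presumably begins with an empty line and `#!/bin/sh` lands on line 2, where it is no longer treated as an interpreter line. Depending on how run-parts executes the file, the hourly job may then fail to start, which would leave CRLs stale with no visible change on the host. Use `<%- | Array[String] $services | -%>`, as apt_sources.list.epp in this commit does. The script body between the two hunks is not shown.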
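Review bot: With `set -e` active (visible in the first hunk of this file), the first `service <%= $service %> reload` that returns non-zero ends the script, so later services in the list are not reloaded and keep using the old CRL hashes. If that is not intended, handle the failure per service, for example `service <%= $service %> reload > /dev/null || echo "reload of <%= $service %> failed" >&2`, so cron still reports it. The closing `<% } %>` also lacks `-%>`, which only adds a blank line to the output.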