-rw-r--r--hieradata/nodes/monitor.yaml3
-rw-r--r--hieradata/nodes/svn.yaml3
-rw-r--r--sitemodules/profiles/manifests/base.pp66
-rw-r--r--sitemodules/profiles/templates/base/apt_sources.list.epp2
-rwxr-xr-xsitemodules/profiles/templates/base/update-crls.epp (renamed from sitemodules/profiles/files/base/update-crls)9
5 files changed, 54 insertions, 29 deletions
diff --git a/hieradata/nodes/monitor.yaml b/hieradata/nodes/monitor.yaml
index 068a343..db2a326 100644
--- a/hieradata/nodes/monitor.yaml
+++ b/hieradata/nodes/monitor.yaml
@@ -4,3 +4,6 @@ classes:
profiles::base::admins:
- jandd
- law
+profiles::base::crl_job_enable: true
+profiles::base::crl_job_services:
+ - apache2
diff --git a/hieradata/nodes/svn.yaml b/hieradata/nodes/svn.yaml
index 7a66efe..6d6e107 100644
--- a/hieradata/nodes/svn.yaml
+++ b/hieradata/nodes/svn.yaml
@@ -4,3 +4,6 @@ classes:
profiles::base::admins:
- jandd
- law
+profiles::base::crl_job_enable: true
+profiles::base::crl_job_services:
+ - apache2
diff --git a/sitemodules/profiles/manifests/base.pp b/sitemodules/profiles/manifests/base.pp
index ea3855f..bf2a354 100644
--- a/sitemodules/profiles/manifests/base.pp
+++ b/sitemodules/profiles/manifests/base.pp
@@ -14,6 +14,10 @@
#
# @param rootalias alias that gets emails for root
#
+# @param crl_job_enable whether to setup the hourly CRL update job
+#
+# @param crl_job_services which services to reload after the CRL update
+#
# Examples
# --------
#
@@ -33,9 +37,11 @@
# Copyright 2016-2018 Jan Dittberner
#
class profiles::base (
- Array[String] $admins = [],
- Hash[String, Data] $users = {},
- String $rootalias = "${trusted['certname']}-admin@cacert.org",
+ Array[String] $admins = [],
+ Hash[String, Data] $users = {},
+ String $rootalias = "${trusted['certname']}-admin@cacert.org",
+ Boolean $crl_job_enable = false,
+ Array[String] $crl_job_services = [],
) {
# ensure admin users for this container
$admins.each |String $username| {
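Review bot: `Array[String] $crl_job_services` accepts any string, yet each value is written unquoted into a shell script that cron runs hourly as root (the `service <%= $service %> reload` line in the update-crls.epp template). A Hiera value containing whitespace or shell metacharacters would change the command instead of failing catalog compilation. Narrowing the type lets the compiler reject such values, for example `Array[Pattern[/\A[A-Za-z0-9][A-Za-z0-9@._-]*\z/]] $crl_job_services = [],`. The class body continues outside this hunk.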
@@ -180,31 +186,39 @@ class profiles::base (
recipient => $rootalias,
}
- package { ['ca-certificates', 'ca-cacert']:
- ensure => installed,
- }
+ if ($crl_job_enable) {
+ package { ['ca-certificates', 'ca-cacert']:
+ ensure => installed,
+ }
- file { '/var/local/ssl':
- ensure => directory,
- owner => 'root',
- group => 'root',
- mode => '0755',
- }
+ file { '/var/local/ssl':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ }
- file { '/var/local/ssl/crls':
- ensure => directory,
- owner => 'root',
- group => 'root',
- mode => '0755',
- require => File['/var/local/ssl'],
- }
+ file { '/var/local/ssl/crls':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ require => File['/var/local/ssl'],
+ }
- file { '/etc/cron.hourly/update-crls':
- ensure => file,
- owner => 'root',
- group => 'root',
- mode => '0755',
- source => 'puppet:///modules/profiles/base/update-crls',
- require => [Package['ca-certificates'], Package['ca-cacert'], File['/var/local/ssl/crls']],
+ file { '/etc/cron.hourly/update-crls':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ content => epp(
+ 'profiles/base/update-crls.epp',
+ { 'service' => $crl_job_services }),
+ require => [Package['ca-certificates'], Package['ca-cacert'], File['/var/local/ssl/crls']],
+ }
+ } else {
+ file { '/etc/cron.hourly/update-crls':
+ ensure => absent,
+ }
}
}
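Review bot: The hash passed to `epp()` uses the key `'service'`, but the update-crls.epp template added in this commit declares its parameter as `$services`. EPP validates arguments against the declared parameters, so this call should fail with an unknown `service` and a missing `services`, and the catalog would not compile on nodes that set `crl_job_enable: true`. The line should read `{ 'services' => $crl_job_services }),`. The enclosing class starts outside this hunk.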
diff --git a/sitemodules/profiles/templates/base/apt_sources.list.epp b/sitemodules/profiles/templates/base/apt_sources.list.epp
index ecc8cde..8709862 100644
--- a/sitemodules/profiles/templates/base/apt_sources.list.epp
+++ b/sitemodules/profiles/templates/base/apt_sources.list.epp
@@ -1,4 +1,4 @@
-<%- | String $oscodename = "" |-%>
+<%- | String $oscodename = "" | -%>
# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE
# NEXT PUPPET RUN.
deb http://ftp.nl.debian.org/debian <%= $oscodename %> main
diff --git a/sitemodules/profiles/files/base/update-crls b/sitemodules/profiles/templates/base/update-crls.epp
index 6c1e8d2..65bc7e8 100755
--- a/sitemodules/profiles/files/base/update-crls
+++ b/sitemodules/profiles/templates/base/update-crls.epp
@@ -1,5 +1,9 @@
+<% | Array[String] $services | %>
#!/bin/sh
+# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE
+# NEXT PUPPET RUN.
+
set -e
CRL_PATH='/var/local/ssl/crls/'
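Review bot: The parameter tag `<% | Array[String] $services | %>` has no trim markers, so its trailing newline is rendered and `#!/bin/sh` lands on the second line of `/etc/cron.hourly/update-crls`. The interpreter line is only recognised at the very start of the file, so the hourly CRL refresh may fail to execute or run under whatever fallback the caller applies. Use `<%- | Array[String] $services | -%>`, matching the form this commit applies to apt_sources.list.epp. The rest of the script lies outside this hunk.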
@@ -19,7 +23,8 @@ do
done
c_rehash "$CRL_PATH" 2>/dev/null >&2
-
-service apache2 reload > /dev/null
+<% $services.each |$service| { -%>
+service <%= $service %> reload > /dev/null
+<% } %>
exit 0
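Review bot: The script runs under `set -e`, so the first `service <%= $service %> reload` that fails ends the script and the remaining services in the list are not reloaded. Those daemons keep serving with the previous CRLs until a later run succeeds, which matters more now that the list can hold several entries. Consider recording the failure and continuing, e.g. `service <%= $service %> reload > /dev/null || rc=1` followed by `exit "${rc:-0}"`, so cron still reports the error. The closing tag `<% } %>` also leaves a stray blank line that `<% } -%>` would remove. The loop that ends at `done` starts outside this hunk.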