Diffstat (limited to 'sitemodules/profiles/manifests/x509cert_common.pp')
-rw-r--r-- | sitemodules/profiles/manifests/x509cert_common.pp | 89 |
1 files changed, 89 insertions, 0 deletions
diff --git a/sitemodules/profiles/manifests/x509cert_common.pp b/sitemodules/profiles/manifests/x509cert_common.pp
new file mode 100644
index 0000000..8834bb3
--- /dev/null
+++ b/sitemodules/profiles/manifests/x509cert_common.pp
@@ -0,0 +1,89 @@
+# Class: profiles::x509cert_common
+# ================================
+#
+# This class takes care of installing certificates, their corresponding private
+# keys and CA chains and is meant to be included by other profiles.
+#
+# Parameters
+# ----------
+#
+# @param certificates Hash data structure with certificate names as key and
+# certificate information as value the individual
+# entries are expected to have certificate, private_key
+# and cachain entries with PEM encoded data. Private
+# keys have to be encrypted using eyaml. The cachain
+# entry should contain an array of CA certificate
+# identifiers.
+#
+# Examples
+# --------
+#
+# @example
+# class profiles::myprofile {
+# include profiles::x509cert_common
+# }
+#
+# Authors
+# -------
+#
+# Jan Dittberner <jandd@cacert.org>
+#
+# Copyright
+# ---------
+#
+# Copyright 2020 Jan Dittberner
+
+class profile::x509cert_common (
+ Hash[String, Data] $certificates,
+) {
+ file { '/etc/ssl/public':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ }
+ file { '/etc/ssl/private':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0750',
+ }
+
+ $certificates.each |String $name, Data $cert_info| {
+ file { "/etc/ssl/private/${name}.key.pem":
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ content => $cert_info['private_key'],
+ }
+ file { "/etc/ssl/public/${name}.crt.pem":
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $cert_info['certificate'],
+ }
+
+ $certificate_chain = "/etc/ssl/public/${name}.chain.pem"
+ concat { $certificate_chain:
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ }
+ concat::fragment { "${name}-certificate":
+ order => 10,
+ target => $certificate_chain,
+ content => $cert_info['certificate'],
+ }
+ $cert_info['cacerts'].each |$index, $ca_cert| {
+ $order = 11 + $index,
+ concat::fragment { "${name}-${ca_cert}":
+ order => $order,
+ target => $certificate_chain,
+ source => "puppet:///modules/profiles/base/cacert_${ca_cert}.crt",
+ }
+ }
+ }
+} |
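Review bot: The class is declared as `profile::x509cert_common` although the file lives under `sitemodules/profiles/manifests/` and the header comment and `@example` both name it `profiles::x509cert_common`, so including it under the documented name will load this file and then fail because the class name does not match; the declaration should read `class profiles::x509cert_common (`. The `@param` text documents a `cachain` entry while the loop reads `$cert_info['cacerts']`, so one of the two needs renaming. The private key resource sets `content => $cert_info['private_key']` without `show_diff => false` or a `Sensitive` wrapper, so any change to a key would be written into the agent's diff output and report; add `show_diff => false,` to that `file` resource. `$order = 11 + $index,` ends with a comma, which I believe the Puppet parser rejects; drop it. Since `$name` is interpolated directly into paths under `/etc/ssl`, a stricter key type such as `Hash[Pattern[/\A[\w.-]+\z/], Data]` would keep a mistyped key containing a slash from placing files outside those directories.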