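# Class: profiles::x509cert_common
# ================================
#
# This class takes care of installing certificates, their corresponding private
# keys and CA chains and is meant to be included by other profiles.
#
# Certificates are written to /etc/ssl/public (world-readable) and private keys
# to /etc/ssl/private (traversable only by root and the ssl-cert group). For
# every certificate a chain bundle /etc/ssl/public/<name>.chain.pem is assembled
# from the certificate followed by the CA certificates listed in its cacerts
# entry. When an entry also has a client_ca_certificates list, those CA
# certificates are assembled into a separate bundle
# /etc/ssl/public/<name>_client_cas.pem.
#
# Parameters
# ----------
#
# @param certificates    Hash data structure with certificate names as key and
#                        certificate information as value. The individual
#                        entries are expected to have certificate, private_key
#                        and cacerts entries and may have an optional
#                        client_ca_certificates entry. The certificate and
#                        private_key entries hold PEM encoded data; private keys
#                        have to be encrypted using eyaml. The cacerts entry
#                        should contain an array of CA certificate identifiers
#                        that are appended, in order, to the certificate's
#                        chain file. The client_ca_certificates entry should
#                        contain an array of CA certificate identifiers that
#                        are written to the separate client CA bundle. An
#                        identifier <id> is resolved to the module file
#                        puppet:///modules/profiles/base/cacert_<id>.crt.
#                        The optional key_owner, key_group and key_mode entries
#                        can be used to override the defaults of 'root',
#                        'ssl-cert', '0640' for the private key file ownership
#                        and permissions.
#
# Examples
# --------
#
# @example
#   class profiles::myprofile {
#     include profiles::x509cert_common
#   }
#
# Authors
# -------
#
# Jan Dittberner <jandd@cacert.org>
#
# Copyright
# ---------
#
# Copyright 2020-2021 Jan Dittberner
class profiles::x509cert_common (
  Hash[String, Data] $certificates,
) {
  # Membership in this group is what grants read access to the private keys.
  group { 'ssl-cert':
    ensure => present,
    system => true,
  }
  file { '/etc/ssl/public':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }
  # 0710: only root and members of ssl-cert may traverse the key directory;
  # together with the 0640 default on the key files this keeps keys readable
  # by root and the ssl-cert group only.
  file { '/etc/ssl/private':
    ensure => directory,
    owner  => 'root',
    group  => 'ssl-cert',
    mode   => '0710',
  }

  $certificates.each |String $name, Data $cert_info| {
    file { "/etc/ssl/private/${name}.key.pem":
      ensure    => file,
      owner     => pick($cert_info['key_owner'], 'root'),
      group     => pick($cert_info['key_group'], 'ssl-cert'),
      mode      => pick($cert_info['key_mode'], '0640'),
      content   => $cert_info['private_key'],
      # Key material must not end up in agent logs or reports as a diff, nor
      # be retained in the filebucket when a key is rotated.
      show_diff => false,
      backup    => false,
    }
    file { "/etc/ssl/public/${name}.crt.pem":
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      content => $cert_info['certificate'],
    }

    # Fragment orders are integers; numeric ordering keeps the chain in list
    # order even past index 89, where alphabetic sorting would put "100"
    # before "11".
    $certificate_chain = "/etc/ssl/public/${name}.chain.pem"
    concat { $certificate_chain:
      ensure => present,
      owner  => 'root',
      group  => 'root',
      mode   => '0644',
      order  => 'numeric',
    }
    # The end-entity certificate always comes first (order 10); CA
    # certificates follow from order 11 in the order they are listed.
    concat::fragment { "${name}-certificate":
      order   => 10,
      target  => $certificate_chain,
      content => $cert_info['certificate'],
    }
    # cacerts is a required entry: a missing list fails catalog compilation
    # here rather than silently producing a chain without its CA
    # certificates.
    $cert_info['cacerts'].each |$index, $ca_cert| {
      concat::fragment { "${name}-${ca_cert}":
        order  => 11 + $index,
        target => $certificate_chain,
        source => "puppet:///modules/profiles/base/cacert_${ca_cert}.crt",
      }
    }

    # The client CA bundle is optional and holds only CA certificates, so its
    # fragments start at order 10.
    if 'client_ca_certificates' in $cert_info {
      $client_ca_certificates = "/etc/ssl/public/${name}_client_cas.pem"
      concat { $client_ca_certificates:
        ensure => present,
        owner  => 'root',
        group  => 'root',
        mode   => '0644',
        order  => 'numeric',
      }
      $cert_info['client_ca_certificates'].each |$index, $ca_cert| {
        concat::fragment { "${name}-client-${ca_cert}":
          order  => 10 + $index,
          target => $client_ca_certificates,
          source => "puppet:///modules/profiles/base/cacert_${ca_cert}.crt",
        }
      }
    }
  }
}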