summaryrefslogtreecommitdiff
path: root/sitemodules/profiles/manifests/x509cert_common.pp
blob: 380b5053e5a54e30747bb72e8483ae662956ba1c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
# Class: profiles::x509cert_common
# ================================
#
# This class takes care of installing certificates, their corresponding private
# keys and CA chains and is meant to be included by other profiles.
#
# Parameters
# ----------
#
# @param certificates    Hash data structure with certificate names as key and
#                        certificate information as value the individual
#                        entries are expected to have certificate, private_key
#                        and cachain and client_ca_certificates entries with
#                        PEM encoded data. Private keys have to be encrypted
#                        using eyaml. The cachain entry should contain an array
#                        of CA certificate identifiers. The
#                        client_ca_certificates entry should contain an array
#                        of CA certificate identifiers.
#                        The optional key_owner, key_group and key_mode entries
#                        can be used to override the defaults of 'root',
#                        'root', '0640' for the private key file ownership and
#                        permissions.
#
# Examples
# --------
#
# @example
#   class profiles::myprofile {
#     include profiles::x509cert_common
#   }
#
# Authors
# -------
#
# Jan Dittberner <jandd@cacert.org>
#
# Copyright
# ---------
#
# Copyright 2020-2021 Jan Dittberner
class profiles::x509cert_common (
  Hash[String, Data] $certificates,
) {
  file { '/etc/ssl/public':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }
  file { '/etc/ssl/private':
    ensure => directory,
    owner  => 'root',
    group  => 'ssl-cert',
    mode   => '0710',
  }

  $certificates.each |String $name, Data $cert_info| {
    file { "/etc/ssl/private/${name}.key.pem":
      ensure  => file,
      owner   => pick($cert_info['key_owner'], 'root'),
      group   => pick($cert_info['key_group'], 'root'),
      mode    => pick($cert_info['key_mode'], '0640'),
      content => $cert_info['private_key'],
    }
    file { "/etc/ssl/public/${name}.crt.pem":
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      content => $cert_info['certificate'],
    }

    $certificate_chain = "/etc/ssl/public/${name}.chain.pem"
    concat { $certificate_chain:
      ensure => present,
      owner  => 'root',
      group  => 'root',
      mode   => '0644',
    }
    concat::fragment { "${name}-certificate":
      order   => 10,
      target  => $certificate_chain,
      content => $cert_info['certificate'],
    }
    $cert_info['cacerts'].each |$index, $ca_cert| {
      $order = 11 + $index
      concat::fragment { "${name}-${ca_cert}":
        order  => $order,
        target => $certificate_chain,
        source => "puppet:///modules/profiles/base/cacert_${ca_cert}.crt",
      }
    }

    if 'client_ca_certificates' in $cert_info {
      $client_ca_certificates = "/etc/ssl/public/${name}_client_cas.pem"
      concat { $client_ca_certificates:
        ensure => present,
        owner  => 'root',
        group  => 'root',
        mode   => '0644',
      }
      $cert_info['client_ca_certificates'].each |$index, $ca_cert| {
        $order = 10 + $index
        concat::fragment { "${name}-client-${ca_cert}":
          order  => $order,
          target => $client_ca_certificates,
          source => "puppet:///modules/profiles/base/cacert_${ca_cert}.crt",
        }
      }
    }
  }
}