# Class: profiles::x509cert_common
# ================================
#
# This class takes care of installing certificates, their corresponding private
# keys and CA chains and is meant to be included by other profiles.
#
# Parameters
# ----------
#
# @param certificates Hash data structure with certificate names as keys and
# certificate information as values. The individual
# entries are expected to have certificate, private_key
# and cachain entries with PEM encoded data. Private
# keys have to be encrypted using eyaml. The cachain
# entry should contain an array of CA certificate
# identifiers.
#
# Examples
# --------
#
# @example
# class profiles::myprofile {
# include profiles::x509cert_common
# }
#
# Authors
# -------
#
# Jan Dittberner <jandd@cacert.org>
#
# Copyright
# ---------
#
# Copyright 2020 Jan Dittberner
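class profile::x509cert_common (
  Hash[String, Data] $certificates,
) {
  # NOTE(review): the header comment and its example refer to
  # profiles::x509cert_common and to a 'cachain' entry, while this class is
  # declared as profile::x509cert_common and reads a 'cacerts' entry below.
  # Confirm which naming is intended; callers must use the names in the code.
  #
  # Per-entry layout read below (values are not validated beyond what
  # Hash access enforces):
  #   'certificate' - PEM leaf certificate (String)
  #   'private_key' - PEM private key (String; eyaml-encrypted in hiera, so it
  #                   is plaintext once the catalog is compiled)
  #   'cacerts'     - Array of CA identifiers; each one is looked up as
  #                   puppet:///modules/profiles/base/cacert_<id>.crt

  file { '/etc/ssl/public':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  # Not world-readable: key files below are root:root 0640, so a service that
  # needs a key must run as root or be granted access some other way.
  file { '/etc/ssl/private':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0750',
  }

  $certificates.each |String $name, Data $cert_info| {
    # show_diff => false keeps the key material out of agent reports/logs
    # when the content changes; the file content itself is unchanged.
    file { "/etc/ssl/private/${name}.key.pem":
      ensure    => file,
      owner     => 'root',
      group     => 'root',
      mode      => '0640',
      content   => $cert_info['private_key'],
      show_diff => false,
    }

    file { "/etc/ssl/public/${name}.crt.pem":
      ensure  => file,
      owner   => 'root',
      group   => 'root',
      mode    => '0644',
      content => $cert_info['certificate'],
    }

    # Chain file: leaf certificate first (order 10), then the CA certificates
    # in the order they are listed under 'cacerts' (orders 11, 12, ...).
    $certificate_chain = "/etc/ssl/public/${name}.chain.pem"

    concat { $certificate_chain:
      ensure => present,
      owner  => 'root',
      group  => 'root',
      mode   => '0644',
    }

    concat::fragment { "${name}-certificate":
      order   => 10,
      target  => $certificate_chain,
      content => $cert_info['certificate'],
    }

    $cert_info['cacerts'].each |$index, $ca_cert| {
      # Plain assignment: a trailing comma here is a parse error in Puppet.
      $order = 11 + $index
      concat::fragment { "${name}-${ca_cert}":
        order  => $order,
        target => $certificate_chain,
        source => "puppet:///modules/profiles/base/cacert_${ca_cert}.crt",
      }
    }
  }
}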