diff options
author | Micah Anderson <micah@riseup.net> | 2013-02-19 15:18:30 -0500 |
---|---|---|
committer | Micah Anderson <micah@riseup.net> | 2013-02-19 15:18:30 -0500 |
commit | 4dcc5f884cd22d0673f6493799ace2f03a9e66fe (patch) | |
tree | 3f3f5c217c40f3037c1b2a9cd8da3fe91fdd8389 /puppet/modules/site_openvpn/manifests/keys.pp | |
parent | 253b765620961bbc9d96e8f3653b0b9693d29811 (diff) | |
parent | 2e5eec3856b58aaff0a2049599a6455e6ff91122 (diff) |
Merge remote-tracking branch 'origin/release/v0.2.0'0.2.0
Diffstat (limited to 'puppet/modules/site_openvpn/manifests/keys.pp')
-rw-r--r-- | puppet/modules/site_openvpn/manifests/keys.pp | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp new file mode 100644 index 00000000..f3c5b423 --- /dev/null +++ b/puppet/modules/site_openvpn/manifests/keys.pp @@ -0,0 +1,51 @@ +class site_openvpn::keys { + + x509::key { + 'leap_openvpn': + content => $site_openvpn::x509_config['key'], + notify => Service[openvpn]; + } + + x509::cert { + 'leap_openvpn': + content => $site_openvpn::x509_config['cert'], + notify => Service[openvpn]; + } + + x509::ca { + 'leap_ca': + content => $site_openvpn::x509_config['ca_cert'], + notify => Service[openvpn]; + } + + file { '/etc/openvpn/keys/dh.pem': + content => $site_openvpn::x509_config['dh'], + mode => '0644', + } + + # + # CA bundle -- we want to have the possibility of allowing multiple CAs. + # For now, the reason is to transition to using client CA. In the future, + # we will want to be able to smoothly phase out one CA and phase in another. + # I tried "--capath" for this, but it did not work. + # + + concat { + '/etc/openvpn/ca_bundle.pem': + owner => root, + group => root, + mode => 644, + warn => true, + notify => Service['openvpn']; + } + + concat::fragment { + 'client_ca_cert': + content => $site_openvpn::x509_config['client_ca_cert'], + target => '/etc/openvpn/ca_bundle.pem'; + 'ca_cert': + content => $site_openvpn::x509_config['ca_cert'], + target => '/etc/openvpn/ca_bundle.pem'; + } + +} |