summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--puppet/modules/x509/.gitrepo11
-rw-r--r--puppet/modules/x509/manifests/base.pp45
-rw-r--r--puppet/modules/x509/manifests/ca.pp34
-rw-r--r--puppet/modules/x509/manifests/cert.pp34
-rw-r--r--puppet/modules/x509/manifests/init.pp2
-rw-r--r--puppet/modules/x509/manifests/key.pp37
-rw-r--r--puppet/modules/x509/manifests/variables.pp7
7 files changed, 170 insertions, 0 deletions
diff --git a/puppet/modules/x509/.gitrepo b/puppet/modules/x509/.gitrepo
new file mode 100644
index 00000000..ed6eb7ac
--- /dev/null
+++ b/puppet/modules/x509/.gitrepo
@@ -0,0 +1,11 @@
+; DO NOT EDIT (unless you know what you are doing)
+;
+; This subdirectory is a git "subrepo", and this file is maintained by the
+; git-subrepo command. See https://github.com/git-commands/git-subrepo#readme
+;
+[subrepo]
+ remote = https://leap.se/git/puppet_x509
+ branch = master
+ commit = 19254a38c1c372ae7912ea9f15500b9b1cbffe81
+ parent = d8ecd5d2f933c40f2413a58e6324558d0e689b6a
+ cmdver = 0.3.0
diff --git a/puppet/modules/x509/manifests/base.pp b/puppet/modules/x509/manifests/base.pp
new file mode 100644
index 00000000..b88cce64
--- /dev/null
+++ b/puppet/modules/x509/manifests/base.pp
@@ -0,0 +1,45 @@
+class x509::base {
+ include x509::variables
+
+ package { [ 'ssl-cert', 'ca-certificates' ]:
+ ensure => installed;
+ }
+
+ group { 'ssl-cert':
+ ensure => present,
+ system => true,
+ require => Package['ssl-cert'];
+ }
+
+ file {
+ $x509::variables::root:
+ ensure => directory,
+ mode => '0755',
+ owner => root,
+ group => root;
+
+ $x509::variables::keys:
+ ensure => directory,
+ mode => '0750',
+ owner => root,
+ group => ssl-cert;
+
+ $x509::variables::certs:
+ ensure => directory,
+ mode => '0755',
+ owner => root,
+ group => root;
+
+ $x509::variables::local_CAs:
+ ensure => directory,
+ mode => '2775',
+ owner => root,
+ group => root;
+ }
+
+ exec { 'update-ca-certificates':
+ command => '/usr/sbin/update-ca-certificates',
+ refreshonly => true,
+ subscribe => File[$x509::variables::local_CAs]
+ }
+}
diff --git a/puppet/modules/x509/manifests/ca.pp b/puppet/modules/x509/manifests/ca.pp
new file mode 100644
index 00000000..0e068cd3
--- /dev/null
+++ b/puppet/modules/x509/manifests/ca.pp
@@ -0,0 +1,34 @@
+define x509::ca (
+ $content = 'absent',
+ $source = 'absent'
+) {
+ include x509::variables
+ include x509::base
+
+ file { "${x509::variables::local_CAs}/${name}.crt" :
+ ensure => file,
+ mode => '0444',
+ group => 'ssl-cert',
+ require => Package['ca-certificates'],
+ notify => Exec['update-ca-certificates'],
+ }
+ case $content {
+ 'absent': {
+ $real_source = $source ? {
+ 'absent' => [
+ "puppet:///modules/site_x509/CAs/${::fqdn}/${name}.crt",
+ "puppet:///modules/site_x509/CAs/${name}.crt"
+ ],
+ default => "puppet:///$source",
+ }
+ File["${x509::variables::local_CAs}/${name}.crt"] {
+ source => $real_source
+ }
+ }
+ default: {
+ File["${x509::variables::local_CAs}/${name}.crt"] {
+ content => $content
+ }
+ }
+ }
+}
diff --git a/puppet/modules/x509/manifests/cert.pp b/puppet/modules/x509/manifests/cert.pp
new file mode 100644
index 00000000..0aafb76d
--- /dev/null
+++ b/puppet/modules/x509/manifests/cert.pp
@@ -0,0 +1,34 @@
+define x509::cert (
+ $content = 'absent',
+ $source = 'absent'
+) {
+ include x509::variables
+ include x509::base
+
+ file { "${x509::variables::certs}/${name}.crt":
+ ensure => file,
+ mode => '0444',
+ group => 'ssl-cert',
+ require => Package['ssl-cert']
+ }
+
+ case $content {
+ 'absent': {
+ $real_source = $source ? {
+ 'absent' => [
+ "puppet:///modules/site_x509/certs/${::fqdn}/${name}.crt",
+ "puppet:///modules/site_x509/certs/${name}.crt"
+ ],
+ default => "puppet:///$source",
+ }
+ File["${x509::variables::certs}/${name}.crt"] {
+ source => $real_source
+ }
+ }
+ default: {
+ File["${x509::variables::certs}/${name}.crt"] {
+ content => $content
+ }
+ }
+ }
+}
diff --git a/puppet/modules/x509/manifests/init.pp b/puppet/modules/x509/manifests/init.pp
new file mode 100644
index 00000000..8283e482
--- /dev/null
+++ b/puppet/modules/x509/manifests/init.pp
@@ -0,0 +1,2 @@
+class x509 {
+}
diff --git a/puppet/modules/x509/manifests/key.pp b/puppet/modules/x509/manifests/key.pp
new file mode 100644
index 00000000..fd7e25fd
--- /dev/null
+++ b/puppet/modules/x509/manifests/key.pp
@@ -0,0 +1,37 @@
+define x509::key (
+ $content = 'absent',
+ $source = 'absent',
+ $owner = 'root',
+ $group = 'ssl-cert'
+) {
+ include x509::variables
+ include x509::base
+
+ file { "${x509::variables::keys}/${name}.key":
+ ensure => file,
+ mode => '0640',
+ owner => $owner,
+ group => $group,
+ require => Package['ssl-cert']
+ }
+
+ case $content {
+ 'absent': {
+ $real_source = $source ? {
+ 'absent' => [
+ "puppet:///modules/site_x509/keys/${::fqdn}/${name}.key",
+ "puppet:///modules/site_x509/keys/${name}.key"
+ ],
+ default => "puppet:///$source",
+ }
+ File["${x509::variables::keys}/${name}.key"] {
+ source => $real_source
+ }
+ }
+ default: {
+ File["${x509::variables::keys}/${name}.key"] {
+ content => $content
+ }
+ }
+ }
+}
diff --git a/puppet/modules/x509/manifests/variables.pp b/puppet/modules/x509/manifests/variables.pp
new file mode 100644
index 00000000..e6bd2359
--- /dev/null
+++ b/puppet/modules/x509/manifests/variables.pp
@@ -0,0 +1,7 @@
+class x509::variables {
+ $root = '/etc/x509'
+ $certs = "${root}/certs"
+ $keys = "${root}/keys"
+ $x509_chain = "${root}/certs"
+ $local_CAs = '/usr/local/share/ca-certificates'
+}