-rw-r--r-- | puppet/modules/x509/.gitrepo | 11 | ||||
-rw-r--r-- | puppet/modules/x509/manifests/base.pp | 45 | ||||
-rw-r--r-- | puppet/modules/x509/manifests/ca.pp | 34 | ||||
-rw-r--r-- | puppet/modules/x509/manifests/cert.pp | 34 | ||||
-rw-r--r-- | puppet/modules/x509/manifests/init.pp | 2 | ||||
-rw-r--r-- | puppet/modules/x509/manifests/key.pp | 37 | ||||
-rw-r--r-- | puppet/modules/x509/manifests/variables.pp | 7 |
7 files changed, 170 insertions, 0 deletions
diff --git a/puppet/modules/x509/.gitrepo b/puppet/modules/x509/.gitrepo
new file mode 100644
index 00000000..ed6eb7ac
--- /dev/null
+++ b/puppet/modules/x509/.gitrepo
@@ -0,0 +1,11 @@
+; DO NOT EDIT (unless you know what you are doing)
+;
+; This subdirectory is a git "subrepo", and this file is maintained by the
+; git-subrepo command. See https://github.com/git-commands/git-subrepo#readme
+;
+[subrepo]
+ remote = https://leap.se/git/puppet_x509
+ branch = master
+ commit = 19254a38c1c372ae7912ea9f15500b9b1cbffe81
+ parent = d8ecd5d2f933c40f2413a58e6324558d0e689b6a
+ cmdver = 0.3.0
diff --git a/puppet/modules/x509/manifests/base.pp b/puppet/modules/x509/manifests/base.pp
new file mode 100644
index 00000000..b88cce64
--- /dev/null
+++ b/puppet/modules/x509/manifests/base.pp
@@ -0,0 +1,45 @@
+class x509::base {
+ include x509::variables
+
+ package { [ 'ssl-cert', 'ca-certificates' ]:
+ ensure => installed;
+ }
+
+ group { 'ssl-cert':
+ ensure => present,
+ system => true,
+ require => Package['ssl-cert'];
+ }
+
+ file {
+ $x509::variables::root:
+ ensure => directory,
+ mode => '0755',
+ owner => root,
+ group => root;
+
+ $x509::variables::keys:
+ ensure => directory,
+ mode => '0750',
+ owner => root,
+ group => ssl-cert;
+
+ $x509::variables::certs:
+ ensure => directory,
+ mode => '0755',
+ owner => root,
+ group => root;
+
+ $x509::variables::local_CAs:
+ ensure => directory,
+ mode => '2775',
+ owner => root,
+ group => root;
+ }
+
+ exec { 'update-ca-certificates':
+ command => '/usr/sbin/update-ca-certificates',
+ refreshonly => true,
+ subscribe => File[$x509::variables::local_CAs]
+ }
+}
diff --git a/puppet/modules/x509/manifests/ca.pp b/puppet/modules/x509/manifests/ca.pp
new file mode 100644
index 00000000..0e068cd3
--- /dev/null
+++ b/puppet/modules/x509/manifests/ca.pp 
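Review bot: Neither Exec['update-ca-certificates'] nor the File resource for $x509::variables::local_CAs declares a dependency on Package['ca-certificates'], even though both /usr/sbin/update-ca-certificates and the /usr/local/share/ca-certificates directory come from that package; on a fresh host the ordering only works because Puppet's default manifest ordering happens to evaluate the package first. Add `require => Package['ca-certificates']` to both resources so a refresh of the exec (triggered through the subscribe on the directory) can never run before the tool exists and so the package does not race with the directory's 2775 root:root permissions. Separately, the keys directory is 0750 root:ssl-cert, which is a sensible default, but it means any account that is meant to read a key out of it must be in the ssl-cert group regardless of the key file's own group; a comment above that resource such as `# readers of any key must be in ssl-cert to traverse this directory` would save the next person from debugging a permission denied.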
@@ -0,0 +1,34 @@
+define x509::ca (
+ $content = 'absent',
+ $source = 'absent'
+) {
+ include x509::variables
+ include x509::base
+
+ file { "${x509::variables::local_CAs}/${name}.crt" :
+ ensure => file,
+ mode => '0444',
+ group => 'ssl-cert',
+ require => Package['ca-certificates'],
+ notify => Exec['update-ca-certificates'],
+ }
+ case $content {
+ 'absent': {
+ $real_source = $source ? {
+ 'absent' => [
+ "puppet:///modules/site_x509/CAs/${::fqdn}/${name}.crt",
+ "puppet:///modules/site_x509/CAs/${name}.crt"
+ ],
+ default => "puppet:///$source",
+ }
+ File["${x509::variables::local_CAs}/${name}.crt"] {
+ source => $real_source
+ }
+ }
+ default: {
+ File["${x509::variables::local_CAs}/${name}.crt"] {
+ content => $content
+ }
+ }
+ }
+}
diff --git a/puppet/modules/x509/manifests/cert.pp b/puppet/modules/x509/manifests/cert.pp
new file mode 100644
index 00000000..0aafb76d
--- /dev/null
+++ b/puppet/modules/x509/manifests/cert.pp
@@ -0,0 +1,34 @@
+define x509::cert (
+ $content = 'absent',
+ $source = 'absent'
+) {
+ include x509::variables
+ include x509::base
+
+ file { "${x509::variables::certs}/${name}.crt":
+ ensure => file,
+ mode => '0444',
+ group => 'ssl-cert',
+ require => Package['ssl-cert']
+ }
+
+ case $content {
+ 'absent': {
+ $real_source = $source ? {
+ 'absent' => [
+ "puppet:///modules/site_x509/certs/${::fqdn}/${name}.crt",
+ "puppet:///modules/site_x509/certs/${name}.crt"
+ ],
+ default => "puppet:///$source",
+ }
+ File["${x509::variables::certs}/${name}.crt"] {
+ source => $real_source
+ }
+ }
+ default: {
+ File["${x509::variables::certs}/${name}.crt"] {
+ content => $content
+ }
+ }
+ }
+}
diff --git a/puppet/modules/x509/manifests/init.pp b/puppet/modules/x509/manifests/init.pp
new file mode 100644
index 00000000..8283e482
--- /dev/null
+++ b/puppet/modules/x509/manifests/init.pp
@@ -0,0 +1,2 @@
+class x509 {
+}
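Review bot: The define can install a system-wide trust anchor but never remove one: there is no `$ensure` parameter, so dropping an x509::ca resource from a node's catalog leaves `${x509::variables::local_CAs}/${name}.crt` on disk and its symlink under /etc/ssl/certs keeps being trusted until someone deletes it by hand. Add `$ensure = 'file'` to the parameter list and set `ensure => $ensure` on the file resource; the existing `notify => Exec['update-ca-certificates']` should then prune the stale symlink on the next run (verify this on your release, `update-ca-certificates --fresh` is the belt-and-braces option). The file also sets no owner, so a pre-existing .crt owned by another uid keeps that owner on a file the whole host trusts; state `owner => 'root'` explicitly. Minor: `"puppet:///$source"` should be `"puppet:///${source}"` to match the braced interpolation used on the surrounding lines.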
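Review bot: The certificate file gets `mode => '0444'` and `group => 'ssl-cert'` but no owner, so if the file already exists under another uid Puppet leaves that uid able to replace the host's own certificate between runs; add `owner => 'root'` next to the group line. The source-fallback selector (fqdn-specific path, then shared path, then `puppet:///$source`) is duplicated verbatim from x509::ca and x509::key and will drift; at minimum the unbraced `"puppet:///$source"` should become `"puppet:///${source}"` here as well. Nothing in the define notifies a consumer when the certificate content changes, which is reasonable for a generic module but worth stating in a header comment, e.g. `# Installs <name>.crt into $x509::variables::certs; services must subscribe to the File resource themselves to reload on renewal.`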
diff --git a/puppet/modules/x509/manifests/key.pp b/puppet/modules/x509/manifests/key.pp
new file mode 100644
index 00000000..fd7e25fd
--- /dev/null
+++ b/puppet/modules/x509/manifests/key.pp
@@ -0,0 +1,37 @@
+define x509::key (
+ $content = 'absent',
+ $source = 'absent',
+ $owner = 'root',
+ $group = 'ssl-cert'
+) {
+ include x509::variables
+ include x509::base
+
+ file { "${x509::variables::keys}/${name}.key":
+ ensure => file,
+ mode => '0640',
+ owner => $owner,
+ group => $group,
+ require => Package['ssl-cert']
+ }
+
+ case $content {
+ 'absent': {
+ $real_source = $source ? {
+ 'absent' => [
+ "puppet:///modules/site_x509/keys/${::fqdn}/${name}.key",
+ "puppet:///modules/site_x509/keys/${name}.key"
+ ],
+ default => "puppet:///$source",
+ }
+ File["${x509::variables::keys}/${name}.key"] {
+ source => $real_source
+ }
+ }
+ default: {
+ File["${x509::variables::keys}/${name}.key"] {
+ content => $content
+ }
+ }
+ }
+}
diff --git a/puppet/modules/x509/manifests/variables.pp b/puppet/modules/x509/manifests/variables.pp
new file mode 100644
index 00000000..e6bd2359
--- /dev/null
+++ b/puppet/modules/x509/manifests/variables.pp
@@ -0,0 +1,7 @@
+class x509::variables {
+ $root = '/etc/x509'
+ $certs = "${root}/certs"
+ $keys = "${root}/keys"
+ $x509_chain = "${root}/certs"
+ $local_CAs = '/usr/local/share/ca-certificates'
+} |
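Review bot: The source fallbacks `puppet:///modules/site_x509/keys/${::fqdn}/${name}.key` and `puppet:///modules/site_x509/keys/${name}.key` distribute private keys through the Puppet fileserver's `modules` mount, which by default lets any agent with a signed certificate fetch any path under it, so one compromised node can pull every other node's key unless fileserver.conf restricts that mount; this deserves a warning comment at the top of the define and, where possible, a per-node mount or hiera-backed `content` instead. The File resource should also carry `backup => false`, otherwise each key rotation leaves the previous key in the agent's filebucket, and, if the Puppet release in use supports the parameter, `show_diff => false` so key material never lands in reports or logs. Finally, `$owner`/`$group` only help if the reader is also in the ssl-cert group: x509::base creates the keys directory as 0750 root:ssl-cert, so a 0640 key with `group => 'foo'` is still unreadable to foo without traversal rights; document that in the parameter comments or have the define account for it.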
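Review bot: `$x509_chain` resolves to the same path as `$certs` and nothing in this commit reads it, so it is either dead or a placeholder for a later split; a one-line comment stating its intended role would stop the next reader from guessing, and if it is dead it should go. The mixed-case `$local_CAs` is legal Puppet but puppet-lint's variable_is_lowercase check will flag it; if the module is linted, renaming it to `$local_cas` now is cheaper than after other code references `$x509::variables::local_CAs`.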