From 896dd69710fa24a0235fc70081a71f35adbf9af1 Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@leap.se>
Date: Thu, 20 Nov 2014 15:22:09 -0500
Subject: Make sure that stunnel restarts when cert/key change (#6181)

Change-Id: I5085247a87018e18e73833119ac73225afbfea1e
---
 puppet/modules/site_stunnel/manifests/client.pp           |  6 +-----
 puppet/modules/site_stunnel/manifests/init.pp             |  2 ++
 puppet/modules/site_stunnel/manifests/override_service.pp | 13 +++++++++++++
 puppet/modules/site_stunnel/manifests/servers.pp          |  6 +-----
 4 files changed, 17 insertions(+), 10 deletions(-)
 create mode 100644 puppet/modules/site_stunnel/manifests/override_service.pp

(limited to 'puppet/modules/site_stunnel')

diff --git a/puppet/modules/site_stunnel/manifests/client.pp b/puppet/modules/site_stunnel/manifests/client.pp
index 76815174..3b10ecb8 100644
--- a/puppet/modules/site_stunnel/manifests/client.pp
+++ b/puppet/modules/site_stunnel/manifests/client.pp
@@ -35,11 +35,7 @@ define site_stunnel::client (
     pid        => "/var/run/stunnel4/${pid}.pid",
     rndfile    => $rndfile,
     debuglevel => $debuglevel,
-    sslversion => 'TLSv1',
-    subscribe  => [
-      Class['Site_config::X509::Key'],
-      Class['Site_config::X509::Cert'],
-      Class['Site_config::X509::Ca'] ];
+    sslversion => 'TLSv1';
   }
 
   site_shorewall::stunnel::client { $name:
diff --git a/puppet/modules/site_stunnel/manifests/init.pp b/puppet/modules/site_stunnel/manifests/init.pp
index b292f1cd..2e0cf5b8 100644
--- a/puppet/modules/site_stunnel/manifests/init.pp
+++ b/puppet/modules/site_stunnel/manifests/init.pp
@@ -28,5 +28,7 @@ class site_stunnel {
   $clients = $stunnel['clients']
   $client_sections = keys($clients)
   site_stunnel::clients { $client_sections: }
+
+  include site_stunnel::override_service
 }
 
diff --git a/puppet/modules/site_stunnel/manifests/override_service.pp b/puppet/modules/site_stunnel/manifests/override_service.pp
new file mode 100644
index 00000000..96187048
--- /dev/null
+++ b/puppet/modules/site_stunnel/manifests/override_service.pp
@@ -0,0 +1,13 @@
+class site_stunnel::override_service inherits stunnel::debian {
+
+  include site_config::x509::cert
+  include site_config::x509::key
+  include site_config::x509::ca
+
+  Service[stunnel] {
+    subscribe => [
+                  Class['Site_config::X509::Key'],
+                  Class['Site_config::X509::Cert'],
+                  Class['Site_config::X509::Ca'] ]
+  }
+}
diff --git a/puppet/modules/site_stunnel/manifests/servers.pp b/puppet/modules/site_stunnel/manifests/servers.pp
index 8d537644..b6fac319 100644
--- a/puppet/modules/site_stunnel/manifests/servers.pp
+++ b/puppet/modules/site_stunnel/manifests/servers.pp
@@ -35,11 +35,7 @@ define site_stunnel::servers (
     pid        => "/var/run/stunnel4/${pid}.pid",
     rndfile    => '/var/lib/stunnel4/.rnd',
     debuglevel => $debuglevel,
-    sslversion => 'TLSv1',
-    require    => [
-      Class['Site_config::X509::Key'],
-      Class['Site_config::X509::Cert'],
-      Class['Site_config::X509::Ca'] ];
+    sslversion => 'TLSv1';
   }
 
   # allow incoming connections on $accept_port
-- 
cgit v1.2.3