a72ab07bef
Make SSL/TLS certificate file handling and snakeoil fallback logic more flexible, no longer expecting you to unconditionally set file paths so you can just provide contents and allow the module to store them in a location it considers sane. Also adjust the vhost template to match the pattern we've been standardizing on across existing modules (such as our recently improved mediawiki module), with clearer variable scope lookups and stronger crypto configuration. While in the vicinity, also remove a hard-coded default ServerAdmin E-mail address default to make the module less OpenStack-community specific. Change-Id: I238682ac05bdd20ec293b7a16370563763e35249
141 lines
4.7 KiB
Puppet
141 lines
4.7 KiB
Puppet
# Copyright 2016 Hewlett Packard Enterprise Development Company, L.P.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
#
|
|
# == Class: phabricator::certificates
|
|
#
|
|
# Sets up SSL certificates for the module.
|
|
#
|
|
class phabricator::certificates (
|
|
# SSL Certificates.
|
|
$ssl_cert_file = $phabricator::vars::ssl_cert_file,
|
|
$ssl_cert_file_contents = $phabricator::vars::ssl_cert_file_contents,
|
|
$ssl_chain_file = $phabricator::vars::ssl_chain_file,
|
|
$ssl_chain_file_contents = $phabricator::vars::ssl_chain_file_contents,
|
|
$ssl_key_file = $phabricator::vars::ssl_key_file,
|
|
$ssl_key_file_contents = $phabricator::vars::ssl_key_file_contents,
|
|
) {
|
|
|
|
# To use the standard ssl-certs package snakeoil certificate, leave both
|
|
# $ssl_cert_file and $ssl_cert_file_contents empty. To use an existing
|
|
# certificate, specify its path for $ssl_cert_file and leave
|
|
# $ssl_cert_file_contents empty. To manage the certificate with puppet,
|
|
# provide $ssl_cert_file_contents and optionally specify the path to use for
|
|
# it in $ssl_cert_file.
|
|
if ($ssl_cert_file == undef) and ($ssl_cert_file_contents == undef) {
|
|
$cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
|
|
if ! defined(Package['ssl-cert']) {
|
|
package { 'ssl-cert':
|
|
ensure => present,
|
|
}
|
|
}
|
|
} else {
|
|
if $ssl_cert_file == undef {
|
|
$cert_file = "/etc/ssl/certs/${::fqdn}.pem"
|
|
if ! defined(File['/etc/ssl/certs']) {
|
|
file { '/etc/ssl/certs':
|
|
ensure => directory,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0755',
|
|
before => File[$cert_file],
|
|
}
|
|
}
|
|
} else {
|
|
$cert_file = $ssl_cert_file
|
|
}
|
|
if $ssl_cert_file_contents != undef {
|
|
file { $cert_file:
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0644',
|
|
content => $ssl_cert_file_contents,
|
|
}
|
|
}
|
|
}
|
|
|
|
# To avoid using an intermediate certificate chain, leave both
|
|
# $ssl_chain_file and $ssl_chain_file_contents empty. To use an existing
|
|
# chain, specify its path for $ssl_chain_file and leave
|
|
# $ssl_chain_file_contents empty. To manage the chain with puppet, provide
|
|
# $ssl_chain_file_contents and optionally specify the path to use for it in
|
|
# $ssl_chain_file.
|
|
if ($ssl_chain_file == undef) and ($ssl_chain_file_contents == undef) {
|
|
$chain_file = undef
|
|
} else {
|
|
if $ssl_chain_file == undef {
|
|
$chain_file = "/etc/ssl/certs/${::fqdn}_intermediate.pem"
|
|
if ! defined(File['/etc/ssl/certs']) {
|
|
file { '/etc/ssl/certs':
|
|
ensure => directory,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0755',
|
|
before => File[$chain_file],
|
|
}
|
|
}
|
|
} else {
|
|
$chain_file = $ssl_chain_file
|
|
}
|
|
if $ssl_chain_file_contents != undef {
|
|
file { $chain_file:
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0644',
|
|
content => $ssl_chain_file_contents,
|
|
}
|
|
}
|
|
}
|
|
|
|
# To use the standard ssl-certs package snakeoil key, leave both
|
|
# $ssl_key_file and $ssl_key_file_contents empty. To use an existing key,
|
|
# specify its path for $ssl_key_file and leave $ssl_key_file_contents empty.
|
|
# To manage the key with puppet, provide $ssl_key_file_contents and
|
|
# optionally specify the path to use for it in $ssl_key_file.
|
|
if ($ssl_key_file == undef) and ($ssl_key_file_contents == undef) {
|
|
$key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
|
|
if ! defined(Package['ssl-cert']) {
|
|
package { 'ssl-cert':
|
|
ensure => present,
|
|
}
|
|
}
|
|
} else {
|
|
if $ssl_key_file == undef {
|
|
$key_file = "/etc/ssl/private/${::fqdn}.key"
|
|
if ! defined(File['/etc/ssl/private']) {
|
|
file { '/etc/ssl/private':
|
|
ensure => directory,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0700',
|
|
before => File[$key_file],
|
|
}
|
|
}
|
|
} else {
|
|
$key_file = $ssl_key_file
|
|
}
|
|
if $ssl_key_file_contents != undef {
|
|
file { $key_file:
|
|
ensure => present,
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0600',
|
|
content => $ssl_key_file_contents,
|
|
}
|
|
}
|
|
}
|
|
|
|
}
|