# @summary
#   Manages the shared, system-wide CA truststore: the trusted-certificate
#   directory, the optional ca-certificates package, any CA certificates
#   declared through `ca_certs`, and the command that rebuilds the bundle.
#
# Security notes for operators:
#   * Every certificate installed through this class becomes a trust anchor
#     for the whole host. The data behind `ca_certs` (normally Hiera) must
#     therefore be treated as privileged, change-controlled configuration.
#   * `purge_unmanaged_CAs` turns on `purge` and `recurse` for the trusted
#     certificate directory. Puppet then deletes every entry in it that is
#     not managed by a resource in the catalog (including certificates placed
#     there by other tooling or by hand) and applies the directory's
#     owner/group/mode to the remaining contents. Enable it deliberately.
#   * `update_cmd` is executed verbatim with the Puppet agent's privileges
#     (normally root); it comes from this parameter / Hiera, not from any
#     runtime input, so keep that data source trusted.
#
# @example Basic usage
#   class { 'ca_cert': }
#
# @example Purge unmanaged user CAs
#   class { 'ca_cert':
#     purge_unmanaged_CAs => true,
#   }
#
# @example Custom certificates handling
#   class { 'ca_cert':
#     update_cmd        => '/usr/bin/c_rehash',
#     trusted_cert_dir  => '/var/ssl/certs',
#     cert_dir_group    => 'system',
#     cert_dir_mode     => '0755',
#     ca_file_group     => 'system',
#     ca_file_mode      => '0644',
#     ca_file_extension => 'pem',
#   }
#
# @param update_cmd
#   Command that rebuilds the system CA bundle. Run by Exec['ca_cert_update']
#   with a fixed search path of /usr/sbin, /usr/bin and /bin.
#   Default provided by Hiera for supported Operating Systems.
#
# @param trusted_cert_dir
#   Absolute path of the directory holding trusted certificates; managed as
#   File['trusted_certs'] (owned by root, group/mode from `cert_dir_*`).
#   Default provided by Hiera for supported Operating Systems.
#
# @param distrusted_cert_dir
#   Absolute path of the directory holding distrusted certificates. Not
#   referenced in this class body; presumably consumed by ca_cert::ca.
#   Default provided by Hiera for supported Operating Systems.
#
# @param ca_certificates_conf
#   Configuration file some distributions use to mark distrusted
#   certificates. Not referenced in this class body; presumably consumed by
#   ca_cert::ca. Default provided by Hiera for supported Operating Systems.
#
# @param install_package
#   Whether this class installs the ca-certificates package. The package
#   ships the distribution default (typically Mozilla) CA set together with
#   the tooling needed to manage additional CA certificates.
#
# @param package_ensure
#   Value passed as `ensure` to the package resource. Unless it is 'absent',
#   the package is ordered before every ca_cert::ca resource.
#
# @param package_name
#   Name of the package(s) to install.
#
# @param cert_dir_group
#   Group of the trusted certificate directory (and, when purging is on, of
#   its recursively managed contents). Same syntax as the file resource's
#   "group" parameter.
#
# @param cert_dir_mode
#   Mode of the trusted certificate directory (and, when purging is on, of
#   its recursively managed contents). Same syntax as the file resource's
#   "mode" parameter.
#
# @param ca_file_group
#   Group for installed CA certificate files. Not referenced in this class
#   body; presumably consumed by ca_cert::ca. Same syntax as the file
#   resource's "group" parameter.
#
# @param ca_file_mode
#   Mode for installed CA certificate files. Not referenced in this class
#   body; presumably consumed by ca_cert::ca. Same syntax as the file
#   resource's "mode" parameter.
#
# @param ca_file_extension
#   File extension for installed certificates. Not referenced in this class
#   body; presumably consumed by ca_cert::ca.
#
# @param always_update_certs
#   Run the update command on every Puppet run instead of only when a
#   managed resource signals a change.
#
# @param purge_unmanaged_CAs
#   When true (default false), recursively purge entries of the trusted
#   certificate directory that are not managed by this catalog. See the
#   security notes above before enabling.
#
# @param ca_certs
#   Hash of CA certificates to declare as ca_cert::ca resources; each key is
#   the resource title and each value its attribute hash.
#
class ca_cert (
  String[1] $update_cmd,
  Stdlib::Absolutepath $trusted_cert_dir,
  Optional[Stdlib::Absolutepath] $distrusted_cert_dir = undef,
  Optional[Stdlib::Absolutepath] $ca_certificates_conf = undef,
  Boolean $install_package = true,
  Stdlib::Ensure::Package $package_ensure = 'installed',
  String[1] $package_name = 'ca-certificates',
  String[1] $cert_dir_group = 'root',
  Stdlib::Filemode $cert_dir_mode = '0755',
  String[1] $ca_file_group = 'root',
  Stdlib::Filemode $ca_file_mode = '0644',
  String[1] $ca_file_extension = 'crt',
  Boolean $always_update_certs = false,
  Boolean $purge_unmanaged_CAs = false, # lint:ignore:variable_contains_upcase lint:ignore:variable_is_lowercase
  Hash $ca_certs = {},
) {
  # lint:ignore:variable_contains_upcase lint:ignore:variable_is_lowercase
  # The trust-anchor directory. With purging enabled Puppet also recurses
  # into it, dropping unmanaged entries and applying owner/group/mode to the
  # contents. Any change here triggers a bundle rebuild via the exec below.
  file { 'trusted_certs':
    ensure  => directory,
    path    => $trusted_cert_dir,
    owner   => 'root',
    group   => $cert_dir_group,
    mode    => $cert_dir_mode,
    recurse => $purge_unmanaged_CAs,
    purge   => $purge_unmanaged_CAs,
    notify  => Exec['ca_cert_update'],
  }
  # lint:endignore

  if $install_package {
    stdlib::ensure_packages($package_name, { ensure => $package_ensure })

    # Certificates rely on the package's tooling, so it must be in place
    # first; when the package is being removed there is nothing to wait for.
    unless $package_ensure == 'absent' {
      Package[$package_name] -> Ca_cert::Ca <| |>
    }
  }

  # One ca_cert::ca per requested certificate, attributes splatted from the
  # hash value. Each of these becomes a host-wide trust anchor.
  $ca_certs.each |$cert_title, $cert_attributes| {
    ca_cert::ca { $cert_title:
      * => $cert_attributes,
    }
  }

  # Rebuild the system bundle. By default it only fires on refresh (a managed
  # resource changed); `always_update_certs` forces it on every run. The
  # command string is used verbatim, so its source must be trusted.
  exec { 'ca_cert_update':
    command     => $update_cmd,
    path        => ['/usr/sbin', '/usr/bin', '/bin'],
    refreshonly => $always_update_certs ? {
      true    => false,
      default => true,
    },
    logoutput   => 'on_failure',
  }
}