# @summary
# This module manages the shared system-wide truststore.
#
# @example Basic usage
# class { 'ca_cert': }
#
# @example Purge unmanaged user CAs
# class { 'ca_cert':
# purge_unmanaged_CAs => true,
# }
#
# @example Custom certificates handling
# class { 'ca_cert':
# update_cmd => '/usr/bin/c_rehash',
# trusted_cert_dir => '/var/ssl/certs',
# cert_dir_group => 'system',
# cert_dir_mode => '0755',
# ca_file_group => 'system',
# ca_file_mode => '0644',
# ca_file_extension => 'pem',
# }
#
# @param update_cmd
# Command to be used to update CA certificates.
# Default provided by Hiera for supported Operating Systems.
#
# @param trusted_cert_dir
# Absolute directory path to the folder containing trusted certificates.
# Default provided by Hiera for supported Operating Systems.
#
# @param distrusted_cert_dir
# Absolute directory path to the folder containing distrusted certificates.
# Default provided by Hiera for supported Operating Systems.
#
# @param ca_certificates_conf
# Some distros use a configuration file to mark distrusted certificates.
# Default provided by Hiera for supported Operating Systems.
#
# @param install_package
# Whether or not this module should install the ca_certificates package.
# The package contains the system default (typically Mozilla) CA
# certificates, as well as the tools required for managing other installed
# CA certificates.
#
# @param package_ensure
# The ensure parameter to pass to the package resource.
#
# @param package_name
# The name of the package(s) to be installed.
#
# @param cert_dir_group
# The trusted certificate directory's POSIX group. This uses
# the same syntax as Puppet's native file resource's "group" parameter.
#
# @param cert_dir_mode
# The trusted certificate directory's POSIX filesystem permissions. This uses
# the same syntax as Puppet's native file resource's "mode" parameter.
#
# @param ca_file_group
# The installed CA certificate's POSIX group permissions. This uses
# the same syntax as Puppet's native file resource's "group" parameter.
#
# @param ca_file_mode
# The installed CA certificate's POSIX filesystem permissions. This uses
# the same syntax as Puppet's native file resource's "mode" parameter.
#
# @param ca_file_extension
# File extension for the certificate.
#
# @param always_update_certs
# Run the appropriate update CA certificates command for your operating
# system on every Puppet run whether it is needed or not.
#
# @param purge_unmanaged_CAs
# When set to true (default: false), user installed CA
# certificates in trusted_cert_dir that are not managed by this
# module will be purged.
#
# @param ca_certs
# A hash of CA certificates that should be installed as part of the class
# declaration.
#
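class ca_cert (
  String[1] $update_cmd,
  Stdlib::Absolutepath $trusted_cert_dir,
  Optional[Stdlib::Absolutepath] $distrusted_cert_dir = undef,
  Optional[Stdlib::Absolutepath] $ca_certificates_conf = undef,
  Boolean $install_package = true,
  Stdlib::Ensure::Package $package_ensure = 'installed',
  String[1] $package_name = 'ca-certificates',
  String[1] $cert_dir_group = 'root',
  Stdlib::Filemode $cert_dir_mode = '0755',
  String[1] $ca_file_group = 'root',
  Stdlib::Filemode $ca_file_mode = '0644',
  String[1] $ca_file_extension = 'crt',
  Boolean $always_update_certs = false,
  Boolean $purge_unmanaged_CAs = false, # lint:ignore:variable_contains_upcase lint:ignore:variable_is_lowercase
  Hash $ca_certs = {},
) {
  # The trust anchor directory is always root-owned; only group and mode are
  # parameterised. With purge_unmanaged_CAs set, the directory is walked
  # recursively and every file Puppet does not manage is removed, so the trust
  # store ends up containing only what this module (or the package) declares.
  # Any change to the directory triggers a rebuild of the consolidated store.
  file { 'trusted_certs':
    ensure  => directory,
    path    => $trusted_cert_dir,
    owner   => 'root',
    group   => $cert_dir_group,
    mode    => $cert_dir_mode,
    purge   => $purge_unmanaged_CAs, # lint:ignore:variable_contains_upcase lint:ignore:variable_is_lowercase
    recurse => $purge_unmanaged_CAs, # lint:ignore:variable_contains_upcase lint:ignore:variable_is_lowercase
    notify  => Exec['ca_cert_update'],
  }

  if $install_package {
    stdlib::ensure_packages($package_name, { ensure => $package_ensure })

    if $package_ensure != 'absent' {
      # The package provides the default trust anchors and the tooling used
      # to manage additional CAs, so both the individual CA resources and the
      # rebuild command must wait for it. The dependency on the exec is made
      # explicit rather than relying on manifest ordering, which is only a
      # soft default.
      Package[$package_name] -> Ca_cert::Ca <| |>
      Package[$package_name] -> Exec['ca_cert_update']
    }
  }

  # Declare one ca_cert::ca per entry; an empty hash simply yields nothing,
  # so no emptiness guard is needed. The lambda parameters are left untyped
  # to accept exactly what create_resources() accepted before.
  $ca_certs.each |$ca_name, $ca_params| {
    ca_cert::ca { $ca_name:
      * => $ca_params,
    }
  }

  # Rebuilds the consolidated trust store. Runs only when notified unless
  # always_update_certs forces it on every run. The command is resolved
  # against a fixed search path rather than whatever PATH the agent inherits,
  # and its output is only logged when it fails.
  exec { 'ca_cert_update':
    command     => $update_cmd,
    logoutput   => 'on_failure',
    refreshonly => !$always_update_certs,
    path        => ['/usr/sbin', '/usr/bin', '/bin'],
  }
}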