BBlack has uploaded a new change for review.
https://gerrit.wikimedia.org/r/197458
Change subject: Introduce a new sslcert module to replace certs.pp
......................................................................
Introduce a new sslcert module to replace certs.pp
This is a cleanup/move of the certificates::base code, which is to be
removed in the following commit.
Change-Id: I4efebc8ee3a382b7afd6c83f4b114b398d1d0bd0
---
A modules/sslcert/files/apparmor/ssl_certs
A modules/sslcert/manifests/init.pp
2 files changed, 73 insertions(+), 0 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/58/197458/1
diff --git a/modules/sslcert/files/apparmor/ssl_certs
b/modules/sslcert/files/apparmor/ssl_certs
new file mode 100644
index 0000000..00a9815
--- /dev/null
+++ b/modules/sslcert/files/apparmor/ssl_certs
@@ -0,0 +1,24 @@
+# ------------------------------------------------------------------
+#
+# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2010-2011 Canonical Ltd.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of version 2 of the GNU General Public
+# License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+# THIS FILE IS MANAGED BY PUPPET
+
+ /etc/ssl/ r,
+ /etc/ssl/certs/ r,
+ /etc/ssl/certs/* r,
+ /usr/share/ca-certificates/ r,
+ /usr/share/ca-certificates/** r,
+ /usr/share/ssl/certs/ca-bundle.crt r,
+ /usr/local/share/ca-certificates/ r,
+ /usr/local/share/ca-certificates/** r,
+ /var/lib/ca-certificates/ r,
+ /var/lib/ca-certificates/** r,
+ /etc/ssl/localcerts/ r,
+ /etc/ssl/localcerts/** r,
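Review bot: The two new rules at the end of the abstraction grant read access to everything under `/etc/ssl/localcerts/` to every AppArmor profile that includes `ssl_certs`, so that directory must hold only public material (certificates and chains); a private key dropped there next to its certificate would become readable by any confined service, unlike `/etc/ssl/private`, which this abstraction deliberately leaves out. That contract is worth stating above the added lines, e.g. `# local server certificates only - never private keys; keys stay in /etc/ssl/private`. Since this file replaces the distribution copy wholesale rather than extending it, any paths Ubuntu adds to its own ssl_certs abstraction in a later release will be silently dropped until this copy is refreshed; a short comment under the "MANAGED BY PUPPET" line naming the upstream file it was copied from would make that drift easier to spot.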
diff --git a/modules/sslcert/manifests/init.pp
b/modules/sslcert/manifests/init.pp
new file mode 100644
index 0000000..d671fe9
--- /dev/null
+++ b/modules/sslcert/manifests/init.pp
@@ -0,0 +1,49 @@
+# == Class: sslcert
+#
+# Base class to manage X.509/TLS/SSL certificates.
+#
+# === Parameters
+#
+# === Examples
+#
+# include sslcert
+#
+
+class sslcert {
+ package { [ 'openssl', 'ssl-cert', 'ca-certificates' ]:
+ ensure => present,
+ }
+
+ exec { 'update-ca-certificates':
+ command => '/usr/sbin/update-ca-certificates',
+ refreshonly => true,
+ require => Package['ca-certificates'],
+ }
+
+ # server certificates go in here; /etc/ssl/certs is a misnomer and actually
+ # is just for CAs. See e.g. <https://bugs.debian.org/608719>
+ file { '/etc/ssl/localcerts':
+ ensure => directory,
+ owner => 'root',
+ group => 'ssl-cert',
+ mode => '0755',
+ require => Package['ssl-cert'],
+ }
+
+ # Limit AppArmor support to just Ubuntu, for now
+ if $::operatingsystem == 'Ubuntu' {
+ include apparmor
+
+ # modify the default ssl_certs abstraction to support
+ # /etc/ssl/localcerts, as defined above
+ file { '/etc/apparmor.d/abstractions/ssl_certs':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ source => 'puppet:///modules/sslcert/apparmor/ssl_certs',
+ require => Package['apparmor'],
+ notify => Service['apparmor'],
+ }
+ }
+}
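Review bot: The `=== Parameters` heading in the class header is empty while the class takes none, so it reads as an omission; either drop the heading or write `# None.` under it. In the AppArmor file resource, `ensure => present` only asserts that something exists at that path, whereas `ensure => file` also guarantees it is a regular file, which is what `source` needs; `ensure => file,` is the more precise choice. The `/etc/ssl/localcerts` comment explains why the directory exists but not what may go in it from a permissions standpoint: with mode 0755 it is world-readable by design, so a line such as `# world-readable by design: public certs/chains only, private keys belong in /etc/ssl/private` would keep future users from placing keys there. `Package['apparmor']` and `Service['apparmor']` are referenced but not declared in this hunk; presumably the included `apparmor` class declares them, which is worth confirming so the dependency edges do not fail at catalog compile time.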
--
To view, visit https://gerrit.wikimedia.org/r/197458
Gerrit-MessageType: newchange
Gerrit-Change-Id: I4efebc8ee3a382b7afd6c83f4b114b398d1d0bd0
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>