1d78addd24
The ssl-cert group which normally owns files under /etc/ssl is created by a dependency of the apache module, but we need to create files there before that service is started. Break the cycle by just relying on the root group instead. Also update permission modes on these files to reflect sensible systems administration practices (read/write by root, readable by everyone except for the key file which is inaccessible for others). Change-Id: Ia76a344e5b4d3d7acdf0980ed7f951f8d5199052
74 lines
2.3 KiB
Puppet
74 lines
2.3 KiB
Puppet
# Copyright (c) 2014 Hewlett-Packard Development Company, L.P.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
# == Class: storyboard::cert
|
|
#
|
|
# This module sets up the SSL certificate for storyboard, sourcing the content of the
|
|
# certificates either from a file or from a string. If included,
|
|
# it will be automatically detected within storyboard::application and the
|
|
# application will be hosted over https rather than http.
|
|
#
|
|
class storyboard::cert (
|
|
$ssl_cert_content = undef,
|
|
$ssl_cert = '/etc/ssl/certs/ssl-cert-snakeoil.pem',
|
|
|
|
$ssl_key_content = undef,
|
|
$ssl_key = '/etc/ssl/private/ssl-cert-snakeoil.key',
|
|
|
|
$ssl_ca_content = undef,
|
|
$ssl_ca = undef, # '/etc/ssl/certs/ca.pem'
|
|
) {
|
|
|
|
if $ssl_cert_content != undef {
|
|
file { $ssl_cert:
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0644',
|
|
content => $ssl_cert_content,
|
|
before => Class['storyboard::application'],
|
|
notify => Class['storyboard::application'],
|
|
}
|
|
}
|
|
|
|
if $ssl_key_content != undef {
|
|
file { $ssl_key:
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0600',
|
|
content => $ssl_key_content,
|
|
before => Class['storyboard::application'],
|
|
notify => Class['storyboard::application'],
|
|
}
|
|
}
|
|
|
|
# CA file needs special treatment, since we want the path variable
|
|
# to be undef in some cases.
|
|
if $ssl_ca == undef and $ssl_ca_content != undef {
|
|
$resolved_ssl_ca = '/etc/ssl/certs/storyboard.ca.pem'
|
|
} else {
|
|
$resolved_ssl_ca = $ssl_ca
|
|
}
|
|
|
|
if $ssl_ca_content != undef {
|
|
file { $resolved_ssl_ca:
|
|
owner => 'root',
|
|
group => 'root',
|
|
mode => '0644',
|
|
content => $ssl_ca_content,
|
|
before => Class['storyboard::application'],
|
|
notify => Class['storyboard::application'],
|
|
}
|
|
}
|
|
}
|