
certs: Rework state to allow assign certificates to hosts from roles.

  Now it's possible to assign a certificate to all nodes with any given role
  from within the certs pillar:

  | firmware.hochstift.freifunk.net:
  |   apply:
  |     roles:
  |       - frontend
  |
  |   cert: file

  This way it's possible to deploy certificates to multiple nodes like web
  frontend proxies in a simple way.

Signed-off-by: Maximilian Wilhelm <max@rfc2324.org>
Maximilian Wilhelm 7 years ago
1ee4910a8c
1 changed files with 20 additions and 3 deletions
  1. 20 3
      certs/init.sls

+ 20 - 3
certs/init.sls

@@ -46,11 +46,13 @@ c_rehash:
       - cmd: c_rehash
 
 
+{% set certs = {} %}
+
 # Are there any certificates defined or referenced in the node pillar?
-{% for cn in salt['pillar.get']('nodes:' ~ grains['id'] ~ ':certs', {})|sort %}
+{% set node_config = salt['pillar.get']('nodes:' ~ grains['id']) %}
+{% for cn, cert_config in node_config.get ('certs', {}).items () %}
   {% set pillar_name = None %}
 
-  {% set cert_config = salt['pillar.get']('nodes:' ~ grains['id'] ~ ':certs:' ~ cn) %}
   {# "cert" and "privkey" provided in node config? #}
   {% if 'cert' in cert_config and 'privkey' in cert_config %}
     {% set pillar_name = 'nodes:' ~ grains['id'] ~ ':certs:' ~ cn %}
@@ -61,6 +63,22 @@ c_rehash:
   {% endif %}
 
   {% if pillar_name != None %}
+    {% do certs.update ({ cn : pillar_name }) %}
+  {% endif %}
+{% endfor %}
+
+# Are there any cert defined or referenced for this node or roles of this node?
+{% set node_roles = node_config.get ('roles', []) %}
+{% for cn, cert_config in salt['pillar.get']('cert', {}).items () %}
+  {% for role in cert_config.get ('apply', {}).get ('roles', []) %}
+    {% if role in node_roles %}
+      {% do certs.update ({ cn : 'cert:' ~ cn }) %}
+    {% endif %}
+  {% endfor %}
+{% endfor %}
+
+# Install found certificates
+{% for cn, pillar_name in certs.items () %}
 /etc/ssl/certs/{{ cn }}.cert.pem:
   file.managed:
     {% if salt['pillar.get'](pillar_name ~ ':cert') == "file" %}
@@ -78,5 +96,4 @@ c_rehash:
     - user: root
     - group: root
     - mode: 400
-  {% endif %}
 {% endfor %}
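Review bot: The new `node_config` lookup at the top of the first hunk has no default, so on a minion whose `nodes:<id>` pillar key is absent `pillar.get` returns its default empty string and the following `node_config.get ('certs', {})` and `node_config.get ('roles', [])` calls fail at render time; `{% set node_config = salt['pillar.get']('nodes:' ~ grains['id'], {}) %}` keeps the state renderable for such nodes. In the second hunk the role loop runs after the node loop and calls `certs.update` unconditionally, so a role-assigned certificate silently replaces one the node defined under the same common name; if node-level configuration is meant to win, guard it with `{% if role in node_roles and cn not in certs %}`. The role check only decides which certificates are written to disk: any minion that receives the `cert` pillar at all holds every private key in it, so the pillar top file (outside this diff) still has to target that pillar to the intended minions rather than relying on this state for confinement. The pillar key is spelled `cert` in the state but `certs` in the commit message; one of the two looks like a typo and is worth aligning so operators configure the right key.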