init.sls 3.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119
  1. #
  2. # SSL Certificates
  3. #
  4. openssl:
  5. pkg.installed:
  6. - name: openssl
  7. ssl-cert:
  8. pkg.installed
  9. update_ca_certificates:
  10. cmd.wait:
  11. - name: /usr/sbin/update-ca-certificates
  12. - watch: []
  13. generate-dhparam:
  14. cmd.run:
  15. - name: openssl dhparam -out /etc/ssl/dhparam.pem 4096
  16. - creates: /etc/ssl/dhparam.pem
  17. # Install FFHO internal CA into Debian CA certificate mangling mechanism so
  18. # libraries (read: openssl) can use the CA cert when validating internal
  19. # service certificates. By installing the cert into the local ca-certificates
  20. # directory and calling update-ca-certificates two symlinks will be installed
  21. # into /etc/ssl/certs which will both point to the crt file:
  22. # * ffho-cacert.pem
  23. # * <cn-hash>.pem
  24. # The latter is use by openssl for validation.
  25. /usr/local/share/ca-certificates/ffho-cacert.crt:
  26. file.managed:
  27. - source: salt://certs/ffho-cacert.pem
  28. - user: root
  29. - group: root
  30. - mode: 644
  31. - watch_in:
  32. - cmd: update_ca_certificates
  33. /usr/local/share/ca-certificates/StartSSL_Class1_CA.crt:
  34. file.managed:
  35. - source: salt://certs/StartSSL_Class1_CA.pem
  36. - user: root
  37. - group: root
  38. - mode: 644
  39. - watch_in:
  40. - cmd: update_ca_certificates
  41. /usr/local/share/ca-certificates/StartSSL_Class2_CA.crt:
  42. file.managed:
  43. - source: salt://certs/StartSSL_Class2_CA.pem
  44. - user: root
  45. - group: root
  46. - mode: 644
  47. - watch_in:
  48. - cmd: update_ca_certificates
  49. {% set certs = {} %}
  50. # Are there any certificates defined or referenced in the node pillar?
  51. {% set node_config = salt['pillar.get']('nodes:' ~ grains['id']) %}
  52. {% for cn, cert_config in node_config.get ('certs', {}).items () %}
  53. {% set pillar_name = None %}
  54. {# "cert" and "privkey" provided in node config? #}
  55. {% if 'cert' in cert_config and 'privkey' in cert_config %}
  56. {% set pillar_name = 'nodes:' ~ grains['id'] ~ ':certs:' ~ cn %}
  57. {# <cn> only referenced in node config and cert/privkey stored in "cert" pillar? #}
  58. {% elif cert_config.get ('install', False) == True %}
  59. {% set pillar_name = 'cert:' ~ cn %}
  60. {% endif %}
  61. {% if pillar_name != None %}
  62. {% do certs.update ({ cn : pillar_name }) %}
  63. {% endif %}
  64. {% endfor %}
  65. # Are there any cert defined or referenced for this node or roles of this node?
  66. {% set node_roles = node_config.get ('roles', []) %}
  67. {% for cn, cert_config in salt['pillar.get']('cert', {}).items () %}
  68. {% for role in cert_config.get ('apply', {}).get ('roles', []) %}
  69. {% if role in node_roles %}
  70. {% do certs.update ({ cn : 'cert:' ~ cn }) %}
  71. {% endif %}
  72. {% endfor %}
  73. {% endfor %}
  74. # Install found certificates
  75. {% for cn, pillar_name in certs.items () %}
  76. /etc/ssl/certs/{{ cn }}.cert.pem:
  77. file.managed:
  78. {% if salt['pillar.get'](pillar_name ~ ':cert') == "file" %}
  79. - source: salt://certs/certs/{{ cn }}.cert.pem
  80. {% else %}
  81. - contents_pillar: {{ pillar_name }}:cert
  82. {% endif %}
  83. - user: root
  84. - group: root
  85. - mode: 644
  86. /etc/ssl/private/{{ cn }}.key.pem:
  87. file.managed:
  88. - contents_pillar: {{ pillar_name }}:privkey
  89. - user: root
  90. - group: ssl-cert
  91. - mode: 440
  92. - require:
  93. - pkg: ssl-cert
  94. {% endfor %}
  95. {% if 'frontend' in node_config.roles or 'nginx' in node_config %}
  96. certs-nginx-reload:
  97. cmd.wait:
  98. - name: service nginx reload
  99. - watch:
  100. - file: /etc/ssl/certs/*
  101. {% endif %}