Puppet Class: cfweb::pki

Defined in:
manifests/pki.pp

Overview

Parameters:

  • x509_c (String[2, 2])
  • x509_st (String[1])
  • x509_l (String[1])
  • x509_o (String[1])
  • x509_ou (String[1])
  • x509_email (String[1])
  • dhparam_bits (Integer[1024, 8192]) (defaults to: 2048)
  • rsa_key_name (String[1]) (defaults to: 'multi')
  • rsa_bits (Cfsystem::Rsabits) (defaults to: 2048)
  • ecc_key_name (String[1]) (defaults to: 'multiec')
  • ecc_curve (String[1]) (defaults to: 'prime256v1')
  • cert_hash (String[1]) (defaults to: 'sha256')
  • ssh_user (String) (defaults to: 'cfwebpki')
  • ssh_key_type (Cfsystem::Keytype) (defaults to: 'ed25519')
  • ssh_key_bits (Cfsystem::Rsabits) (defaults to: 2048)
  • tls_ticket_key_count (Integer[2]) (defaults to: 3)
  • tls_ticket_key_age (Integer[60, 1440]) (defaults to: 1440)
  • tls_ticket_cron (Hash) (defaults to: { hour => '*/3', minute => 1 })
  • cert_source (Optional[Variant[String[1], Enum['acme']]]) (defaults to: undef)


# File 'manifests/pki.pp', line 6

# @summary Shared PKI layout for cfweb: the key/cert/ticket directory paths,
#   a default RSA and a default ECDSA key, placeholder certificates for each,
#   and the system info record other cfweb components read.
#
# Every parameter and every local variable below is reachable from other
# classes as $cfweb::pki::<name>; most are not consumed in this body and exist
# to be read by sibling classes/defines in the module (not visible here).
#
# @param x509_c      X.509 subject country (exactly two characters).
# @param x509_st     X.509 subject state/province.
# @param x509_l      X.509 subject locality.
# @param x509_o      X.509 subject organization.
# @param x509_ou     X.509 subject organizational unit.
# @param x509_email  X.509 subject e-mail address.
#   The x509_* fields are not referenced in this body; presumably read by
#   cfweb::pki::cert when building subjects — confirm against that define.
# @param dhparam_bits Size of the DH parameter file ($dhparam below). The type
#   admits 1024, which is below current recommendations for finite-field DH;
#   keep the 2048 default or raise it.
# @param rsa_key_name Name of the default RSA key resource.
# @param rsa_bits     Modulus size passed to the default RSA key.
# @param ecc_key_name Name of the default ECDSA key resource.
# @param ecc_curve    Curve passed to the default ECDSA key.
# @param cert_hash    Digest name (default 'sha256'); not used in this body.
# @param ssh_user     Account published as `user` in the cfsystem_info record.
#   Typed as String rather than String[1] like the other names, so '' is
#   accepted here.
# @param ssh_key_type SSH key type for the PKI account.
# @param ssh_key_bits SSH key size; only meaningful for RSA key types.
# @param tls_ticket_key_count Number of TLS session-ticket keys to retain.
# @param tls_ticket_key_age   Ticket key age; presumably minutes given the
#   60..1440 range — confirm against the rotation script.
# @param tls_ticket_cron      Cron schedule hash for ticket-key rotation.
# @param cert_source  Certificate source: an arbitrary non-empty string or the
#   literal 'acme'; undef leaves it unset. Not used in this body.
class cfweb::pki(
    String[2, 2] $x509_c,
    String[1] $x509_st,
    String[1] $x509_l,
    String[1] $x509_o,
    String[1] $x509_ou,
    String[1] $x509_email,

    Integer[1024, 8192] $dhparam_bits = 2048,

    String[1] $rsa_key_name = 'multi',
    Cfsystem::Rsabits $rsa_bits = 2048,
    String[1] $ecc_key_name = 'multiec',
    String[1] $ecc_curve = 'prime256v1',
    String[1] $cert_hash = 'sha256',

    String $ssh_user = 'cfwebpki',
    Cfsystem::Keytype
        $ssh_key_type = 'ed25519',
    Cfsystem::Rsabits
        $ssh_key_bits = 2048, # for rsa

    Integer[2] $tls_ticket_key_count = 3,
    Integer[60, 1440] $tls_ticket_key_age = 1440,
    Hash $tls_ticket_cron = {
        hour   => '*/3',
        minute => 1
    },

    Optional[Variant[String[1], Enum['acme']]]
        $cert_source = undef,
) {
    # Ordering anchor; presumably referenced by other cfweb classes that must
    # run relative to the PKI setup — confirm against its users.
    anchor { 'cfweb::pki:dyn_setup': }

    #---
    include stdlib
    include cfweb
    # Supplies $cfweb::pki::user::home_dir, which every path below derives from.
    include cfweb::pki::user

    #---
    # Shared layout exported to the rest of the module; nothing in this body
    # consumes these directly.
    # NOTE(review): $cfweb::nginx::enable is read without an explicit include
    # of cfweb::nginx here; presumably `include cfweb` evaluates it — confirm.
    $enable = $cfweb::nginx::enable
    $openssl = '/usr/bin/openssl'
    $root_dir = "${cfweb::pki::user::home_dir}/shared"
    # The bit size is part of the file name, so different sizes map to
    # distinct files under $root_dir.
    $dhparam = "${root_dir}/dh${dhparam_bits}.pem"
    $ticket_dir = "${root_dir}/tickets"
    $key_dir = "${root_dir}/keys"
    $cert_dir = "${root_dir}/certs"

    # Kept after the path variables: cfweb::pki::dir presumably reads them
    # while it is evaluated — do not move this include above them without
    # checking that class.
    include cfweb::pki::dir

    #---
    # Records the PKI home directory and SSH account under the 'cfwebpki' key.
    cfsystem_info { 'cfwebpki':
        ensure => present,
        info   => {
            home => $cfweb::pki::user::home_dir,
            user => $ssh_user,
        }
    }

    #---
    # One default key per algorithm family. ensure_resource avoids a duplicate
    # declaration error when the same key name is already declared elsewhere
    # with identical parameters.
    ensure_resource('cfweb::pki::key', $rsa_key_name, {
        key_type  => 'rsa',
        rsa_bits  => $rsa_bits,
    })
    ensure_resource('cfweb::pki::key', $ecc_key_name, {
        key_type  => 'ecdsa',
        ecc_curve  => $ecc_curve,
    })
    # Placeholder certificates, one on each default key. The CN is the
    # reserved example.com name, i.e. not a real service identity — TODO
    # confirm how cfweb::pki::cert treats these before serving them.
    ensure_resource('cfweb::pki::cert', 'default', {
        key_name => $rsa_key_name,
        x509_cn => 'www.example.com',
    })
    ensure_resource('cfweb::pki::cert', 'defaultec', {
        key_name => $ecc_key_name,
        x509_cn => 'www.example.com',
    })
}