Puppet Class: sslcert::ocsp::init

Defined in:
modules/sslcert/manifests/ocsp/init.pp

Overview

Class: sslcert::ocsp::init

Base class for the OCSP stapler scripts.

Parameters

cache_group

Allows configuring the group that owns /var/cache/ocsp. Defaults to root.

Examples

include sslcert::ocsp::init

Parameters:

  • cache_group (String) (defaults to: 'root')


# File 'modules/sslcert/manifests/ocsp/init.pp', line 15

class sslcert::ocsp::init(
    # Group that owns the response cache directory; see /var/cache/ocsp below
    # for why this is the only thing that is not root-owned here.
    String $cache_group = 'root',
) {
    # Base sslcert class must be applied before the resources in this class.
    require sslcert

    # generic script for fetching the OCSP file for a given cert
    # Installed root-owned and read/execute only (0555): nothing on the host
    # other than root can alter what runs from cron below.
    file { '/usr/local/sbin/update-ocsp':
        ensure => present,
        mode   => '0555',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/sslcert/update-ocsp.py',
    }

    # Wrapper invoked by the cron job below; same root-only, read/execute
    # permissions as update-ocsp. NOTE(review): presumably it iterates the
    # entries in /etc/update-ocsp.d -- confirm in the script source.
    file { '/usr/local/sbin/update-ocsp-all':
        ensure => present,
        mode   => '0555',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/sslcert/update-ocsp-all',
    }

    # Configuration drop-in directory. Root-owned and not group/world
    # writable, so only Puppet (as root) decides what gets stapled.
    file { '/etc/update-ocsp.d':
        ensure => 'directory',
        owner  => 'root',
        group  => 'root',
        mode   => '0555',
    }

    # Hook directory, locked down like its parent. NOTE(review): presumably
    # scripts placed here are executed by the stapler after a fetch, which is
    # why it must stay root-only -- confirm against update-ocsp.py.
    file { '/etc/update-ocsp.d/hooks':
        ensure => 'directory',
        owner  => 'root',
        group  => 'root',
        mode   => '0555',
    }

    # Cache for the fetched OCSP responses. This is the one deliberately
    # group-writable (0775) path in the class: $cache_group members can write
    # responses here without being root. Callers should keep $cache_group
    # narrow, since anyone in it can replace the cached responses.
    file { '/var/cache/ocsp':
        ensure => 'directory',
        owner  => 'root',
        group  => $cache_group,
        mode   => '0775',
    }

    # Twice a day, 12h apart
    # fqdn_rand() is deterministic per host, so each host gets a stable but
    # different slot and the fleet does not hit the OCSP responders at once.
    # Distinct seeds keep the hour and minute draws independent of each other
    # and of other fqdn_rand() calls on the host. $cron_h12 is 0..11, so
    # $cron_h12 + 12 is always a valid 12..23 hour.
    $cron_h12 = fqdn_rand(12, 'e663dd38dd6d3384')
    cron { 'update-ocsp-all':
        # Output goes to syslog via logger under the 'update-ocsp-all' tag,
        # which the rsyslog::conf below is keyed on.
        command => '/usr/local/sbin/update-ocsp-all 2>&1 | logger -t update-ocsp-all',
        minute  => fqdn_rand(60, '1adf3dd699e51805'),
        hour    => [ $cron_h12, $cron_h12 + 12 ],
        require => [
            File['/usr/local/sbin/update-ocsp-all'],
            File['/etc/update-ocsp.d'],
        ],
    }

    # rsyslog rule for the 'update-ocsp-all' tag used by the cron command.
    # NOTE(review): presumably this routes the tag to
    # /var/log/update-ocsp-all.log (the file rotated below) -- confirm in the
    # shipped rsyslog conf.
    rsyslog::conf { 'update-ocsp-all':
        source   => 'puppet:///modules/sslcert/update-ocsp-all.rsyslog.conf',
    }

    # Rotate /var/log/update-ocsp-all.log
    logrotate::conf { 'update-ocsp-all':
        ensure => present,
        source => 'puppet:///modules/sslcert/update-ocsp-all-logrotate',
    }
}