Puppet Class: sslcert::ocsp::init

Defined in:

modules/sslcert/manifests/ocsp/init.pp

Overview

SPDX-License-Identifier: Apache-2.0

Class: sslcert::ocsp::init

Base class for the OCSP stapler scripts.

Parameters

cache_group

Allows configuring the group that owns /var/cache/ocsp Defaults to root

Examples

include sslcert::ocsp::init

Parameters:

• cache_group (String) (defaults to: 'root')

# File 'modules/sslcert/manifests/ocsp/init.pp', line 16

class sslcert::ocsp::init(
    String $cache_group = 'root',
) {
    require sslcert

    # generic script for fetching the OCSP file for a given cert
    file { '/usr/local/sbin/update-ocsp':
        ensure => present,
        mode   => '0555',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/sslcert/update-ocsp.py',
    }

    file { '/usr/local/sbin/update-ocsp-all':
        ensure => present,
        mode   => '0555',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/sslcert/update-ocsp-all',
    }

    file { '/usr/local/sbin/update-ocsp-all.sh':
        ensure => present,
        mode   => '0555',
        owner  => 'root',
        group  => 'root',
        source => 'puppet:///modules/sslcert/update-ocsp-all.sh',
    }

    file { '/etc/update-ocsp.d':
        ensure => 'directory',
        owner  => 'root',
        group  => 'root',
        mode   => '0555',
    }

    file { '/etc/update-ocsp.d/hooks':
        ensure => 'directory',
        owner  => 'root',
        group  => 'root',
        mode   => '0555',
    }

    file { '/var/cache/ocsp':
        ensure => 'directory',
        owner  => 'root',
        group  => $cache_group,
        mode   => '0775',
    }

    # Twice a day, 12h apart
    $cron_h12 = fqdn_rand(12, 'e663dd38dd6d3384')
    $minute = fqdn_rand(60, '1adf3dd699e51805')

    systemd::timer::job { 'update-ocsp-all':
        ensure            => present,
        description       => 'Regular jobs to update all OCSP stapling files',
        user              => 'root',
        command           => '/usr/local/sbin/update-ocsp-all.sh',
        syslog_identifier => 'timer-update-ocsp-all',
        interval          => {
            'start'    => 'OnCalendar',
            'interval' => "*-*-* ${cron_h12}/12:${minute}:00"
        },
        require           => [
            File['/usr/local/sbin/update-ocsp-all.sh'],
            File['/usr/local/sbin/update-ocsp-all'],
            File['/etc/update-ocsp.d'],
        ],
    }

    rsyslog::conf { 'update-ocsp-all':
        source   => 'puppet:///modules/sslcert/update-ocsp-all.rsyslog.conf',
    }

    # Rotate /var/log/update-ocsp-all.log
    logrotate::conf { 'update-ocsp-all':
        ensure => present,
        source => 'puppet:///modules/sslcert/update-ocsp-all-logrotate',
    }
}