changeset 8:16e9e26337be

Lock down ownership and permissions on certificates
author IBBoard <dev@ibboard.co.uk>
date Wed, 08 Oct 2014 19:45:54 +0000
parents 3523e4c2604c
children ca6ce30c0bfc
files modules/website/manifests/https.pp modules/website/manifests/https/redir.pp
diffstat 2 files changed, 11 insertions(+), 1 deletions(-) [+]
--- a/modules/website/manifests/https.pp	Wed Oct 08 19:45:21 2014 +0000
+++ b/modules/website/manifests/https.pp	Wed Oct 08 19:45:54 2014 +0000
@@ -69,6 +69,11 @@
   if $ssl_cert == undef {
     $sslcert = "${website::certdir}/${shortdomain}.crt"
     $sslkey = "${website::certdir}/${shortdomain}.key"
+    File {
+      mode => '0400',
+      owner => 'root',
+      group => 'root',
+    }
     file { $sslcert:
       source => "puppet:///private/pki/custom/${shortdomain}.crt",
       before => Apache::Vhost[$name],
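Review bot: The `File { mode => '0400', owner => 'root', group => 'root' }` block added at the top of the `if $ssl_cert == undef` branch is a resource default, and Puppet resource defaults are dynamically scoped: an `if` opens no new scope, so the default applies to every `file` resource declared later in this define and to anything declared from it, not just the cert and key below. If `Apache::Vhost[$name]` is declared from this define it would inherit root:root 0400 for its own files (vhost config, docroot), and 0400 on a directory is unusable, so the safer form is to drop the default and put `mode => '0400', owner => 'root', group => 'root',` explicitly in each of the two `file { ... }` resources. Consider `show_diff => false` on the key resource so private-key content is never written into reports or noop output (attribute availability depends on the Puppet version in use, which the hunk does not show). Root-only access relies on httpd reading the key as root before dropping privileges, which is the normal Apache startup order; a setup where the worker user opens the key would break. The define's body continues outside the hunk.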
--- a/modules/website/manifests/https/redir.pp	Wed Oct 08 19:45:21 2014 +0000
+++ b/modules/website/manifests/https/redir.pp	Wed Oct 08 19:45:54 2014 +0000
@@ -37,6 +37,11 @@
   if $ssl_cert == undef {
     $sslcert = "${website::certdir}/${shortdomain}.crt"
     $sslkey = "${website::certdir}/${shortdomain}.key"
+    File {
+      mode => '0400',
+      owner => 'root',
+      group => 'root',
+    }
     if ! defined(File[$sslcert]) {
       file { $sslcert:
         source => "puppet:///private/pki/custom/${shortdomain}.crt",
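Review bot: The same `File { ... }` resource default as in https.pp is added here, and because resource defaults are dynamically scoped and not confined by the `if`, root:root 0400 will also be applied to any later `file` resource in this define and anything it declares. Note too that the `if ! defined(File[$sslcert])` guards are parse-order dependent: when the resource was already declared elsewhere with other attributes, this default does nothing to it, so the hardening only covers the copy declared here. Setting `mode => '0400', owner => 'root', group => 'root',` explicitly on the cert and key resources makes the intent local and avoids the spill-over. The define's body continues outside the hunk.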
@@ -46,7 +51,7 @@
       }
     }
     if ! defined(File["/etc/pki/custom/$ssl_chain"]) {
-      file { $ssslkey:
+      file { $sslkey:
         source => "puppet:///private/pki/custom/${shortdomain}.key",
         before => Apache::Vhost[$name],
         notify => Service['httpd'],
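Review bot: The `$ssslkey` typo fix is correct, but the guard at the top of this hunk tests `File["/etc/pki/custom/$ssl_chain"]` while the resource it wraps is `file { $sslkey: ... }`, so the key is skipped whenever a chain-file resource already exists and could be declared twice when `$sslkey` is already managed but the chain is not; the condition should match the resource it protects, `if ! defined(File[$sslkey]) {`. Because this resource copies a private key, `show_diff => false` on it would keep key material out of reports and noop diffs, subject to the Puppet version in use. The string `"/etc/pki/custom/$ssl_chain"` also hard-codes the directory that the neighbouring lines derive from `${website::certdir}`, and the braceless `$ssl_chain` interpolation differs from the `${...}` form used elsewhere in the file. The surrounding `if $ssl_cert == undef` block starts before this hunk.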