diff --git a/manifests/resource/mailhost.pp b/manifests/resource/mailhost.pp index fcf764ce9..1377ac351 100644 --- a/manifests/resource/mailhost.pp +++ b/manifests/resource/mailhost.pp @@ -72,9 +72,9 @@ # for authorization. # @param xclient # Whether to use xclient for smtp -# @param proxy_protocol +# @param proxy_protocol # Wheter to use proxy_protocol -# @param proxy_smtp_auth +# @param proxy_smtp_auth # Wheter to use proxy_smtp_auth # @param imap_auth # Sets permitted methods of authentication for IMAP clients. @@ -170,12 +170,20 @@ Optional[Array] $pop3_capabilities = undef, Optional[String] $smtp_auth = undef, Optional[Array] $smtp_capabilities = undef, - Optional[Variant[Array, String]] $raw_prepend = undef, - Optional[Variant[Array, String]] $raw_append = undef, - Optional[Hash] $mailhost_cfg_prepend = undef, - Optional[Hash] $mailhost_cfg_append = undef, String $proxy_pass_error_message = 'off', - Array $server_name = [$name] + Array $server_name = [$name], + Variant[Array[String], String] $raw_prepend = [], + Variant[Array[String], String] $raw_append = [], + Hash[String, Variant[ + String, + Array[String], + Hash[String, Variant[String, Array[String]]], + ]] $mailhost_cfg_prepend = {}, + Hash[String, Variant[ + String, + Array[String], + Hash[String, Variant[String, Array[String]]], + ]] $mailhost_cfg_append = {}, ) { if ! defined(Class['nginx']) { fail('You must include the nginx base class before using any defined resources') @@ -183,7 +191,8 @@ # Add IPv6 Logic Check - Nginx service will not start if ipv6 is enabled # and support does not exist for it in the kernel. - if ($ipv6_enable and !$facts['networking']['ip6']) { + $has_ipaddress6 = ($facts.get('networking.ip6') =~ Stdlib::IP::Address::V6) + if ($ipv6_enable and !$has_ipaddress6) { warning('nginx: IPv6 support is not enabled or configured properly') } 
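Review bot: The `# Wheter to use proxy_protocol` and `# Wheter to use proxy_smtp_auth` description lines directly beneath the two `@param` lines this hunk rewrites keep the typo. Since the hunk already touches `@param proxy_protocol` and `@param proxy_smtp_auth` (trailing whitespace only), `# Whether to use proxy_protocol` and `# Whether to use proxy_smtp_auth` belong in the same change. The enclosing doc block starts before this hunk.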
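Review bot: The new `Hash[String, Variant[String, Array[String], Hash[String, Variant[String, Array[String]]]]]` type for `$mailhost_cfg_prepend` and `$mailhost_cfg_append` is stricter than the `Optional[Hash]` it replaces, and the narrowing is not reflected in the parameter docs. The removed ERB rendered leaves through `Array(value)`, so a caller passing a non-string leaf such as an Integer (`'timeout' => 30`, constructed example) compiled before and is rejected at catalog compile now; the same applies to `$raw_prepend`/`$raw_append`, which move from `Variant[Array, String]` to `Variant[Array[String], String]`. Either widen the leaf type to `Variant[String, Integer, Array[String], ...]` or state the String-only contract in the `@param mailhost_cfg_prepend` / `@param mailhost_cfg_append` entries above, which sit outside this hunk. Moving the four parameters behind `$server_name` is harmless, since defined-type parameters are passed by name.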
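Review bot: `$facts.get('networking.ip6')` on the new `$has_ipaddress6` line depends on the `get` function, which exists only from Puppet 6.0 on, so this hunk raises the module's minimum Puppet version unless metadata.json (not in this diff) already requires 6; `$facts['networking']['ip6']` from the removed line, or `$facts.dig('networking', 'ip6')`, keeps the older floor with the same result. Matching the fact against `Stdlib::IP::Address::V6` is an improvement over the old truthiness test, since an empty or malformed fact value now yields `false` instead of an IPv6 `listen` line nginx cannot bind. The surrounding mailhost body starts before this hunk.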
@@ -197,6 +206,53 @@ $config_dir = "${nginx::conf_dir}/conf.mail.d" $config_file = "${config_dir}/${name}.conf" + # Pre-render some common parts + $mailhost_prepend = epp('nginx/prepend_append.epp', { + cfg_xpend => $mailhost_cfg_prepend, + raw_xpend => [$raw_prepend].flatten, + }) + $mailhost_append = epp('nginx/prepend_append.epp', { + cfg_xpend => $mailhost_cfg_append, + raw_xpend => [$raw_append].flatten, + }) + + $mailhost_ssl_settings = epp('nginx/mailhost/mailhost_ssl_settings.epp', { + ssl_cert => $ssl_cert, + ssl_ciphers => $ssl_ciphers, + ssl_client_cert => $ssl_client_cert, + ssl_crl => $ssl_crl, + ssl_dhparam => $ssl_dhparam, + ssl_ecdh_curve => $ssl_ecdh_curve, + ssl_key => $ssl_key, + ssl_password_file => $ssl_password_file, + ssl_prefer_server_ciphers => $ssl_prefer_server_ciphers, + ssl_protocols => $ssl_protocols, + ssl_session_cache => $ssl_session_cache, + ssl_session_ticket_key => $ssl_session_ticket_key, + ssl_session_tickets => $ssl_session_tickets, + ssl_session_timeout => $ssl_session_timeout, + ssl_trusted_cert => $ssl_trusted_cert, + ssl_verify_depth => $ssl_verify_depth, + }) + + $mailhost_common = epp('nginx/mailhost/mailhost_common.epp', { + auth_http => $auth_http, + auth_http_header => $auth_http_header, + imap_auth => $imap_auth, + imap_capabilities => $imap_capabilities, + imap_client_buffer => $imap_client_buffer, + pop3_auth => $pop3_auth, + pop3_capabilities => $pop3_capabilities, + protocol => $protocol, + proxy_pass_error_message => $proxy_pass_error_message, + proxy_protocol => $proxy_protocol, + proxy_smtp_auth => $proxy_smtp_auth, + server_name => $server_name, + smtp_auth => $smtp_auth, + smtp_capabilities => $smtp_capabilities, + xclient => $xclient, + }) + concat { $config_file: ensure => $ensure, owner => 'root', 
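Review bot: `$mailhost_ssl_settings` is rendered for every mailhost, before `$ssl` or `$starttls` is consulted, so the signature of `mailhost_ssl_settings.epp` (`Enum['on', 'off'] $ssl_prefer_server_ciphers`, `String $ssl_protocols`, `String $ssl_session_timeout`, `Optional[Integer] $ssl_verify_depth`) is now enforced on plaintext-only hosts as well; any mismatch with the defined type's own parameter types, which are outside this hunk, fails catalog compilation for all mailhosts rather than only the TLS ones. That is fine as long as the two sets of types are kept in step, and a one-line comment above the `epp('nginx/mailhost/mailhost_ssl_settings.epp', {` call, `# Rendered unconditionally; keep its parameter types in sync with this define`, would spare the next maintainer the surprise. The `$mailhost_prepend`/`$mailhost_append` rendering delegates to `nginx/prepend_append.epp`, which is not part of this diff; the removed ERB sorted keys with `sort_by`, so the "ordered ... directives" specs only hold if that template sorts too.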
@@ -210,8 +266,23 @@ if $ssl_port == undef or $listen_port != $ssl_port { concat::fragment { "${name}-header": target => $config_file, - content => template('nginx/mailhost/mailhost.erb'), order => '001', + content => epp('nginx/mailhost/mailhost.epp', { + has_ipaddress6 => $has_ipaddress6, + ipv6_enable => $ipv6_enable, + ipv6_listen_ip => $ipv6_listen_ip, + ipv6_listen_options => $ipv6_listen_options, + ipv6_listen_port => $ipv6_listen_port, + listen_ip => $listen_ip, + listen_options => $listen_options, + listen_port => $listen_port, + mailhost_append => $mailhost_append, + mailhost_common => $mailhost_common, + mailhost_prepend => $mailhost_prepend, + mailhost_ssl_settings => $mailhost_ssl_settings, + nginx_version => $nginx::nginx_version, + starttls => $starttls, + }), } } @@ -219,8 +290,22 @@ if $ssl { concat::fragment { "${name}-ssl": target => $config_file, - content => template('nginx/mailhost/mailhost_ssl.erb'), order => '700', + content => epp('nginx/mailhost/mailhost_ssl.epp', { + has_ipaddress6 => $has_ipaddress6, + ipv6_enable => $ipv6_enable, + ipv6_listen_ip => $ipv6_listen_ip, + ipv6_listen_options => $ipv6_listen_options, + ipv6_listen_port => $ipv6_listen_port, + listen_ip => $listen_ip, + listen_options => $listen_options, + mailhost_append => $mailhost_append, + mailhost_common => $mailhost_common, + mailhost_prepend => $mailhost_prepend, + mailhost_ssl_settings => $mailhost_ssl_settings, + nginx_version => $nginx::nginx_version, + ssl_port => $ssl_port, + }), } } } diff --git a/spec/default_module_facts.yml b/spec/default_module_facts.yml index 6c7303fb0..8bce74ffd 100644 --- a/spec/default_module_facts.yml +++ b/spec/default_module_facts.yml @@ -1,2 +1,4 @@ --- ipaddress6: '::' +networking: + ip6: '::' diff --git a/spec/defines/resource_mailhost_spec.rb b/spec/defines/resource_mailhost_spec.rb index 8f9757a88..546414ed0 100644 --- a/spec/defines/resource_mailhost_spec.rb +++ b/spec/defines/resource_mailhost_spec.rb 
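Review bot: In the `${name}-ssl` hunk, `ssl_port => $ssl_port` feeds a template parameter typed `Optional[Stdlib::Port]`, and `mailhost_ssl.epp` interpolates it straight into `listen <%= $listen_ip %>:<%= $ssl_port %>`, so `ssl => true` without an `ssl_port` renders `listen <ip>:;` and only fails at nginx's config check rather than at catalog compile. Unless the defined type already guards this further up (outside the hunk), a `if $ssl and $ssl_port == undef { fail("nginx: ssl_port is required when ssl is true for ${name}") }` ahead of the fragment, or typing the template parameter `Stdlib::Port $ssl_port`, moves the error to compile time. The fragment's `target` and `order` attributes are unchanged, and the `if $ssl {` block closes within the hunk.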
@@ -152,7 +152,19 @@ notmatch: %r{ ssl_session_timeout 5m;} }, { - title: 'should contain raw_prepend directives', + title: 'should contain raw_prepend directives (String)', + attr: 'raw_prepend', + value: 'test value;', + match: [' test value;'] + }, + { + title: 'should contain raw_append directives (String)', + attr: 'raw_append', + value: 'test value;', + match: [' test value;'] + }, + { + title: 'should contain raw_prepend directives (Array)', attr: 'raw_prepend', value: [ 'if (a) {', @@ -162,7 +174,7 @@ match: %r{^\s+if \(a\) \{\n\s++b;\n\s+\}} }, { - title: 'should contain raw_append directives', + title: 'should contain raw_append directives (Array)', attr: 'raw_append', value: [ 'if (a) {', 
@@ -174,23 +186,45 @@ { title: 'should contain ordered prepended directives', attr: 'mailhost_cfg_prepend', - value: { 'test1' => 'test value 1', 'test2' => ['test value 2a', 'test value 2b'], 'test3' => 'test value 3' }, + value: { + 'test1' => 'test value 1', + 'test2' => ['test value 2a', 'test value 2b'], + 'test3' => { + 'subkey 3a' => 'subvalue 3a', + 'subkey 3b' => ['subvalue 3b1', 'subvalue 3b2'], + }, + 'test4' => 'test value 4', + }, match: [ ' test1 test value 1;', ' test2 test value 2a;', ' test2 test value 2b;', - ' test3 test value 3;' + ' test3 subkey 3a subvalue 3a;', + ' test3 subkey 3b subvalue 3b1;', + ' test3 subkey 3b subvalue 3b2;', + ' test4 test value 4;', ] }, { title: 'should contain ordered appended directives', attr: 'mailhost_cfg_append', - value: { 'test1' => 'test value 1', 'test2' => ['test value 2a', 'test value 2b'], 'test3' => 'test value 3' }, + value: { + 'test1' => 'test value 1', + 'test2' => ['test value 2a', 'test value 2b'], + 'test3' => { + 'subkey 3a' => 'subvalue 3a', + 'subkey 3b' => ['subvalue 3b1', 'subvalue 3b2'], + }, + 'test4' => 'test value 4', + }, match: [ ' test1 test value 1;', ' test2 test value 2a;', ' test2 test value 2b;', - ' test3 test value 3;' + ' test3 subkey 3a subvalue 3a;', + ' test3 subkey 3b subvalue 3b1;', + ' test3 subkey 3b subvalue 3b2;', + ' test4 test value 4;', ] } ].each do |param| diff --git a/templates/mailhost/mailhost.epp b/templates/mailhost/mailhost.epp new file mode 100644 index 000000000..4cc732a21 --- /dev/null +++ b/templates/mailhost/mailhost.epp 
@@ -0,0 +1,49 @@ +<%- | + Boolean $has_ipaddress6, + Boolean $ipv6_enable, + Variant[Array[String], String] $ipv6_listen_ip + String $ipv6_listen_options, + Stdlib::Port $ipv6_listen_port, + Variant[Array[String], String] $listen_ip, + Optional[String] $listen_options, + Stdlib::Port $listen_port, + String $mailhost_append, + String[1] $mailhost_common, + String $mailhost_prepend, + String[1] $mailhost_ssl_settings, + String[1] $nginx_version, + Enum['on', 'off', 'only'] $starttls, +| -%> +# MANAGED BY PUPPET +server { +<%= $mailhost_prepend -%> +<%- if $listen_ip =~ Array { -%> + <%- $listen_ip.each |$ip| { -%> + listen <%= $ip %>:<%= $listen_port %><% if $listen_options { %> <%= $listen_options %><% } %>; + <%- } -%> +<%- } else { -%> + listen <%= $listen_ip %>:<%= $listen_port %><% if $listen_options { %> <%= $listen_options %><% } %>; +<%- } -%> +<%# check to see if ipv6 support exists in the kernel before applying -%> +<%# FIXME this logic is duplicated all over the place -%> +<%- if $ipv6_enable and $has_ipaddress6 { -%> + <%- if $ipv6_listen_ip =~ Array { -%> + <%- $ipv6_listen_ip.each |$ipv6| { -%> + listen [<%= $ipv6 %>]:<%= $ipv6_listen_port %> <% if $ipv6_listen_options { %><%= $ipv6_listen_options %><% } %>; + <%- } -%> + <%- } else { -%> + listen [<%= $ipv6_listen_ip %>]:<%= $ipv6_listen_port %> <% if $ipv6_listen_options { %><%= $ipv6_listen_options %><% } %>; + <%- } -%> +<%- } -%> +<%= $mailhost_common -%> + +<%- if versioncmp($nginx_version, '1.15.0') < 0 { -%> + ssl off; +<% } %> + starttls <%= $starttls %>; + +<% if $starttls == 'on' or $starttls == 'only' { %> +<%= $mailhost_ssl_settings -%> +<%- } -%> +<%= $mailhost_append -%> +} diff --git a/templates/mailhost/mailhost.erb b/templates/mailhost/mailhost.erb deleted file mode 100644 index 468a64be4..000000000 --- a/templates/mailhost/mailhost.erb +++ /dev/null 
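Review bot: The EPP parameter list appears to be missing the comma after `Variant[Array[String], String] $ipv6_listen_ip` (every other entry ends with one, and `String $ipv6_listen_options,` follows directly), which would make every mailhost fail at template parse time; the same line appears in `mailhost_ssl.epp`. If that is not an artifact of how this diff is rendered, the line should read `Variant[Array[String], String] $ipv6_listen_ip,` in both templates. Separately, `String $ipv6_listen_options` is guarded below by `<% if $ipv6_listen_options { %>`, but an empty String is truthy in Puppet, so that guard can never trigger for this type; `Optional[String] $ipv6_listen_options,` matches the `Optional[String] $listen_options` beside it and makes the guard meaningful, assuming the defined type allows undef there.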
@@ -1,67 +0,0 @@ -# MANAGED BY PUPPET -server { -<% if @mailhost_cfg_prepend -%> - <%- @mailhost_cfg_prepend.sort_by{ |k,v| k}.each do |key,value| -%> - <%- if value.is_a?(Hash) -%> - <%- value.sort_by {|k,v| k}.each do |subkey,subvalue| -%> - <%- Array(subvalue).each do |asubvalue| -%> - <%= key %> <%= subkey %> <%= asubvalue %>; - <%- end -%> - <%- end -%> - <%- else -%> - <%- Array(value).each do |asubvalue| -%> - <%= key %> <%= asubvalue %>; - <%- end -%> - <%- end -%> - <%- end -%> -<% end -%> -<% Array(@raw_prepend).each do |line| -%> - <%= line %> -<% end -%> -<%- if @listen_ip.is_a?(Array) then -%> - <%- @listen_ip.each do |ip| -%> - listen <%= ip %>:<%= @listen_port %><% if @listen_options %> <%= @listen_options %><% end %>; - <%- end -%> -<%- else -%> - listen <%= @listen_ip %>:<%= @listen_port %><% if @listen_options %> <%= @listen_options %><% end %>; -<%- end -%> -<%# check to see if ipv6 support exists in the kernel before applying -%> -<%# FIXME this logic is duplicated all over the place -%> -<%- if @ipv6_enable && (defined? 
@ipaddress6) -%> - <%- if @ipv6_listen_ip.is_a?(Array) then -%> - <%- @ipv6_listen_ip.each do |ipv6| -%> - listen [<%= ipv6 %>]:<%= @ipv6_listen_port %> <% if @ipv6_listen_options %><%= @ipv6_listen_options %><% end %>; - <%- end -%> - <%- else -%> - listen [<%= @ipv6_listen_ip %>]:<%= @ipv6_listen_port %> <% if @ipv6_listen_options %><%= @ipv6_listen_options %><% end %>; - <%- end -%> -<%- end -%> -<%= scope.function_template(["nginx/mailhost/mailhost_common.erb"]) -%> - -<% if scope.call_function('versioncmp', [scope['nginx::nginx_version'], '1.15.0']) < 0 -%> - ssl off; -<% end -%> - starttls <%= @starttls %>; - -<% if @starttls == 'on' || @starttls == 'only' %> -<%= scope.function_template(["nginx/mailhost/mailhost_ssl_settings.erb"]) -%> -<%- end -%> -<% if @mailhost_cfg_append -%> - <%- @mailhost_cfg_append.sort_by{ |k,v| k}.each do |key,value| -%> - <%- if value.is_a?(Hash) -%> - <%- value.sort_by {|k,v| k}.each do |subkey,subvalue| -%> - <%- Array(subvalue).each do |asubvalue| -%> - <%= key %> <%= subkey %> <%= asubvalue %>; - <%- end -%> - <%- end -%> - <%- else -%> - <%- Array(value).each do |asubvalue| -%> - <%= key %> <%= asubvalue %>; - <%- end -%> - <%- end -%> - <%- end -%> -<% end -%> -<% Array(@raw_append).each do |line| -%> - <%= line %> -<% end -%> -} diff --git a/templates/mailhost/mailhost_common.epp b/templates/mailhost/mailhost_common.epp new file mode 100644 index 000000000..cd58a7133 --- /dev/null +++ b/templates/mailhost/mailhost_common.epp 
@@ -0,0 +1,61 @@ +<%- | + Optional[String] $auth_http, + Optional[String] $auth_http_header, + Optional[String] $imap_auth, + Optional[Array] $imap_capabilities, + Optional[String] $imap_client_buffer, + Optional[String] $pop3_auth, + Optional[Array] $pop3_capabilities, + Optional[Enum['imap', 'pop3', 'sieve', 'smtp']] + $protocol, + String $proxy_pass_error_message, + Enum['on', 'off'] $proxy_protocol, + Enum['on', 'off'] $proxy_smtp_auth, + Array $server_name, + Optional[String] $smtp_auth, + Optional[Array] $smtp_capabilities, + Enum['on', 'off'] $xclient, +| -%> + server_name <%= $server_name.join(" ") %>; +<%- if $protocol { -%> + protocol <%= $protocol %>; +<%- } -%> + xclient <%= $xclient %>; + proxy_protocol <%= $proxy_protocol %>; + proxy_smtp_auth <%= $proxy_smtp_auth %>; +<%- if $auth_http { -%> + auth_http <%= $auth_http %>; +<%- } -%> +<%- if $auth_http_header { -%> + auth_http_header <%= $auth_http_header %>; +<%- } -%> + + proxy_pass_error_message <%= $proxy_pass_error_message %>; + +<%- if $protocol == 'imap' { -%> +<%- if $imap_auth { -%> + imap_auth <%= $imap_auth %>; +<%- } -%> +<%- if $imap_capabilities { -%> + imap_capabilities <%= $imap_capabilities.join(" ") %>; +<%- } -%> +<%- if $imap_client_buffer { -%> + imap_client_buffer <%= $imap_client_buffer %>; +<%- } -%> +<%- } -%> +<%- if $protocol == 'pop3' { -%> +<%- if $pop3_auth { -%> + pop3_auth <%= $pop3_auth %>; +<%- } -%> +<%- if $pop3_capabilities { -%> + pop3_capabilities <%= $pop3_capabilities.join(" ") %>; +<%- } -%> +<%- } -%> +<%- if $protocol == 'smtp' { -%> +<%- if $smtp_auth { -%> + smtp_auth <%= $smtp_auth %>; +<%- } -%> +<%- if $smtp_capabilities { -%> + smtp_capabilities <%= $smtp_capabilities.join(" ") %>; +<%- } -%> +<%- } -%> diff --git a/templates/mailhost/mailhost_common.erb b/templates/mailhost/mailhost_common.erb deleted file mode 100644 index 0de1b45d0..000000000 --- a/templates/mailhost/mailhost_common.erb +++ /dev/null 
@@ -1,43 +0,0 @@ - server_name <%= @server_name.join(" ") %>; -<% if defined? @protocol -%> - protocol <%= @protocol %>; -<% end -%> - xclient <%= @xclient %>; - proxy_protocol <%= @proxy_protocol %>; - proxy_smtp_auth <%= @proxy_smtp_auth %>; -<% if defined? @auth_http -%> - auth_http <%= @auth_http %>; -<% end -%> -<%- if @auth_http_header -%> - auth_http_header <%= @auth_http_header %>; -<%- end -%> - - proxy_pass_error_message <%= @proxy_pass_error_message %>; - -<% if @protocol == 'imap' %> -<% if defined? @imap_auth -%> - imap_auth <%= @imap_auth %>; -<% end -%> -<% if defined? @imap_capabilities -%> - imap_capabilities <%= @imap_capabilities.join(" ") %>; -<% end -%> -<% if defined? @imap_client_buffer -%> - imap_client_buffer <%= @imap_client_buffer %>; -<% end -%> -<%- end -%> -<% if @protocol == 'pop3' %> -<% if defined? @pop3_auth -%> - pop3_auth <%= @pop3_auth %>; -<% end -%> -<% if defined? @pop3_capabilities -%> - pop3_capabilities <%= @pop3_capabilities.join(" ") %>; -<% end -%> -<%- end -%> -<% if @protocol == 'smtp' %> -<% if defined? @smtp_auth -%> - smtp_auth <%= @smtp_auth %>; -<% end -%> -<% if defined? @smtp_capabilities -%> - smtp_capabilities <%= @smtp_capabilities.join(" ") %>; -<% end -%> -<%- end -%> diff --git a/templates/mailhost/mailhost_ssl.epp b/templates/mailhost/mailhost_ssl.epp new file mode 100644 index 000000000..6f0144a4e --- /dev/null +++ b/templates/mailhost/mailhost_ssl.epp 
@@ -0,0 +1,45 @@ +<%- | + Boolean $has_ipaddress6, + Boolean $ipv6_enable, + Variant[Array[String], String] $ipv6_listen_ip + String $ipv6_listen_options, + Stdlib::Port $ipv6_listen_port, + Variant[Array[String], String] $listen_ip, + String $mailhost_append, + String[1] $mailhost_common, + String $mailhost_prepend, + String[1] $mailhost_ssl_settings, + String[1] $nginx_version, + Optional[Stdlib::Port] $ssl_port, +| -%> +# MANAGED BY PUPPET +server { +<%= $mailhost_prepend -%> +<%- if $listen_ip =~ Array { -%> + <%- $listen_ip.each |$ip| { -%> + listen <%= $ip %>:<%= $ssl_port %><% if versioncmp($nginx_version, '1.15.0') >= 0 { %> ssl<% } %>; + <%- } -%> +<%- } else { -%> + listen <%= $listen_ip %>:<%= $ssl_port %><% if versioncmp($nginx_version, '1.15.0') >= 0 { %> ssl<% } %>; +<%- } -%> +<%# check to see if ipv6 support exists in the kernel before applying -%> +<%# FIXME this logic is duplicated all over the place -%> +<%- if $ipv6_enable and $has_ipaddress6 { -%> + <%- if $ipv6_listen_ip =~ Array { -%> + <%- $ipv6_listen_ip.each |$ipv6| { -%> + listen [<%= $ipv6 %>]:<%= $ssl_port %> <% if $ipv6_listen_options { %><%= $ipv6_listen_options %><% } %>; + <%- } -%> + <%- } else { -%> + listen [<%= $ipv6_listen_ip %>]:<%= $ssl_port %> <% if $ipv6_listen_options { %><%= $ipv6_listen_options %><% } %>; + <%- } -%> +<%- } -%> +<%= $mailhost_common -%> + +<%- if versioncmp($nginx_version, '1.15.0') < 0 { -%> + ssl on; +<% } %> + starttls off; + +<%= $mailhost_ssl_settings -%> +<%= $mailhost_append -%> +} diff --git a/templates/mailhost/mailhost_ssl.erb b/templates/mailhost/mailhost_ssl.erb deleted file mode 100644 index 9592c4bff..000000000 --- a/templates/mailhost/mailhost_ssl.erb +++ /dev/null 
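Review bot: The IPv6 `listen [<%= $ipv6 %>]:<%= $ssl_port %>` lines never receive the ` ssl` parameter that the IPv4 lines add for `versioncmp($nginx_version, '1.15.0') >= 0`, and on those versions the template also stops emitting `ssl on;`, so the IPv6 listener on `$ssl_port` would accept plaintext unless the operator happens to put `ssl` into `$ipv6_listen_options`. The removed ERB had the same gap, so this is carried over rather than introduced, but the new template is the place to close it: `listen [<%= $ipv6 %>]:<%= $ssl_port %><% if versioncmp($nginx_version, '1.15.0') >= 0 { %> ssl<% } %><% if $ipv6_listen_options { %> <%= $ipv6_listen_options %><% } %>;` for the array branch, and the equivalent with `$ipv6_listen_ip` for the scalar branch. That also drops the stray space before `;` the current lines emit when no options are set.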
@@ -1,65 +0,0 @@ -# MANAGED BY PUPPET -server { -<% if @mailhost_cfg_prepend -%> - <%- @mailhost_cfg_prepend.sort_by{ |k,v| k}.each do |key,value| -%> - <%- if value.is_a?(Hash) -%> - <%- value.sort_by {|k,v| k}.each do |subkey,subvalue| -%> - <%- Array(subvalue).each do |asubvalue| -%> - <%= key %> <%= subkey %> <%= asubvalue %>; - <%- end -%> - <%- end -%> - <%- else -%> - <%- Array(value).each do |asubvalue| -%> - <%= key %> <%= asubvalue %>; - <%- end -%> - <%- end -%> - <%- end -%> -<% end -%> -<% Array(@raw_prepend).each do |line| -%> - <%= line %> -<% end -%> -<%- if @listen_ip.is_a?(Array) then -%> - <%- @listen_ip.each do |ip| -%> - listen <%= ip %>:<%= @ssl_port %><% if scope.call_function('versioncmp', [scope['nginx::nginx_version'], '1.15.0']) >= 0 -%> ssl<% end -%>; - <%- end -%> -<%- else -%> - listen <%= @listen_ip %>:<%= @ssl_port %><% if scope.call_function('versioncmp', [scope['nginx::nginx_version'], '1.15.0']) >= 0 -%> ssl<% end -%>; -<%- end -%> -<%# check to see if ipv6 support exists in the kernel before applying -%> -<%# FIXME this logic is duplicated all over the place -%> -<%- if @ipv6_enable && (defined? 
@ipaddress6) -%> - <%- if @ipv6_listen_ip.is_a?(Array) then -%> - <%- @ipv6_listen_ip.each do |ipv6| -%> - listen [<%= ipv6 %>]:<%= @ssl_port %><% if @ipv6_listen_options %> <%= @ipv6_listen_options %><% end %>; - <%- end -%> - <%- else -%> - listen [<%= @ipv6_listen_ip %>]:<%= @ssl_port %><% if @ipv6_listen_options %> <%= @ipv6_listen_options %><% end %>; - <%- end -%> -<%- end -%> -<%= scope.function_template(["nginx/mailhost/mailhost_common.erb"]) -%> - -<% if scope.call_function('versioncmp', [scope['nginx::nginx_version'], '1.15.0']) < 0 -%> - ssl on; -<% end -%> - starttls off; - -<%= scope.function_template(["nginx/mailhost/mailhost_ssl_settings.erb"]) -%> -<% if @mailhost_cfg_append -%> - <%- @mailhost_cfg_append.sort_by{ |k,v| k}.each do |key,value| -%> - <%- if value.is_a?(Hash) -%> - <%- value.sort_by {|k,v| k}.each do |subkey,subvalue| -%> - <%- Array(subvalue).each do |asubvalue| -%> - <%= key %> <%= subkey %> <%= asubvalue %>; - <%- end -%> - <%- end -%> - <%- else -%> - <%- Array(value).each do |asubvalue| -%> - <%= key %> <%= asubvalue %>; - <%- end -%> - <%- end -%> - <%- end -%> -<% end -%> -<% Array(@raw_append).each do |line| -%> - <%= line %> -<% end -%> -} diff --git a/templates/mailhost/mailhost_ssl_settings.epp b/templates/mailhost/mailhost_ssl_settings.epp new file mode 100644 index 000000000..af791710b --- /dev/null +++ b/templates/mailhost/mailhost_ssl_settings.epp 
@@ -0,0 +1,56 @@ +<%- | + Optional[String] $ssl_cert, + String $ssl_ciphers, + Optional[String] $ssl_client_cert, + Optional[String] $ssl_crl, + Optional[String] $ssl_dhparam, + Optional[String] $ssl_ecdh_curve, + Optional[String] $ssl_key, + Optional[String] $ssl_password_file, + Enum['on', 'off'] $ssl_prefer_server_ciphers, + String $ssl_protocols, + Optional[String] $ssl_session_cache, + Optional[String] $ssl_session_ticket_key, + Optional[String] $ssl_session_tickets, + String $ssl_session_timeout, + Optional[String] $ssl_trusted_cert, + Optional[Integer] $ssl_verify_depth, +| -%> + + ssl_certificate <%= $ssl_cert %>; + ssl_certificate_key <%= $ssl_key %>; + ssl_ciphers <%= $ssl_ciphers %>; +<%- if $ssl_client_cert { -%> + ssl_client_certificate <%= $ssl_client_cert %>; + ssl_verify_client on; +<%- } -%> +<%- if $ssl_verify_depth { -%> + ssl_verify_depth <%= $ssl_verify_depth %>; +<%- } -%> +<%- if $ssl_crl { -%> + ssl_crl <%= $ssl_crl %>; +<%- } -%> +<%- if $ssl_dhparam { -%> + ssl_dhparam <%= $ssl_dhparam %>; +<%- } -%> +<%- if $ssl_ecdh_curve { -%> + ssl_ecdh_curve <%= $ssl_ecdh_curve %>; +<%- } -%> +<%- if $ssl_password_file { -%> + ssl_password_file <%= $ssl_password_file %>; +<%- } -%> + ssl_prefer_server_ciphers <%= $ssl_prefer_server_ciphers %>; + ssl_protocols <%= $ssl_protocols %>; +<%- if $ssl_session_cache { -%> + ssl_session_cache <%= $ssl_session_cache %>; +<%- } -%> +<%- if $ssl_session_ticket_key { -%> + ssl_session_ticket_key <%= $ssl_session_ticket_key %>; +<%- } -%> +<%- if $ssl_session_tickets { -%> + ssl_session_tickets <%= $ssl_session_tickets %>; +<%- } -%> + ssl_session_timeout <%= $ssl_session_timeout %>; +<%- if $ssl_trusted_cert { -%> + ssl_trusted_certificate <%= $ssl_trusted_cert %>; +<%- } -%> diff --git a/templates/mailhost/mailhost_ssl_settings.erb b/templates/mailhost/mailhost_ssl_settings.erb deleted file mode 100644 index 551ed597f..000000000 --- a/templates/mailhost/mailhost_ssl_settings.erb +++ /dev/null 
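Review bot: `ssl_certificate <%= $ssl_cert %>;` and `ssl_certificate_key <%= $ssl_key %>;` are emitted unconditionally while both parameters are typed `Optional[String]`, so an undef value renders `ssl_certificate ;`, which nginx rejects only at its config check. Tightening the template types to `String[1]` is not an option here because the manifest renders this template for every mailhost, TLS or not, so the check belongs in the define, something like `if ($ssl or $starttls != 'off') and !$ssl_cert { fail("nginx: ssl_cert is required when ssl or starttls is enabled for ${name}") }`, unless such a guard already exists outside this diff. On a smaller note, `Optional[String] $ssl_session_tickets` is an on/off flag and could be `Optional[Enum['on', 'off']]` as `$ssl_prefer_server_ciphers` already is, so a typo fails at compile time rather than at reload.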
@@ -1,38 +0,0 @@ - - ssl_certificate <%= @ssl_cert %>; - ssl_certificate_key <%= @ssl_key %>; - ssl_ciphers <%= @ssl_ciphers %>; -<% if defined? @ssl_client_cert -%> - ssl_client_certificate <%= @ssl_client_cert %>; - ssl_verify_client on; -<% end -%> -<%- if defined? @ssl_verify_depth -%> - ssl_verify_depth <%= @ssl_verify_depth %>; -<%- end -%> -<% if @ssl_crl -%> - ssl_crl <%= @ssl_crl %>; -<% end -%> -<% if defined? @ssl_dhparam -%> - ssl_dhparam <%= @ssl_dhparam %>; -<% end -%> -<%- if defined? @ssl_ecdh_curve -%> - ssl_ecdh_curve <%= @ssl_ecdh_curve %>; -<%- end -%> -<%- if defined? @ssl_password_file -%> - ssl_password_file <%= @ssl_password_file %>; -<%- end -%> - ssl_prefer_server_ciphers <%= @ssl_prefer_server_ciphers %>; - ssl_protocols <%= @ssl_protocols %>; -<% if defined? @ssl_session_cache -%> - ssl_session_cache <%= @ssl_session_cache %>; -<% end -%> -<%- if defined? @ssl_session_ticket_key -%> - ssl_session_ticket_key <%= @ssl_session_ticket_key %>; -<%- end -%> -<%- if defined? @ssl_session_tickets -%> - ssl_session_tickets <%= @ssl_session_tickets %>; -<%- end -%> - ssl_session_timeout <%= @ssl_session_timeout %>; -<%- if defined? @ssl_trusted_cert -%> - ssl_trusted_certificate <%= @ssl_trusted_cert %>; -<%- end -%>