Merge pull request #26 from EvaSDK/keys-in-pillar

Manage certificates from pillars
2015-09-03 06:07:17 -05:00 · 2015-09-03 06:07:17 -05:00 · 31879915e2
commit 31879915e2
parent f488c404eb 159c9e81ac
2 changed files with 65 additions and 11 deletions
--- a/pillar.example
+++ b/pillar.example
@ -27,20 +27,9 @@ postfix:
  config:
    smtpd_banner: $myhostname ESMTP $mail_name
    biff: 'no'
-
    append_dot_mydomain: 'no'
-
    readme_directory: 'no'
-
-    smtpd_tls_cert_file: /etc/ssl/certs/ssl-cert-snakeoil.pem
-    smtpd_tls_key_file: /etc/ssl/private/ssl-cert-snakeoil.key
-    smtpd_use_tls: 'yes'
-    smtpd_tls_session_cache_database: btree:${data_directory}/smtpd_scache
-    smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache
-
    myhostname: localhost
-    alias_maps: hash:/etc/aliases
-    alias_database: hash:/etc/aliases
    mydestination: localhost, localhost.localdomain
    relayhost: 
    mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
@ -48,3 +37,47 @@ postfix:
    recipient_delimiter: +
    inet_interfaces: all

+    # Alias
+    alias_maps: hash:/etc/aliases
+    alias_database: hash:/etc/aliases
+
+    # SMTP server
+    smtpd_tls_session_cache_database: btree:${data_directory}/smtpd_scache
+    smtpd_use_tls: 'yes'
+
+    # SMTP server certificate and key (from pillar data)
+    smtpd_tls_cert_file: /etc/postfix/ssl/server-cert.crt
+    smtpd_tls_key_file: /etc/postfix/ssl/server-cert.key
+
+    # SMTP client
+    smtp_tls_session_cache_database: btree:${data_directory}/smtp_scache
+    smtp_use_tls: 'yes'
+    smtp_tls_cert_file: /etc/postfix/ssl/example.com-relay-client-cert.crt
+    smtp_tls_key_file: /etc/postfix/ssl/example.com-relay-client-cert.key
+
+  certificates:
+    server-cert:
+      public_cert: |
+        -----BEGIN CERTIFICATE-----
+        (Your primary SSL certificate: smtp.example.com.crt)
+        -----END CERTIFICATE-----
+        -----BEGIN CERTIFICATE-----
+        (Your intermediate certificate: example-ca.crt)
+        -----END CERTIFICATE-----
+        -----BEGIN CERTIFICATE-----
+        (Your root certificate: trusted-root.crt)
+        -----END CERTIFICATE-----
+      private_key: |
+        -----BEGIN RSA PRIVATE KEY-----
+        (Your Private key)
+        -----END RSA PRIVATE KEY-----
+
+    example.com-relay-client-cert:
+      public_cert: |
+        -----BEGIN CERTIFICATE-----
+        (Your primary SSL certificate: smtp.example.com.crt)
+        -----END CERTIFICATE-----
+      private_key: |
+        -----BEGIN RSA PRIVATE KEY-----
+        (Your Private key)
+        -----END RSA PRIVATE KEY-----
--- a/postfix/config.sls
+++ b/postfix/config.sls
@ -33,3 +33,24 @@ include:
      - service: postfix
    - template: jinja
 {% endif %}
+
+{%- for domain in salt['pillar.get']('postfix:certificates', {}).keys() %}
+
+postfix_{{ domain }}_ssl_certificate:
+  file.managed:
+    - name: /etc/postfix/ssl/{{ domain }}.crt
+    - makedirs: True
+    - contents_pillar: postfix:certificates:{{ domain }}:public_cert
+    - watch_in:
+       - service: postfix
+
+postfix_{{ domain }}_ssl_key:
+  file.managed:
+    - name: /etc/postfix/ssl/{{ domain }}.key
+    - mode: 600
+    - makedirs: True
+    - contents_pillar: postfix:certificates:{{ domain }}:private_key
+    - watch_in:
+       - service: postfix
+
+{% endfor %}