From a6b8d5ba81b6d89081ff205e401750e2dceea5a2 Mon Sep 17 00:00:00 2001
From: Noah Botimer
Date: Wed, 4 Sep 2024 12:45:11 -0400
Subject: [PATCH] Add machine_cert profile for client certificates for quod

This creates the file the same way as the apps_lib profile does, except as a discrete profile. We then include it in role::quod_prod to enable client certificates with reverse proxies there.
---
 manifests/profile/machine_cert.pp | 35 ++++++++++++++++++++++++++++
 manifests/role/app_host/quod_prod.pp | 1 +
 2 files changed, 36 insertions(+)
 create mode 100644 manifests/profile/machine_cert.pp

diff --git a/manifests/profile/machine_cert.pp b/manifests/profile/machine_cert.pp
new file mode 100644
index 000000000..7b87b3cca
--- /dev/null
+++ b/manifests/profile/machine_cert.pp
@@ -0,0 +1,35 @@
+# Copyright (c) 2024 The Regents of the University of Michigan.
+# All Rights Reserved. Licensed according to the terms of the Revised
+# BSD License. See LICENSE.txt for details.
+
+# nebula::profile::machine_cert
+#
+# Manage a combined cert + key pem file to use as a client certificate.
+#
+# Take the puppet-issued certificate and combine into conventional Debian
+# directory (/etc/ssl/private), using machine name the filename base and .pem.
+#
+# @example
+# include nebula::profile::machine_cert
+class nebula::profile::machine_cert () {
+ $certname = $trusted['certname'];
+ $client_cert = "/etc/ssl/private/${certname}.pem";
+
+ concat { $client_cert:
+ ensure => 'present',
+ mode => '0600',
+ owner => 'root',
+ }
+
+ concat::fragment { 'client cert':
+ target => $client_cert,
+ source => "/etc/puppetlabs/puppet/ssl/certs/${certname}.pem",
+ order => 1
+ }
+
+ concat::fragment { 'client key':
+ target => $client_cert,
+ source => "/etc/puppetlabs/puppet/ssl/private_keys/${certname}.pem",
+ order => 2
+ }
+}
diff --git a/manifests/role/app_host/quod_prod.pp b/manifests/role/app_host/quod_prod.pp
index cd6ac1a3c..7afe62bcb 100644
--- a/manifests/role/app_host/quod_prod.pp
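Review bot: The `concat { $client_cert:` resource manages a file whose second fragment is the Puppet agent's private key, but it leaves concat's `show_diff` and `backup` parameters at their defaults, so whenever the content changes (for example on certificate renewal) the old and new file contents, key included, are emitted as a diff in the agent output and report, and if this concat version keeps the default `backup => 'puppet'` the previous key is also kept in the client filebucket. Add `show_diff => false,` and `backup => false,` next to `mode => '0600',` so key material stays out of logs, reports and backups. The root-owned 0600 mode on `/etc/ssl/private/${certname}.pem` is appropriate, though it implies any reverse proxy consuming it must read it before dropping privileges; that assumption deserves a line in the class comment. I would also state in the header comment that this copies the agent's own identity key, e.g. `# NOTE: the key is the Puppet agent's identity key; a compromise of the consuming proxy exposes that identity as well`, since the hunk gives no hint that the two trust domains are now shared.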
+++ b/manifests/role/app_host/quod_prod.pp
@@ -14,6 +14,7 @@
  include nebula::profile::afs
  include nebula::profile::users
  include nebula::profile::tsm
+ include nebula::profile::machine_cert
  include nebula::profile::quod::prod::perl
  include nebula::profile::quod::prod::haproxy
  include nebula::profile::networking::firewall::http