tls for lighttpd

global/overlay/etc/puppet/cosmos-rules.yaml

@@ -23,6 +23,7 @@ p1.komreg.net:
    sunet_iaas_cloud:
    autoupdate:
    md_publisher:
+     keyname: p1.komreg.net_infra
    sunet::frontend::register_sites:
      sites:
        'qa.komreg.se':

global/overlay/etc/puppet/manifests/cosmos-site.pp

@@ -146,7 +146,11 @@ class md_signer($dest_host="localhost",$dest_dir="") {
    }
 }
 
-class md_publisher(Array $allow_clients = ['any'], String $dir = "/var/www/html") {
+class md_publisher(Array $allow_clients = ['any'], String $keyname = undef, String $dir = "/var/www/html") {
+   $_keyname = $keyname ? { 
+      undef   => $::fqdn,
+      default => $keyname
+   }
    sunet::rrsync {$dir:
       ro                => false,
       ssh_key           => safe_hiera('publisher_ssh_key',"NOT SET IN HIERA"),
@@ -154,6 +158,14 @@ class md_publisher(Array $allow_clients = ['any'], String $dir = "/var/www/html"
    } ->
    package {'lighttpd': ensure => latest } ->
    service {'lighttpd': ensure => running } ->
+   exec {'enable-ssl': 
+      cmd    => "/usr/sbin/lighttpd-enable-mod ssl",
+      onlyif => "test ! -h /etc/lighttpd/conf-enabled/*ssl*"
+   } ->
+   exec {'server.pem':
+      cmd    => "cat /etc/ssl/private/${_keyname}.key /etc/ssl/certs/${_keyname}.crt > /etc/lighttpd/server.pem",
+      onlyif => "test ! -f /etc/lighttpd/server.pem"
+   } ->
    apparmor::profile { 'usr.sbin.lighttpd': source => '/etc/apparmor-cosmos/usr.sbin.lighttpd' } ->
    sunet::misc::ufw_allow {'allow-lighttpd':
       from   => $allow_clients,