From 0ad2f25d3197470b873d6b2395169c5e83b0cca8 Mon Sep 17 00:00:00 2001
From: Kenny Do
Date: Mon, 6 Jan 2014 17:38:14 -0800
Subject: [PATCH] create private, certificate, and CA certificate files in munin.tls
---
 README.rst | 1 +
 munin/map.jinja | 13 +++++++++++++
 munin/tls.sls | 32 +++++++++++++++++++++++++++++++-
 pillar.example | 14 ++++++++++++++
 4 files changed, 59 insertions(+), 1 deletion(-)
diff --git a/README.rst b/README.rst
index 8100e5e..b0e135d 100644
--- a/README.rst
+++ b/README.rst
@@ -14,6 +14,7 @@ States
 Generates a config file for the munin node based on pillar data.
 ``munin.tls``
 Installs the Perl package Net::SSLEay so munin can use TLS.
+ Also, if the private key, certificate, or CA certificate are specified (as in ``pillar.example``), then the appropriate files are created. Note that it is up to the user to correctly specify the location of these files in their master and node config files.
 Configuration
 =============
diff --git a/munin/map.jinja b/munin/map.jinja
index f5c9b33..2c42586 100644
--- a/munin/map.jinja
+++ b/munin/map.jinja
@@ -34,3 +34,16 @@
 'package': 'perl-Net-SSLeay',
 },
 }, merge=salt['pillar.get']('net_ssleay:lookup')) %}
+
+{% set munin_tls = salt['grains.filter_by']({
+ 'Debian': {
+ 'private_key': '/etc/munin/tls/key.pem',
+ 'certificate': '/etc/munin/tls/crt.pem',
+ 'ca_certificate': '/etc/munin/tls/cacert.pem',
+ },
+ 'RedHat': {
+ 'private_key': '/etc/munin/tls/key.pem',
+ 'certificate': '/etc/munin/tls/crt.pem',
+ 'ca_certificate': '/etc/munin/tls/cacert.pem',
+ },
+}, merge=salt['pillar.get']('munin_tls:lookup')) %}
diff --git a/munin/tls.sls b/munin/tls.sls
index c7890f4..c3a0cd1 100644
--- a/munin/tls.sls
+++ b/munin/tls.sls
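Review bot: In munin/map.jinja the new `munin_tls` lookup lists only `Debian` and `RedHat`, and the two entries are identical, so on any other `os_family` `grains.filter_by` has no entry to return and `{{ munin_tls.private_key }}` in munin/tls.sls would presumably render without a usable path. Since the paths do not differ per platform, one table with a fallback is enough; on Salt versions where `filter_by` accepts it, adding `default='Debian'` next to `merge=` covers the remaining families. A short comment above the block would also help whoever overrides the paths, e.g. `{# Files written by munin.tls; override via pillar munin_tls:lookup #}`.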
@@ -1,5 +1,35 @@
-{% from "munin/map.jinja" import net_ssleay with context %}
+{% from "munin/map.jinja" import net_ssleay, munin_tls with context %}
 net_ssleay:
 pkg.installed:
 - name: {{ net_ssleay.package }}
+
+{%- if salt['pillar.get']('munin_tls:private_pem') %}
+munin_tls_private_key:
+ file.managed:
+ - name: {{ munin_tls.private_key }}
+ - user: munin
+ - group: munin
+ - mode: 600
+ - contents_pillar: munin_tls:private_pem
+{%- endif %}
+
+{%- if salt['pillar.get']('munin_tls:certificate_pem') %}
+munin_tls_certificate:
+ file.managed:
+ - name: {{ munin_tls.certificate }}
+ - user: munin
+ - group: munin
+ - mode: 600
+ - contents_pillar: munin_tls:certificate_pem
+{%- endif %}
+
+{%- if salt['pillar.get']('munin_tls:ca_certificate_pem') %}
+munin_tls_ca_certificate:
+ file.managed:
+ - name: {{ munin_tls.ca_certificate }}
+ - user: munin
+ - group: munin
+ - mode: 600
+ - contents_pillar: munin_tls:ca_certificate_pem
+{%- endif %}
diff --git a/pillar.example b/pillar.example
index b03d778..6b0b9c9 100644
--- a/pillar.example
+++ b/pillar.example
@@ -31,3 +31,17 @@ munin_node:
 - "^::1$"
 host: "*"
 port: 4949
+
+munin_tls:
+ private_pem: |
+ -----BEGIN RSA PRIVATE KEY-----
+ Inline key here
+ -----END RSA PRIVATE KEY-----
+ certificate_pem: |
+ -----BEGIN CERTIFICATE-----
+ Inline certificate key
+ -----END CERTIFICATE-----
+ ca_certificate_pem: |
+ -----BEGIN CERTIFICATE-----
+ Inline CA certificate key
+ -----END CERTIFICATE-----
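Review bot: In munin/tls.sls, `munin_tls_private_key` writes the key with `file.managed` but does not suppress the change diff, so when the key is rotated the old and new PEM lines can end up in the state return, the master's job cache and any configured returner; add `- show_changes: False` to that state (older Salt releases spell it `show_diff`). None of the three states creates or restricts `/etc/munin/tls`, and none requires the package that provides the `munin` user, so on a fresh host they likely fail; `- makedirs: True` with `- dir_mode: 700` on the key state would cover the directory. Only the key needs `mode: 600`, since the certificate and CA certificate are public data, and quoting the modes (`'0600'`) keeps YAML from treating them as integers.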
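Review bot: The pillar.example block puts an RSA private key inline under `munin_tls:private_pem` without saying how that pillar should be protected; any minion the pillar is assigned to can read it, and it sits in plaintext in the pillar tree. A comment above the block would help, for instance `# Assign this pillar only to the host that owns the key; consider encrypting private_pem (e.g. with Salt's GPG renderer)`. The placeholders `Inline certificate key` and `Inline CA certificate key` should say "certificate", since those blocks hold certificates rather than keys.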