extract nssdb creation into separate class

manifests/candlepin.pp

@@ -48,6 +48,7 @@
   $client_key = "${::certs::pki_dir}/private/${java_client_cert_name}.key"
 
   if $deploy {
+    include ::certs::ssltools::nssdb
 
     file { $password_file:
       ensure  => file,

manifests/qpid.pp

@@ -29,12 +29,12 @@
   }
 
   if $deploy {
+    include ::certs::ssltools::nssdb
+    $nss_db_password_file = $::certs::ssltools::nssdb::nss_db_password_file
 
-    $nss_db_password_file   = "${::certs::nss_db_dir}/nss_db_password-file"
     $client_cert            = "${::certs::pki_dir}/certs/${qpid_cert_name}.crt"
     $client_key             = "${::certs::pki_dir}/private/${qpid_cert_name}.key"
     $pfx_path               = "${::certs::pki_dir}/${qpid_cert_name}.pfx"
-    $nssdb_files            = ["${::certs::nss_db_dir}/cert8.db", "${::certs::nss_db_dir}/key3.db", "${::certs::nss_db_dir}/secmod.db"]
 
     Package['qpid-cpp-server'] ->
     certs::keypair { 'qpid':
@@ -46,39 +46,13 @@
       key_mode   => '0440',
       cert_file  => $client_cert,
     } ~>
-    file { $::certs::nss_db_dir:
-      ensure => directory,
-      owner  => 'root',
-      group  => $::certs::qpidd_group,
-      mode   => '0755',
-    } ~>
-    exec { 'generate-nss-password':
-      command => "openssl rand -base64 24 > ${nss_db_password_file}",
-      path    => '/usr/bin',
-      creates => $nss_db_password_file,
-    } ->
-    file { $nss_db_password_file:
-      ensure => file,
-      owner  => 'root',
-      group  => $::certs::qpidd_group,
-      mode   => '0640',
-    } ~>
-    exec { 'create-nss-db':
-      command => "certutil -N -d '${::certs::nss_db_dir}' -f '${nss_db_password_file}'",
-      path    => '/usr/bin',
-      creates => $nssdb_files,
-    } ~>
+    Class['::certs::ssltools::nssdb'] ~>
     certs::ssltools::certutil { 'ca':
       nss_db_dir  => $::certs::nss_db_dir,
       client_cert => $::certs::ca_cert,
       trustargs   => 'TCu,Cu,Tuw',
       refreshonly => true,
     } ~>
-    file { $nssdb_files:
-      owner => 'root',
-      group => $::certs::qpidd_group,
-      mode  => '0640',
-    } ~>
     certs::ssltools::certutil { 'broker':
       nss_db_dir  => $::certs::nss_db_dir,
       client_cert => $client_cert,
@@ -98,5 +72,4 @@
     Pubkey[$::certs::ca_cert] ~> Certs::Ssltools::Certutil['ca']
     Pubkey[$client_cert] ~> Certs::Ssltools::Certutil['broker']
   }
-
 }

manifests/ssltools/certutil.pp

@@ -1,6 +1,8 @@
 # type to append cert to nssdb
 define certs::ssltools::certutil($nss_db_dir, $client_cert, $cert_name=$title, $refreshonly = true, $trustargs = ',,') {
-  Exec['create-nss-db'] ->
+  include ::certs::ssltools::nssdb
+
+  Class['::certs::ssltools::nssdb'] ->
   exec { "delete ${cert_name}":
     path        => ['/bin', '/usr/bin'],
     command     => "certutil -D -d ${nss_db_dir} -n '${cert_name}'",

manifests/ssltools/nssdb.pp

@@ -0,0 +1,42 @@
+# Sets up nssdb
+class certs::ssltools::nssdb (
+  $nss_db_dir = $::certs::nss_db_dir,
+  $qpidd_group = $::certs::qpidd_group
+)  {
+  Exec { logoutput => 'on_failure' }
+
+  $nss_db_password_file   = "${nss_db_dir}/nss_db_password-file"
+  $nssdb_files            = ["${nss_db_dir}/cert8.db", "${nss_db_dir}/key3.db", "${nss_db_dir}/secmod.db"]
+
+  file { $nss_db_dir:
+    ensure => directory,
+    owner  => 'root',
+    group  => $qpidd_group,
+    mode   => '0755',
+  } ->
+  exec { 'generate-nss-password':
+    command => "openssl rand -base64 24 > ${nss_db_password_file}",
+    path    => '/usr/bin',
+    umask   => '027',
+    group   => $qpidd_group,
+    creates => $nss_db_password_file,
+  } ->
+  file { $nss_db_password_file:
+    ensure => file,
+    owner  => 'root',
+    group  => $qpidd_group,
+    mode   => '0640',
+  } ->
+  exec { 'create-nss-db':
+    command => "certutil -N -d '${nss_db_dir}' -f '${nss_db_password_file}'",
+    path    => '/usr/bin',
+    umask   => '027',
+    group   => $qpidd_group,
+    creates => $nssdb_files,
+  } ->
+  file { $nssdb_files:
+    owner => 'root',
+    group => $qpidd_group,
+    mode  => '0640',
+  }
+}