From f00b867ddf290bb5630e985e2796f421a134cf25 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 8 Dec 2024 19:45:42 +1100
Subject: [PATCH 1/2] feat: add crypto_policies - ensure DEFAULT is used for EL8 - ensure DEFAULT:SHA1 is used for EL9, until issues with crypto are resolved for EL9
---
 Puppetfile | 1 +
 hieradata/os/AlmaLinux/AlmaLinux8.yaml | 2 ++
 hieradata/os/AlmaLinux/AlmaLinux9.yaml | 2 ++
 hieradata/os/AlmaLinux/all_releases.yaml | 1 +
 4 files changed, 6 insertions(+)
diff --git a/Puppetfile b/Puppetfile
index da7b53a..65c883d 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -57,6 +57,7 @@ mod 'stm-file_capability', '6.0.0'
 mod 'h0tw1r3-gitea', '3.2.0'
 mod 'rehan-mkdir', '2.0.0'
 mod 'tailoredautomation-patroni', '2.0.0'
+mod 'ssm-crypto_policies', '0.3.3'
 mod 'bind', :git => 'https://git.service.au-syd1.consul/unkinben/puppet-bind.git',
diff --git a/hieradata/os/AlmaLinux/AlmaLinux8.yaml b/hieradata/os/AlmaLinux/AlmaLinux8.yaml
index 2b20df9..92cd68c 100644
--- a/hieradata/os/AlmaLinux/AlmaLinux8.yaml
+++ b/hieradata/os/AlmaLinux/AlmaLinux8.yaml
@@ -1,4 +1,6 @@
 # hieradata/os/AlmaLinux/AlmaLinux8.yaml
 ---
+crypto_policies::policy: 'DEFAULT:SHA1'
+
 profiles::packages::include: network-scripts: {}
diff --git a/hieradata/os/AlmaLinux/AlmaLinux9.yaml b/hieradata/os/AlmaLinux/AlmaLinux9.yaml
index 03c8c55..4098de0 100644
--- a/hieradata/os/AlmaLinux/AlmaLinux9.yaml
+++ b/hieradata/os/AlmaLinux/AlmaLinux9.yaml
@@ -1,2 +1,4 @@
 # hieradata/os/AlmaLinux/AlmaLinux9.yaml
 ---
+
+crypto_policies::policy: 'DEFAULT:SHA1'
diff --git a/hieradata/os/AlmaLinux/all_releases.yaml b/hieradata/os/AlmaLinux/all_releases.yaml
index 998e923..fef3281 100644
--- a/hieradata/os/AlmaLinux/all_releases.yaml
+++ b/hieradata/os/AlmaLinux/all_releases.yaml
@@ -7,6 +7,7 @@ profiles::puppet::agent::puppet_version: '7.34.0'
 hiera_include: - profiles::almalinux::base
+ - crypto_policies
 profiles::packages::include: lzo: {}
--
2.47.3
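Review bot: `crypto_policies::policy: 'DEFAULT:SHA1'` in AlmaLinux9.yaml turns the SHA-1 subpolicy on for every EL9 node, and the data file records neither why nor when it can be removed. The commit message calls this temporary ("until issues with crypto are resolved"), so I would state that next to the key, for example `# TEMPORARY: SHA1 subpolicy enabled for <ISSUE-REF placeholder>; revert to 'DEFAULT' once resolved`. If only certain hosts or roles actually need SHA-1, setting the value in a narrower Hiera layer than the OS-release file would keep the rest of the EL9 fleet on `DEFAULT`. Whether such a layer exists is not visible in this patch.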
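Review bot: The `- crypto_policies` entry added to `hiera_include` in all_releases.yaml applies the class to every AlmaLinux release, but a policy value is set only in the AlmaLinux8 and AlmaLinux9 files. Any other release would presumably get whatever the module defaults to. I would set `crypto_policies::policy: 'DEFAULT'` once in all_releases.yaml and keep only the `'DEFAULT:SHA1'` exception in AlmaLinux9.yaml, assuming the release-specific file takes precedence in the hierarchy, which this patch does not show. The weakened policy is then a single override that is easy to find and remove.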
From 3a3cacca19757dd9f8340ceab4aefdae96c986b5 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 8 Dec 2024 19:50:31 +1100
Subject: [PATCH 2/2] fix: set el8 crypto_policy to default - actually set the crypt policy to be default
---
 hieradata/os/AlmaLinux/AlmaLinux8.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hieradata/os/AlmaLinux/AlmaLinux8.yaml b/hieradata/os/AlmaLinux/AlmaLinux8.yaml
index e9d852d..808275c 100644
--- a/hieradata/os/AlmaLinux/AlmaLinux8.yaml
+++ b/hieradata/os/AlmaLinux/AlmaLinux8.yaml
@@ -1,6 +1,6 @@
 # hieradata/os/AlmaLinux/AlmaLinux8.yaml
 ---
-crypto_policies::policy: 'DEFAULT:SHA1'
+crypto_policies::policy: 'DEFAULT'
 profiles::packages::include: network-scripts: {}
--
2.47.3