P:puppet::puppetdb: Fix hardcoded TLS cert paths in nginx config

Author: supertassu

modules/profile/manifests/puppet/puppetdb.pp

@@ -25,6 +25,19 @@
     default    => '/var/lib/puppetdb',
   }
 
+  $ssl_cert_path = debian::codename() ? {
+    'bullseye' => '/etc/puppetlabs/puppetdb/ssl/public.pem',
+    default    => "/var/lib/puppet/ssl/certs/${facts['networking']['fqdn']}.pem",
+  }
+  $ssl_key_path = debian::codename() ? {
+    'bullseye' => '/etc/puppetlabs/puppetdb/ssl/private.pem',
+    default    => "/var/lib/puppet/ssl/private_keys/${facts['networking']['fqdn']}.pem",
+  }
+  $ssl_ca_path = debian::codename() ? {
+    'bullseye' => '/etc/puppetlabs/puppetdb/ssl/ca.pem',
+    default    => '/etc/puppet/puppetserver/ca/ca_crt.pem',
+  }
+
   file { "${config_path}/cert-allowlist":
     ensure  => file,
     mode    => '0444',

modules/profile/templates/puppet/puppetdb/site.nginx.erb

@@ -15,9 +15,9 @@ server {
     proxy_redirect off;
     proxy_buffering off;
 
-    proxy_ssl_certificate /etc/puppetlabs/puppetdb/ssl/public.pem;
-    proxy_ssl_certificate_key /etc/puppetlabs/puppetdb/ssl/private.pem;
-    proxy_ssl_trusted_certificate /etc/puppetlabs/puppetdb/ssl/ca.pem;
+    proxy_ssl_certificate <%= @ssl_cert_path %>;
+    proxy_ssl_certificate_key <%= @ssl_key_path %>;
+    proxy_ssl_trusted_certificate <%= @ssl_ca_path %>;
     proxy_ssl_verify on;
     proxy_ssl_protocols TLSv1.3;
   }
@@ -27,9 +27,9 @@ server {
     proxy_redirect off;
     proxy_buffering off;
 
-    proxy_ssl_certificate /etc/puppetlabs/puppetdb/ssl/public.pem;
-    proxy_ssl_certificate_key /etc/puppetlabs/puppetdb/ssl/private.pem;
-    proxy_ssl_trusted_certificate /etc/puppetlabs/puppetdb/ssl/ca.pem;
+    proxy_ssl_certificate <%= @ssl_cert_path %>;
+    proxy_ssl_certificate_key <%= @ssl_key_path %>;
+    proxy_ssl_trusted_certificate <%= @ssl_ca_path %>;
     proxy_ssl_verify on;
     proxy_ssl_protocols TLSv1.3;
   }