From eb11ee84601f529f67931757bd0add14db23e10b Mon Sep 17 00:00:00 2001
From: Marius Rieder
Date: Thu, 2 Oct 2014 13:32:52 +0200
Subject: [PATCH 1/2] Fix file mode handling.
---
 manifests/ca.pp | 2 +-
 manifests/server.pp | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/manifests/ca.pp b/manifests/ca.pp
index 2cfdf9c9..e2087b6d 100644
--- a/manifests/ca.pp
+++ b/manifests/ca.pp
@@ -121,7 +121,7 @@
 exec { "fix_easyrsa_file_permissions_${name}":
 refreshonly => true,
- command => "/bin/chmod 755 /etc/openvpn/${name}/easy-rsa/*",
+ command => "/bin/chmod 750 /etc/openvpn/${name}/easy-rsa/*",
 }
 file { "/etc/openvpn/${name}/easy-rsa/revoked":
diff --git a/manifests/server.pp b/manifests/server.pp
index 454dd71b..f9dd08db 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -391,7 +391,6 @@
 file { "/etc/openvpn/${name}":
 ensure => directory,
 mode => '0750',
- recurse => true,
 }
 if $remote == undef {
@@ -448,7 +447,7 @@
 file { "/etc/openvpn/${name}.conf":
 owner => root,
 group => root,
- mode => '0444',
+ mode => '0440',
 content => template('openvpn/server.erb');
 }
From f8defa6fcd74afbe59d3baa753dc5a1dacf52ef0 Mon Sep 17 00:00:00 2001
From: Marius Rieder
Date: Thu, 2 Oct 2014 13:46:46 +0200
Subject: [PATCH 2/2] Fix spec too. Modes on /etc/openvpn/test_server should not be applied to easy-rsa/keys
---
 spec/defines/openvpn_server_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spec/defines/openvpn_server_spec.rb b/spec/defines/openvpn_server_spec.rb
index 68157454..8882e6ba 100644
--- a/spec/defines/openvpn_server_spec.rb
+++ b/spec/defines/openvpn_server_spec.rb
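Review bot: In manifests/ca.pp (hunk @@ -121,7), `chmod 750 /etc/openvpn/${name}/easy-rsa/*` still sets the execute bit on every entry the glob matches, so any non-script file in that directory ends up executable. The tightening from 755 to 750 also only restricts access as far as the group on those entries is restricted, and neither owner nor group is visible in this hunk. I would state the intent in a comment above the exec, for example `# 750: easy-rsa scripts must stay executable, no access for others; group access follows the group set on the directory`. The glob is not recursive, so entries below easy-rsa/keys keep the mode they were created with, which looks intended but is worth saying in the same comment. The enclosing definition starts and ends outside the hunk.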
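Review bot: In manifests/server.pp (hunk @@ -391,7), dropping `recurse => true` stops Puppet from forcing 0750 onto everything below `/etc/openvpn/${name}`, but nothing in this series resets entries that earlier runs already changed. On hosts managed before this commit, the files under easy-rsa/keys presumably keep the group-readable mode that the recursive resource applied. That deserves a line in the release notes asking operators to check the modes of existing private keys. The resource itself should carry a comment so the attribute is not added back, for example `# no recurse: this mode must not propagate into easy-rsa/keys (private key material)`.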
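Review bot: In manifests/server.pp (hunk @@ -448,7), the new `mode => '0440'` on `/etc/openvpn/${name}.conf` is not pinned by a test, since patch 2/2 only touches the directory expectation in the spec. An expectation such as `it { should contain_file('/etc/openvpn/test_server.conf').with(:owner =>'root', :group =>'root', :mode =>'0440') }` would keep the file from drifting back to world-readable. Whether the spec already checks this file in lines outside the visible hunk cannot be told from here.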
@@ -62,7 +62,7 @@
 # Files associated with a server config
 it { should contain_file('/etc/openvpn/test_server').
- with(:ensure =>'directory', :mode =>'0750', :recurse =>true, :group =>'nogroup') }
+ with(:ensure =>'directory', :mode =>'0750', :group =>'nogroup') }
 it { should contain_file('/etc/openvpn/test_server/client-configs').
 with(:ensure =>'directory', :mode =>'0750', :recurse =>true, :group =>'nogroup') }
 it { should contain_file('/etc/openvpn/test_server/download-configs').
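Review bot: After `:recurse =>true` is removed from the `with(...)` on '/etc/openvpn/test_server', the example no longer says anything about recursion, so it would still pass if `recurse => true` were reintroduced on that directory. Since the commit message says the modes must not reach easy-rsa/keys, assert the absence explicitly by ending the changed line with `with(:ensure =>'directory', :mode =>'0750', :group =>'nogroup').without_recurse }`. The expectation also shows group 'nogroup' on a 0750 directory; where that group is shared by other unprivileged services they gain read and traverse access, so a short comment explaining why this group is required would help. The last `it {` line of the hunk continues outside it.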