authorJan Dittberner <jandd@cacert.org>2019-08-17 11:25:15 +0200
committerJan Dittberner <jandd@cacert.org>2019-08-17 11:25:15 +0200
commit424ac3ede9aa39ef844cf5c3326698206ccca2b8 (patch)
treeb33b039fc0f45e8a53cd4a556c8bcac65b5e4ca5
parente5479901c713f2f6daf17424d8df9d1f5966e274 (diff)
Add configuration for the community self service
-rw-r--r--hieradata/nodes/community.yaml45
-rw-r--r--sitemodules/profiles/manifests/cacert_selfservice.pp50
-rw-r--r--sitemodules/profiles/templates/cacert_selfservice/config.yaml.epp32
3 files changed, 127 insertions, 0 deletions
diff --git a/hieradata/nodes/community.yaml b/hieradata/nodes/community.yaml
index 7ed4420..5c5d244 100644
--- a/hieradata/nodes/community.yaml
+++ b/hieradata/nodes/community.yaml
@@ -37,6 +37,51 @@ profiles::roundcube::master_password: >
qukXDDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBA45dXYksd5BAhgFD7
5NP+gDDvF8Cgnhpi/DhvI0fzwYJaLwelYhplqcWXJhml/58/yhYllUZVE/Cz
smDHq+RA9UI=]
+profiles::cacert_selfservice::admin_emails:
+ - jselzer@cacert.org
+ - jandd@cacert.org
+ - mario@cacert.org
+profiles::cacert_selfservice::api_endpoint_url: https://email.infra.cacert.org:9443/
+profiles::cacert_selfservice::api_client_id: cac3ad11-fa50-43f6-8ded-15f598b6ca2a
+profiles::cacert_selfservice::api_private_key: >
+ ENC[PKCS7,MIICXAYJKoZIhvcNAQcDoIICTTCCAkkCAQAxggEhMIIBHQIBADAFMAACAQEw
+ DQYJKoZIhvcNAQEBBQAEggEAwZixb5ZkBTfIjHnZjyg+bDOCsJZ46ATcle1j
+ imfj5hph1wBK4ZpjuzLew1IPTJ+iY4redgwNGi0TgHcOmT9l2i2jnjITDKJt
+ 7vfgLFKZJ8+whdEpejd8GVBXBgNe4vIt2YMMRnOGl7d9dS7+e4sm0lK56hSd
+ fbHuu7h0gbSK+ZPbJvyPPI+r90j/qRq8SXrnJ8nT49NswHuj5PmMBdYMslSO
+ PpnAoq+YyukeQ+HagWr3khcSZx+GYY14kBpBNiDZpG03NKzjZkT6fYugqHE0
+ B9HC22XSKrwQJwIIbSpVRJ3UF2pcx0aWjMQfuvdteJyD9XkmeNa6uiQGl05G
+ KJuqhDCCAR0GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEOsT67vXcPF/Pbqc
+ j6x76aOAgfBjd1srdGK6PJUs5Inkop441ce2v3jij/1oo9fRswSTgAMGHSGg
+ 4zqbuZH2eR9hUXd/Mn8DmrAF4O285K7J6ei+9Eqkyf4xoIGV0VT9OiXDbJ6K
+ mUdm0gPYWdjYnN6FEIo2sLxBf6NDyRXFnjALnY6hfS8ePD4vRLHld3gDErdA
+ QwVQDewb+L5H3mrTNnM/2ex9M1ekRXK3z0lfn4q1H7UUZLS6Y5vmH4Tl7kTk
+ QeVCvUatI5fSzNaAi+N15nMo2X/ojgTn/CS9zklA5du1XgI1xzqsHyb7zirv
+ Bq5sNCy9CM2at4UMKVqsU7FpdIIxjFw=]
+profiles::cacert_selfservice::base_url: https://selfservice.cacert.org/
+profiles::cacert_selfservice::cookie_secret: >
+ ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEw
+ DQYJKoZIhvcNAQEBBQAEggEAws87m7QI+OIc1aQqrFzuq2qaJi0UJb8hJUU0
+ 7059Xe/MR77e/YBBCWCU4TSDxi0CEa7KJgmH9WDAyojFvva9iGzQsEBBeDkd
+ EX1F1uTzwEauShIF5iMQJmflr2lD087v+YbQ5P7YTQzdD85aOLO1uFVx3dsZ
+ z08lOQUB4fHTbPh9coBrnIA3+jF9IigSUmVQRruaBY/uQpMEfW5JbF4zhAd+
+ yALEq/pwtiP1V8JTLQhejZ6ScPaODxbNbjGZuIvK89hNsA7RvGmgTAUP68Gm
+ saNmSVAIGq8NMOvX1emDeTglhfBMIyUzD2dCnxSXgdwV0CUz7dDe1WbhN6Xv
+ D3ro8DBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBUiz2500OF5JHiJHLv
+ 73/jgDBxiCdS8M7jsfWNPgUqyUj4vAo1AY3PYRcf1kybNWY2vAG1cTKn3cno
+ XgkkwN7uAKY=]
+profiles::cacert_selfservice::csrf_key: >
+ ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEw
+ DQYJKoZIhvcNAQEBBQAEggEALHf3A6msWCeThRHKuqKNtyg5p7P6EjE2wOfr
+ vVI7kxN4X5ofCiF9z/PVBhmB/wCOB6gBL07QBBQLeyZN543SlFeS/Viwg1X+
+ 67lQoCvrudaUP3Wz2R0j5ckoOzliZ/pYuNjNGf5bhF63NDbe3+NDx+njcydJ
+ BVjhpXTSaA3z+7vXI9RTE9NVtJnJdgUqRgbrZfzJnx5tuIjEwzzZVmDlrbzU
+ zciE9pbPR35UU3IVXbGtn9rHpx0b+DtpZxyiIZZfUrL+yl9aQXK5KwTPGWlS
+ /B6B65uIDuH4eewbF+ZW+WJSyJOfWnhXExil0Y8S1sWDKngFDJWcRy2f/bB/
+ weHy1TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCXtYYzHTphD5RZDn3h
+ pIk9gDA+bqX/eXgR2g+VuBko2JyWj/+r/x3C3te++GPnM+QvA2jRWFHPrP1z
+ s1RM+gtTR78=]
+profiles::cacert_selfservice::https_address: :8443
profiles::cacert_selfservice::server_certificate: |
-----BEGIN CERTIFICATE-----
MIIGRjCCBC6gAwIBAgIDAtlOMA0GCSqGSIb3DQEBCwUAMFQxFDASBgNVBAoTC0NB
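Review bot: The new key `profiles::cacert_selfservice::https_address` does not correspond to any parameter of the `profiles::cacert_selfservice` class added in this commit, which declares `$listen_address`; automatic parameter lookup binds by parameter name, so this value is silently ignored and the class default applies (also `:8443` here, which masks the mismatch). Rename the key to `profiles::cacert_selfservice::listen_address: :8443`. The `profiles::cacert_selfservice::api_endpoint_url` key has the same problem against the class parameter `$api_url`, so the port 9443 configured here would be overridden by the manifest default of 8443 unless one of the two names is changed. All key material in the hunk is eyaml-encrypted; the only plaintext addition, `api_client_id`, appears to be an identifier rather than a credential.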
diff --git a/sitemodules/profiles/manifests/cacert_selfservice.pp b/sitemodules/profiles/manifests/cacert_selfservice.pp
index 09b5bfc..8f0054a 100644
--- a/sitemodules/profiles/manifests/cacert_selfservice.pp
+++ b/sitemodules/profiles/manifests/cacert_selfservice.pp
@@ -7,10 +7,28 @@
# Parameters
# ----------
#
+# @param base_url base URL where the web interface can be found
+#
+# @param cookie_secret 32 bytes of secret key data for cookie encryption
+#
+# @param csrf_key 32 bytes of secret key data for CSRF protection
+# token encryption
+#
# @param server_certificate PEM encoded X.509 server certificate
#
# @param server_private_key PEM encoded unencrypted RSA private key
#
+# @param listen_address Listening socket address
+#
+# @param admin_emails Array containing admins with extended permissions
+#
+# @param api_client_id API client identifier
+#
+# @param api_private_key PEM encoded ECDSA private key for signing API
+# requests
+#
+# @param api_endpoint_url backend API endpoint URL
+#
# Examples
# --------
#
@@ -30,8 +48,16 @@
# Copyright 2019 Jan Dittberner
#
class profiles::cacert_selfservice (
+ String $base_url = "https://selfservice.cacert.org",
+ String $cookie_secret,
+ String $csrf_key,
String $server_certificate,
String $server_private_key,
+ String $listen_address = ":8443",
+ Array[String] $admin_emails,
+ String $api_client_id,
+ String $api_private_key,
+ String $api_url = "https://email.infra.cacert.org:8443/",
) {
include profiles::cacert_debrepo
@@ -120,6 +146,30 @@ class profiles::cacert_selfservice (
notify => Service[$service_name],
}
+ file { $config_file:
+ ensure => present,
+ owner => $service_name,
+ group => 'root',
+ mode => '0600',
+ content => epp('profiles/cacert_selfservice/config.yaml.epp', {
+ base_url => $base_url,
+ cookie_secret => $cookie_secret,
+ csrf_key => $csrf_key,
+ server_certificate => $server_certificate_file,
+ server_key => $server_key_file,
+ client_cas => $client_ca_file,
+ listen_address => $listen_address,
+ admin_emails => $admin_emails,
+ api_cas => $api_ca_file,
+ api_client_id => $api_client_id,
+ api_signature_key_lines => split($api_private_key, "\n"),
+ api_endpoint_url => $api_endpoint_url,
+ log_directory => $log_directory,
+ }),
+ require => Package[$service_name],
+ notify => Service[$service_name],
+ }
+
service { $service_name:
ensure => running,
enable => true,
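Review bot: The `file { $config_file: ... }` resource passes `api_endpoint_url => $api_endpoint_url` to the template, but the class parameter list declares it as `$api_url`, while the doc block and the EPP template both use `api_endpoint_url`; `$api_endpoint_url` is therefore unset at that point, which errors under `strict_variables` and otherwise passes `undef` to a `String`-typed template parameter, which should be rejected as well. Rename the parameter to match the other three uses: `String $api_endpoint_url = "https://email.infra.cacert.org:8443/",`. The parameter list also places required parameters (`$cookie_secret`, `$csrf_key`, `$admin_emails`, `$api_client_id`, `$api_private_key`) after defaulted ones, which puppet-lint's parameter_order check flags; listing the required ones first keeps the class lint-clean. `$config_file`, `$server_certificate_file`, `$server_key_file`, `$client_ca_file`, `$api_ca_file` and `$log_directory` are presumably assigned earlier in the class body, which lies outside the hunk.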
diff --git a/sitemodules/profiles/templates/cacert_selfservice/config.yaml.epp b/sitemodules/profiles/templates/cacert_selfservice/config.yaml.epp
new file mode 100644
index 0000000..59c9b82
--- /dev/null
+++ b/sitemodules/profiles/templates/cacert_selfservice/config.yaml.epp
@@ -0,0 +1,32 @@
+<%- | String $base_url,
+ String $cookie_secret,
+ String $csrf_key,
+ String $server_certificate,
+ String $server_key,
+ String $client_cas,
+ String $listen_address,
+ Array[String] $admin_emails,
+ Array[String] $api_signature_key_lines,
+ String $api_client_id,
+ String $api_cas,
+ String $api_endpoint_url,
+ String $log_directory
+| -%>
+---
+client_ca_certificates: <%= $client_cas %>
+server_certificate: <%= $server_certificate %>
+server_key: <%= $server_key %>
+cookie_secret: <%= $cookie_secret %>
+csrf_key: <%= $csrf_key %>
+base_url: <%= $base_url %>
+https_address: <%= $listen_address %>
+admin_emails:
+<%- $admin_emails.each |$admin_email| { %>
+- <%= $admin_email %>
+<%- } %>
+api_private_key: |
+<% $api_signature_key_lines.each |$key_line| { %> <%= $key_line %><% } %>
+api_client_id: <%= $api_client_id %>
+api_ca_certificates: <%= $api_cas %>
+api_endpoint_url: <%= $api_endpoint_url %>
+access_log: <%= $log_directory %>/access.log
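Review bot: The `api_private_key: |` block is emitted as a single line: the loop body ` <%= $key_line %>` contains no newline and neither `<% ... { %>` nor `<% } %>` emits one, so every line of the PEM key is joined with spaces into one YAML line and the consumer will not be able to parse it as PEM. Put the newline inside the loop and trim the tag lines instead: `<% $api_signature_key_lines.each |$key_line| { -%>` / `  <%= $key_line %>` / `<% } -%>`, which mirrors the one-element-per-line shape the `admin_emails` loop already has. Separately, `cookie_secret`, `csrf_key` and the other scalars are interpolated unquoted, so a value containing `: `, ` #` or a leading YAML indicator would be misparsed; quoting them, e.g. `cookie_secret: '<%= $cookie_secret %>'`, is safer unless the values are guaranteed to be plain base64 or hex.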