author | Jan Dittberner <jandd@cacert.org> | 2019-08-02 20:19:14 +0200 |
---|---|---|
committer | Jan Dittberner <jandd@cacert.org> | 2019-08-02 21:11:01 +0200 |
commit | f69a10d21a05d2857a7335ebf14562c99d3814a4 (patch) | |
tree | c32eb31359d46700ab79684423569daab19787b9 /sitemodules/profiles | |
parent | a62daa7235acef7d6a8d7a71a8e378b357a044fe (diff) | |
Setup cacert-boardvoting configuration on motion
- write config file
- add certificate and private key for TLS
- add trusted certificate
- start cacert-boardvoting service
Diffstat (limited to 'sitemodules/profiles')
-rw-r--r-- | sitemodules/profiles/manifests/cacert_boardvoting.pp | 91 | ||||
-rw-r--r-- | sitemodules/profiles/templates/cacert_boardvoting/config.yaml.epp | 24 |
2 files changed, 113 insertions, 2 deletions
diff --git a/sitemodules/profiles/manifests/cacert_boardvoting.pp b/sitemodules/profiles/manifests/cacert_boardvoting.pp
index 6b57864..e44e03a 100644
--- a/sitemodules/profiles/manifests/cacert_boardvoting.pp
+++ b/sitemodules/profiles/manifests/cacert_boardvoting.pp
@@ -7,7 +7,35 @@
 # Parameters
 # ----------
 #
-# This class has no parameters
+# @param base_url base URL where the web interface can be
+# found
+#
+# @param cookie_secret 32 bytes of secret key data for cookie
+# encryption
+#
+# @param csrf_key 32 bytes of secret key data for CSRF
+# protection token encryption
+#
+# @param mail_host hostname or IP address of the outgoing
+# email server
+#
+# @param mail_port TCP port number of the outgoing email
+# server
+#
+# @param notice_mail_address email address that should receive notices
+# about new motions and motion status
+# changes
+#
+# @param notification_sender_address email address that is used as the sender
+# of generated emails
+#
+# @param server_certificate PEM encoded X.509 server certificate
+#
+# @param server_private_key PEM encoded unencrypted RSA private key
+#
+# @param vote_notice_mail_address email address that should receive
+# notification when votes on a motion are
+# made
 #
 # Examples
 # --------
@@ -27,7 +55,18 @@
 #
 # Copyright 2018-2019 Jan Dittberner
 #
-class profiles::cacert_boardvoting () {
+class profiles::cacert_boardvoting (
+ String $base_url = "https://motions.cacert.org",
+ String $cookie_secret,
+ String $csrf_key,
+ String $mail_host = 'localhost',
+ Integer $mail_port = 25,
+ String $notice_mail_address = 'cacert-board@lists.cacert.org',
+ String $notification_sender_address = 'returns@cacert.org',
+ String $server_certificate,
+ String $server_private_key,
+ String $vote_notice_mail_address = 'cacert-board-votes@lists.cacert.org',
+) {
 include apt
 apt::key { 'cacert':
 id => '4C4F8164EFE3DAFEC82F22FC82D61CAA4E904466',
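Review bot: In the new class signature the mandatory parameters `$cookie_secret`, `$csrf_key`, `$server_certificate` and `$server_private_key` are interleaved with defaulted ones; puppet-lint's parameter_order check expects parameters without defaults to come first, so moving those four to the top of the list keeps the signature lint-clean. Separately, the three secrets are typed as plain `String`, which leaves their values unredacted in the compiled catalog, the agent report and any debug output; declaring them `Sensitive[String]` marks them for redaction. That is not a free change: the `epp()` call later in this file would then need `$cookie_secret.unwrap` and `$csrf_key.unwrap` (or a template signature that accepts `Sensitive`), and the rendered template string is again plain text unless it is wrapped, so this is worth checking against the Puppet version in use. The class body continues outside this hunk.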
@@ -38,5 +77,53 @@ class profiles::cacert_boardvoting () {
 location => 'http://webstatic.infra.cacert.org',
 repos => 'main',
 release => "${::lsbdistcodename}-cacert",
+ } ->
+ package { 'cacert-boardvoting':
+ ensure => latest,
+ } ->
+ file { '/srv/cacert-boardvoting/config.yaml':
+ ensure => file,
+ owner => 'cacert-boardvoting',
+ group => 'root',
+ mode => '0600',
+ content => epp('profiles/cacert_boardvoting/config.yaml.epp', {
+ base_url => $base_url,
+ cookie_secret => $cookie_secret,
+ csrf_key => $csrf_key,
+ mail_host => $mail_host,
+ mail_port => $mail_port,
+ motion_address => $notice_mail_address,
+ sender_address => $notification_sender_address,
+ vote_address => $vote_notice_mail_address,
+ }),
+ notify => Service['cacert-boardvoting'],
+ }
+ file { '/srv/cacert-boardvoting/data/cacert_class3.pem':
+ ensure => file,
+ owner => 'cacert-boardvoting',
+ group => 'root',
+ mode => '0644',
+ source => 'http://www.cacert.org/certs/class3_X0E.crt',
+ notify => Service['cacert-boardvoting'],
+ }
+ file { '/srv/cacert-boardvoting/data/server.crt':
+ ensure => file,
+ owner => 'cacert-boardvoting',
+ group => 'root',
+ mode => '0644',
+ content => $server_certificate,
+ notify => Service['cacert-boardvoting'],
+ }
+ file { '/srv/cacert-boardvoting/data/server.key':
+ ensure => file,
+ owner => 'cacert-boardvoting',
+ group => 'root',
+ mode => '0600',
+ content => $server_private_key,
+ notify => Service['cacert-boardvoting'],
+ }
+ service { 'cacert-boardvoting':
+ ensure => running,
+ enable => true,
 }
 }
diff --git a/sitemodules/profiles/templates/cacert_boardvoting/config.yaml.epp b/sitemodules/profiles/templates/cacert_boardvoting/config.yaml.epp
new file mode 100644
index 0000000..653edb6
--- /dev/null
+++ b/sitemodules/profiles/templates/cacert_boardvoting/config.yaml.epp
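Review bot: The client CA bundle written to `/srv/cacert-boardvoting/data/cacert_class3.pem` is fetched with `source => 'http://www.cacert.org/certs/class3_X0E.crt'`, i.e. over unauthenticated HTTP with no integrity check, yet the rendered config names that file as `client_ca_certificates`, the trust anchor that decides which client certificates the service accepts; whoever can tamper with that download controls that decision. Fetch it over `https://`, or better ship it with the module (`puppet:///modules/profiles/<path to bundle>`), and pin it with `checksum => 'sha256', checksum_value => '<sha256 of a verified copy of class3_X0E.crt>'`. The `config.yaml` and `server.key` resources carry secrets and notify the service, so if diff display is enabled on the agent any content change is written into the log and report as a diff; `show_diff => false` on both resources prevents that. Only `config.yaml` is chained after the package, while the three files under `data/` rely on manifest ordering to find the directory the package creates; a `require => Package['cacert-boardvoting']` on them makes that explicit. `ensure => latest` on the package installs every upstream update on the next run without review, which may be intended but is worth a comment.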
@@ -0,0 +1,24 @@
+<%- | String $base_url,
+ String $cookie_secret,
+ String $csrf_key,
+ String $mail_host,
+ Integer $mail_port,
+ String $motion_address,
+ String $sender_address,
+ String $vote_address
+| -%>
+---
+notice_mail_address: <%= $motion_address %>
+vote_notice_mail_address: <%= $vote_address %>
+notification_sender_address: <%= $sender_address %>
+database_file: /srv/cacert-boardvoting/data/database.sqlite
+client_ca_certificates: /srv/cacert-boardvoting/data/cacert_class3.pem
+server_certificate: /srv/cacert-boardvoting/data/server.crt
+server_key: /srv/cacert-boardvoting/data/server.key
+https_address: <%= $facts[networking][ip] %>:8443
+cookie_secret: <%= $cookie_secret %>
+csrf_key: <%= $csrf_key %>
+base_url: <%= $base_url %>
+mail_server:
+ host: <%= $mail_host %>
+ port: <%= $mail_port %>
 |
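Review bot: `cookie_secret: <%= $cookie_secret %>` and `csrf_key: <%= $csrf_key %>` emit the secrets as bare YAML scalars, so a value containing `: ` or ` #`, or starting with an indicator character such as `*`, `&`, `[` or `!`, is misparsed or rejected by the YAML loader; the address and `base_url` lines have the same exposure. Quoting the interpolations, e.g. `cookie_secret: "<%= $cookie_secret %>"`, covers everything except values containing `"` or `\`, which the class could reject up front with a type constraint or `assert_type`. The template signature types the secrets as plain `String`, so the rendered configuration sits in the catalog as ordinary text; if the class parameters are ever made `Sensitive`, this signature needs matching treatment. `https_address` is the only value here not passed in as a parameter but taken from `$facts[networking][ip]`, which deserves a one-line comment in the template explaining that choice.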