author | Jan Dittberner <jandd@cacert.org> | 2019-08-17 11:25:15 +0200 |
---|---|---|
committer | Jan Dittberner <jandd@cacert.org> | 2019-08-17 11:25:15 +0200 |
commit | 424ac3ede9aa39ef844cf5c3326698206ccca2b8 (patch) | |
tree | b33b039fc0f45e8a53cd4a556c8bcac65b5e4ca5 /sitemodules | |
parent | e5479901c713f2f6daf17424d8df9d1f5966e274 (diff) | |
download | cacert-puppet-424ac3ede9aa39ef844cf5c3326698206ccca2b8.tar.gz cacert-puppet-424ac3ede9aa39ef844cf5c3326698206ccca2b8.tar.xz cacert-puppet-424ac3ede9aa39ef844cf5c3326698206ccca2b8.zip |
Add configuration for the community self service
Diffstat (limited to 'sitemodules')
-rw-r--r-- | sitemodules/profiles/manifests/cacert_selfservice.pp | 50 | ||||
-rw-r--r-- | sitemodules/profiles/templates/cacert_selfservice/config.yaml.epp | 32 |
2 files changed, 82 insertions, 0 deletions
diff --git a/sitemodules/profiles/manifests/cacert_selfservice.pp b/sitemodules/profiles/manifests/cacert_selfservice.pp
index 09b5bfc..8f0054a 100644
--- a/sitemodules/profiles/manifests/cacert_selfservice.pp
+++ b/sitemodules/profiles/manifests/cacert_selfservice.pp
@@ -7,10 +7,28 @@
 # Parameters
 # ----------
 #
+# @param base_url base URL where the web interface can be found
+#
+# @param cookie_secret 32 bytes of secret key data for cookie encryption
+#
+# @param csrf_key 32 bytes of secret key data for CSRF protection
+ # token encryption
+#
 # @param server_certificate PEM encoded X.509 server certificate
 #
 # @param server_private_key PEM encoded unencrypted RSA private key
 #
+# @param listen_address Listening socket address
+#
+# @param admin_emails Array containing admins with extended permissions
+#
+# @param api_client_id API client identifier
+#
+# @param api_private_key PEM encoded ECDSA private key for signing API
+ # requests
+#
+# @param api_endpoint_url backend API endpoint URL
+#
 # Examples
 # --------
 #
@@ -30,8 +48,16 @@
 # Copyright 2019 Jan Dittberner
 #
 class profiles::cacert_selfservice (
+ String $base_url = "https://selfservice.cacert.org",
+ String $cookie_secret,
+ String $csrf_key,
 String $server_certificate,
 String $server_private_key,
+ String $listen_address = ":8443",
+ Array[String] $admin_emails,
+ String $api_client_id,
+ String $api_private_key,
+ String $api_url = "https://email.infra.cacert.org:8443/",
 ) {
 include profiles::cacert_debrepo
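Review bot: The new class parameter is declared as `$api_url`, but the `@param` documentation in the first hunk and the `epp()` call in the file resource both use `api_endpoint_url`, so `$api_endpoint_url` is never assigned and the template's typed `String $api_endpoint_url` parameter will not receive a string at catalog compile time (with `strict_variables` the unknown variable itself is the error). Rename the parameter to match its consumers: `String $api_endpoint_url = "https://email.infra.cacert.org:8443/",`. Separately, `$cookie_secret`, `$csrf_key` and `$api_private_key` are plain `String`s; if the Puppet version in use supports it, declaring them `Sensitive[String]` (and unwrapping where the template is rendered) keeps them out of catalog and report output. The body of `profiles::cacert_selfservice` continues past this hunk.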
@@ -120,6 +146,30 @@ class profiles::cacert_selfservice (
 notify => Service[$service_name],
 }
+ file { $config_file:
+ ensure => present,
+ owner => $service_name,
+ group => 'root',
+ mode => '0600',
+ content => epp('profiles/cacert_selfservice/config.yaml.epp', {
+ base_url => $base_url,
+ cookie_secret => $cookie_secret,
+ csrf_key => $csrf_key,
+ server_certificate => $server_certificate_file,
+ server_key => $server_key_file,
+ client_cas => $client_ca_file,
+ listen_address => $listen_address,
+ admin_emails => $admin_emails,
+ api_cas => $api_ca_file,
+ api_client_id => $api_client_id,
+ api_signature_key_lines => split($api_private_key, "\n"),
+ api_endpoint_url => $api_endpoint_url,
+ log_directory => $log_directory,
+ }),
+ require => Package[$service_name],
+ notify => Service[$service_name],
+ }
+ service { $service_name:
+ ensure => running,
+ enable => true,
diff --git a/sitemodules/profiles/templates/cacert_selfservice/config.yaml.epp b/sitemodules/profiles/templates/cacert_selfservice/config.yaml.epp
new file mode 100644
index 0000000..59c9b82
--- /dev/null
+++ b/sitemodules/profiles/templates/cacert_selfservice/config.yaml.epp
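Review bot: The rendered `$config_file` carries the cookie secret, the CSRF key and the API signing key, yet the `file` resource does not set `show_diff => false`, so whenever the content changes the agent may print the old and new file contents — secrets included — into its log and into the report it sends back. Add `show_diff => false,` next to `mode => '0600',`; the owner/group/mode already restrict on-disk access, this closes the log and report channel for the diff. The `api_endpoint_url` key here reads `$api_endpoint_url`, which must exist as a class parameter for the catalog to compile. The enclosing class begins before this hunk.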
@@ -0,0 +1,32 @@
+<%- | String $base_url,
+ String $cookie_secret,
+ String $csrf_key,
+ String $server_certificate,
+ String $server_key,
+ String $client_cas,
+ String $listen_address,
+ Array[String] $admin_emails,
+ Array[String] $api_signature_key_lines,
+ String $api_client_id,
+ String $api_cas,
+ String $api_endpoint_url,
+ String $log_directory
+| -%>
+---
+client_ca_certificates: <%= $client_cas %>
+server_certificate: <%= $server_certificate %>
+server_key: <%= $server_key %>
+cookie_secret: <%= $cookie_secret %>
+csrf_key: <%= $csrf_key %>
+base_url: <%= $base_url %>
+https_address: <%= $listen_address %>
+admin_emails:
+<%- $admin_emails.each |$admin_email| { %>
+- <%= $admin_email %>
+<%- } %>
+api_private_key: |
+<% $api_signature_key_lines.each |$key_line| { %> <%= $key_line %><% } %>
+api_client_id: <%= $api_client_id %>
+api_ca_certificates: <%= $api_cas %>
+api_endpoint_url: <%= $api_endpoint_url %>
+access_log: <%= $log_directory %>/access.log |
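Review bot: The `api_private_key` loop writes every PEM line onto one output line: the loop body between `{ %>` and `<% } %>` is just ` <%= $key_line %>` with no line break, so the YAML literal block becomes a single space-joined line and the BEGIN/END markers no longer stand on their own lines, which standard PEM decoders will reject (the backend's parser is not in view, so confirm there). Emit one line per iteration, mirroring the `admin_emails` loop: `<%- $api_signature_key_lines.each |$key_line| { -%>`, then `  <%= $key_line %>` on its own line, then `<%- } -%>`. Also, `cookie_secret`, `csrf_key` and each admin e-mail are interpolated as bare YAML scalars; a value containing `#`, `: ` or a leading indicator character would change the parse, so quote them (`cookie_secret: "<%= $cookie_secret %>"`, escaping `"` and `\` in the value) or constrain the accepted character set at the class parameter.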