Add configuration for the community self service

author: Jan Dittberner <jandd@cacert.org> 2019-08-17 11:25:15 +0200
committer: Jan Dittberner <jandd@cacert.org> 2019-08-17 11:25:15 +0200
commit: 424ac3ede9aa39ef844cf5c3326698206ccca2b8 (patch)
tree: b33b039fc0f45e8a53cd4a556c8bcac65b5e4ca5 /sitemodules
parent: e5479901c713f2f6daf17424d8df9d1f5966e274 (diff)
download: cacert-puppet-424ac3ede9aa39ef844cf5c3326698206ccca2b8.tar.gz
cacert-puppet-424ac3ede9aa39ef844cf5c3326698206ccca2b8.tar.xz
cacert-puppet-424ac3ede9aa39ef844cf5c3326698206ccca2b8.zip
2 files changed, 82 insertions, 0 deletions
diff --git a/sitemodules/profiles/manifests/cacert_selfservice.pp b/sitemodules/profiles/manifests/cacert_selfservice.pp
index 09b5bfc..8f0054a 100644
--- a/sitemodules/profiles/manifests/cacert_selfservice.pp
+++ b/sitemodules/profiles/manifests/cacert_selfservice.pp
@@ -7,10 +7,28 @@
 # Parameters
 # ----------
 #
+# @param base_url            base URL where the web interface can be found
+#
+# @param cookie_secret       32 bytes of secret key data for cookie encryption
+#
+# @param csrf_key            32 bytes of secret key data for CSRF protection
+#                            token encryption
+#
 # @param server_certificate  PEM encoded X.509 server certificate
 #
 # @param server_private_key  PEM encoded unencrypted RSA private key
 #
+# @param listen_address      Listening socket address
+#
+# @param admin_emails        Array containing admins with extended permissions
+#
+# @param api_client_id       API client identifier
+#
+# @param api_private_key     PEM encoded ECDSA private key for signing API
+#                            requests
+#
+# @param api_endpoint_url    backend API endpoint URL
+#
 # Examples
 # --------
 #
@@ -30,8 +48,16 @@
 # Copyright 2019 Jan Dittberner
 #
 class profiles::cacert_selfservice (
+  String $base_url = "https://selfservice.cacert.org",
+  String $cookie_secret,
+  String $csrf_key,
   String $server_certificate,
   String $server_private_key,
+  String $listen_address = ":8443",
+  Array[String] $admin_emails,
+  String $api_client_id,
+  String $api_private_key,
+  String $api_url = "https://email.infra.cacert.org:8443/",
 ) {
   include profiles::cacert_debrepo
 
@@ -120,6 +146,30 @@ class profiles::cacert_selfservice (
     notify  => Service[$service_name],
   }
 
+  file { $config_file:
+    ensure  => present,
+    owner   => $service_name,
+    group   => 'root',
+    mode    => '0600',
+    content => epp('profiles/cacert_selfservice/config.yaml.epp', {
+      base_url                => $base_url,
+      cookie_secret           => $cookie_secret,
+      csrf_key                => $csrf_key,
+      server_certificate      => $server_certificate_file,
+      server_key              => $server_key_file,
+      client_cas              => $client_ca_file,
+      listen_address          => $listen_address,
+      admin_emails            => $admin_emails,
+      api_cas                 => $api_ca_file,
+      api_client_id           => $api_client_id,
+      api_signature_key_lines => split($api_private_key, "\n"),
+      api_endpoint_url        => $api_endpoint_url,
+      log_directory           => $log_directory,
+    }),
+    require => Package[$service_name],
+    notify  => Service[$service_name],
+  }
+
   service { $service_name:
     ensure  => running,
     enable  => true,
diff --git a/sitemodules/profiles/templates/cacert_selfservice/config.yaml.epp b/sitemodules/profiles/templates/cacert_selfservice/config.yaml.epp
new file mode 100644
index 0000000..59c9b82
--- /dev/null
+++ b/sitemodules/profiles/templates/cacert_selfservice/config.yaml.epp
@@ -0,0 +1,32 @@
+<%- | String $base_url,
+      String $cookie_secret,
+      String $csrf_key,
+      String $server_certificate,
+      String $server_key,
+      String $client_cas,
+      String $listen_address,
+      Array[String] $admin_emails,
+      Array[String] $api_signature_key_lines,
+      String $api_client_id,
+      String $api_cas,
+      String $api_endpoint_url,
+      String $log_directory
+| -%>
+---
+client_ca_certificates: <%= $client_cas %>
+server_certificate: <%= $server_certificate %>
+server_key: <%= $server_key %>
+cookie_secret: <%= $cookie_secret %>
+csrf_key: <%= $csrf_key %>
+base_url: <%= $base_url %>
+https_address: <%= $listen_address %>
+admin_emails:
+<%- $admin_emails.each |$admin_email| { %>
+- <%= $admin_email %>
+<%- } %>
+api_private_key: |
+<% $api_signature_key_lines.each |$key_line| { %>  <%= $key_line %><% } %>
+api_client_id: <%= $api_client_id %>
+api_ca_certificates: <%= $api_cas %>
+api_endpoint_url: <%= $api_endpoint_url %>
+access_log: <%= $log_directory %>/access.log
author	Jan Dittberner <jandd@cacert.org>	2019-08-17 11:25:15 +0200
committer	Jan Dittberner <jandd@cacert.org>	2019-08-17 11:25:15 +0200
commit	424ac3ede9aa39ef844cf5c3326698206ccca2b8 (patch)
tree	b33b039fc0f45e8a53cd4a556c8bcac65b5e4ca5 /sitemodules
parent	e5479901c713f2f6daf17424d8df9d1f5966e274 (diff)
download	cacert-puppet-424ac3ede9aa39ef844cf5c3326698206ccca2b8.tar.gz cacert-puppet-424ac3ede9aa39ef844cf5c3326698206ccca2b8.tar.xz cacert-puppet-424ac3ede9aa39ef844cf5c3326698206ccca2b8.zip