authorJan Dittberner <jandd@cacert.org>2019-08-17 11:25:15 +0200
committerJan Dittberner <jandd@cacert.org>2019-08-17 11:25:15 +0200
commit424ac3ede9aa39ef844cf5c3326698206ccca2b8 (patch)
treeb33b039fc0f45e8a53cd4a556c8bcac65b5e4ca5 /sitemodules
parente5479901c713f2f6daf17424d8df9d1f5966e274 (diff)
Add configuration for the community self service
Diffstat (limited to 'sitemodules')
-rw-r--r--sitemodules/profiles/manifests/cacert_selfservice.pp50
-rw-r--r--sitemodules/profiles/templates/cacert_selfservice/config.yaml.epp32
2 files changed, 82 insertions, 0 deletions
diff --git a/sitemodules/profiles/manifests/cacert_selfservice.pp b/sitemodules/profiles/manifests/cacert_selfservice.pp
index 09b5bfc..8f0054a 100644
--- a/sitemodules/profiles/manifests/cacert_selfservice.pp
+++ b/sitemodules/profiles/manifests/cacert_selfservice.pp
@@ -7,10 +7,28 @@
# Parameters
# ----------
#
+# @param base_url base URL where the web interface can be found
+#
+# @param cookie_secret 32 bytes of secret key data for cookie encryption
+#
+# @param csrf_key 32 bytes of secret key data for CSRF protection
+# token encryption
+#
# @param server_certificate PEM encoded X.509 server certificate
#
# @param server_private_key PEM encoded unencrypted RSA private key
#
+# @param listen_address Listening socket address
+#
+# @param admin_emails Array containing admins with extended permissions
+#
+# @param api_client_id API client identifier
+#
+# @param api_private_key PEM encoded ECDSA private key for signing API
+# requests
+#
+# @param api_endpoint_url backend API endpoint URL
+#
# Examples
# --------
#
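Review bot: The parameter documented here as `api_endpoint_url` is declared as `$api_url` in the class parameter list of the next hunk, while the `epp()` call in the third hunk passes `$api_endpoint_url`, which is never declared; with `strict_variables` enabled the catalog compilation fails, and otherwise the template receives undef for a `String`-typed parameter and should fail its parameter type check. Use one name in all three places — since the template parameter is already `$api_endpoint_url`, changing the declaration to `String $api_endpoint_url = "https://email.infra.cacert.org:8443/",` is the smallest fix and makes this `@param` block correct as written.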
@@ -30,8 +48,16 @@
# Copyright 2019 Jan Dittberner
#
class profiles::cacert_selfservice (
+ String $base_url = "https://selfservice.cacert.org",
+ String $cookie_secret,
+ String $csrf_key,
String $server_certificate,
String $server_private_key,
+ String $listen_address = ":8443",
+ Array[String] $admin_emails,
+ String $api_client_id,
+ String $api_private_key,
+ String $api_url = "https://email.infra.cacert.org:8443/",
) {
include profiles::cacert_debrepo
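Review bot: `$cookie_secret`, `$csrf_key` and `$api_private_key` are typed as plain `String`, so the secret values travel in clear through the catalog and any debug or report output that prints class parameters. Puppet's `Sensitive[String]` type marks them for redaction in logs and reports, e.g. `Sensitive[String] $cookie_secret,`; the `epp()` call in the next hunk would then pass `$cookie_secret.unwrap`, or the whole rendered content would be wrapped as `Sensitive(...)`. Independently, the list mixes required parameters with defaulted ones (`$base_url`, `$listen_address`); the Puppet style guide puts required parameters first, and puppet-lint flags the double-quoted defaults that contain no interpolation.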
@@ -120,6 +146,30 @@ class profiles::cacert_selfservice (
notify => Service[$service_name],
}
+ file { $config_file:
+ ensure => present,
+ owner => $service_name,
+ group => 'root',
+ mode => '0600',
+ content => epp('profiles/cacert_selfservice/config.yaml.epp', {
+ base_url => $base_url,
+ cookie_secret => $cookie_secret,
+ csrf_key => $csrf_key,
+ server_certificate => $server_certificate_file,
+ server_key => $server_key_file,
+ client_cas => $client_ca_file,
+ listen_address => $listen_address,
+ admin_emails => $admin_emails,
+ api_cas => $api_ca_file,
+ api_client_id => $api_client_id,
+ api_signature_key_lines => split($api_private_key, "\n"),
+ api_endpoint_url => $api_endpoint_url,
+ log_directory => $log_directory,
+ }),
+ require => Package[$service_name],
+ notify => Service[$service_name],
+ }
+
service { $service_name:
ensure => running,
enable => true,
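Review bot: The `file { $config_file: ... }` resource renders the cookie secret, CSRF key and API signing key into its content but does not set `show_diff`, so whenever the content changes the agent log and the report carry a diff of the old and new file, secrets included. Add `show_diff => false,` next to `mode => '0600',`; if the Puppet version in use supports it, `content => Sensitive(epp(...))` additionally keeps the rendered file out of the catalog. `ensure => file` would also state the intent more precisely than `ensure => present` for a resource that supplies content.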
diff --git a/sitemodules/profiles/templates/cacert_selfservice/config.yaml.epp b/sitemodules/profiles/templates/cacert_selfservice/config.yaml.epp
new file mode 100644
index 0000000..59c9b82
--- /dev/null
+++ b/sitemodules/profiles/templates/cacert_selfservice/config.yaml.epp
@@ -0,0 +1,32 @@
+<%- | String $base_url,
+ String $cookie_secret,
+ String $csrf_key,
+ String $server_certificate,
+ String $server_key,
+ String $client_cas,
+ String $listen_address,
+ Array[String] $admin_emails,
+ Array[String] $api_signature_key_lines,
+ String $api_client_id,
+ String $api_cas,
+ String $api_endpoint_url,
+ String $log_directory
+| -%>
+---
+client_ca_certificates: <%= $client_cas %>
+server_certificate: <%= $server_certificate %>
+server_key: <%= $server_key %>
+cookie_secret: <%= $cookie_secret %>
+csrf_key: <%= $csrf_key %>
+base_url: <%= $base_url %>
+https_address: <%= $listen_address %>
+admin_emails:
+<%- $admin_emails.each |$admin_email| { %>
+- <%= $admin_email %>
+<%- } %>
+api_private_key: |
+<% $api_signature_key_lines.each |$key_line| { %> <%= $key_line %><% } %>
+api_client_id: <%= $api_client_id %>
+api_ca_certificates: <%= $api_cas %>
+api_endpoint_url: <%= $api_endpoint_url %>
+access_log: <%= $log_directory %>/access.log
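Review bot: The `api_private_key` loop on the line `<% $api_signature_key_lines.each |$key_line| { %> <%= $key_line %><% } %>` emits each key line as a space-prefixed fragment with no line break inside the loop body, so the YAML literal block holds the whole PEM on a single line with the BEGIN/END delimiters and the base64 body joined by spaces, which a PEM parser will not accept. Structure it like the `admin_emails` loop above, with the line break inside the body and the indentation on the value line: `<%- $api_signature_key_lines.each |$key_line| { -%>` / `  <%= $key_line %>` / `<%- } -%>`. Separately, every value is written as an unquoted plain scalar; a secret or URL containing ` #` or `: ` would be truncated or break the YAML, so quoting the secret values (e.g. `cookie_secret: "<%= $cookie_secret %>"`) is worth considering if their encoding can produce such characters.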