-rw-r--r--hieradata/nodes/community.yaml3
-rw-r--r--sitemodules/profiles/manifests/roundcube.pp64
-rw-r--r--sitemodules/profiles/manifests/x509cert_common.pp30
3 files changed, 33 insertions, 64 deletions
diff --git a/hieradata/nodes/community.yaml b/hieradata/nodes/community.yaml
index 5d6acf5..0ac02e1 100644
--- a/hieradata/nodes/community.yaml
+++ b/hieradata/nodes/community.yaml
@@ -344,3 +344,6 @@ profiles::x509cert_common::certificates:
cacerts:
- class3_2021
- class1_X0F
+ client_ca_certificates:
+ - class3_2021
+ - class1_X0F
diff --git a/sitemodules/profiles/manifests/roundcube.pp b/sitemodules/profiles/manifests/roundcube.pp
index c5e7988..ae7c031 100644
--- a/sitemodules/profiles/manifests/roundcube.pp
+++ b/sitemodules/profiles/manifests/roundcube.pp
@@ -73,6 +73,8 @@ class profiles::roundcube (
ensure => latest,
}
+ $cacert_cert_bundle = "/etc/ssl/public/${external_name}_client_cas.pem"
+
host { $email_host:
ensure => 'present',
ip => $email_host_ip,
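Review bot: The added `$cacert_cert_bundle` assignment points at a file this class no longer manages: the concat resource that used to guarantee the bundle's existence is deleted in the next hunk, and the path is now produced by the `client_ca_certificates` branch of profiles::x509cert_common (same path pattern in that file's last hunk). Nothing in this hunk orders roundcube's apache configuration after that concat, and the path is only right when `$external_name` equals the key of the certificate entry in `profiles::x509cert_common::certificates` — a silent mismatch would leave apache pointing at a bundle that is never written. I would document the coupling above the assignment, e.g. `# Written by profiles::x509cert_common for the certificate entry named ${external_name}; keep the path in sync with that class.`, and add `require => Concat[$cacert_cert_bundle]` on the resource that consumes it if that class is always in the catalog. The enclosing class profiles::roundcube starts and ends outside this hunk.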
@@ -80,25 +82,6 @@ class profiles::roundcube (
target => '/etc/hosts',
}
- $cacert_cert_bundle = '/etc/ssl/certs/cacert.org.pem'
-
- concat { $cacert_cert_bundle:
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0644',
- }
- concat::fragment { 'bundle-cacert-class3-ca':
- order => 10,
- target => $cacert_cert_bundle,
- source => 'puppet:///modules/profiles/base/cacert_class3_2021.crt',
- }
- concat::fragment { 'bundle-cacert-class1-ca':
- order => 20,
- target => $cacert_cert_bundle,
- source => 'puppet:///modules/profiles/base/cacert_class1_X0F.crt',
- }
-
file { '/etc/roundcube/config.inc.php':
ensure => file,
owner => 'root',
@@ -192,48 +175,11 @@ class profiles::roundcube (
require => Archive[$twofactor_gauthenticator_archive],
}
- # These certificates should be removed when the switch to x509cert_common
- # has been applied
+ # This directory should be removed after the switch to x509cert_common has
+ # been applied
file { '/etc/apache2/ssl':
- ensure => directory,
- owner => 'root',
- group => 'root',
- mode => '0755',
+ ensure => absent,
}
- file { '/etc/apache2/ssl/certs':
- ensure => directory,
- owner => 'root',
- group => 'root',
- mode => '0755',
- require => File['/etc/apache2/ssl'],
- }
- file { '/etc/apache2/ssl/private':
- ensure => directory,
- owner => 'root',
- group => 'root',
- mode => '0750',
- require => File['/etc/apache2/ssl'],
- }
-
- $apache_ssl_cert = "/etc/apache2/ssl/certs/${external_name}.crt.pem"
- $apache_ssl_key = "/etc/apache2/ssl/private/${external_name}.key.pem"
-
- #file { $apache_ssl_cert:
- # ensure => file,
- # owner => 'root',
- # group => 'root',
- # mode => '0644',
- # content => $server_certificate,
- # require => File['/etc/apache2/ssl/certs'],
- #}
- #file { $apache_ssl_key:
- # ensure => file,
- # owner => 'root',
- # group => 'root',
- # mode => '0640',
- # content => $server_private_key,
- # require => File['/etc/apache2/ssl/private'],
- #}
class { 'apache':
default_vhost => false,
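Review bot: `ensure => absent` on `/etc/apache2/ssl` will not remove the directory while it still contains the `certs` and `private` subdirectories the removed lines used to create; Puppet's file type declines to delete a non-empty directory under `ensure => absent` unless `force => true` is set, and as far as I recall it only logs a notice rather than failing. Since `private` was the location of the server key per the removed `$apache_ssl_key` line, the material the new comment says should go away would stay on disk indefinitely. Change the resource to `ensure => absent,` followed by `force => true,` so the cleanup actually happens; the enclosing class continues past the end of the hunk.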
diff --git a/sitemodules/profiles/manifests/x509cert_common.pp b/sitemodules/profiles/manifests/x509cert_common.pp
index bdc1a33..d784b49 100644
--- a/sitemodules/profiles/manifests/x509cert_common.pp
+++ b/sitemodules/profiles/manifests/x509cert_common.pp
@@ -10,10 +10,12 @@
# @param certificates Hash data structure with certificate names as key and
# certificate information as value the individual
# entries are expected to have certificate, private_key
-# and cachain entries with PEM encoded data. Private
-# keys have to be encrypted using eyaml. The cachain
-# entry should contain an array of CA certificate
-# identifiers.
+# and cachain and client_ca_certificates entries with
+# PEM encoded data. Private keys have to be encrypted
+# using eyaml. The cachain entry should contain an array
+# of CA certificate identifiers. The
+# client_ca_certificates entry should contain an array
+# of CA certificate identifiers.
#
# Examples
# --------
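Review bot: The reworded `@param certificates` text presents `client_ca_certificates` as a required entry alongside `certificate`, `private_key` and `cachain`, but the implementation in this file's last hunk guards it with `if 'client_ca_certificates' in $cert_info`, so it is optional and should be documented as such. The sentence also attaches "with PEM encoded data" to all four entries even though the two CA entries hold identifier arrays; a clearer form is `certificate and private_key entries with PEM encoded data, a cachain entry with an array of CA certificate identifiers, and an optional client_ca_certificates entry with an array of CA certificate identifiers that may sign client certificates`. Separately, the hieradata hunk in this commit uses a `cacerts:` key where this text says `cachain`; I cannot see the loop that reads it, so please confirm which name the code actually consumes and align the docstring.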
@@ -31,7 +33,7 @@
# Copyright
# ---------
#
-# Copyright 2020 Jan Dittberner
+# Copyright 2020-2021 Jan Dittberner
class profiles::x509cert_common (
Hash[String, Data] $certificates,
) {
@@ -84,5 +86,23 @@ class profiles::x509cert_common (
source => "puppet:///modules/profiles/base/cacert_${ca_cert}.crt",
}
}
+
+ if 'client_ca_certificates' in $cert_info {
+ $client_ca_certificates = "/etc/ssl/public/${name}_client_cas.pem"
+ concat { $client_ca_certificates:
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ }
+ $cert_info['client_ca_certificates'].each |$index, $ca_cert| {
+ $order = 10 + $index
+ concat::fragment { "${name}-client-${ca_cert}":
+ order => $order,
+ target => $client_ca_certificates,
+ source => "puppet:///modules/profiles/base/cacert_${ca_cert}.crt",
+ }
+ }
+ }
}
}
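Review bot: The new `if 'client_ca_certificates' in $cert_info` branch only ever creates the bundle; once an entry drops that key, `/etc/ssl/public/${name}_client_cas.pem` remains on disk and any vhost still pointing at it keeps accepting client certificates from those CAs. An `else` branch declaring `file { "/etc/ssl/public/${name}_client_cas.pem": ensure => absent, }` would make removal converge as well as addition. The `each` iteration that supplies `$name` and `$cert_info` starts before this hunk, so I am inferring its shape from how those variables are used here.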