Diffstat (limited to 'sitemodules/profiles/manifests/cacert_selfservice.pp')
-rw-r--r--sitemodules/profiles/manifests/cacert_selfservice.pp128
1 files changed, 128 insertions, 0 deletions
diff --git a/sitemodules/profiles/manifests/cacert_selfservice.pp b/sitemodules/profiles/manifests/cacert_selfservice.pp
new file mode 100644
index 0000000..1d0e5d0
--- /dev/null
+++ b/sitemodules/profiles/manifests/cacert_selfservice.pp
@@ -0,0 +1,128 @@
+# Class: profiles::cacert_selfservice
+# ===================================
+#
+# This class defines the cacert_selfservice profile that configures the CAcert
+# community self service system web interface.
+#
+# Parameters
+# ----------
+#
+# @param server_certificate PEM encoded X.509 server certificate
+#
+# @param server_private_key PEM encoded unencrypted RSA private key
+#
+# Examples
+# --------
+#
+# @example
+# class roles::myhost {
+# include profiles::cacert_selfservice
+# }
+#
+# Authors
+# -------
+#
+# Jan Dittberner <jandd@cacert.org>
+#
+# Copyright
+# ---------
+#
+# Copyright 2019 Jan Dittberner
+#
+class profiles::cacert_selfservice (
+ String $server_certificate,
+ String $server_private_key,
+) {
+ include profiles::cacert_debrepo
+
+ $service_name = 'cacert-selfservice'
+ $config_directory = "/etc/${service_directory}"
+ $config_file = "${config_directory}/config.yaml"
+ $server_certificate_file = "${config_directory}/certs/server.crt.pem"
+ $server_key_file = "${config_directory}/private/server.key.pem"
+ $log_directory = "/var/log/${service_name}"
+
+ $api_ca_file = "${config_directory}/certs/api_cas.pem"
+ $client_ca_file = "${config_directory}/certs/client_cas.pem"
+
+ package { $service_name:
+ ensure => latest,
+ require => Apt::Source['cacert'],
+ }
+
+ file { $log_directory:
+ ensure => directory,
+ owner => $service_name,
+ group => 'root',
+ mode => '0750',
+ require => Package[$service_name],
+ }
+ file { "${config_directory}/certs":
+ ensure => directory,
+ owner => $service_name,
+ group => 'root',
+ mode => '0750',
+ require => Package[$service_name],
+ }
+ file { "${config_directory}/private":
+ ensure => directory,
+ owner => $service_name,
+ group => 'root',
+ mode => '0700',
+ require => Package[$service_name],
+ }
+ file { $server_certificate_file:
+ ensure => file,
+ owner => $service_name,
+ group => 'root',
+ mode => '0644',
+ content => $server_certificate,
+ require => File["${config_directory}/certs"],
+ notify => Service[$service_name],
+ }
+ file { $server_key_file:
+ ensure => file,
+ owner => $service_name,
+ group => 'root',
+ mode => '0600',
+ content => $server_private_key,
+ require => File["${config_directory}/private"],
+ notify => Service[$service_name],
+ }
+ concat { $client_ca_file:
+ ensure => present
+ owner => $service_name,
+ group => 'root',
+ mode => '0640',
+ require => File["${config_directory}/certs"],
+ notify => Service[$service_name],
+ }
+ concat::fragment { 'cacert-class3-client-ca':
+ tag => 'cacert-class3-client-ca',
+ order => 10,
+ target => $client_ca_file,
+ source => 'puppet:///modules/profiles/base/cacert_class3_X0E.crt',
+ }
+ concat::fragment { 'cacert-class1-client-ca':
+ tag => 'cacert-class1-client-ca',
+ order => 20,
+ target => $client_ca_file,
+ source => 'puppet:///modules/profiles/base/cacert_class1_X0F.crt',
+ }
+
+ file { $api_cas:
+ ensure => file,
+ owner => $service_name,
+ group => 'root',
+ mode => '0640',
+ source => 'puppet:///modules/profiles/base/cacert_class3_X0E.crt',
+ require => File["${config_directory}/certs"],
+ notify => Service[$service_name],
+ }
+
+ service { $service_name:
+ ensure => running,
+ enable => true,
+ require => Package[$service_name],
+ }
+}
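Review bot: `$config_directory = "/etc/${service_directory}"` interpolates `$service_directory`, a variable the class never assigns, so the value collapses to `/etc/` (or the catalog fails under strict variable checking) and the certs/, private/ and config.yaml paths all land directly under `/etc`; it should read `$config_directory = "/etc/${service_name}"`. Two further compile errors in the same hunk: the `concat` resource's `ensure => present` is missing its trailing comma, and the last `file` resource is titled with `$api_cas`, which is undefined — `$api_ca_file` is the variable declared for it above. Separately, `$server_private_key` is a plain `String` written via `content =>`, which puts the PEM key body into the compiled catalog and into the agent's change diffs and reports; declare it `Sensitive[String]` and set `show_diff => false` on the key file so it is redacted (both require a Puppet release that supports the `Sensitive` data type — confirm against the agent version deployed). `$config_file` is assigned but never used, so either manage that file here or drop the variable.
```puppet
class profiles::cacert_selfservice (
  String $server_certificate,
  Sensitive[String] $server_private_key,
) {
  # … unchanged: include profiles::cacert_debrepo, $service_name …
  $config_directory = "/etc/${service_name}"
  # … unchanged: remaining path variables, package, directories, server certificate …
  file { $server_key_file:
    ensure    => file,
    owner     => $service_name,
    group     => 'root',
    mode      => '0600',
    content   => $server_private_key,
    show_diff => false,
    require   => File["${config_directory}/private"],
    notify    => Service[$service_name],
  }
  concat { $client_ca_file:
    ensure  => present,
    # … unchanged: owner, group, mode, require, notify …
  }
  # … unchanged: concat::fragment resources …
  file { $api_ca_file:
    # … unchanged: attributes …
  }
  # … unchanged: service resource …
}
```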