Diffstat (limited to 'sitemodules/profiles/manifests/roundcube.pp')
-rw-r--r--sitemodules/profiles/manifests/roundcube.pp63
1 files changed, 37 insertions, 26 deletions
diff --git a/sitemodules/profiles/manifests/roundcube.pp b/sitemodules/profiles/manifests/roundcube.pp
index a32b0ca..ffc1ea8 100644
--- a/sitemodules/profiles/manifests/roundcube.pp
+++ b/sitemodules/profiles/manifests/roundcube.pp
@@ -6,6 +6,8 @@
# Parameters
# ----------
#
+# @param additional_names Additional host names for the Apache VirtualHost
+#
# @param des_key Key to encrypt the the client cookies, must be
# exactly 24 characters long
#
@@ -24,10 +26,6 @@
#
# @param mail_debug php boolean string used to toggle mail debugging
#
-# @param server_certificate PEM encoded X.509 server certificate
-#
-# @param server_private_key PEM encoded unencrypted RSA private key
-#
# Examples
# --------
#
@@ -48,15 +46,15 @@
class profiles::roundcube (
String $des_key,
String $master_password,
- String $server_certificate,
- String $server_private_key,
String $email_host = 'email.cacert.org',
String $email_host_ip = '10.0.0.19',
String $mail_domain = 'cacert.org',
String $mail_debug = 'false',
- String $external_name = 'community.cacert.org',
+ String $external_name = 'webmail.cacert.org',
+ Array[String] $additional_names = ['community.cacert.org'],
) {
include profiles::cacert_debrepo
+ include profiles::x509cert_common
package { 'mariadb-server':
ensure => latest,
@@ -194,6 +192,8 @@ class profiles::roundcube (
require => Archive[$twofactor_gauthenticator_archive],
}
+ # These certificates should be removed when the switch to x509cert_common
+ # has been applied
file { '/etc/apache2/ssl':
ensure => directory,
owner => 'root',
@@ -218,22 +218,22 @@ class profiles::roundcube (
$apache_ssl_cert = "/etc/apache2/ssl/certs/${external_name}.crt.pem"
$apache_ssl_key = "/etc/apache2/ssl/private/${external_name}.key.pem"
- file { $apache_ssl_cert:
- ensure => file,
- owner => 'root',
- group => 'root',
- mode => '0644',
- content => $server_certificate,
- require => File['/etc/apache2/ssl/certs'],
- }
- file { $apache_ssl_key:
- ensure => file,
- owner => 'root',
- group => 'root',
- mode => '0640',
- content => $server_private_key,
- require => File['/etc/apache2/ssl/private'],
- }
+ #file { $apache_ssl_cert:
+ # ensure => file,
+ # owner => 'root',
+ # group => 'root',
+ # mode => '0644',
+ # content => $server_certificate,
+ # require => File['/etc/apache2/ssl/certs'],
+ #}
+ #file { $apache_ssl_key:
+ # ensure => file,
+ # owner => 'root',
+ # group => 'root',
+ # mode => '0640',
+ # content => $server_private_key,
+ # require => File['/etc/apache2/ssl/private'],
+ #}
class { 'apache':
default_vhost => false,
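Review bot: The two `file` resources are commented out rather than deleted, which leaves `$apache_ssl_cert` and `$apache_ssl_key` assigned at the top of the hunk but referenced only from comments, and the commented block still names `$server_certificate` and `$server_private_key`, which this commit removes from the class parameters, so it cannot simply be re-enabled. Since the vhost below now reads its certificate and key from `/etc/ssl/...` paths, the commented resources and the two variable assignments can be removed outright; version control keeps the history. If a reminder is wanted, a one-line `# Certificate and key are provided by profiles::x509cert_common` at the point of use is clearer than sixteen commented lines. The `class { 'apache':` resource that begins at the end of this hunk continues outside it.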
@@ -271,15 +271,25 @@ class profiles::roundcube (
error_log => true,
protocols => ['h2', 'http/1.1'],
serveradmin => 'webmail-admin@cacert.org',
+ serveraliases => $additional_names,
ssl => true,
- ssl_cert => $apache_ssl_cert,
- ssl_key => $apache_ssl_key,
+ ssl_cert => "/etc/ssl/public/${external_name}.chain.pem",
+ ssl_key => "/etc/ssl/private/${external_name}.key.pem",
ssl_ca => $cacert_cert_bundle,
ssl_verify_client => 'optional',
ssl_verify_depth => 2,
ssl_options => ['+StdEnvVars'],
ssl_protocol => 'all -SSLv3 -TLSv1 -TLSv1.1',
- ssl_cipher => 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384',
+ ssl_cipher => join([
+ 'ECDHE-ECDSA-AES128-GCM-SHA256',
+ 'ECDHE-RSA-AES128-GCM-SHA256',
+ 'ECDHE-ECDSA-AES256-GCM-SHA384',
+ 'ECDHE-RSA-AES256-GCM-SHA384',
+ 'ECDHE-ECDSA-CHACHA20-POLY1305',
+ 'ECDHE-RSA-CHACHA20-POLY1305',
+ 'DHE-RSA-AES128-GCM-SHA256',
+ 'DHE-RSA-AES256-GCM-SHA384',
+ ], ':'),
ssl_honorcipherorder => 'on',
ssl_stapling => true,
directories => [
@@ -292,6 +302,7 @@ class profiles::roundcube (
redirect_dest => [
'https://selfservice.cacert.org/password-reset', 'https://selfservice.cacert.org/staff'],
redirect_status => ['permanent', 'permanent'],
+ # rewrites can be removed when DNS is changed
rewrites => [
{
rewrite_cond => ['%{REQUEST_URI} ^/board/motions.php', '%{QUERY_STRING} motion=(.*)$'],