Diffstat (limited to 'sitemodules')
-rw-r--r--sitemodules/profiles/files/base/cacert_class3_2021.crt36
-rw-r--r--sitemodules/profiles/files/icinga2_external_commands/check_ocsp2
-rw-r--r--sitemodules/profiles/manifests/base.pp21
-rw-r--r--sitemodules/profiles/manifests/cacert_boardvoting.pp82
-rw-r--r--sitemodules/profiles/manifests/cacert_selfservice.pp4
-rw-r--r--sitemodules/profiles/manifests/icinga2_master.pp2
-rw-r--r--sitemodules/profiles/manifests/mantisbt.pp79
-rw-r--r--sitemodules/profiles/manifests/moinmoin.pp79
-rw-r--r--sitemodules/profiles/manifests/roundcube.pp66
-rw-r--r--sitemodules/profiles/manifests/subversion_server.pp143
-rw-r--r--sitemodules/profiles/manifests/wordpress.pp79
-rw-r--r--sitemodules/profiles/manifests/x509cert_common.pp40
-rw-r--r--sitemodules/profiles/templates/cacert_boardvoting/config.yaml.epp11
-rw-r--r--sitemodules/profiles/templates/mantisbt/mantis-ssl.conf.epp35
-rw-r--r--sitemodules/profiles/templates/moinmoin/wiki.conf.epp69
-rw-r--r--sitemodules/profiles/templates/subversion_server/svn_anonymous.epp8
-rw-r--r--sitemodules/profiles/templates/subversion_server/svn_password_auth.epp13
-rw-r--r--sitemodules/profiles/templates/wordpress/wordpress-ssl.conf.epp36
-rw-r--r--sitemodules/roles/manifests/blog.pp3
-rw-r--r--sitemodules/roles/manifests/bugs.pp1
-rw-r--r--sitemodules/roles/manifests/infra03.pp26
-rw-r--r--sitemodules/roles/manifests/svnserver.pp3
-rw-r--r--sitemodules/roles/manifests/wiki.pp3
23 files changed, 718 insertions, 123 deletions
diff --git a/sitemodules/profiles/files/base/cacert_class3_2021.crt b/sitemodules/profiles/files/base/cacert_class3_2021.crt
new file mode 100644
index 0000000..3b2925e
--- /dev/null
+++ b/sitemodules/profiles/files/base/cacert_class3_2021.crt
@@ -0,0 +1,36 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/sitemodules/profiles/files/icinga2_external_commands/check_ocsp b/sitemodules/profiles/files/icinga2_external_commands/check_ocsp
index 6e3b94f..be3f0f0 100644
--- a/sitemodules/profiles/files/icinga2_external_commands/check_ocsp
+++ b/sitemodules/profiles/files/icinga2_external_commands/check_ocsp
@@ -72,7 +72,7 @@ then
# Debian setup
CAPATH=/etc/ssl/certs
CLASS1=${CAPATH}/root_X0F.pem
- CLASS3=${CAPATH}/class3_X0E.pem
+ CLASS3=${CAPATH}/cacert_class3_2021.pem
else
# unsupported
echo "$0: unsupported OS environment" 1>&2
diff --git a/sitemodules/profiles/manifests/base.pp b/sitemodules/profiles/manifests/base.pp
index 44e3db7..224e0c3 100644
--- a/sitemodules/profiles/manifests/base.pp
+++ b/sitemodules/profiles/manifests/base.pp
@@ -103,7 +103,7 @@ class profiles::base (
ensure => present,
}
- package { ['zsh', 'tmux', 'less']:
+ package { ['zsh', 'tmux', 'less', 'vim-nox']:
ensure => latest,
}
@@ -201,6 +201,18 @@ class profiles::base (
ensure => installed,
}
+ file { '/usr/local/share/ca-certificates/cacert_class3_2021.crt':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ source => 'puppet:///modules/profiles/base/cacert_class3_2021.crt',
+ require => Package['ca-certificates'],
+ } ~>
+ exec { '/usr/sbin/update-ca-certificates':
+ require => Package['ca-certificates'],
+ }
+
if ($crl_job_enable) {
file { '/var/local/ssl':
ensure => directory,
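Review bot: The `exec { '/usr/sbin/update-ca-certificates': }` added here has no `refreshonly => true`, so besides reacting to the `~>` notification from the certificate file it runs on every agent run and reports a change each time. Adding `refreshonly => true,` ties the trust-store rebuild to an actual change of `cacert_class3_2021.crt`. The later `require` list for `/etc/cron.hourly/update-crls` depends on the File rather than on this Exec; if the CRL script reads the certificate through `/etc/ssl/certs`, requiring `Exec['/usr/sbin/update-ca-certificates']` there would be the safer ordering, though that is inferred because the script is not shown. The enclosing class `profiles::base` starts and ends outside the hunk.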
@@ -225,7 +237,12 @@ class profiles::base (
content => epp(
'profiles/base/update-crls.epp',
{ 'services' => $crl_job_services }),
- require => [Package['ca-certificates'], Package['ca-cacert'], File['/var/local/ssl/crls']],
+ require => [
+ Package['ca-certificates'],
+ Package['ca-cacert'],
+ File['/var/local/ssl/crls'],
+ File['/usr/local/share/ca-certificates/cacert_class3_2021.crt']
+ ],
}
} else {
file { '/etc/cron.hourly/update-crls':
diff --git a/sitemodules/profiles/manifests/cacert_boardvoting.pp b/sitemodules/profiles/manifests/cacert_boardvoting.pp
index 65f1d28..8184455 100644
--- a/sitemodules/profiles/manifests/cacert_boardvoting.pp
+++ b/sitemodules/profiles/manifests/cacert_boardvoting.pp
@@ -16,6 +16,8 @@
# @param csrf_key 32 bytes of secret key data for CSRF
# protection token encryption
#
+# @param external_name externally visible host name of the service
+#
# @param mail_host hostname or IP address of the outgoing
# email server
#
@@ -29,10 +31,6 @@
# @param notification_sender_address email address that is used as the sender
# of generated emails
#
-# @param server_certificate PEM encoded X.509 server certificate
-#
-# @param server_private_key PEM encoded unencrypted RSA private key
-#
# @param vote_notice_mail_address email address that should receive
# notification when votes on a motion are
# made
@@ -53,68 +51,66 @@
# Copyright
# ---------
#
-# Copyright 2018-2019 Jan Dittberner
+# Copyright 2018-2021 Jan Dittberner
#
class profiles::cacert_boardvoting (
- String $base_url = "https://motion.cacert.org",
String $cookie_secret,
String $csrf_key,
+ String $base_url = 'https://motion.cacert.org',
+ String $external_name = 'motion.cacert.org',
String $mail_host = 'localhost',
Integer $mail_port = 25,
String $notice_mail_address = 'cacert-board@lists.cacert.org',
String $notification_sender_address = 'returns@cacert.org',
- String $server_certificate,
- String $server_private_key,
String $vote_notice_mail_address = 'cacert-board-votes@lists.cacert.org',
) {
include profiles::cacert_debrepo
+ include profiles::x509cert_common
+
+ $server_cert = "/etc/ssl/public/${external_name}.chain.pem"
+ $server_key = "/etc/ssl/private/${external_name}.key.pem"
+ $client_ca_certificates = "/etc/ssl/public/${external_name}_client_cas.pem"
+
package { 'cacert-boardvoting':
ensure => latest,
require => Apt::Source['cacert'],
- } ->
- file { '/srv/cacert-boardvoting/config.yaml':
+ }
+ -> file { '/srv/cacert-boardvoting/config.yaml':
ensure => file,
owner => 'cacert-boardvoting',
group => 'root',
mode => '0600',
content => epp('profiles/cacert_boardvoting/config.yaml.epp', {
- base_url => $base_url,
- cookie_secret => $cookie_secret,
- csrf_key => $csrf_key,
- mail_host => $mail_host,
- mail_port => $mail_port,
- motion_address => $notice_mail_address,
- sender_address => $notification_sender_address,
- vote_address => $vote_notice_mail_address,
+ base_url => $base_url,
+ cookie_secret => $cookie_secret,
+ csrf_key => $csrf_key,
+ mail_host => $mail_host,
+ mail_port => $mail_port,
+ motion_address => $notice_mail_address,
+ sender_address => $notification_sender_address,
+ vote_address => $vote_notice_mail_address,
+ server_cert => $server_cert,
+ server_key => $server_key,
+ client_ca_certs => $client_ca_certificates,
}),
notify => Service['cacert-boardvoting'],
}
- file { '/srv/cacert-boardvoting/data/cacert_class3.pem':
- ensure => file,
- owner => 'cacert-boardvoting',
- group => 'root',
- mode => '0644',
- source => 'puppet:///modules/profiles/base/cacert_class3_X0E.crt',
- notify => Service['cacert-boardvoting'],
- }
- file { '/srv/cacert-boardvoting/data/server.crt':
- ensure => file,
- owner => 'cacert-boardvoting',
- group => 'root',
- mode => '0644',
- content => $server_certificate,
- notify => Service['cacert-boardvoting'],
- }
- file { '/srv/cacert-boardvoting/data/server.key':
- ensure => file,
- owner => 'cacert-boardvoting',
- group => 'root',
- mode => '0600',
- content => $server_private_key,
- notify => Service['cacert-boardvoting'],
+
+ # Ensure that the cacert-boardvoting use can access its private key
+ @user { 'cacert-boardvoting': }
+
+ User <| title == cacert-boardvoting |> { groups +> 'ssl-cert' }
+
+ # Remove certificates from old locations
+ file { [
+ '/srv/cacert-boardvoting/data/cacert_class3.pem',
+ '/srv/cacert-boardvoting/data/server.crt',
+ '/srv/cacert-boardvoting/data/server.key']:
+ ensure => absent,
}
service { 'cacert-boardvoting':
- ensure => running,
- enable => true,
+ ensure => running,
+ enable => true,
+ subscribe => [File[$server_key], Concat[$server_cert], Concat[$client_ca_certificates]],
}
}
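Review bot: Adding `cacert-boardvoting` to the `ssl-cert` group does not by itself make the key readable, because `profiles::x509cert_common` still defaults the key file to `root:root` with mode `0640`. The Hiera entry for `$external_name` therefore has to set `key_group` to `ssl-cert` (or set `key_owner`), and nothing in this class says so. I would state that next to the collector, e.g. `# requires key_group 'ssl-cert' in the x509cert_common entry for $external_name`, and fix the typo in the existing comment ("use" should be "user"). The collector title is also an unquoted bare word; `User <| title == 'cacert-boardvoting' |>` would match the quoting of the `@user` declaration above it.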
diff --git a/sitemodules/profiles/manifests/cacert_selfservice.pp b/sitemodules/profiles/manifests/cacert_selfservice.pp
index 3165c02..8767977 100644
--- a/sitemodules/profiles/manifests/cacert_selfservice.pp
+++ b/sitemodules/profiles/manifests/cacert_selfservice.pp
@@ -134,7 +134,7 @@ class profiles::cacert_selfservice (
tag => 'cacert-class3-client-ca',
order => 10,
target => $client_ca_file,
- source => 'puppet:///modules/profiles/base/cacert_class3_X0E.crt',
+ source => 'puppet:///modules/profiles/base/cacert_class3_2021.crt',
}
concat::fragment { 'cacert-class1-client-ca':
tag => 'cacert-class1-client-ca',
@@ -148,7 +148,7 @@ class profiles::cacert_selfservice (
owner => $service_name,
group => 'root',
mode => '0640',
- source => 'puppet:///modules/profiles/base/cacert_class3_X0E.crt',
+ source => 'puppet:///modules/profiles/base/cacert_class3_2021.crt',
require => File["${config_directory}/certs"],
notify => Service[$service_name],
}
diff --git a/sitemodules/profiles/manifests/icinga2_master.pp b/sitemodules/profiles/manifests/icinga2_master.pp
index 31ac05d..3ecdcb0 100644
--- a/sitemodules/profiles/manifests/icinga2_master.pp
+++ b/sitemodules/profiles/manifests/icinga2_master.pp
@@ -256,7 +256,7 @@ class profiles::icinga2_master (
},
'-c' => {
'value' => '$ocsp_class$',
- 'description' => 'certificate class to check (class1 or class3)',
+ 'description' => 'certificate class to check, either class1 or class3',
},
},
target => '/etc/icinga2/zones.d/global-templates/ocsp-command.conf',
diff --git a/sitemodules/profiles/manifests/mantisbt.pp b/sitemodules/profiles/manifests/mantisbt.pp
new file mode 100644
index 0000000..45e2038
--- /dev/null
+++ b/sitemodules/profiles/manifests/mantisbt.pp
@@ -0,0 +1,79 @@
+# Class: profiles::mantisbt
+# =========================
+#
+# This class is work in progress to manage the Mantis bugtracker.
+#
+# The class only takes care of proper certificate setup for now only.
+#
+# Parameters
+# ----------
+#
+# @param external_name External host name used for the Apache VirtualHost
+#
+# Examples
+# --------
+#
+# @example
+# class roles::myhost {
+# include profiles::mantisbt
+# }
+#
+# Authors
+# -------
+#
+# Jan Dittberner <jandd@cacert.org>
+#
+# Copyright
+# ---------
+#
+# Copyright 2021 Jan Dittberner
+#
+class profiles::mantisbt (
+ String $external_name = 'bugs.cacert.org',
+) {
+ include profiles::x509cert_common
+
+ $server_cert = "/etc/ssl/public/${external_name}.crt.pem"
+ $server_key = "/etc/ssl/private/${external_name}.key.pem"
+ $server_chain = "/etc/ssl/public/${external_name}.chain.pem"
+ $client_ca_certificates = "/etc/ssl/public/${external_name}_client_cas.pem"
+
+ # Remove certificates from old locations
+ file { [
+ '/etc/ssl/public/bugs.c.o.crt',
+ '/etc/ssl/public/CAcert.crt',
+ '/etc/ssl/private/bugs.c.o.key']:
+ ensure => absent,
+ }
+ file { '/etc/apache2/sites-available/mantis-ssl.conf':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => epp('profiles/mantisbt/mantis-ssl.conf.epp', {
+ server_name => $external_name,
+ server_cert => $server_cert,
+ server_key => $server_key,
+ server_chain => $server_chain,
+ client_ca_certificates => $client_ca_certificates,
+ }),
+ notify => Service['apache2'],
+ }
+ file { '/etc/apache2/sites-enabled/mantis-ssl.conf':
+ ensure => link,
+ owner => 'root',
+ group => 'root',
+ target => '/etc/apache2/sites-available/mantis-ssl.conf',
+ notify => Service['apache2'],
+ }
+ service { 'apache2':
+ ensure => running,
+ enable => true,
+ subscribe => [
+ File[$server_cert],
+ File[$server_key],
+ Concat[$server_chain],
+ Concat[$client_ca_certificates],
+ ],
+ }
+}
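Review bot: The `subscribe` list on `Service['apache2']` references `File[$server_cert]`, `File[$server_key]`, `Concat[$server_chain]` and `Concat[$client_ca_certificates]`, none of which this class declares. Going by the x509cert_common hunks, they exist only when the `certificates` hash has an entry named exactly `$external_name`, and the client CA concat only when that entry carries `client_ca_certificates`. A node without such an entry would presumably fail catalog compilation on the missing reference, so the class header should document the requirement, e.g. `# Requires a profiles::x509cert_common certificates entry for $external_name, including client_ca_certificates`. The same applies to `profiles::moinmoin`, `profiles::wordpress` and the `subscribe` added to `Service['cacert-boardvoting']`. Since the three Apache profiles differ only in file names and old-certificate paths, a shared defined type would avoid keeping three copies in step.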
diff --git a/sitemodules/profiles/manifests/moinmoin.pp b/sitemodules/profiles/manifests/moinmoin.pp
new file mode 100644
index 0000000..ecbece2
--- /dev/null
+++ b/sitemodules/profiles/manifests/moinmoin.pp
@@ -0,0 +1,79 @@
+# Class: profiles::moinmoin
+# =========================
+#
+# This class is work in progress to manage the MoinMoin wiki engine.
+#
+# The class only takes care of proper certificate setup and Apache VirtualHost
+# configuration for now only.
+#
+# Parameters
+# ----------
+#
+# @param external_name External host name used for the Apache VirtualHost
+#
+# Examples
+# --------
+#
+# @example
+# class roles::myhost {
+# include profiles::moinmoin
+# }
+#
+# Authors
+# -------
+#
+# Jan Dittberner <jandd@cacert.org>
+#
+# Copyright
+# ---------
+#
+# Copyright 2021 Jan Dittberner
+#
+class profiles::moinmoin (
+ String $external_name = 'wiki.cacert.org',
+) {
+ include profiles::x509cert_common
+
+ $server_cert = "/etc/ssl/public/${external_name}.crt.pem"
+ $server_key = "/etc/ssl/private/${external_name}.key.pem"
+ $server_chain = "/etc/ssl/public/${external_name}.chain.pem"
+ $client_ca_certificates = "/etc/ssl/public/${external_name}_client_cas.pem"
+
+ # Remove certificates from old locations
+ file { [
+ '/etc/ssl/public/wiki.cacert.org.crt',
+ '/etc/ssl/private/wiki.cacert.org.key']:
+ ensure => absent,
+ }
+ file { '/etc/apache2/sites-available/wiki.conf':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => epp('profiles/moinmoin/wiki.conf.epp', {
+ server_name => $external_name,
+ server_cert => $server_cert,
+ server_key => $server_key,
+ server_chain => $server_chain,
+ client_ca_certificates => $client_ca_certificates,
+ }),
+ notify => Service['apache2'],
+ }
+ file { '/etc/apache2/sites-enabled/wiki.conf':
+ ensure => link,
+ owner => 'root',
+ group => 'root',
+ target => '/etc/apache2/sites-available/wiki.conf',
+ notify => Service['apache2'],
+ }
+ service { 'apache2':
+ ensure => running,
+ enable => true,
+ subscribe => [
+ File[$server_cert],
+ File[$server_key],
+ Concat[$server_chain],
+ Concat[$client_ca_certificates],
+ ],
+ }
+}
diff --git a/sitemodules/profiles/manifests/roundcube.pp b/sitemodules/profiles/manifests/roundcube.pp
index ffc1ea8..1699c41 100644
--- a/sitemodules/profiles/manifests/roundcube.pp
+++ b/sitemodules/profiles/manifests/roundcube.pp
@@ -73,6 +73,8 @@ class profiles::roundcube (
ensure => latest,
}
+ $cacert_cert_bundle = "/etc/ssl/public/${external_name}_client_cas.pem"
+
host { $email_host:
ensure => 'present',
ip => $email_host_ip,
@@ -80,25 +82,6 @@ class profiles::roundcube (
target => '/etc/hosts',
}
- $cacert_cert_bundle = '/etc/ssl/certs/cacert.org.pem'
-
- concat { $cacert_cert_bundle:
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0644',
- }
- concat::fragment { 'bundle-cacert-class3-ca':
- order => 10,
- target => $cacert_cert_bundle,
- source => 'puppet:///modules/profiles/base/cacert_class3_X0E.crt',
- }
- concat::fragment { 'bundle-cacert-class1-ca':
- order => 20,
- target => $cacert_cert_bundle,
- source => 'puppet:///modules/profiles/base/cacert_class1_X0F.crt',
- }
-
file { '/etc/roundcube/config.inc.php':
ensure => file,
owner => 'root',
@@ -192,48 +175,13 @@ class profiles::roundcube (
require => Archive[$twofactor_gauthenticator_archive],
}
- # These certificates should be removed when the switch to x509cert_common
- # has been applied
+ # This directory should be removed after the switch to x509cert_common has
+ # been applied
file { '/etc/apache2/ssl':
- ensure => directory,
- owner => 'root',
- group => 'root',
- mode => '0755',
+ ensure => absent,
+ recurse => true,
+ force => true,
}
- file { '/etc/apache2/ssl/certs':
- ensure => directory,
- owner => 'root',
- group => 'root',
- mode => '0755',
- require => File['/etc/apache2/ssl'],
- }
- file { '/etc/apache2/ssl/private':
- ensure => directory,
- owner => 'root',
- group => 'root',
- mode => '0750',
- require => File['/etc/apache2/ssl'],
- }
-
- $apache_ssl_cert = "/etc/apache2/ssl/certs/${external_name}.crt.pem"
- $apache_ssl_key = "/etc/apache2/ssl/private/${external_name}.key.pem"
-
- #file { $apache_ssl_cert:
- # ensure => file,
- # owner => 'root',
- # group => 'root',
- # mode => '0644',
- # content => $server_certificate,
- # require => File['/etc/apache2/ssl/certs'],
- #}
- #file { $apache_ssl_key:
- # ensure => file,
- # owner => 'root',
- # group => 'root',
- # mode => '0640',
- # content => $server_private_key,
- # require => File['/etc/apache2/ssl/private'],
- #}
class { 'apache':
default_vhost => false,
diff --git a/sitemodules/profiles/manifests/subversion_server.pp b/sitemodules/profiles/manifests/subversion_server.pp
new file mode 100644
index 0000000..e79d419
--- /dev/null
+++ b/sitemodules/profiles/manifests/subversion_server.pp
@@ -0,0 +1,143 @@
+# Class: profiles::subversion_server
+# ==================================
+#
+# This class installs and configures a subversion repository server.
+#
+# Parameters
+# ----------
+#
+# @param external_name External host name used for the Apache VirtualHost
+#
+# @param no_cert_name Host name that allows access without a client
+# certificate
+#
+# @param cert_name Host name that requires a client certificate for access
+#
+# Examples
+# --------
+#
+# @example
+# class roles::myhost {
+# include profiles::subversion_server
+# }
+#
+# Authors
+# -------
+#
+# Jan Dittberner <jandd@cacert.org>
+#
+# Copyright
+# ---------
+#
+# Copyright 2021 Jan Dittberner
+class profiles::subversion_server (
+ String $external_name = 'svn.cacert.org',
+ String $no_cert_name = 'nocert.svn.cacert.org',
+ String $cert_name = 'cert.svn.cacert.org'
+) {
+ include profiles::x509cert_common
+
+ package { [ 'subversion', 'libapache2-mod-svn' ]:
+ ensure => latest,
+ }
+
+ $cacert_cert_bundle = "/etc/ssl/public/${external_name}_client_cas.pem"
+ $ssl_protocols = 'all -SSLv3 -TLSv1 -TLSv1.1'
+ $ssl_cipers = [
+ 'ECDHE-ECDSA-AES128-GCM-SHA256',
+ 'ECDHE-RSA-AES128-GCM-SHA256',
+ 'ECDHE-ECDSA-AES256-GCM-SHA384',
+ 'ECDHE-RSA-AES256-GCM-SHA384',
+ 'ECDHE-ECDSA-CHACHA20-POLY1305',
+ 'ECDHE-RSA-CHACHA20-POLY1305',
+ 'DHE-RSA-AES128-GCM-SHA256',
+ 'DHE-RSA-AES256-GCM-SHA384',
+ ]
+
+ class { 'apache':
+ default_vhost => false,
+ default_ssl_vhost => false,
+ mpm_module => 'worker',
+ server_signature => 'Off',
+ }
+
+ # This does not work on Debian 10
+ #class { 'apache::mod::dav_svn':
+ # authz_svn_enabled => true,
+ #}
+ #
+ # Workaround for https://tickets.puppetlabs.com/browse/MODULES-4182
+ apache::mod { 'dav_svn':
+ require => Apache::Mod['dav'],
+ }
+ apache::mod { 'authz_svn':
+ loadfile_name => 'dav_svn_authz_svn.load',
+ require => Apache::Mod['dav_svn'],
+ }
+ # End of workaround
+
+ class { 'apache::mod::ssl':
+ ssl_sessiontickets => false,
+ stapling_cache => 'shmcb:logs/ssl_stapling(32768)',
+ }
+ apache::vhost { "${external_name}-http":
+ vhost_name => '*',
+ servername => $external_name,
+ serveraliases => [$no_cert_name],
+ port => 80,
+ access_log => true,
+ access_log_format => 'combined',
+ error_log => true,
+ log_level => 'warn',
+ serveradmin => 'svn-admin@cacert.org',
+ docroot => false,
+ manage_docroot => false,
+ protocols => ['h2c', 'http/1.1'],
+ custom_fragment => epp('profiles/subversion_server/svn_anonymous.epp'),
+ }
+ apache::vhost { "${external_name}-https":
+ vhost_name => '*',
+ servername => $external_name,
+ serveraliases => [$cert_name],
+ port => 443,
+ access_log => true,
+ access_log_format => 'combined',
+ error_log => true,
+ protocols => ['h2', 'http/1.1'],
+ serveradmin => 'svn-admin@cacert.org',
+ ssl => true,
+ ssl_cert => "/etc/ssl/public/${external_name}.chain.pem",
+ ssl_key => "/etc/ssl/private/${external_name}.key.pem",
+ ssl_ca => $cacert_cert_bundle,
+ ssl_verify_client => 'require',
+ ssl_verify_depth => 3,
+ ssl_protocol => $ssl_protocols,
+ ssl_cipher => join($ssl_cipers, ':'),
+ ssl_honorcipherorder => 'on',
+ ssl_stapling => true,
+ ssl_user_name => 'SSL_CLIENT_S_DN_Email_0',
+ docroot => false,
+ manage_docroot => false,
+ custom_fragment => epp('profiles/subversion_server/svn_anonymous.epp'),
+ }
+ apache::vhost { "${no_cert_name}-https":
+ vhost_name => '*',
+ servername => $no_cert_name,
+ port => 443,
+ access_log => true,
+ access_log_format => 'combined',
+ error_log => true,
+ protocols => ['h2', 'http/1.1'],
+ serveradmin => 'svn-admin@cacert.org',
+ ssl => true,
+ ssl_cert => "/etc/ssl/public/${external_name}.chain.pem",
+ ssl_key => "/etc/ssl/private/${external_name}.key.pem",
+ ssl_protocol => $ssl_protocols,
+ ssl_cipher => join($ssl_cipers, ':'),
+ ssl_honorcipherorder => 'on',
+ ssl_stapling => true,
+ docroot => false,
+ manage_docroot => false,
+ custom_fragment => epp('profiles/subversion_server/svn_password_auth.epp'),
+ }
+}
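Review bot: The `${external_name}-http` vhost serves the repository on port 80 with the same `svn_anonymous.epp` fragment as the client-certificate vhost, so whatever `/srv/dav_svn.authz` grants to anonymous users is reachable over cleartext, and nothing in the manifest says this is intended. If anonymous read-only checkout over HTTP is the goal, a comment above the vhost should say so; otherwise the port 80 vhost could redirect to HTTPS instead of carrying `Dav svn`. Two smaller points: `$ssl_cipers` is presumably meant to be `$ssl_ciphers`, and the protocol and cipher lists defined here are repeated as literals in the three new Apache templates, so one shared definition would keep them from drifting apart.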
diff --git a/sitemodules/profiles/manifests/wordpress.pp b/sitemodules/profiles/manifests/wordpress.pp
new file mode 100644
index 0000000..f38eee7
--- /dev/null
+++ b/sitemodules/profiles/manifests/wordpress.pp
@@ -0,0 +1,79 @@
+# Class: profiles::wordpress
+# ==========================
+#
+# This class is work in progress to manage the Wordpress blog CMS.
+#
+# The class only takes care of proper certificate setup for now only.
+#
+# Parameters
+# ----------
+#
+# @param external_name External host name used for the Apache VirtualHost
+#
+# Examples
+# --------
+#
+# @example
+# class roles::myhost {
+# include profiles::wordpress
+# }
+#
+# Authors
+# -------
+#
+# Jan Dittberner <jandd@cacert.org>
+#
+# Copyright
+# ---------
+#
+# Copyright 2021 Jan Dittberner
+#
+class profiles::wordpress (
+ String $external_name = 'blog.cacert.org',
+) {
+ include profiles::x509cert_common
+
+ $server_cert = "/etc/ssl/public/${external_name}.crt.pem"
+ $server_key = "/etc/ssl/private/${external_name}.key.pem"
+ $server_chain = "/etc/ssl/public/${external_name}.chain.pem"
+ $client_ca_certificates = "/etc/ssl/public/${external_name}_client_cas.pem"
+
+ # Remove certificates from old locations
+ file { [
+ '/etc/ssl/public/blog.cacert.org.crt',
+ '/etc/ssl/public/CAcert.crt',
+ '/etc/ssl/private/blog.cacert.org.key']:
+ ensure => absent,
+ }
+ file { '/etc/apache2/sites-available/blog-ssl.conf':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => epp('profiles/wordpress/wordpress-ssl.conf.epp', {
+ server_name => $external_name,
+ server_cert => $server_cert,
+ server_key => $server_key,
+ server_chain => $server_chain,
+ client_ca_certificates => $client_ca_certificates,
+ }),
+ notify => Service['apache2'],
+ }
+ file { '/etc/apache2/sites-enabled/blog-ssl.conf':
+ ensure => link,
+ owner => 'root',
+ group => 'root',
+ target => '/etc/apache2/sites-available/blog-ssl.conf',
+ notify => Service['apache2'],
+ }
+ service { 'apache2':
+ ensure => running,
+ enable => true,
+ subscribe => [
+ File[$server_cert],
+ File[$server_key],
+ Concat[$server_chain],
+ Concat[$client_ca_certificates],
+ ],
+ }
+}
diff --git a/sitemodules/profiles/manifests/x509cert_common.pp b/sitemodules/profiles/manifests/x509cert_common.pp
index bdc1a33..380b505 100644
--- a/sitemodules/profiles/manifests/x509cert_common.pp
+++ b/sitemodules/profiles/manifests/x509cert_common.pp
@@ -10,10 +10,16 @@
# @param certificates Hash data structure with certificate names as key and
# certificate information as value the individual
# entries are expected to have certificate, private_key
-# and cachain entries with PEM encoded data. Private
-# keys have to be encrypted using eyaml. The cachain
-# entry should contain an array of CA certificate
-# identifiers.
+# and cachain and client_ca_certificates entries with
+# PEM encoded data. Private keys have to be encrypted
+# using eyaml. The cachain entry should contain an array
+# of CA certificate identifiers. The
+# client_ca_certificates entry should contain an array
+# of CA certificate identifiers.
+# The optional key_owner, key_group and key_mode entries
+# can be used to override the defaults of 'root',
+# 'root', '0640' for the private key file ownership and
+# permissions.
#
# Examples
# --------
@@ -31,7 +37,7 @@
# Copyright
# ---------
#
-# Copyright 2020 Jan Dittberner
+# Copyright 2020-2021 Jan Dittberner
class profiles::x509cert_common (
Hash[String, Data] $certificates,
) {
@@ -51,9 +57,9 @@ class profiles::x509cert_common (
$certificates.each |String $name, Data $cert_info| {
file { "/etc/ssl/private/${name}.key.pem":
ensure => file,
- owner => 'root',
- group => 'root',
- mode => '0640',
+ owner => pick($cert_info['key_owner'], 'root'),
+ group => pick($cert_info['key_group'], 'root'),
+ mode => pick($cert_info['key_mode'], '0640'),
content => $cert_info['private_key'],
}
file { "/etc/ssl/public/${name}.crt.pem":
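Review bot: `key_mode` is taken from the Hiera entry without any constraint, so a typo such as `0644` would make the private key readable by every local user, and Puppet would enforce that mode on each run. Because `$certificates` is typed `Hash[String, Data]`, nothing checks these keys; I would validate the value before use, for example `mode => assert_type(Pattern[/\A0[0-7][0-7]0\z/], pick($cert_info['key_mode'], '0640')),`, so that only owner and group bits can be set. A short comment above the three `pick()` calls noting that access should be granted through `key_group` rather than a wider mode would help as well. The enclosing `each` block continues outside the hunk.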
@@ -84,5 +90,23 @@ class profiles::x509cert_common (
source => "puppet:///modules/profiles/base/cacert_${ca_cert}.crt",
}
}
+
+ if 'client_ca_certificates' in $cert_info {
+ $client_ca_certificates = "/etc/ssl/public/${name}_client_cas.pem"
+ concat { $client_ca_certificates:
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ }
+ $cert_info['client_ca_certificates'].each |$index, $ca_cert| {
+ $order = 10 + $index
+ concat::fragment { "${name}-client-${ca_cert}":
+ order => $order,
+ target => $client_ca_certificates,
+ source => "puppet:///modules/profiles/base/cacert_${ca_cert}.crt",
+ }
+ }
+ }
}
}
diff --git a/sitemodules/profiles/templates/cacert_boardvoting/config.yaml.epp b/sitemodules/profiles/templates/cacert_boardvoting/config.yaml.epp
index 7de0c14..1e3309d 100644
--- a/sitemodules/profiles/templates/cacert_boardvoting/config.yaml.epp
+++ b/sitemodules/profiles/templates/cacert_boardvoting/config.yaml.epp
@@ -5,16 +5,19 @@
Integer $mail_port,
String $motion_address,
String $sender_address,
- String $vote_address
+ String $vote_address,
+ String $server_cert,
+ String $server_key,
+ String $client_ca_certs
| -%>
---
notice_mail_address: <%= $motion_address %>
vote_notice_mail_address: <%= $vote_address %>
notification_sender_address: <%= $sender_address %>
database_file: /srv/cacert-boardvoting/data/database.sqlite
-client_ca_certificates: /srv/cacert-boardvoting/data/cacert_class3.pem
-server_certificate: /srv/cacert-boardvoting/data/server.crt
-server_key: /srv/cacert-boardvoting/data/server.key
+client_ca_certificates: <%= $client_ca_certs %>
+server_certificate: <%= $server_cert %>
+server_key: <%= $server_key %>
https_address: ":8443"
cookie_secret: <%= $cookie_secret %>
csrf_key: <%= $csrf_key %>
diff --git a/sitemodules/profiles/templates/mantisbt/mantis-ssl.conf.epp b/sitemodules/profiles/templates/mantisbt/mantis-ssl.conf.epp
new file mode 100644
index 0000000..ac83fa9
--- /dev/null
+++ b/sitemodules/profiles/templates/mantisbt/mantis-ssl.conf.epp
@@ -0,0 +1,35 @@
+<%- | String $server_name,
+ String $server_cert,
+ String $server_key,
+ String $server_chain,
+ String $client_ca_certificates,
+| -%>
+# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN BY THE
+# NEXT PUPPET RUN
+<VirtualHost *:443>
+ ServerName <%= $server_name %>
+
+ SSLEngine on
+ SSLCertificateFile <%= $server_cert %>
+ SSLCertificateKeyFile <%= $server_key %>
+ SSLCertificateChainFile <%= $server_chain %>
+ SSLCACertificateFile <%= $client_ca_certificates %>
+
+ SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1.1 -TLSv1
+ SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ SSLHonorCipherOrder on
+ SSLOptions +StdEnvVars
+ SSLVerifyDepth 3
+ SSLVerifyClient optional
+
+ Include /etc/apache2/sites-available/mantis
+
+ # Use HTTP Strict Transport Security to force client to use secure
+ # connections only
+ Header always set Strict-Transport-Security "max-age=31536000"
+
+ <IfModule mod_rewrite.c>
+ RewriteEngine on
+ RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
+ </IfModule>
+</VirtualHost>
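Review bot: The `RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS` inside the `<IfModule mod_rewrite.c>` block is not followed by any `RewriteRule`, so it has no effect. With `SSLVerifyClient optional`, nothing visible in this vhost acts on a missing or failed client certificate. If enforcement lives in the included `/etc/apache2/sites-available/mantis`, a comment should say so and the dangling condition can be dropped; if a rule was lost when the configuration was moved into Puppet, it needs to be restored. The same orphaned conditions appear in `wordpress-ssl.conf.epp` under `<Location /wp-login.php>`.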
diff --git a/sitemodules/profiles/templates/moinmoin/wiki.conf.epp b/sitemodules/profiles/templates/moinmoin/wiki.conf.epp
new file mode 100644
index 0000000..16a41db
--- /dev/null
+++ b/sitemodules/profiles/templates/moinmoin/wiki.conf.epp
@@ -0,0 +1,69 @@
+<%- | String $server_name,
+ String $server_cert,
+ String $server_key,
+ String $server_chain,
+ String $client_ca_certificates,
+| -%>
+# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN BY THE
+# NEXT PUPPET RUN
+
+WSGIDaemonProcess moin user=www-data group=www-data home=/srv/www/wiki processes=2 threads=20 umask=0007 display-name=wsgi-moin
+
+<VirtualHost *:80>
+ ServerName <%= $server_name %>
+ ServerAdmin wiki-admin@cacert.org
+
+ Alias /moin_static1910/cacert/css "/srv/www/wiki/htdocs/css"
+ Alias /moin_static1910/cacert/img "/srv/www/wiki/htdocs/img"
+ Alias /moin_static1910 "/srv/www/wiki/moin-1.9.10/share/moin/htdocs"
+ Alias /moin_static199/cacert/css "/srv/www/wiki/htdocs/css"
+ Alias /moin_static199/cacert/img "/srv/www/wiki/htdocs/img"
+ Alias /moin_static199 "/srv/www/wiki/moin-1.9.9/share/moin/htdocs"
+ Alias /robots.txt /srv/www/wiki/moin/share/moin/htdocs/robots.txt
+ Alias /favicon.ico /srv/www/wiki/htdocs/img/favicon.ico
+ Alias /BingSiteAuth.xml /srv/www/wiki/htdocs/verify/BingSiteAuth.xml
+
+ WSGIScriptAlias / /srv/www/wiki/moin.wsgi
+ WSGIProcessGroup moin
+ QS_SrvMaxConn 400
+
+ RedirectMatch permanent /wiki/(.*) /$1
+ DocumentRoot /srv/www/wiki/htdocs
+ CustomLog /var/log/apache2/<%= $server_name %>-access.log combined
+ ErrorLog /var/log/apache2/<%= $server_name %>-error.log
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName <%= $server_name %>
+ ServerAdmin wiki-admin@cacert.org
+
+ SSLEngine on
+ SSLCertificateFile <%= $server_cert %>
+ SSLCertificateKeyFile <%= $server_key %>
+ SSLCertificateChainFile <%= $server_chain %>
+ SSLCACertificateFile <%= $client_ca_certificates %>
+
+ SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1.1 -TLSv1
+ SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ SSLHonorCipherOrder on
+ SSLOptions +StdEnvVars
+ SSLVerifyDepth 3
+
+ Header always set Strict-Transport-Security "max-age=31536000"
+
+ Alias /moin_static1910/cacert/css "/srv/www/wiki/htdocs/css"
+ Alias /moin_static1910/cacert/img "/srv/www/wiki/htdocs/img"
+ Alias /moin_static1910 "/srv/www/wiki/moin-1.9.10/share/moin/htdocs"
+ Alias /moin_static199/cacert/css "/srv/www/wiki/htdocs/css"
+ Alias /moin_static199/cacert/img "/srv/www/wiki/htdocs/img"
+ Alias /moin_static199 "/srv/www/wiki/moin-1.9.9/share/moin/htdocs"
+ Alias /robots.txt /srv/www/wiki/moin/share/moin/htdocs/robots.txt
+ Alias /favicon.ico /srv/www/wiki/htdocs/img/favicon.ico
+
+ WSGIScriptAlias / /srv/www/wiki/moin.wsgi
+ WSGIProcessGroup moin
+ RedirectMatch permanent /wiki/(.*) /$1
+ DocumentRoot /srv/www/wiki/htdocs
+ CustomLog /var/log/apache2/<%= $server_name %>-ssl-access.log combined
+ ErrorLog /var/log/apache2/<%= $server_name %>-ssl-error.log
+</VirtualHost>
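Review bot: The `*:443` vhost sets `SSLCACertificateFile` and `SSLVerifyDepth 3` but, unlike the mantis and wordpress templates, has no `SSLVerifyClient` line. Apache's default of `none` therefore applies, and client certificates are never requested unless another configuration file sets it. If certificate login to the wiki is intended, add `SSLVerifyClient optional`; if not, drop the two client-CA directives or add a comment on why they stay. Separately, the `*:80` vhost serves the full wiki over HTTP, so the `Strict-Transport-Security` header only protects browsers that have already visited the HTTPS site; a comment stating whether plain HTTP is kept on purpose would help.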
diff --git a/sitemodules/profiles/templates/subversion_server/svn_anonymous.epp b/sitemodules/profiles/templates/subversion_server/svn_anonymous.epp
new file mode 100644
index 0000000..4277001
--- /dev/null
+++ b/sitemodules/profiles/templates/subversion_server/svn_anonymous.epp
@@ -0,0 +1,8 @@
+<Location />
+ Dav svn
+ SVNPath "/srv/svnrepo"
+ Order deny,allow
+ Allow from all
+
+ AuthzSVNAccessFile "/srv/dav_svn.authz"
+</Location>
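Review bot: `Order deny,allow` and `Allow from all` are Apache 2.2 access directives that on 2.4 only work through `mod_access_compat`, and the manifest does not visibly load that module. The 2.4 spelling of the same intent is `Require all granted`, to be checked against how `mod_authz_svn` is expected to handle anonymous access here. In `svn_password_auth.epp` the two lines can simply go, since `Require valid-user` is already present and the Apache documentation discourages mixing both styles in one `<Location>`. A one-line comment that access decisions are delegated to `/srv/dav_svn.authz` would also make the open `<Location />` easier to review.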
diff --git a/sitemodules/profiles/templates/subversion_server/svn_password_auth.epp b/sitemodules/profiles/templates/subversion_server/svn_password_auth.epp
new file mode 100644
index 0000000..d972bf0
--- /dev/null
+++ b/sitemodules/profiles/templates/subversion_server/svn_password_auth.epp
@@ -0,0 +1,13 @@
+<Location />
+ Dav svn
+ SVNPath "/srv/svnrepo"
+ Order deny,allow
+ Allow from all
+
+ AuthType basic
+ AuthName "CAcert.org Subversion repository"
+ AuthUserFile "/srv/dav_svn.passwd"
+
+ AuthzSVNAccessFile "/srv/dav_svn.authz"
+ Require valid-user
+</Location>
diff --git a/sitemodules/profiles/templates/wordpress/wordpress-ssl.conf.epp b/sitemodules/profiles/templates/wordpress/wordpress-ssl.conf.epp
new file mode 100644
index 0000000..7eeb31e
--- /dev/null
+++ b/sitemodules/profiles/templates/wordpress/wordpress-ssl.conf.epp
@@ -0,0 +1,36 @@
+<%- | String $server_name,
+ String $server_cert,
+ String $server_key,
+ String $server_chain,
+ String $client_ca_certificates,
+| -%>
+# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN BY THE
+# NEXT PUPPET RUN
+<VirtualHost *:443>
+ ServerName <%= $server_name %>
+
+ SSLEngine on
+ SSLCertificateFile <%= $server_cert %>
+ SSLCertificateKeyFile <%= $server_key %>
+ SSLCertificateChainFile <%= $server_chain %>
+ SSLCACertificateFile <%= $client_ca_certificates %>
+
+ SSLProtocol ALL -SSLv2 -SSLv3 -TLSv1.1 -TLSv1
+ SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ SSLHonorCipherOrder on
+ SSLOptions +StdEnvVars
+ SSLVerifyDepth 3
+ SSLVerifyClient optional
+
+ Include /etc/apache2/cacert/blog.inc.conf
+
+ RewriteEngine On
+ RewriteRule ^/[0-9]{4}/[0-9]{2}/([0-9]+)\.html$ ?p=$1 [R=302,L]
+ <Location /wp-login.php>
+ <IfModule mod_rewrite.c>
+ RewriteEngine on
+ RewriteCond %{HTTP_USER_AGENT} .*Safari.*
+ RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
+ </IfModule>
+ </Location>
+</VirtualHost>
diff --git a/sitemodules/roles/manifests/blog.pp b/sitemodules/roles/manifests/blog.pp
index 032976a..3e3635e 100644
--- a/sitemodules/roles/manifests/blog.pp
+++ b/sitemodules/roles/manifests/blog.pp
@@ -18,11 +18,12 @@
# Copyright
# ---------
#
-# Copyright 2020 Jan Dittberner
+# Copyright 2020-2021 Jan Dittberner
#
class roles::blog {
include profiles::base
include profiles::rsyslog
include profiles::purge_nrpe_agent
include profiles::icinga2_agent
+ include profiles::wordpress
}
diff --git a/sitemodules/roles/manifests/bugs.pp b/sitemodules/roles/manifests/bugs.pp
index 07c8a6a..49b06d8 100644
--- a/sitemodules/roles/manifests/bugs.pp
+++ b/sitemodules/roles/manifests/bugs.pp
@@ -25,4 +25,5 @@ class roles::bugs {
include profiles::rsyslog
include profiles::purge_nrpe_agent
include profiles::icinga2_agent
+ include profiles::mantisbt
}
diff --git a/sitemodules/roles/manifests/infra03.pp b/sitemodules/roles/manifests/infra03.pp
new file mode 100644
index 0000000..ac5dc72
--- /dev/null
+++ b/sitemodules/roles/manifests/infra03.pp
@@ -0,0 +1,26 @@
+# Class: roles::infra03
+# =====================
+#
+# This class defines the infra03 role for the infra03 infrastructure host. You
+# should assign this class using hiera or via an ENC.
+#
+# Examples
+# --------
+#
+# @example
+# class { 'roles::infra03': }
+#
+# Authors
+# -------
+#
+# Jan Dittberner <jandd@cacert.org>
+#
+# Copyright
+# ---------
+#
+# Copyright 2021 Jan Dittberner
+#
+class roles::infra03 {
+ include profiles::base
+ #include profiles::icinga2_satellite
+}
diff --git a/sitemodules/roles/manifests/svnserver.pp b/sitemodules/roles/manifests/svnserver.pp
index 2115c4c..acac195 100644
--- a/sitemodules/roles/manifests/svnserver.pp
+++ b/sitemodules/roles/manifests/svnserver.pp
@@ -18,11 +18,12 @@
# Copyright
# ---------
#
-# Copyright 2016-2019 Jan Dittberner
+# Copyright 2016-2021 Jan Dittberner
#
class roles::svnserver {
include profiles::base
include profiles::rsyslog
include profiles::purge_nrpe_agent
include profiles::icinga2_agent
+ include profiles::subversion_server
}
diff --git a/sitemodules/roles/manifests/wiki.pp b/sitemodules/roles/manifests/wiki.pp
index 3e251df..58eccce 100644
--- a/sitemodules/roles/manifests/wiki.pp
+++ b/sitemodules/roles/manifests/wiki.pp
@@ -18,11 +18,12 @@
# Copyright
# ---------
#
-# Copyright 2020 Jan Dittberner
+# Copyright 2020-2021 Jan Dittberner
#
class roles::wiki {
include profiles::base
include profiles::rsyslog
include profiles::purge_nrpe_agent
include profiles::icinga2_agent
+ include profiles::moinmoin
}