path: root/sitemodules/profiles/manifests/cacert_selfservice.pp
blob: 1d0e5d05a6b798a8d7cf64dd160a1849fe089422 (plain)
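# Class: profiles::cacert_selfservice
# ===================================
#
# This class defines the cacert_selfservice profile that configures the CAcert
# community self service system web interface. It installs the service package
# from the CAcert apt repository, deploys the TLS server certificate and its
# private key, assembles the CA bundles the service uses for API and client
# certificate validation, and keeps the service enabled and running.
#
# Parameters
# ----------
#
# @param server_certificate  PEM encoded X.509 server certificate
#
# @param server_private_key  PEM encoded unencrypted RSA private key. Pass it
#                            as a Sensitive value (e.g. via hiera
#                            lookup_options convert_to Sensitive) so that it is
#                            not disclosed in catalogs, reports or agent logs;
#                            a plain String is still accepted and is wrapped in
#                            Sensitive before use.
#
# Examples
# --------
#
# @example
#   class roles::myhost {
#     include profiles::cacert_selfservice
#   }
#
# Authors
# -------
#
# Jan Dittberner <jandd@cacert.org>
#
# Copyright
# ---------
#
# Copyright 2019 Jan Dittberner
#
class profiles::cacert_selfservice (
  String $server_certificate,
  Variant[String, Sensitive[String]] $server_private_key,
) {
  # Expected to declare Apt::Source['cacert'], which the package below requires.
  include profiles::cacert_debrepo

  $service_name = 'cacert-selfservice'
  # The configuration lives under /etc/<service name>; the previous revision
  # interpolated an undefined $service_directory here, which yields "/etc/"
  # (or fails under strict_variables).
  $config_directory = "/etc/${service_name}"
  $config_file = "${config_directory}/config.yaml"
  $server_certificate_file = "${config_directory}/certs/server.crt.pem"
  $server_key_file = "${config_directory}/private/server.key.pem"
  $log_directory = "/var/log/${service_name}"

  $api_ca_file = "${config_directory}/certs/api_cas.pem"
  $client_ca_file = "${config_directory}/certs/client_cas.pem"

  # Always handle the private key as a Sensitive value so that neither the
  # compiled catalog nor the file resource's diff/report output contains it.
  $private_key_content = $server_private_key ? {
    Sensitive => $server_private_key,
    default   => Sensitive($server_private_key),
  }

  # NOTE(review): ensure => latest upgrades the service on every agent run as
  # soon as the repository publishes a newer build; pin a version here if
  # unattended upgrades of this component are not acceptable.
  package { $service_name:
    ensure  => latest,
    require => Apt::Source['cacert'],
  }

  # NOTE(review): the directories below are owned by the service user, so the
  # service itself could overwrite its own key and CA bundles. Root ownership
  # with group read access would be tighter; verify the service does not need
  # write access before changing this.
  file { $log_directory:
    ensure  => directory,
    owner   => $service_name,
    group   => 'root',
    mode    => '0750',
    require => Package[$service_name],
  }
  file { "${config_directory}/certs":
    ensure  => directory,
    owner   => $service_name,
    group   => 'root',
    mode    => '0750',
    require => Package[$service_name],
  }
  # Private key directory: no access for anyone but the service user.
  file { "${config_directory}/private":
    ensure  => directory,
    owner   => $service_name,
    group   => 'root',
    mode    => '0700',
    require => Package[$service_name],
  }
  file { $server_certificate_file:
    ensure  => file,
    owner   => $service_name,
    group   => 'root',
    mode    => '0644',
    content => $server_certificate,
    require => File["${config_directory}/certs"],
    notify  => Service[$service_name],
  }
  # show_diff is disabled explicitly (it is also implied by Sensitive content)
  # so a key rotation never writes the old/new key material into the report.
  file { $server_key_file:
    ensure    => file,
    owner     => $service_name,
    group     => 'root',
    mode      => '0600',
    content   => $private_key_content,
    show_diff => false,
    require   => File["${config_directory}/private"],
    notify    => Service[$service_name],
  }
  # Bundle of CA certificates accepted for client certificate authentication:
  # CAcert Class 3 (X0E) followed by CAcert Class 1 (X0F).
  concat { $client_ca_file:
    ensure  => present,
    owner   => $service_name,
    group   => 'root',
    mode    => '0640',
    require => File["${config_directory}/certs"],
    notify  => Service[$service_name],
  }
  concat::fragment { 'cacert-class3-client-ca':
    tag    => 'cacert-class3-client-ca',
    order  => 10,
    target => $client_ca_file,
    source => 'puppet:///modules/profiles/base/cacert_class3_X0E.crt',
  }
  concat::fragment { 'cacert-class1-client-ca':
    tag    => 'cacert-class1-client-ca',
    order  => 20,
    target => $client_ca_file,
    source => 'puppet:///modules/profiles/base/cacert_class1_X0F.crt',
  }

  # CA bundle used to validate the API endpoint: only CAcert Class 3 (X0E).
  # The previous revision referenced an undefined $api_cas as the file title.
  file { $api_ca_file:
    ensure  => file,
    owner   => $service_name,
    group   => 'root',
    mode    => '0640',
    source  => 'puppet:///modules/profiles/base/cacert_class3_X0E.crt',
    require => File["${config_directory}/certs"],
    notify  => Service[$service_name],
  }

  # The service is restarted via the notify relationships above whenever the
  # server certificate, private key or either CA bundle changes.
  service { $service_name:
    ensure  => running,
    enable  => true,
    require => Package[$service_name],
  }
}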