sitemodules/profiles/manifests/cacert_selfservice.pp

   1 # Class: profiles::cacert_selfservice
   2 # ===================================
   3 #
   4 # This class defines the cacert_selfservice profile that configures the CAcert
   5 # community self service system web interface.
   6 #
   7 # Parameters
   8 # ----------
   9 #
  10 # @param server_certificate  PEM encoded X.509 server certificate
  11 #
  12 # @param server_private_key  PEM encoded unencrypted RSA private key
  13 #
  14 # Examples
  15 # --------
  16 #
  17 # @example
  18 #   class roles::myhost {
  19 #     include profiles::cacert_selfservice
  20 #   }
  21 #
  22 # Authors
  23 # -------
  24 #
  25 # Jan Dittberner <jandd@cacert.org>
  26 #
  27 # Copyright
  28 # ---------
  29 #
  30 # Copyright 2019 Jan Dittberner
  31 #
  32 class profiles::cacert_selfservice (
  33   String $server_certificate,
  34   String $server_private_key,
  35 ) {
  36   include profiles::cacert_debrepo
  37
  38   $service_name = 'cacert-selfservice'
  39   $config_directory = "/etc/${service_directory}"
  40   $config_file = "${config_directory}/config.yaml"
  41   $server_certificate_file = "${config_directory}/certs/server.crt.pem"
  42   $server_key_file = "${config_directory}/private/server.key.pem"
  43   $log_directory = "/var/log/${service_name}"
  44
  45   $api_ca_file = "${config_directory}/certs/api_cas.pem"
  46   $client_ca_file = "${config_directory}/certs/client_cas.pem"
  47
  48   package { $service_name:
  49     ensure  => latest,
  50     require => Apt::Source['cacert'],
  51   }
  52
  53   file { $log_directory:
  54     ensure  => directory,
  55     owner   => $service_name,
  56     group   => 'root',
  57     mode    => '0750',
  58     require => Package[$service_name],
  59   }
  60   file { "${config_directory}/certs":
  61     ensure  => directory,
  62     owner   => $service_name,
  63     group   => 'root',
  64     mode    => '0750',
  65     require => Package[$service_name],
  66   }
  67   file { "${config_directory}/private":
  68     ensure  => directory,
  69     owner   => $service_name,
  70     group   => 'root',
  71     mode    => '0700',
  72     require => Package[$service_name],
  73   }
  74   file { $server_certificate_file:
  75     ensure  => file,
  76     owner   => $service_name,
  77     group   => 'root',
  78     mode    => '0644',
  79     content => $server_certificate,
  80     require => File["${config_directory}/certs"],
  81     notify  => Service[$service_name],
  82   }
  83   file { $server_key_file:
  84     ensure  => file,
  85     owner   => $service_name,
  86     group   => 'root',
  87     mode    => '0600',
  88     content => $server_private_key,
  89     require => File["${config_directory}/private"],
  90     notify  => Service[$service_name],
  91   }
  92   concat { $client_ca_file:
  93     ensure  => present
  94     owner   => $service_name,
  95     group   => 'root',
  96     mode    => '0640',
  97     require => File["${config_directory}/certs"],
  98     notify  => Service[$service_name],
  99   }
 100   concat::fragment { 'cacert-class3-client-ca':
 101     tag    => 'cacert-class3-client-ca',
 102     order  => 10,
 103     target => $client_ca_file,
 104     source => 'puppet:///modules/profiles/base/cacert_class3_X0E.crt',
 105   }
 106   concat::fragment { 'cacert-class1-client-ca':
 107     tag    => 'cacert-class1-client-ca',
 108     order  => 20,
 109     target => $client_ca_file,
 110     source => 'puppet:///modules/profiles/base/cacert_class1_X0F.crt',
 111   }
 112
 113   file { $api_cas:
 114     ensure  => file,
 115     owner   => $service_name,
 116     group   => 'root',
 117     mode    => '0640',
 118     source => 'puppet:///modules/profiles/base/cacert_class3_X0E.crt',
 119     require => File["${config_directory}/certs"],
 120     notify  => Service[$service_name],
 121   }
 122
 123   service { $service_name:
 124     ensure  => running,
 125     enable  => true,
 126     require => Package[$service_name],
 127   }
 128 }