[cacert-puppet.git] / sitemodules / profiles / manifests / cacert_selfservice_api.pp
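# Class: profiles::cacert_selfservice_api
# =======================================
#
# This class defines the cacert_selfservice_api profile that installs the
# CAcert community self service system API backend
#
# Parameters
# ----------
#
# @param server_certificate PEM encoded X.509 server certificate
#
# @param server_private_key PEM encoded unencrypted RSA private key
#
# @param listen_address address and TCP port the API backend listens on
#
# @param db_username MariaDB/MySQL user name
#
# @param db_password MariaDB/MySQL password
#
# @param db_name MariaDB/MySQL database name
#
# @param notification_recipient_address notification email recipient address
#
# @param notification_recipient_name notification email recipient name
#
# @param notification_sender_address notification email sender address
#
# @param mail_host hostname or IP address of the outgoing
# email server
#
# @param mail_port TCP port number of the outgoing email
# server
#
# @param client_identities List of client identities consisting of an
# id and key field for each client
#
# Examples
# --------
#
# @example
# class roles::myhost {
# include profiles::cacert_selfservice_api
# }
#
# Authors
# -------
#
# Jan Dittberner <jandd@cacert.org>
#
# Copyright
# ---------
#
# Copyright 2019 Jan Dittberner
#
class profiles::cacert_selfservice_api (
  String $server_certificate,
  String $server_private_key,
  String $listen_address = ':9443',
  String $db_username,
  String $db_password,
  String $db_name = 'cacertusers',
  String $notification_recipient_address = 'email-admin@cacert.org',
  String $notification_recipient_name = 'CAcert email administrators',
  String $notification_sender_address = 'returns@cacert.org',
  String $mail_host = 'localhost',
  # a port number outside 1..65535 cannot be a valid SMTP endpoint
  Integer[1, 65535] $mail_port = 25,
  # every entry is a hash carrying the keys 'id' and 'key'
  Array[Hash[String, String]] $client_identities,
) {
  # the package comes from the CAcert Debian repository set up by this profile
  include profiles::cacert_debrepo

  $service_name = 'cacert-selfservice-api'
  $config_directory = "/etc/${service_name}"
  $config_file = "${config_directory}/config.yaml"
  $server_certificate_file = "${config_directory}/certs/server.crt.pem"
  $server_key_file = "${config_directory}/private/server.key.pem"
  $log_directory = "/var/log/${service_name}"

  package { $service_name:
    ensure  => latest,
    require => Apt::Source['cacert'],
  }

  # all files are owned by the service user, which is presumably created by
  # the package, hence the Package[...] requirement on every directory
  file { $log_directory:
    ensure  => directory,
    owner   => $service_name,
    group   => 'root',
    mode    => '0750',
    require => Package[$service_name],
  }
  file { "${config_directory}/certs":
    ensure  => directory,
    owner   => $service_name,
    group   => 'root',
    mode    => '0750',
    require => Package[$service_name],
  }
  # only the service user may enter the directory holding the private key
  file { "${config_directory}/private":
    ensure  => directory,
    owner   => $service_name,
    group   => 'root',
    mode    => '0700',
    require => Package[$service_name],
  }
  # the certificate is public, so world-readable is fine
  file { $server_certificate_file:
    ensure  => file,
    owner   => $service_name,
    group   => 'root',
    mode    => '0644',
    content => $server_certificate,
    require => File["${config_directory}/certs"],
    notify  => Service[$service_name],
  }
  # show_diff => false keeps the private key material out of Puppet reports,
  # agent logs and --noop diff output
  file { $server_key_file:
    ensure    => file,
    owner     => $service_name,
    group     => 'root',
    mode      => '0600',
    content   => $server_private_key,
    show_diff => false,
    require   => File["${config_directory}/private"],
    notify    => Service[$service_name],
  }

  # each client key is handed to the template as a list of lines
  $api_clients = $client_identities.map |$identity| {
    {
      id        => $identity['id'],
      key_lines => split($identity['key'], "\n"),
    }
  }

  # the rendered configuration holds the database password and the client
  # keys, so it is readable only by the service user and never diffed
  file { $config_file:
    ensure    => file,
    owner     => $service_name,
    group     => 'root',
    mode      => '0600',
    show_diff => false,
    content   => epp('profiles/cacert_selfservice_api/config.yaml.epp', {
      server_certificate             => $server_certificate_file,
      server_key                     => $server_key_file,
      listen_address                 => $listen_address,
      db_username                    => $db_username,
      db_password                    => $db_password,
      db_name                        => $db_name,
      notification_sender            => $notification_sender_address,
      notification_recipient_address => $notification_recipient_address,
      notification_recipient_name    => $notification_recipient_name,
      mail_host                      => $mail_host,
      mail_port                      => $mail_port,
      clients                        => $api_clients,
      log_directory                  => $log_directory,
    }),
    require   => Package[$service_name],
    notify    => Service[$service_name],
  }

  service { $service_name:
    ensure  => running,
    enable  => true,
    require => Package[$service_name],
  }
}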