sitemodules/profiles/manifests/cacert_selfservice_api.pp

   1 # Class: profiles::cacert_selfservice_api
   2 # =======================================
   3 #
   4 # This class defines the cacert_selfservice_api profile that installs the
   5 # CAcert community self service system API backend
   6 #
   7 # Parameters
   8 # ----------
   9 #
  10 # @param server_certificate             PEM encoded X.509 server certificate
  11 #
  12 # @param server_private_key             PEM encoded unencrypted RSA private key
  13 #
  14 # @param db_username                    MariaDB/MySQL user name
  15 #
  16 # @param db_password                    MariaDB/MySQL password
  17 #
  18 # @param db_name                        MariaDB/MySQL database name
  19 #
  20 # @param notification_recipient_address notification email recipient address
  21 #
  22 # @param notification_recipient_name    notification email recipient name
  23 #
  24 # @param notification_sender_address    notification email sender address
  25 #
  26 # @param mail_host                      hostname or IP address of the outgoing
  27 #                                       email server
  28 #
  29 # @param mail_port                      TCP port number of the outgoing email
  30 #                                       server
  31 #
  32 # @param client_identities              List of client identies consisting of an
  33 #                                       id and key field for each client
  34 #
  35 # Examples
  36 # --------
  37 #
  38 # @example
  39 #   class roles::myhost {
  40 #     include profiles::cacert_selfservice_api
  41 #   }
  42 #
  43 # Authors
  44 # -------
  45 #
  46 # Jan Dittberner <jandd@cacert.org>
  47 #
  48 # Copyright
  49 # ---------
  50 #
  51 # Copyright 2019 Jan Dittberner
  52 #
  53 class profiles::cacert_selfservice_api (
  54   String $server_certificate,
  55   String $server_private_key,
  56   String $listen_address = ":9443",
  57   String $db_username,
  58   String $db_password,
  59   String $db_name = 'cacertusers',
  60   String $notification_recipient_address = 'email-admin@cacert.org',
  61   String $notification_recipient_name = 'CAcert email administrators',
  62   String $notification_sender_address = 'returns@cacert.org',
  63   String $mail_host = 'localhost',
  64   Integer $mail_port = 25,
  65   Array[Hash[String, String]] $client_identities,
  66 ) {
  67   include profiles::cacert_debrepo
  68
  69   $service_name = 'cacert-selfservice-api'
  70   $config_directory = "/etc/${service_name}"
  71   $config_file = "${config_directory}/config.yaml"
  72   $server_certificate_file = "${config_directory}/certs/server.crt.pem"
  73   $server_key_file = "${config_directory}/private/server.key.pem"
  74   $log_directory = "/var/log/${service_name}"
  75
  76   package { $service_name:
  77     ensure  => latest,
  78     require => Apt::Source['cacert'],
  79   }
  80
  81   file { $log_directory:
  82     ensure  => directory,
  83     owner   => $service_name,
  84     group   => 'root',
  85     mode    => '0750',
  86     require => Package[$service_name],
  87   }
  88   file { "${config_directory}/certs":
  89     ensure  => directory,
  90     owner   => $service_name,
  91     group   => 'root',
  92     mode    => '0750',
  93     require => Package[$service_name],
  94   }
  95   file { "${config_directory}/private":
  96     ensure  => directory,
  97     owner   => $service_name,
  98     group   => 'root',
  99     mode    => '0700',
 100     require => Package[$service_name],
 101   }
 102   file { $server_certificate_file:
 103     ensure  => file,
 104     owner   => $service_name,
 105     group   => 'root',
 106     mode    => '0644',
 107     content => $server_certificate,
 108     require => File["${config_directory}/certs"],
 109     notify  => Service[$service_name],
 110   }
 111   file { $server_key_file:
 112     ensure  => file,
 113     owner   => $service_name,
 114     group   => 'root',
 115     mode    => '0600',
 116     content => $server_private_key,
 117     require => File["${config_directory}/private"],
 118     notify  => Service[$service_name],
 119   }
 120
 121   $api_clients = $client_identities.map |$identity| {
 122     {
 123       id        => $identity['id'],
 124       key_lines => split($identity['key'], "\n"),
 125     }
 126   }
 127
 128   file { $config_file:
 129     ensure  => present,
 130     owner   => $service_name,
 131     group   => 'root',
 132     mode    => '0600',
 133     content => epp('profiles/cacert_selfservice_api/config.yaml.epp', {
 134       server_certificate             => $server_certificate_file,
 135       server_key                     => $server_key_file,
 136       listen_address                 => $listen_address,
 137       db_username                    => $db_username,
 138       db_password                    => $db_password,
 139       db_name                        => $db_name,
 140       notification_sender            => $notification_sender_address,
 141       notification_recipient_address => $notification_recipient_address,
 142       notification_recipient_name    => $notification_recipient_name,
 143       mail_host                      => $mail_host,
 144       mail_port                      => $mail_port,
 145       clients                        => $api_clients,
 146       log_directory                  => $log_directory,
 147     }),
 148     require => Package[$service_name],
 149     notify  => Service[$service_name],
 150   }
 151
 152   service { $service_name:
 153     ensure  => running,
 154     enable  => true,
 155     require => Package[$service_name],
 156   }
 157 }