Add configuration for selfservice API
authorJan Dittberner <jandd@cacert.org>
Sat, 17 Aug 2019 10:22:00 +0000 (12:22 +0200)
committerJan Dittberner <jandd@cacert.org>
Sat, 17 Aug 2019 10:22:00 +0000 (12:22 +0200)
hieradata/nodes/email.yaml
sitemodules/profiles/manifests/cacert_selfservice_api.pp
sitemodules/profiles/templates/cacert_selfservice_api/config.yaml.epp [new file with mode: 0644]

index 5a396ce..0ef2e9f 100644 (file)
@@ -23,3 +23,145 @@ profiles::cacert_selfservice_api::clients:
     MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAKRX/fSOOunEETpHqPKj8k1/zv1R
     0J/6SxMU+jix4InG1tFL6yiikQqZMY9Gu4yYgF/WhiLrgjPbaGvlln0/FA==
     -----END PUBLIC KEY-----
+profiles::cacert_selfservice_api::db_password: >
+    ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEw
+    DQYJKoZIhvcNAQEBBQAEggEAjOBz2QKZTSY8lyV3SWjjatpm4CdVHPr4kfmx
+    UwfclDNRZr2w2vZgFLOlImfwJCpGa0xJsEHtS+IEkIV8Mh7jfCmQ6bVWDGtt
+    q1mYRdFHtUX4P2/Yw0sSXuMa7IGKeV7xYL3KNxZljjNieNP//DoCKF1MNE0V
+    ik2xO6IRTd8vT2VAVOxSgarn9hs5aL7PpxmvTH0rp+Q5pgjUm4cHFjbW3ur5
+    q2XWwfydXPfnBsG17xHlrFJowMZM9fRyq7FuYsm+zIYkm1+AgzFEr6ogA4Fc
+    pTVghKACVzFMpd9v7u9FRvqbrUR+Q1GdckbwkvAJlkCkPLKah1LHoZW4jHlj
+    OWG1xTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDMdsp1Zc87SdO2yp+w
+    R9V1gDAZYPSwQJ/GbXBPy614dS5z++Q/8Go0Eve3bX+atTkYa4q3E5qrscAb
+    CtCL1kfU66I=]
+profiles::cacert_selfservice_api::db_username: >
+    ENC[PKCS7,MIIBeQYJKoZIhvcNAQcDoIIBajCCAWYCAQAxggEhMIIBHQIBADAFMAACAQEw
+    DQYJKoZIhvcNAQEBBQAEggEAOj5c9aTiQd+MKVJmAoSMp+9/9YtdFmRtCyyA
+    6BMb3YqvQT8D70VI3Ttq6AaF0S3xttJvwHdDUgYv4pEJ9V7dnQUZb/mGi7ZN
+    NM/R7VPN7sT/yS/z45TvGyz/VjSQuisCzj/cCg6ikXg2//BXj2h68BebiQz+
+    2NqJWrucTCjvK48eEu8QDKzigUyjGOpwkVD89RB2dHacSPbHqA5yTP1YLQdY
+    JiG8S/IAqMjVKzuQiPnqrfmLBqiFHoARF68UML1rS46Tt5bV4DcVriIjZiUN
+    Nt9bzOpBkyFkqAYFzXbYyQ3JeR4Mfb9i2wP+tIw5Hd2GaeoWBEJAdaqzsOb0
+    5NJX+DA8BgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCl0t3nd/FDwqktfYoZ
+    ReaagBBkwO8Mi7X2JTPI4jX5lDrS]
+profiles::cacert_selfservice_api::listen_address: :9443
+profiles::cacert_selfservice_api::server_certificate: |
+    -----BEGIN CERTIFICATE-----
+    MIIGRjCCBC6gAwIBAgIDAtlUMA0GCSqGSIb3DQEBCwUAMFQxFDASBgNVBAoTC0NB
+    Y2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV
+    BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMTkwODE3MTAwMTA0WhcNMjEwODE2
+    MTAwMTA0WjBjMQswCQYDVQQGEwJBVTEMMAoGA1UECBMDTlNXMQ8wDQYDVQQHEwZT
+    eWRuZXkxFDASBgNVBAoTC0NBY2VydCBJbmMuMR8wHQYDVQQDExZlbWFpbC5pbmZy
+    YS5jYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzyu4
+    maECP9uBDeaqV9WDkEHj4YM67yMhenpdvabPV9b7bWXX0EeBmXiEd+8sHKR3cJqn
+    i2RAnthNJdNYHf0cgJjyhDGAVU5RL1uZMaEbtTIX7jWPbXMp1OX2I8pDtgB5QLAm
+    Q5sKmXhgH+DCVhxaud5B/CCI6eGfMjxH4fi5+iqSWsopa8Eh6If6pgh1WcFiXu+U
+    QUa+2oSOwzG+AS16g1guNq+dqQKpGDx+qT4gg/QWrt5/bEhTlZOMUUPi9MoIV5lU
+    Lqdgkn6Df6DPisT7S7iYrEM3HBLsxxoCT934UP/TN7yaOjgXYLVO59YzltOCAPiK
+    nqheDAgHTFOqEQjxzY49fr4xHzf7eS4AaZzkM5x65lL7gmCXBKhOgGf5o1uiy90/
+    nP1A16QWJZbjFZs/ExwSOqDUMqp2rfxkjE8UCHy2WQeBsOYUrWeDqUMoAlPRDbnM
+    EYYY+cbddFiorBsT8Pps/qJzp6jYnFK38N+jRY8VkaDfN4L2LIkNv6lpiCt/7QNi
+    7+LzFfzaSNkThaF4Gp0feTbzLvuMhMuZevC1MynrYyvCCoSgRPl8WuFvY+Unb4Cy
+    gjTpf6GIyNmnDFkVrGNX6VEXIJrJA7OmlWN4aKlyeNKpUhKkjAAh+GA72PpD6Hmq
+    SxFNPKQrVzzToXebo4y48axz6lklSlK8uTgrBh8CAwEAAaOCARAwggEMMAwGA1Ud
+    EwEB/wQCMAAwDgYDVR0PAQH/BAQDAgOoMDQGA1UdJQQtMCsGCCsGAQUFBwMCBggr
+    BgEFBQcDAQYJYIZIAYb4QgQBBgorBgEEAYI3CgMDMDMGCCsGAQUFBwEBBCcwJTAj
+    BggrBgEFBQcwAYYXaHR0cDovL29jc3AuY2FjZXJ0Lm9yZy8wOAYDVR0fBDEwLzAt
+    oCugKYYnaHR0cDovL2NybC5jYWNlcnQub3JnL2NsYXNzMy1yZXZva2UuY3JsMEcG
+    A1UdEQRAMD6CFmVtYWlsLmluZnJhLmNhY2VydC5vcmegJAYIKwYBBQUHCAWgGAwW
+    ZW1haWwuaW5mcmEuY2FjZXJ0Lm9yZzANBgkqhkiG9w0BAQsFAAOCAgEAmKDmji08
+    koYvS66tqKHXD8ZVJuKDw1B7SqXhhDiBvkXULBK2MXzvBiwVDhHvVNY7hhhFbEvl
+    EZ9VQqU6VQdyqNMbGs8kvxGprK6cQ2D3LWxWDCspLgd7pRfQPtXH8kCX4+PYC4z6
+    9JI3SAAbs9e0ZcriBHgYFqwWPCD/h93qw6YVJ9O7w7sqfbvx8zu0nsWgHS+USSJT
+    McUZBqjIjuPf0iDMz5eCaFN71Lhv4rnXxQu8SAvXdeyDtLxbGoclkdk3LnTZZ3G6
+    dXIinczFXDlcvruz9cERMiMeS8hsUGG0mq0gwTccZk1/WojDzzPSQ2M3pGnb2fzR
+    2NmceySpeAEnPDveHaBqIXT36o2lASOWBXbrO7ARLydaVwTPfXiWUhH1kmsO6BcI
+    k1KcR6xG6K1yQOAa01DTVG/aYmt5lYs6iT0m9xSFpY1EGg7fSO9vYJqLVkoCIkkP
+    /uur65E8uM8bcA0aQHocWzqoVqKDkaUXFvQ4rLARwj3HyDer2vbAYc/NXCzixXQ5
+    bfXjau191GR+k1XNRNhDos6ZZ3mlNLAQ0koNLLzOeLw4IoN15ygfaPlE5OLyE7U4
+    mOORoFO3RvlIVJthDhXBrHdiDKPyWpkFIKLVZRQrAZ4vFTUV3wZsO8iD7gTLQKQC
+    b+iz+XNVJ4wqRfdrX3VBBCYy8SNxRNEpLtE=
+    -----END CERTIFICATE-----
+profiles::cacert_selfservice_api::server_private_key: >
+    ENC[PKCS7,MIIOPQYJKoZIhvcNAQcDoIIOLjCCDioCAQAxggEhMIIBHQIBADAFMAACAQEw
+    DQYJKoZIhvcNAQEBBQAEggEAo+kOuakLJWl4gVaTboTX9JodKuNNtKTTFQk2
+    bDFa3brAitjmvnoNsX27+Qi+JCQJ9fuqCI1pkdiWDP6iXB5XORFLXRCUBLCA
+    5ZNf2me3u8SYgxOH1yVo7AgDw8J6bYqQwcecTm0y0DkmZgEQBryZJVHe6CPD
+    7WqBwJreoYI6z/AMoeG9GAsa4CjziRvBTfbymXYtjO3prssRaCQ0rXHiD6JU
+    5a90YZm1U2/VwqwjWpTgYFD05hIHCtyD5PNlB8xd+S9sFRsRkRAFIUXkGIfI
+    6fjXHe7Jd5bTxMaKIaZmhuxqf4XEqf2qu0mMd9134XzhHJud5EmnH4HGjuIq
+    NRvCtDCCDP4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEAWjoyge8WbAplaP
+    30tTCheAggzQ1xj7c23DNmkfATMVVBXlMO29wiov/MncD8zumAY+Jp0g+2Y0
+    z7sN6TJdcFMWgEf1+6TPtZnIfWJ04TmpnYEaZd74J+xbUqKEakp56A2CdKdP
+    wf8oiWX5FD2zvU7irXuU6G9k7eCn9K71gNXDrlEw+roKIZskPo1jVhGNRg/U
+    Hv4WaticAlEv/txJJKCyQOSz4H8msmV13jKa7yLruM96Pm+AzxEk4NaV/DEB
+    FS2dvDIQYOXaQZfKMNKSgutnaKeUuyw0VeCMY4y5iRkHGIGJ91iy6KmSa2cS
+    R53o9CMpFcN9LUhMAvNdB8ZIv5qFapndIqjZXa+wSS1ixKoOa/1uXpPcGnDs
+    drx0N7NeN8J4/TqlkAFm2Ga2ehjxVGCrN37jH6Z3cr9qFF/1x40ujuSaCI9/
+    eC3gZNwowQOzqfINkZdXW/MLmAFeKm+2Bznh/syO2cb8n0TK0hncrf6sqA+k
+    JTCYvwqoTDHiWWkXJ7u5uGTdbIxl1H9LPgJpRqNK7G7BItV0Do20CG+uKEVx
+    gMlA743kdPjXZ4GbPPtSVbS5iEhfHo0IGVb8mQvNeye32NfT1QsgkNT9NNFK
+    U2aFiROwYJGYoJ5zcth9HXMLInjfOggdvZM0DLKz65p8Hob5F3sNhZrSyFEm
+    MEFYS8fsoNVdfmkBZ8JA8nHYOAaUMqmhhFDIn4g3Mnb7kGur+t97C1MzsqOI
+    lqz8Vdhm3gqL/UKZp2NoPIyH1cTUACtpOXz8nJY25QJdEyhzgkX7UnGCRRuz
+    Ev8dPZFRxNwuNO2N7ziDijePK9/VT9iK3CKb4gH8l/Zx51x62mUSGXEnNj6b
+    Wwnde/o3acqGUF6qvyzeBHelDoSEC336zzCRyut0bGJD3P5zgmNYJ9WUQfph
+    n2FdLv1Ddy9m0o1W+k0AUjKg+/Tfs/0Cw7Ma5EaykRvhP57HyteVCCwJIbhf
+    Tf+8A3hw7lGwtUcTaclLs9o6JOhMzepWsigr/M1p3Ec/yjhORMCph7uD24UV
+    cz2sd9BZhPUHi/NpBUt+KlxyRkwZzFfX8yKGzzp9kgO0EOcjKNq2tFfTY6xn
+    /7Wu6tCp2DPFV/SZUcvF5SYuh2RSNBotj/BcGnY5/V8FACHxHLI2WCKCBHPZ
+    5SMx2JXxzg975HO5v6RK8gKiF//znG5u1U3JuS6NhGq90/EbAhhvF+LoCb6E
+    dyWy1jWWOvrWAOa6nGxP+55wdQUGpgey2bADp9lhPKcAMyJz/VOt16tpmyOJ
+    565ykWISRIk3zb9pffTnlJGqC/zEDN2IBydQ5cl7b1wK5pZWLBnL4De/14T0
+    5TWcZOYXd+xBdZtBi83owAWYFts3MD1RCz40FZJRkbj7QPalkDDFR32XQQW3
+    oPuxpNPwwUGfv/m/w2sIVeTSD4r6iEnYQreJ9xGHU7shErFjSWbYVeB/6wL+
+    Ty4PCPz9JaqDQgECTy7gNBNyw6n3ucVrmIhnEbN6tk3c8ehgWspeDgI9LNfx
+    hk0fUJLUBEnm/TINGolSdAsQSe/fZcOfq5L26SvSzJFlurFmmkaM5nF9kk06
+    cvLqBdHOIEo1uHZYnlU+qETdsFcWo5ZrA8EN0j5s0XxK+yZuVgah3uPZ47XQ
+    VrYJhaXTfSz0ybjiQRcteuivs/+wii6cfAoM9KZJoRSfNFgBpDvbIIHaWxci
+    DIFhw1GzPnpB71eeGkjm2XPSf7u23iXTvTUYYVbsaU/z0DjUFz21Y+oKH4zy
+    oUw0u9qa02Kvhk2YbI3xVDiMTkdd1coNW2wsW0nup8e0iU5epBAC9GV9IE3y
+    BEhjsV0ojuh4sItlFOdL9/vWqu0rbYZo6ObTXkWUKb+rbVHpj+bX4QyofOoX
+    BTndKhhtc1k4hVetbiSEG+MnOWSBZQN7CRHJT4/i4s7N21IvHBR2aowR7xNy
+    FayoipaGffhmJ8IFlevIJytCfc0/2vlRZ3h0pib6K8UaVqNMqkdlMGpSmYfH
+    M+SzqDTQhP52Rrsw7TVI8luE+j3G56XkLIzIsFeCN0ImV+LkwZ4xC8kurWs6
+    HqioS5xeiZJupMs/YKek37sUuy/1ODL2t30JbHaPLRffvlb6H3eJoQ6qFVI2
+    YzjwLWGWotrMduOONpnabSk/466dDgMmew7wANuTqPuD37uf34tqNVrAcmLi
+    +Nh2Cl6fve/ESlptDMDDN6ThpXXIH0+OAOYBQlqFu5VTfJth4/g8k6LJBDRK
+    I4ulySlVeENgQKTXvzcUpOo27xfdm4X9O4xU6CqOvtvirSuYzIodrEY821/F
+    ZCBteES9JcHiBlwB3ku6BUJuIfUqWajafVHyc2iHdTylO3PfoogATomG44gX
+    zOWsY0hM4WMV7bv50cGBVVZT9xzFoWdKBg9zn6dflMS4DapdrRaCiZ24YnRA
+    RElTOthV4a4nX6dlbPHXnb2kVSvQD3sIMKGwI51nnESoU9hKXnaKnkMNkmVg
+    sUDri3G52aJ3Plqy62x62DMQoHEkNriolK5nX+kNw/Yg/wNje6rQ4SvEkjCf
+    8VNsC/flbh6T/dP2C4uXoC+AwxCGx5l97WQWwrJ8Xwiuj1f0a0O7dv55ZbJw
+    AkwQRf6NHkWorekw+84wY6IOAQ3nK/vFj2A/Th6iszdNxu3i4MrxmTw/YWw4
+    eDgqV4nKAq2wz1q8xH5p8kjwcY46w088kHJoHllyheLhRlvaLsfIWKdHeHEa
+    aImSDrcOE/jjqjR7e8VOiP8Vjyc1NaxWQvHrFQW/X+MfcWvQdJ2p/oEwCQDE
+    mUZPJcddWqI9AamHlA/CsKJ56jqwqz4bGJMlqMqfAbdV8xDlWr9tbDnWectn
+    a8LwX4FXe0iMCpR4umBDtlFo23N8g6FRt9WZyBTBSoZlZ2Xp/UFO8TqEG3Ol
+    gVH3i9R7Set6o36kdhIUKSvsXt8vvO91HmNUmk24nhzQRwxrkL40RxrZh67O
+    RqwBWVTSW3xBaSz1RnVAmN6FxRL+qLWt5O4RYK4I9YgxZW+PQzVdyVzpUZGm
+    Q/GP9TcZN3723AhFy2tbRfEr/eHhlaSEB6ZuFMGkQ7ROn5RNdbwqex6B/wg8
+    x+y1RFOkEILgPtyJR/z5allWhaLbjuj5Czq9DqICp/Oy+HTAd17ETtTpbI7L
+    HtASYiwnv+tmxJQ2WBiqz6cZ78M6W+Zz3UN2uSr6Gquq/Jq+Y+BhjPbV+6Cv
+    pttMCZj60nRC+vCsJnl/SAZiiZe+y3VfFJnktwWiinjgaUSIF/IXZmUdN8Vz
+    MTFPWzMrx/Hhgng8M+sGRwuqNbtYe+Ug4hmGVNNbnE55SN2+6eoZz3Y3WIFC
+    ovXxxhpBvf5IVEVvYHnTSEFI5F/XNZBKktMjqQf8DAFP89EfzRz98Gg0MEif
+    RIoVNidxZREmoQ9DaEyIH/1CAopLVgcu8zS1jU8MPWY/B37vgTvkiY0YobyS
+    aDlus2SMdULymGfg//L99rq0R6a9NhH7UxuXqeUWznHwGijnyybUfDAsfIwp
+    LXoxmpT9ufn1pvOE9TYsPJxyJcv7QZq2EVR3nL/4l2O2NxUzJWtykXrKbBia
+    oBFSDXhotMd0w6uh4eS13BWb6HqHjReD7w+6exPQ5uZIf1RBxAmSke2+tAg3
+    hCHf8i2uRwA6DnBNgm0ORmuI+RTh9tCM0nRcDpusLwPbFk3UHgvE0W7bxb3h
+    WchznGDUCgqKH9KWbC4RPFI7zCDjE0I1k1Fpc9T0qfGyjIA5Hc7KVWsl42v+
+    NVsFdzN3RZRfv67NQxhl8RoniXF1sWin5XcUN+tNbB7cvCPj8sj4bU8rrQao
+    +c1R01exRvMHA13ry3haQj3rKX8T+e6QgqAlOfdnst+UpE2DBtaDJwReQBjf
+    3wePiQ2CN+tvdK89qzdIr6CLnuzSFNP+ZLpJhiP1fKV85Dnoqe1TSqFCSAR1
+    RVBsC17ZXkM6px76IcrOqjgLJmwxfAa5VyylkXsOon6UJ3l1EDDGk2KrKyOT
+    iHugNXTY6azUF+G3ASWs4lBlEHn6FDYuXOCd18zGKnUYU0Ql/f0SdCTwg2Vl
+    8GErdo0GMqcz2FUBvlRy1Ydt1nM+AOHb2GbciaD876/VTebUlPGiCOhtYNop
+    qnH/BCrm60ulv8l9y69E/9gclWuzJxNJEAChxPpbzV+sSgbPK+BDEey18aGo
+    YqD+7VGmz1yPxOdgUANFgJeWIksafJFRTrNZWeDYJa9Iu1ZMLk31+O6gJ68Y
+    lZjHjGommjPd+hKL+TG72k2XDqPNDfE7JQMoDwa/rKQeSzvf/j4rep6N75pQ
+    huAu6YafNhB8IBwK4oljoITzHVxzpCAP/Pis44IKOkbj4/HWQmJH/IQXmMEl
+    /02OqZvJJOgkpUGYrsJud+ZAATIhpZwb8JfQMw6mes/6aPdGCZjMJaHPgFjU
+    h6Q0uA==]
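Review bot: `profiles::cacert_selfservice_api::listen_address: :9443` is an unquoted scalar that starts with a colon, which Ruby's YAML loader can resolve to a Symbol instead of a String; because the class declares `String $listen_address`, writing it as `':9443'` removes that ambiguity. An address with no host part presumably binds the API on every interface, so it is worth confirming that host firewalling limits port 9443 to the intended clients. The eyaml `ENC[PKCS7,…]` values, including `server_private_key`, are only as well protected as the eyaml private key that decrypts them, so a short comment above these entries naming who holds that key and how it is rotated would help the next maintainer.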
index 904fe7d..8998131 100644 (file)
@@ -4,6 +4,34 @@
 # This class defines the cacert_selfservice_api profile that installs the
 # CAcert community self service system API backend
 #
+# Parameters
+# ----------
+#
+# @param server_certificate             PEM encoded X.509 server certificate
+#
+# @param server_private_key             PEM encoded unencrypted RSA private key
+#
+# @param db_username                    MariaDB/MySQL user name
+#
+# @param db_password                    MariaDB/MySQL password
+#
+# @param db_name                        MariaDB/MySQL database name
+#
+# @param notification_recipient_address notification email recipient address
+#
+# @param notification_recipient_name    notification email recipient name
+#
+# @param notification_sender_address    notification email sender address
+#
+# @param mail_host                      hostname or IP address of the outgoing
+#                                       email server
+#
+# @param mail_port                      TCP port number of the outgoing email
+#                                       server
+#
+# @param client_identities              List of client identies consisting of an
+#                                       id and key field for each client
+#
 # Examples
 # --------
 #
 # Copyright 2019 Jan Dittberner
 #
 class profiles::cacert_selfservice_api (
+  String $server_certificate,
+  String $server_private_key,
+  String $listen_address = ":9443",
+  String $db_username,
+  String $db_password,
+  String $db_name = 'cacertusers',
+  String $notification_recipient_address = 'email-admin@cacert.org',
+  String $notification_recipient_name = 'CAcert email administrators',
+  String $notification_sender_address = 'returns@cacert.org',
+  String $mail_host = 'localhost',
+  Integer $mail_port = 25,
+  Array[Hash[String][String] $client_identities,
 ) {
   include profiles::cacert_debrepo
 
   $service_name = 'cacert-selfservice-api'
+  $config_directory = "/etc/${service_name}"
+  $config_file = "${config_directory}/config.yaml"
+  $server_certificate_file = "${config_directory}/certs/server.crt.pem"
+  $server_key_file = "${config_directory}/private/server.key.pem"
   $log_directory = "/var/log/${service_name}"
 
   package { $service_name:
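Review bot: The last parameter, `Array[Hash[String][String] $client_identities,`, has unbalanced brackets and uses `Hash[String][String]` where Puppet's type syntax is `Hash[String, String]`, so the class is unlikely to parse as written; `Array[Hash[String, String]] $client_identities,` looks like the intent. The template's `$clients` parameter uses the same `Hash[String][String]` form, and there each entry also carries the `key_lines` array, so a `String` value type would not match even once the syntax is fixed. The hieradata context line shows the key `profiles::cacert_selfservice_api::clients`, which automatic parameter lookup would not bind to `client_identities` unless a matching key exists outside this diff. The `@param` block omits `listen_address` and spells "identies" for "identities". The class body continues past the end of this hunk.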
@@ -41,6 +85,69 @@ class profiles::cacert_selfservice_api (
     mode    => '0750',
     require => Package[$service_name],
   }
+  file { "${config_directory}/certs":
+    ensure  => directory,
+    owner   => $service_name,
+    group   => 'root',
+    mode    => '0750',
+    require => Package[$service_name],
+  }
+  file { "${config_directory}/private":
+    ensure  => directory,
+    owner   => $service_name,
+    group   => 'root',
+    mode    => '0700',
+    require => Package[$service_name],
+  }
+  file { $server_certificate_file:
+    ensure  => file,
+    owner   => $service_name,
+    group   => 'root',
+    mode    => '0644',
+    content => $server_certificate,
+    require => File["${config_directory}/certs"],
+    notify  => Service[$service_name],
+  }
+  file { $server_key_file:
+    ensure  => file,
+    owner   => $service_name,
+    group   => 'root',
+    mode    => '0600',
+    content => $server_private_key,
+    require => File["${config_directory}/private"],
+    notify  => Service[$service_name],
+  }
+
+  $api_clients = $client_identities.map |$identity| {
+    {
+      id        => $identity['id'],
+      key_lines => split($identity['key'], "\n"),
+    }
+  }
+
+  file { $config_file:
+    ensure  => present,
+    owner   => $service_name,
+    group   => 'root',
+    mode    => '0600',
+    content => epp('profiles/cacert_selfservice_api/config.yaml.epp', {
+      server_certificate             => $server_certificate_file,
+      server_key                     => $server_key_file,
+      listen_address                 => $listen_address,
+      db_username                    => $db_username,
+      db_password                    => $db_password,
+      db_name                        => $db_name,
+      notification_sender            => $notification_sender_address,
+      notification_recipient_address => $notification_recipient_address,
+      notification_recipient_name    => $notification_recipient_name,
+      mail_host                      => $mail_host,
+      mail_port                      => $mail_port,
+      clients                        => $api_clients,
+      log_directory                  => $log_directory,
+    }),
+    require => Package[$service_name],
+    notify  => Service[$service_name],
+  }
 
   service { $service_name:
     ensure  => running,
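Review bot: The `file { $server_key_file: … }` and `file { $config_file: … }` resources receive the private key and the database password as plain `String` content, so on an agent that runs with diffs enabled a content change could print the secret into agent output and reports. Adding `show_diff => false` to both resources, or typing `$server_private_key` and `$db_password` as `Sensitive[String]`, keeps them out of logs. The config file uses `ensure => present` while the certificate and key files use `ensure => file`; `ensure => file` on all three would be consistent and would refuse a symlink or directory at that path. The `service` resource that follows is cut off by the end of the hunk.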
diff --git a/sitemodules/profiles/templates/cacert_selfservice_api/config.yaml.epp b/sitemodules/profiles/templates/cacert_selfservice_api/config.yaml.epp
new file mode 100644 (file)
index 0000000..b0552cf
--- /dev/null
@@ -0,0 +1,32 @@
+<%- | String $server_certificate,
+      String $server_key,
+      String $listen_address,
+      String $db_username,
+      String $db_password,
+      String $db_name,
+      String $notification_sender,
+      String $notification_recipient_address,
+      String $notification_recipient_name,
+      String $mail_host,
+      Integer $mail_port,
+      Array[Hash[String][String]] $clients,
+      String $log_directory
+| -%>
+---
+server_certificate: <%= $server_certificate %>
+server_key: <%= $server_key %>
+https_address: <%= $listen_address %>
+mysql_dsn: <%= $db_username %>:<%= $db_password %>@/<%= $db_name %>?parseTime=true
+access_log: <%= $log_directory %>/access.log
+notification_sender: <%= $notification_sender %>
+notification_recipient_address: <%= $notification_recipient_address %>
+notification_recipient_name: <%= $notification_recipient_name %>
+mail_server:
+  host: <%= $mail_host %>
+  port: <%= $mail_port %>
+clients:
+<%= $clients.each |$client| { -%>
+- id: <%= $client['client_id'] %>
+  key: |-
+<%= $client['key_lines'].each |$line| { %>    <%= $line %><% } %>
+<% } -%>
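Review bot: The `clients:` loop at the end of the template reads `$client['client_id']`, but the manifest builds each entry with the keys `id` and `key_lines`, so the rendered `id:` would come out empty. Both loop openers use the printing tag `<%=` around an unfinished `.each |…| {`, which as far as I can tell EPP rejects as an incomplete expression; the non-printing `<% … -%>` form is the usual one. The inner loop also emits every key line on a single physical line, which breaks the PEM block under `key: |-`. Separately, `mysql_dsn` interpolates the password unquoted, so a password containing ` #` or `: ` would change how that YAML line parses; quoting the scalar is worth considering. A corrected loop is sketched below.

```epp
<%# … unchanged: parameter block and scalar settings … -%>
clients:
<% $clients.each |$client| { -%>
- id: <%= $client['id'] %>
  key: |-
<% $client['key_lines'].each |$line| { -%>
    <%= $line %>
<% } -%>
<% } -%>
```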