Add configuration for the community self service
authorJan Dittberner <jandd@cacert.org>
Sat, 17 Aug 2019 09:25:15 +0000 (11:25 +0200)
committerJan Dittberner <jandd@cacert.org>
Sat, 17 Aug 2019 09:25:15 +0000 (11:25 +0200)
hieradata/nodes/community.yaml
sitemodules/profiles/manifests/cacert_selfservice.pp
sitemodules/profiles/templates/cacert_selfservice/config.yaml.epp [new file with mode: 0644]

index 7ed4420..5c5d244 100644 (file)
@@ -37,6 +37,51 @@ profiles::roundcube::master_password: >
     qukXDDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBA45dXYksd5BAhgFD7
     5NP+gDDvF8Cgnhpi/DhvI0fzwYJaLwelYhplqcWXJhml/58/yhYllUZVE/Cz
     smDHq+RA9UI=]
+profiles::cacert_selfservice::admin_emails:
+  - jselzer@cacert.org
+  - jandd@cacert.org
+  - mario@cacert.org
+profiles::cacert_selfservice::api_endpoint_url: https://email.infra.cacert.org:9443/
+profiles::cacert_selfservice::api_client_id: cac3ad11-fa50-43f6-8ded-15f598b6ca2a
+profiles::cacert_selfservice::api_private_key: >
+    ENC[PKCS7,MIICXAYJKoZIhvcNAQcDoIICTTCCAkkCAQAxggEhMIIBHQIBADAFMAACAQEw
+    DQYJKoZIhvcNAQEBBQAEggEAwZixb5ZkBTfIjHnZjyg+bDOCsJZ46ATcle1j
+    imfj5hph1wBK4ZpjuzLew1IPTJ+iY4redgwNGi0TgHcOmT9l2i2jnjITDKJt
+    7vfgLFKZJ8+whdEpejd8GVBXBgNe4vIt2YMMRnOGl7d9dS7+e4sm0lK56hSd
+    fbHuu7h0gbSK+ZPbJvyPPI+r90j/qRq8SXrnJ8nT49NswHuj5PmMBdYMslSO
+    PpnAoq+YyukeQ+HagWr3khcSZx+GYY14kBpBNiDZpG03NKzjZkT6fYugqHE0
+    B9HC22XSKrwQJwIIbSpVRJ3UF2pcx0aWjMQfuvdteJyD9XkmeNa6uiQGl05G
+    KJuqhDCCAR0GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEOsT67vXcPF/Pbqc
+    j6x76aOAgfBjd1srdGK6PJUs5Inkop441ce2v3jij/1oo9fRswSTgAMGHSGg
+    4zqbuZH2eR9hUXd/Mn8DmrAF4O285K7J6ei+9Eqkyf4xoIGV0VT9OiXDbJ6K
+    mUdm0gPYWdjYnN6FEIo2sLxBf6NDyRXFnjALnY6hfS8ePD4vRLHld3gDErdA
+    QwVQDewb+L5H3mrTNnM/2ex9M1ekRXK3z0lfn4q1H7UUZLS6Y5vmH4Tl7kTk
+    QeVCvUatI5fSzNaAi+N15nMo2X/ojgTn/CS9zklA5du1XgI1xzqsHyb7zirv
+    Bq5sNCy9CM2at4UMKVqsU7FpdIIxjFw=]
+profiles::cacert_selfservice::base_url: https://selfservice.cacert.org/
+profiles::cacert_selfservice::cookie_secret: >
+    ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEw
+    DQYJKoZIhvcNAQEBBQAEggEAws87m7QI+OIc1aQqrFzuq2qaJi0UJb8hJUU0
+    7059Xe/MR77e/YBBCWCU4TSDxi0CEa7KJgmH9WDAyojFvva9iGzQsEBBeDkd
+    EX1F1uTzwEauShIF5iMQJmflr2lD087v+YbQ5P7YTQzdD85aOLO1uFVx3dsZ
+    z08lOQUB4fHTbPh9coBrnIA3+jF9IigSUmVQRruaBY/uQpMEfW5JbF4zhAd+
+    yALEq/pwtiP1V8JTLQhejZ6ScPaODxbNbjGZuIvK89hNsA7RvGmgTAUP68Gm
+    saNmSVAIGq8NMOvX1emDeTglhfBMIyUzD2dCnxSXgdwV0CUz7dDe1WbhN6Xv
+    D3ro8DBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBUiz2500OF5JHiJHLv
+    73/jgDBxiCdS8M7jsfWNPgUqyUj4vAo1AY3PYRcf1kybNWY2vAG1cTKn3cno
+    XgkkwN7uAKY=]
+profiles::cacert_selfservice::csrf_key: >
+    ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEw
+    DQYJKoZIhvcNAQEBBQAEggEALHf3A6msWCeThRHKuqKNtyg5p7P6EjE2wOfr
+    vVI7kxN4X5ofCiF9z/PVBhmB/wCOB6gBL07QBBQLeyZN543SlFeS/Viwg1X+
+    67lQoCvrudaUP3Wz2R0j5ckoOzliZ/pYuNjNGf5bhF63NDbe3+NDx+njcydJ
+    BVjhpXTSaA3z+7vXI9RTE9NVtJnJdgUqRgbrZfzJnx5tuIjEwzzZVmDlrbzU
+    zciE9pbPR35UU3IVXbGtn9rHpx0b+DtpZxyiIZZfUrL+yl9aQXK5KwTPGWlS
+    /B6B65uIDuH4eewbF+ZW+WJSyJOfWnhXExil0Y8S1sWDKngFDJWcRy2f/bB/
+    weHy1TBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCXtYYzHTphD5RZDn3h
+    pIk9gDA+bqX/eXgR2g+VuBko2JyWj/+r/x3C3te++GPnM+QvA2jRWFHPrP1z
+    s1RM+gtTR78=]
+profiles::cacert_selfservice::https_address: :8443
 profiles::cacert_selfservice::server_certificate: |
     -----BEGIN CERTIFICATE-----
     MIIGRjCCBC6gAwIBAgIDAtlOMA0GCSqGSIb3DQEBCwUAMFQxFDASBgNVBAoTC0NB
index 09b5bfc..8f0054a 100644 (file)
@@ -7,10 +7,28 @@
 # Parameters
 # ----------
 #
+# @param base_url            base URL where the web interface can be found
+#
+# @param cookie_secret       32 bytes of secret key data for cookie encryption
+#
+# @param csrf_key            32 bytes of secret key data for CSRF protection
+#                            token encryption
+#
 # @param server_certificate  PEM encoded X.509 server certificate
 #
 # @param server_private_key  PEM encoded unencrypted RSA private key
 #
+# @param listen_address      Listening socket address
+#
+# @param admin_emails        Array containing admins with extended permissions
+#
+# @param api_client_id       API client identifier
+#
+# @param api_private_key     PEM encoded ECDSA private key for signing API
+#                            requests
+#
+# @param api_endpoint_url    backend API endpoint URL
+#
 # Examples
 # --------
 #
 # Copyright 2019 Jan Dittberner
 #
 class profiles::cacert_selfservice (
+  String $base_url = "https://selfservice.cacert.org",
+  String $cookie_secret,
+  String $csrf_key,
   String $server_certificate,
   String $server_private_key,
+  String $listen_address = ":8443",
+  Array[String] $admin_emails,
+  String $api_client_id,
+  String $api_private_key,
+  String $api_url = "https://email.infra.cacert.org:8443/",
 ) {
   include profiles::cacert_debrepo
 
@@ -120,6 +146,30 @@ class profiles::cacert_selfservice (
     notify  => Service[$service_name],
   }
 
+  file { $config_file:
+    ensure  => present,
+    owner   => $service_name,
+    group   => 'root',
+    mode    => '0600',
+    content => epp('profiles/cacert_selfservice/config.yaml.epp', {
+      base_url                => $base_url,
+      cookie_secret           => $cookie_secret,
+      csrf_key                => $csrf_key,
+      server_certificate      => $server_certificate_file,
+      server_key              => $server_key_file,
+      client_cas              => $client_ca_file,
+      listen_address          => $listen_address,
+      admin_emails            => $admin_emails,
+      api_cas                 => $api_ca_file,
+      api_client_id           => $api_client_id,
+      api_signature_key_lines => split($api_private_key, "\n"),
+      api_endpoint_url        => $api_endpoint_url,
+      log_directory           => $log_directory,
+    }),
+    require => Package[$service_name],
+    notify  => Service[$service_name],
+  }
+
   service { $service_name:
     ensure  => running,
     enable  => true,
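Review bot: The template argument `api_endpoint_url => $api_endpoint_url` in the new `file { $config_file: ... }` resource refers to a variable this class never declares — the parameter added higher up is `$api_url` (defaulting to port 8443), while the hieradata key and the `@param` documentation both say `api_endpoint_url`. Unless `$api_endpoint_url` comes from a scope outside the hunks shown, the lookup yields undef and the EPP's `String $api_endpoint_url` type check aborts catalog compilation (or the compile fails outright under strict_variables), and the 9443 endpoint from hieradata is silently ignored in favour of the 8443 default. Rename the parameter so data, docs and template agree: `String $api_endpoint_url = "https://email.infra.cacert.org:9443/",`. The class body continues outside these hunks, so I could not confirm that `$service_name`, `$config_file` and the `*_file` variables are assigned before this resource.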
diff --git a/sitemodules/profiles/templates/cacert_selfservice/config.yaml.epp b/sitemodules/profiles/templates/cacert_selfservice/config.yaml.epp
new file mode 100644 (file)
index 0000000..59c9b82
--- /dev/null
@@ -0,0 +1,32 @@
+<%- | String $base_url,
+      String $cookie_secret,
+      String $csrf_key,
+      String $server_certificate,
+      String $server_key,
+      String $client_cas,
+      String $listen_address,
+      Array[String] $admin_emails,
+      Array[String] $api_signature_key_lines,
+      String $api_client_id,
+      String $api_cas,
+      String $api_endpoint_url,
+      String $log_directory
+| -%>
+---
+client_ca_certificates: <%= $client_cas %>
+server_certificate: <%= $server_certificate %>
+server_key: <%= $server_key %>
+cookie_secret: <%= $cookie_secret %>
+csrf_key: <%= $csrf_key %>
+base_url: <%= $base_url %>
+https_address: <%= $listen_address %>
+admin_emails:
+<%- $admin_emails.each |$admin_email| { %>
+- <%= $admin_email %>
+<%- } %>
+api_private_key: |
+<% $api_signature_key_lines.each |$key_line| { %>  <%= $key_line %><% } %>
+api_client_id: <%= $api_client_id %>
+api_ca_certificates: <%= $api_cas %>
+api_endpoint_url: <%= $api_endpoint_url %>
+access_log: <%= $log_directory %>/access.log
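Review bot: The `api_private_key:` block near the end of the new template emits no line break between key lines — the loop body is only `  <%= $key_line %>`, and the single newline comes after the closing `<% } %>` — so a multi-line PEM key is written as one line under the `|` block scalar and is unlikely to decode as PEM. Give each line its own row and trim the tag lines instead, mirroring the `admin_emails` loop: `<% $api_signature_key_lines.each |$key_line| { -%>` / `  <%= $key_line %>` / `<% } -%>`. Be aware the manifest's `split($api_private_key, "\n")` also yields a trailing empty element when the decrypted key ends in a newline; inside a block scalar that is harmless. Separately, `cookie_secret` and `csrf_key` are interpolated as unquoted plain scalars, so a value containing ` #`, `: ` or a leading YAML indicator would break or alter the parse — double-quoting them would be safer unless they are guaranteed to be base64/hex.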