Add cacert_selfservice to community
authorJan Dittberner <jandd@cacert.org>
Fri, 16 Aug 2019 21:16:05 +0000 (23:16 +0200)
committerJan Dittberner <jandd@cacert.org>
Fri, 16 Aug 2019 21:16:05 +0000 (23:16 +0200)
hieradata/nodes/community.yaml
sitemodules/profiles/manifests/cacert_selfservice.pp [new file with mode: 0644]
sitemodules/roles/manifests/community.pp

index 0031e80..7ed4420 100644 (file)
@@ -37,3 +37,123 @@ profiles::roundcube::master_password: >
     qukXDDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBA45dXYksd5BAhgFD7
     5NP+gDDvF8Cgnhpi/DhvI0fzwYJaLwelYhplqcWXJhml/58/yhYllUZVE/Cz
     smDHq+RA9UI=]
+profiles::cacert_selfservice::server_certificate: |
+    -----BEGIN CERTIFICATE-----
+    MIIGRjCCBC6gAwIBAgIDAtlOMA0GCSqGSIb3DQEBCwUAMFQxFDASBgNVBAoTC0NB
+    Y2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV
+    BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMTkwODE2MjA1ODEzWhcNMjEwODE1
+    MjA1ODEzWjBjMQswCQYDVQQGEwJBVTEMMAoGA1UECBMDTlNXMQ8wDQYDVQQHEwZT
+    eWRuZXkxFDASBgNVBAoTC0NBY2VydCBJbmMuMR8wHQYDVQQDExZzZWxmc2Vydmlj
+    ZS5jYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAsz/5
+    vDt+ZOwPvfQJiaZgN2VwIDF079gf5rVi0Isw7maNj1lcN3oNjyF2UneOkx9b5yw7
+    kHytifd/Hz5Exg7DJDrSc7eW1tmXGZWWtK2PX3G0gG3uWfqfxMSmB6gHRvj+YcSb
+    AXzlzcO+SQQ7GV2nZI1ZpfJ1jLuBjK8Hchr7zp9IWw/dWJtROBuyIOTiLHiVKehe
+    vHOnvDF9MPqoPJFoi+PoZCU8MwCqKLTc/d/RfsvIG1BwnoyiDzieeDsCPfssJciz
+    Kb3MC0V+zw0LxWS3RPZMsR/rTz3sEIUyy/NdADdA4rY/LAXI1dVxNsJgaU6jGfO6
+    aub21X6s4cHRsed07xBYHe5LJCV0ExAx23V0ihWM4R9mEFAyLrfuoO6oodiuopGE
+    jybeYEq0qLFjMpNZX5bnJ7X53Z9kb0kV2Ft+0jYFUmGvp27JnWN+dAcJ0T08+Uqs
+    zaiNS0fj4Wgd8WZYIkmVM+MzCGmKcjOvCgQFa+wZvvgRG69nsxl+Zr2e+8WUJoQi
+    Tvsp9z1YwidmN2U22HmX7xukvDVLWi0R7reSyjld3Wo9Qn/UCTkyYHpjPUdPhYQV
+    avOaturVpISXcANZi9XkMXO9k/osEywH2oeqy95bXT7w14Hla8Lg4Y5tISiKny9g
+    sZNeqx35v1CkDxofG/uHKI9EvVdJKyeHU9RXlXkCAwEAAaOCARAwggEMMAwGA1Ud
+    EwEB/wQCMAAwDgYDVR0PAQH/BAQDAgOoMDQGA1UdJQQtMCsGCCsGAQUFBwMCBggr
+    BgEFBQcDAQYJYIZIAYb4QgQBBgorBgEEAYI3CgMDMDMGCCsGAQUFBwEBBCcwJTAj
+    BggrBgEFBQcwAYYXaHR0cDovL29jc3AuY2FjZXJ0Lm9yZy8wOAYDVR0fBDEwLzAt
+    oCugKYYnaHR0cDovL2NybC5jYWNlcnQub3JnL2NsYXNzMy1yZXZva2UuY3JsMEcG
+    A1UdEQRAMD6CFnNlbGZzZXJ2aWNlLmNhY2VydC5vcmegJAYIKwYBBQUHCAWgGAwW
+    c2VsZnNlcnZpY2UuY2FjZXJ0Lm9yZzANBgkqhkiG9w0BAQsFAAOCAgEAVwsr8XZz
+    WY9zUrTcZPzTYYqo+v0yzRRRj2UJoRWhFAGZzponiSzvtpJZHW0++Y2Jfvujwkmv
+    B0CN+xagXDAOCt0Zy+ckWvj9RYXnzw66Uu0o8nc5DCV3Af2y4E2nyKdMBbSO0f/H
+    aUu9Mb/lvoaLCZlR3PZPyHxEYIrKZzRl+VwVhf2lsKAoTlwS1HKp3qbxNDgFcak0
+    7sTmN4Fs2jjXH2MnEMHYEKXItLd7ypBSoc/8NUPBAvnV9L3ggMu/IqDf8N6P60o9
+    tH2SoqWt81ZwOjOSFwg7HDLDN3aih0qGaXnNhMC3sRgTXlVD35QwVmmoNe9H+CEd
+    Ay+pgqGshmAE4xI1gFC8JlFtmZagp8W6x1uIdOqgwjfovUPpy0HSbY5f6WW2BNLR
+    3lHGc9+YIDDC4LGg+H1xRk+4FoGjHdzZSZc95JUEBuOSU85RYErlpqi5Ifl7yf0b
+    P/m8GK7xoqWR/6bg41ynXXCKtYBRxqQw7+1OHmAt812oGvAWYw1NXwpRwME9DTYc
+    CSRZETTW4nddzd5ehVWs9o9NwMZVP3PmuL5WgjOIj3dbrye7YwklX+DaTu4KHk8o
+    1hcLWM378iF5mf9wCfsCq+S8LhVEhbRDj//RWlIkkFLWeTprR6Us8WJJrcLbUtW/
+    fegOl/aYOxOp+oDj9F1/P2dpKahBuwToueg=
+    -----END CERTIFICATE-----
+profiles::cacert_selfservice::server_private_key: >
+    ENC[PKCS7,MIIOPQYJKoZIhvcNAQcDoIIOLjCCDioCAQAxggEhMIIBHQIBADAFMAACAQEw
+    DQYJKoZIhvcNAQEBBQAEggEAt3on6CqHyfkSR12NDKy27ln9CNYSig4vnazz
+    1SU89n50FroloNyQNkryp9owAQhmlkdI8+XQxMfP+ujXNahj2mjQQPJullm/
+    i0/8Yr11b9e6CQ/S940Re6203Z+wJDOtOiiv7lckWeBojfvbh0jxU21wvgRM
+    WQy8qpyfReAeopxxjv7ibWR3/WdJIReIWgQnCtJv7Is5a+QqpYXbDb6G3AK0
+    sHFyY2ZYmWOROwCV7cIRr51Ta7NLIC2y0U+TDc5FLzCR0sauA8jtvSc58pT5
+    DFHBTsYdqlnlH0bsxqAffYuZdZfCB2gZhRFyshxprJt6Pp5DEsHlzmBgVu3d
+    8Pg0uzCCDP4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEJUGBdM86l45Q2aM
+    CTGHxoaAggzQkBGmiEON8uEXus4pljSwufuQuH7+XLQxlE91NTaXiJaDh3q2
+    iIfH+2/Z33GfOCsDrOkxtaHKrxAGatxvOQUKtfl8kCAkSNK2qrlRhfqyeJiR
+    8twoLYe/p7ijufLZBxR05KrwfJC5baWqA4f1psy2c4kStgTe6w4T7iJMhAHH
+    mQM7FfbZgKncmsPAdEAxGj0r0sf0iLCOkAQsoZQ52J5oKUE8/q1ywjMYnnEy
+    a15JyQpODCjUI9pTpuGwUr90bnFAh9/WWblEQROwSdjCM/tRnMYlB5LW7pGE
+    WfXIZ/pxax7KDd9x3LG6gtDLyKpOCPSrotkO5NmjPKbJBu1PWeKT2tRWRUXR
+    Ss5D1nvCipJUgijwAsXpiojCHBOgo9zjXe7PKoqT+H3sGJ0Fj8tO8L+tEs63
+    lVbYA2cIX4x8f8HGzIQoQu0bqPX+ZNO1kDxjR5gxYLfmWjXaoQtfaEB29mIr
+    KdpxjQ22cKw40CTE+Pd78g599aUHV0SNVnN7nW82vyZVl5nEiIQ0a8nO/A7Q
+    o1DnaSUykNENGxKQ7xShtV2Z9win2BkqBblkO86oIQuG8ExYvxnyEW1udL3o
+    D2vNrG7toLRAl9mTcP+YJbIgNX3pZIu6kY5WZA5cUEsKjG8Io9O2q8EExzUS
+    w55bpzDNWD7hd91m13vx3lIqlaWuOUvNVfT3WPPNYAhSOByWi/1c/wkE0sF9
+    PKp3yi8pkK/uh50mfR6ZLTg3gDVJNobqWUeq8zay/4Wo5uzPGwgTa28gQSyT
+    IXeAdmSXz9HQBKcvunEkwefgHSIvFHPDxQo+0kodVWNjqyYxCwiuCpaWsXbH
+    IO7FL/+afYA3nCSk7Ijpo4Q/cKi0rtGBedvbxbLwwXlGhBDmimc6OLSHfaNQ
+    +0sVk8BxFqxBDhEW9A0t4XyPJ3SVv8SC66ldLYHW71Uajyysp9lhOLFwWFfO
+    sXwTMvXDF7q1x47d5s3UM8W34djobVBHjlrF8TNHLvI7DwrIktzRvJ60Qmch
+    OIspFZHNdmMAD2EK/LVwcSVfP+bkBeez3pX53y8lDPqaJtEGwygRPhAYyKyg
+    V0lwZoqcmJihxTLJPreolkIBbiWRh6TVafFAykxPJAdQDgQimS2o4FZtRkZt
+    3A4vwK5zWhzDTezBzzTZAC9NuJA6VYWhiRrQ8NKrOhbz8D2lgPnuhJu71/vE
+    lfkAPCyQTIY8YYxDhL1XgnWsCCHleIAMHHpC+kGZ/vnu2nLIji2KR/ii1Fr1
+    JbXh9E9i2GhHp0eucxYBwS50sVwAFdouM5pDi8kfIzT2Dzmd6mArUBBawjgt
+    cHCc0yeL9YgXRNxo2tBf73biJRBsC/+rtguaxnacb6JCszUbfAwXO44AR9YV
+    vuCg4WKp1zQrWRtN9E2fj9QXHyKcXEgKvaoUOmREipeS2DTdwG56PtDfRG/N
+    UPdrZnCDhZTY5Yvqo106bfAj0SY/ULGTXe3paBwaOcLTKOGTkXUVpK2dcUdw
+    k2TuiexKcRPlTjDMX/BH4HYeTeBR+UjZdOKGc2oQ4wsL4IsPhqcfK0GKVBCf
+    eGJ+mGIbGCT2HcWb2igeXL+BRD6ykimO4DfspgfDgIUDB7FZFJuUoaDRjQ/I
+    J4hWG6fLn9PNKFZ2BhQ1mv2eJy3yNiQXLtpkCarS2mRmipGVgrCHgO5S/TdL
+    B9Otn9dHKY6cuXXhenH1vqXBsLCnPFeX/6ewhJ+MTWryE5cIhLbEZHq9RtbW
+    zxJXe0eadPJXWLd6OBPqr0V9M/XGpI5q9k7tHpVvBn467RbQrAk7zkYQcOOL
+    J1ZYDmzjELd662qLNLR36YIC0/lX6aw/6T1cOqgnoh7GUDpt/z8b9K99LXXx
+    +FRO5KXSORj++DA3MdJoB4XeSkKPXp5xqoVP36/657ynj/dvNLhHS2QvcKvM
+    Nnr3icyk0jAlWip/sE+mRYJJ7mz3yB/sNx6QZ1vtWIiEypNK+fGPmi8NbchY
+    XPS99rbAmL0Kk66Xrjd63PqqWVw981YC3r6COxYQJR1v2l6WolAgcDdOU36f
+    EY41ltzSdSBtmCa/0Y2OAYkk/J5KxpMjYxoW080b7WNWNpaud4tPb1kiS4OA
+    5NKSZpmyJwOogDsVrYyQrvybU7x+eybyGh7zU9JOhI81yt93O7kpeRjEbcTb
+    hRwUA9JN0JAAxxJVBuM29/SY9pBwprkgVFPME0m1Jfti9m7mf6rfxCOgMTLS
+    zpPRyLUjRYLx95W6AlUpCi9CTZhlSXZB6rtJGRfm8vz44nZXbtaE/qhAA7h/
+    bf0OL9GVmROHm2w9nxeFtVGKBcmgDGECFgeBZfT+ImrAdSmed4GO0BqjzooJ
+    EZuet7nnm40kz+wyZrJAzUyyXUjkVj01r6yLlX1dogul8aeGWe44iXaswiXv
+    ZFfOh3ewMa93kdjJQI1WTc3LmpNUoMJD4QwPOIs6H8Vsyzu9DKefmvEWBBa1
+    CxX+F32/XPvn3qX+Qi0eJE1rvRnynyTUNzQSOZtTB+YUAtmqUglLeN7E3cSC
+    wlJ46co2TkyaRZqrY28cax90GhOgkmOZK8MZQ4kPDWA1tddS3QP5L558sWeZ
+    K5aMEIYTwCazPsVcy7v6MNOM06Yhnce1BOhioDS8vPI8pf84HDC99MSZSvYr
+    qvDmr/gOVY+BrYfk0E9y7l4eVSpD7uDEDhaPS6lTZrj5JclihoGGKWUPmg7q
+    XXEH3rwF9NqloFBDNDIcYTnIOpdo+vDKF04oA4Q3K35dh67kwVjW/3DqdC5R
+    k/AcB+8+nCjWCxjYCxF9EJpenSmYhS8Seeuly4w57qpT23bwDk39whqBvnz3
+    o/tWFCLhC9EuQ95S5h7cKxTLatgfD6/U8zuA8kkFA2Aq9JB2kZthU1HWglr5
+    7OhcmTa3j4zEF/946VjmjneVxdsbbT2WAf4+hf7CuByI0xEeGmboJQ6sAvoo
+    1ASdTIzZbfnbI0KjBuNK7OkI0XtmUr+hz3bWGrrXXOeEXPLd8WCJf9QzWjnS
+    kLta5LzCHU5D54w20W5OxKmIW8al8QweYPKgV/PrOFwYLy57+2NJuDfu7646
+    uszXtkOdfvAHp98KR/cGdaBMTGqO54CFfTBm9GlZ0wnkiJw2KxoNiJlsBoXB
+    ahHGJzBU2QMGmWCLlk9cJXHJsj0FwhxCeGionq5IeJ4aUHTACFTnRn0mLJIE
+    0rNAd6ZuprpGb8ZhMOD2Evyfhfi6QH8k7lQkvZFnAKBkCwm9VvNMtNnBK1Jw
+    SZPc1RJ/zuh/q/K5ROLz+w2hAXB8uzAvxxq/rUr9q8OHtrNspQL1hCiTYIpM
+    39ty9yOFY+vGSNTgkwNEVeMU511nngQFRF/kyNAXNFGYLdR+LyOWDzH8QcP0
+    PSH4aqYeRR8ID2Rm4dwOBw7r97wQmH3s8YRXQ/7fryTx/5d6mAnuFW6y3v33
+    VSU+SSaC8u+D1QWPg5opS0I0/om8cF53+hlp5KMZVRQB2Orl4TqXaYAG9MQt
+    f58DDo3aIKBGpw4cV34XVq0N71oxxsileK9Lwi+MdwYLSkgy/dfZHlV7hRCT
+    BcFA+WD4GvCEVriLey6E5u7RSxKg3X2TeuLGM8q18HpAzaJtfWIu31bzBJrr
+    0/Wzm/MQXlwHNzWJdH0igetK9PJz5QZ+kkU7TaP+crYm4KrA/7/d+fEdLIIB
+    zZQ6LDXJeQjW2gLSirKezuFbpHY1uhJibi1gASxqT1e2WuJTvliUSoc5aEiu
+    yivOYX+nyg7+EpUl1WDsOqAbSchqsM1oQ5oCdkehWAN00szO+/Kn3SaIZLda
+    v9pUtuxYSOTVNZECXq1nR4/0tMO9qFdlaBk8PzWIkeNkrCblZ8tS9yTpoSYe
+    omUKIN0npvEqB6Vfdk0ZpxVxqErnsr8gGiCPmGebtklFFvGDdWI1gfnIrKeP
+    Llirqqf3mIv8107hv8ozayWsHD1PhEiRKmputKU+5bb3PJb61MiFNaIdflgR
+    OJYhZ6bhtVm/ofUQAUY2AATURZbkSYPHYidgXd45QoVOA0Oc5pxmA3f/tJ+f
+    avp32Ix/y5MmzpPwUESjv7WPnvlU+WADzXuyTJXCOED6Y5LMp//U0lNr+AXQ
+    rlc8d6na/DTTyIDFd42W+Yvy7wl0JofyIUSsPGRx/srzzeJAq0k31GmmMPXN
+    TGb/HtFj+BaUDPn+5G/2KdCsCbFqKk2MiuBZ7GYVxJMH83zFAhxQy8APOgke
+    b24elx5vnfEENvbFrlWHp48KJzHGiBwvabw2TGSsIZj0TCIIS179F7T/ecyy
+    meSzL66S0bE3fMQW7PHJBEJfd1rF7Lzc1zyYOuEEKxKuZTAv0oNJa7boRFWN
+    b7xfkInLzKPfTfNlY9txwOqlGWYfZxa4d6fBKbVxdspf8WnTIrXgWshjWYcV
+    /r8P6g==]
diff --git a/sitemodules/profiles/manifests/cacert_selfservice.pp b/sitemodules/profiles/manifests/cacert_selfservice.pp
new file mode 100644 (file)
index 0000000..1d0e5d0
--- /dev/null
@@ -0,0 +1,128 @@
+# Class: profiles::cacert_selfservice
+# ===================================
+#
+# This class defines the cacert_selfservice profile that configures the CAcert
+# community self service system web interface.
+#
+# Parameters
+# ----------
+#
+# @param server_certificate  PEM encoded X.509 server certificate
+#
+# @param server_private_key  PEM encoded unencrypted RSA private key
+#
+# Examples
+# --------
+#
+# @example
+#   class roles::myhost {
+#     include profiles::cacert_selfservice
+#   }
+#
+# Authors
+# -------
+#
+# Jan Dittberner <jandd@cacert.org>
+#
+# Copyright
+# ---------
+#
+# Copyright 2019 Jan Dittberner
+#
+class profiles::cacert_selfservice (
+  String $server_certificate,
+  String $server_private_key,
+) {
+  include profiles::cacert_debrepo
+
+  $service_name = 'cacert-selfservice'
+  $config_directory = "/etc/${service_directory}"
+  $config_file = "${config_directory}/config.yaml"
+  $server_certificate_file = "${config_directory}/certs/server.crt.pem"
+  $server_key_file = "${config_directory}/private/server.key.pem"
+  $log_directory = "/var/log/${service_name}"
+
+  $api_ca_file = "${config_directory}/certs/api_cas.pem"
+  $client_ca_file = "${config_directory}/certs/client_cas.pem"
+
+  package { $service_name:
+    ensure  => latest,
+    require => Apt::Source['cacert'],
+  }
+
+  file { $log_directory:
+    ensure  => directory,
+    owner   => $service_name,
+    group   => 'root',
+    mode    => '0750',
+    require => Package[$service_name],
+  }
+  file { "${config_directory}/certs":
+    ensure  => directory,
+    owner   => $service_name,
+    group   => 'root',
+    mode    => '0750',
+    require => Package[$service_name],
+  }
+  file { "${config_directory}/private":
+    ensure  => directory,
+    owner   => $service_name,
+    group   => 'root',
+    mode    => '0700',
+    require => Package[$service_name],
+  }
+  file { $server_certificate_file:
+    ensure  => file,
+    owner   => $service_name,
+    group   => 'root',
+    mode    => '0644',
+    content => $server_certificate,
+    require => File["${config_directory}/certs"],
+    notify  => Service[$service_name],
+  }
+  file { $server_key_file:
+    ensure  => file,
+    owner   => $service_name,
+    group   => 'root',
+    mode    => '0600',
+    content => $server_private_key,
+    require => File["${config_directory}/private"],
+    notify  => Service[$service_name],
+  }
+  concat { $client_ca_file:
+    ensure  => present
+    owner   => $service_name,
+    group   => 'root',
+    mode    => '0640',
+    require => File["${config_directory}/certs"],
+    notify  => Service[$service_name],
+  }
+  concat::fragment { 'cacert-class3-client-ca':
+    tag    => 'cacert-class3-client-ca',
+    order  => 10,
+    target => $client_ca_file,
+    source => 'puppet:///modules/profiles/base/cacert_class3_X0E.crt',
+  }
+  concat::fragment { 'cacert-class1-client-ca':
+    tag    => 'cacert-class1-client-ca',
+    order  => 20,
+    target => $client_ca_file,
+    source => 'puppet:///modules/profiles/base/cacert_class1_X0F.crt',
+  }
+
+  file { $api_cas:
+    ensure  => file,
+    owner   => $service_name,
+    group   => 'root',
+    mode    => '0640',
+    source => 'puppet:///modules/profiles/base/cacert_class3_X0E.crt',
+    require => File["${config_directory}/certs"],
+    notify  => Service[$service_name],
+  }
+
+  service { $service_name:
+    ensure  => running,
+    enable  => true,
+    require => Package[$service_name],
+  }
+}
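Review bot: The `$config_directory` assignment near the top of the class interpolates `$service_directory`, which is never assigned anywhere in this class, so the value collapses to `/etc/` (or the catalog fails under strict variables) and every certificate, key and config path derived from it lands directly under /etc; it should read `$config_directory = "/etc/${service_name}"`. The same hunk has two more blockers: `ensure  => present` in the `concat { $client_ca_file:` resource lacks the trailing comma the parser requires, and the last resource `file { $api_cas:` uses an undefined variable where `$api_ca_file`, assigned a few lines above it, is clearly meant. `$config_file` is assigned but no resource manages it, so the service's config.yaml is left to whatever the package ships; if that is intentional a comment such as `# config.yaml is shipped by the package and is not managed here` would save the next reader from looking for it. The package resource uses `ensure => latest`, which upgrades the service binary on any run that sees a newer version in the repository; documenting or pinning that choice would make the profile's update behaviour explicit.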
index ce09b26..0bd872c 100644 (file)
@@ -25,4 +25,5 @@ class roles::community {
   include profiles::rsyslog
   include profiles::icinga2_agent
   include profiles::roundcube
+  include profiles::cacert_selfservice
 }