diff options
author | elijah <elijah@riseup.net> | 2013-01-21 22:41:51 -0800 |
---|---|---|
committer | elijah <elijah@riseup.net> | 2013-01-21 22:41:51 -0800 |
commit | 306a0e6c21d0e27035ba48530392eede59537516 (patch) | |
tree | 1d9195dee41e820d9b0b9b5070c06be1126b6218 | |
parent | 9ae011f2cbedfae166281f2f6a097acec35c943b (diff) |
client ca -- configure the webapp with the client ca
-rw-r--r-- | provider_base/services/openvpn.json | 2 | ||||
-rw-r--r-- | provider_base/services/webapp.json | 2 | ||||
-rw-r--r-- | puppet/modules/site_webapp/manifests/client_ca.pp | 24 | ||||
-rw-r--r-- | puppet/modules/site_webapp/manifests/init.pp | 1 | ||||
-rw-r--r-- | puppet/modules/site_webapp/templates/config.yml.erb | 2 |
5 files changed, 30 insertions, 1 deletions
diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json index 0008a2d2..7b67ccb3 100644 --- a/provider_base/services/openvpn.json +++ b/provider_base/services/openvpn.json @@ -2,7 +2,7 @@ "service_type": "user_service", "x509": { "use": true, - "ca_cert": "= file :ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'", + "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'", "dh": "= file :dh_params, :missing => 'Diffie-Hellman parameters. Run `leap cert dh`'" }, "openvpn": { diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 311f1284..c9e4c532 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -23,6 +23,8 @@ "x509": { "use": true, "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", + "client_ca_cert": "= file_path :client_ca_cert", + "client_ca_key": "= file_path :client_ca_key", "commercial_cert": "= file [:commercial_cert, global.provider.domain]", "commercial_key": "= file [:commercial_key, global.provider.domain]", "commercial_ca_cert": "= try_file :commercial_ca_cert" diff --git a/puppet/modules/site_webapp/manifests/client_ca.pp b/puppet/modules/site_webapp/manifests/client_ca.pp new file mode 100644 index 00000000..53c49d69 --- /dev/null +++ b/puppet/modules/site_webapp/manifests/client_ca.pp @@ -0,0 +1,24 @@ +## +## This is for the special CA that is used exclusively for generating +## client certificates by the webapp. +## + +class site_webapp::client_ca { + include x509::variables + + $x509 = hiera('x509') + $cert_path = "${x509::variables::certs}/leap_client_ca.crt" + $key_path = "${x509::variables::keys}/leap_client_ca.key" + + x509::key { + 'leap_client_ca': + source => $x509['client_ca_key'], + notify => Service[apache]; + } + + x509::cert { + 'leap_client_ca': + source => $x509['client_ca_cert'], + notify => Service[apache]; + } +} diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index f7c6565e..717a9477 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -16,6 +16,7 @@ class site_webapp { include rubygems include site_webapp::apache include site_webapp::couchdb + include site_webapp::client_ca group { 'leap-webapp': ensure => present, diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 5e223a58..9cf85f0c 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -1,3 +1,5 @@ production: admins: [admin] domain: <%= @provider_domain %> + client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %> + client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %> |