summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorelijah <elijah@riseup.net>2013-01-21 22:41:51 -0800
committerelijah <elijah@riseup.net>2013-01-21 22:41:51 -0800
commit306a0e6c21d0e27035ba48530392eede59537516 (patch)
tree1d9195dee41e820d9b0b9b5070c06be1126b6218
parent9ae011f2cbedfae166281f2f6a097acec35c943b (diff)
client ca -- configure the webapp with the client ca
-rw-r--r--provider_base/services/openvpn.json2
-rw-r--r--provider_base/services/webapp.json2
-rw-r--r--puppet/modules/site_webapp/manifests/client_ca.pp24
-rw-r--r--puppet/modules/site_webapp/manifests/init.pp1
-rw-r--r--puppet/modules/site_webapp/templates/config.yml.erb2
5 files changed, 30 insertions, 1 deletions
diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json
index 0008a2d2..7b67ccb3 100644
--- a/provider_base/services/openvpn.json
+++ b/provider_base/services/openvpn.json
@@ -2,7 +2,7 @@
"service_type": "user_service",
"x509": {
"use": true,
- "ca_cert": "= file :ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
+ "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
"dh": "= file :dh_params, :missing => 'Diffie-Hellman parameters. Run `leap cert dh`'"
},
"openvpn": {
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index 311f1284..c9e4c532 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -23,6 +23,8 @@
"x509": {
"use": true,
"ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
+ "client_ca_cert": "= file_path :client_ca_cert",
+ "client_ca_key": "= file_path :client_ca_key",
"commercial_cert": "= file [:commercial_cert, global.provider.domain]",
"commercial_key": "= file [:commercial_key, global.provider.domain]",
"commercial_ca_cert": "= try_file :commercial_ca_cert"
diff --git a/puppet/modules/site_webapp/manifests/client_ca.pp b/puppet/modules/site_webapp/manifests/client_ca.pp
new file mode 100644
index 00000000..53c49d69
--- /dev/null
+++ b/puppet/modules/site_webapp/manifests/client_ca.pp
@@ -0,0 +1,24 @@
+##
+## This is for the special CA that is used exclusively for generating
+## client certificates by the webapp.
+##
+
+class site_webapp::client_ca {
+ include x509::variables
+
+ $x509 = hiera('x509')
+ $cert_path = "${x509::variables::certs}/leap_client_ca.crt"
+ $key_path = "${x509::variables::keys}/leap_client_ca.key"
+
+ x509::key {
+ 'leap_client_ca':
+ source => $x509['client_ca_key'],
+ notify => Service[apache];
+ }
+
+ x509::cert {
+ 'leap_client_ca':
+ source => $x509['client_ca_cert'],
+ notify => Service[apache];
+ }
+}
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index f7c6565e..717a9477 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -16,6 +16,7 @@ class site_webapp {
include rubygems
include site_webapp::apache
include site_webapp::couchdb
+ include site_webapp::client_ca
group { 'leap-webapp':
ensure => present,
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb
index 5e223a58..9cf85f0c 100644
--- a/puppet/modules/site_webapp/templates/config.yml.erb
+++ b/puppet/modules/site_webapp/templates/config.yml.erb
@@ -1,3 +1,5 @@
production:
admins: [admin]
domain: <%= @provider_domain %>
+ client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %>
+ client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %>