17 files changed, 83 insertions, 58 deletions
|
diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
index 9e2dbcaf..5f1f4c1d 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -7,8 +7,7 @@
 Listen 0.0.0.0:<%= api_port %>
 <VirtualHost *:<%= api_port -%>>
-  ServerName <%= domain_name %>
-  ServerAlias <%= api_domain %>
+  ServerName <%= api_domain %>
   SSLEngine on
   SSLProtocol -all +SSLv3 +TLSv1
diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb
index 3b376839..6059453b 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb
@@ -16,9 +16,9 @@
   SSLHonorCipherOrder on
   SSLCACertificatePath /etc/ssl/certs
-  SSLCertificateChainFile /etc/ssl/certs/leap_webapp.pem
-  SSLCertificateKeyFile /etc/x509/keys/leap_webapp.key
-  SSLCertificateFile /etc/x509/certs/leap_webapp.crt
+  SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt
+  SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key
+  SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt
    RequestHeader set X_FORWARDED_PROTO 'https'
diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp
index 008a4e1f..59a161e8 100644
--- a/puppet/modules/site_config/manifests/params.pp
+++ b/puppet/modules/site_config/manifests/params.pp
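Review bot: Dropping `ServerAlias <%= api_domain %>` in favour of `ServerName <%= api_domain %>` means a request arriving on api_port with the main `domain_name` as its Host header no longer matches this vhost by name and falls through to whatever Apache treats as the default vhost for that port; if that is the intent, a one-line template comment such as `# the API answers only under api_domain; domain_name is served by the webapp vhost` would make it explicit. While this vhost is being edited, the unchanged `SSLProtocol -all +SSLv3 +TLSv1` line still enables SSLv3, which offers no advantage over TLS and is best disabled; `SSLProtocol all -SSLv2 -SSLv3` keeps TLSv1 and admits newer TLS versions as the build supports them. The vhost continues past the end of the hunk.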
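Review bot: `SSLCertificateChainFile` now points into `x509::variables::local_CAs`, which the old hard-coded `/usr/local/share/ca-certificates/leap_api.crt` target in site_webapp/init.pp suggests is the host's local trust-store directory; if so, the commercial intermediate written there by `x509::ca` in the new site_config::x509::commercial::ca class is trusted as a CA by every TLS client on the node, while Apache only needs it as a chain to hand to browsers. Consider installing the intermediate with `x509::cert` under `x509::variables::certs` and referencing that path here, reserving `x509::ca` for CAs the host genuinely needs to trust; this coupling predates the commit but the new lookups make it explicit. The three `scope.lookupvar('site_config::params::…')` calls also assume site_config::params has been evaluated before the template renders, which the diff does not show; a template comment stating that dependency would help the next reader.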
@@ -23,8 +23,10 @@ class site_config::params {
     fail("unable to determine a valid interface, please set a valid interface for this node in nodes/${::hostname}.json")
   }
-  $ca_name          = 'leap_ca'
-  $client_ca_name   = 'leap_client_ca'
-  $ca_bundle_name   = 'leap_ca_bundle'
-  $cert_name        = 'leap'
+  $ca_name              = 'leap_ca'
+  $client_ca_name       = 'leap_client_ca'
+  $ca_bundle_name       = 'leap_ca_bundle'
+  $cert_name            = 'leap'
+  $commercial_ca_name   = 'leap_commercial_ca'
+  $commercial_cert_name = 'leap_commercial'
 }
diff --git a/puppet/modules/site_config/manifests/x509/cert_key.pp b/puppet/modules/site_config/manifests/x509/cert.pp
index d55c6cf2..7ed42959 100644
--- a/puppet/modules/site_config/manifests/x509/cert_key.pp
+++ b/puppet/modules/site_config/manifests/x509/cert.pp
@@ -1,13 +1,8 @@
-class site_config::x509::cert_key {
+class site_config::x509::cert {
   $x509      = hiera('x509')
-  $key       = $x509['key']
   $cert      = $x509['cert']
-  x509::key { $site_config::params::cert_name:
-    content => $key
-  }
-
   x509::cert { $site_config::params::cert_name:
     content => $cert
   }
diff --git a/puppet/modules/site_config/manifests/x509/commercial/ca.pp b/puppet/modules/site_config/manifests/x509/commercial/ca.pp
new file mode 100644
index 00000000..8f35759f
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/commercial/ca.pp
@@ -0,0 +1,9 @@
+class site_config::x509::commercial::ca {
+
+  $x509      = hiera('x509')
+  $ca        = $x509['commercial_ca_cert']
+
+  x509::ca { $site_config::params::commercial_ca_name:
+    content => $ca
+  }
+}
diff --git a/puppet/modules/site_config/manifests/x509/commercial/cert.pp b/puppet/modules/site_config/manifests/x509/commercial/cert.pp
new file mode 100644
index 00000000..0c71a705
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/commercial/cert.pp
@@ -0,0 +1,10 @@
+class site_config::x509::commercial::cert {
+
+  $x509      = hiera('x509')
+  $cert      = $x509['commercial_cert']
+
+  x509::cert { $site_config::params::commercial_cert_name:
+    content => $cert
+  }
+
+}
diff --git a/puppet/modules/site_config/manifests/x509/commercial/key.pp b/puppet/modules/site_config/manifests/x509/commercial/key.pp
new file mode 100644
index 00000000..d32e85ef
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/commercial/key.pp
@@ -0,0 +1,9 @@
+class site_config::x509::commercial::key {
+
+  $x509      = hiera('x509')
+  $key       = $x509['commercial_key']
+
+  x509::key { $site_config::params::commercial_cert_name:
+    content => $key
+  }
+}
diff --git a/puppet/modules/site_config/manifests/x509/key.pp b/puppet/modules/site_config/manifests/x509/key.pp
new file mode 100644
index 00000000..32b59726
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/key.pp
@@ -0,0 +1,9 @@
+class site_config::x509::key {
+
+  $x509      = hiera('x509')
+  $key       = $x509['key']
+
+  x509::key { $site_config::params::cert_name:
+    content => $key
+  }
+}
diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp
index 7ba303fe..87c35f05 100644
--- a/puppet/modules/site_couchdb/manifests/stunnel.pp
+++ b/puppet/modules/site_couchdb/manifests/stunnel.pp
@@ -20,7 +20,8 @@ class site_couchdb::stunnel {
-  include site_config::x509::cert_key
+  include site_config::x509::cert
+  include site_config::x509::key
   include site_config::x509::ca
   include x509::variables
@@ -41,7 +42,8 @@ class site_couchdb::stunnel {
     rndfile    => '/var/lib/stunnel4/.rnd',
     debuglevel => '4',
     require    => [
-      Class['Site_config::X509::Cert_key'],
+      Class['Site_config::X509::Key'],
+      Class['Site_config::X509::Cert'],
       Class['Site_config::X509::Ca'] ];
   }
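Review bot: The private key is read from hiera and handed to `x509::key` purely as `content`, with nothing in this class controlling how it lands on disk; the same applies to the new site_config::x509::key class later in this diff. Whether the key file gets a restrictive mode and whether its bytes stay out of agent reports and logs depends entirely on the `x509::key` define, which is outside this diff, so it is worth confirming it sets an owner-only mode and `show_diff => false` on the underlying file resource. A header comment would also help readers, e.g. `# Installs the commercially-signed server key from hiera['x509']['commercial_key'] under commercial_cert_name so it pairs with site_config::x509::commercial::cert.`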
@@ -60,7 +62,8 @@ class site_couchdb::stunnel {
     rndfile    => '/var/lib/stunnel4/.rnd',
     debuglevel => '4',
     require    => [
-      Class['Site_config::X509::Cert_key'],
+      Class['Site_config::X509::Key'],
+      Class['Site_config::X509::Cert'],
       Class['Site_config::X509::Ca'] ];
   }
@@ -89,7 +92,8 @@ class site_couchdb::stunnel {
     rndfile    => '/var/lib/stunnel4/.rnd',
     debuglevel => '4',
     require    => [
-      Class['Site_config::X509::Cert_key'],
+      Class['Site_config::X509::Key'],
+      Class['Site_config::X509::Cert'],
       Class['Site_config::X509::Ca'] ];
   }
diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp
index 527dc4a5..52c5f1d6 100644
--- a/puppet/modules/site_mx/manifests/init.pp
+++ b/puppet/modules/site_mx/manifests/init.pp
@@ -2,7 +2,8 @@ class site_mx {
   tag 'leap_service'
   Class['site_config::default'] -> Class['site_mx']
-  include site_config::x509::cert_key
+  include site_config::x509::cert
+  include site_config::x509::key
   include site_config::x509::ca
   include site_config::x509::client_ca
diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp
index a12ed3a2..bf0511d5 100644
--- a/puppet/modules/site_nickserver/manifests/init.pp
+++ b/puppet/modules/site_nickserver/manifests/init.pp
@@ -38,7 +38,8 @@ class site_nickserver {
   $address_domain  = $domain['full_suffix']
-  include site_config::x509::cert_key
+  include site_config::x509::cert
+  include site_config::x509::key
   include site_config::x509::ca
   #
@@ -126,7 +127,8 @@ class site_nickserver {
     hasstatus  => true,
     require    => [
       File['/etc/init.d/nickserver'],
-      Class['Site_config::X509::Cert_key'],
+      Class['Site_config::X509::Key'],
+      Class['Site_config::X509::Cert'],
       Class['Site_config::X509::Ca'] ];
   }
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 6ab0d430..bf72c8d6 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -20,7 +20,8 @@
 class site_openvpn {
   tag 'leap_service'
-  include site_config::x509::cert_key
+  include site_config::x509::cert
+  include site_config::x509::key
   include site_config::x509::ca_bundle
@@ -140,7 +141,8 @@ class site_openvpn {
     require     => [
       Package['openvpn'],
       File['/etc/openvpn'],
-      Class['Site_config::X509::Cert_key'],
+      Class['Site_config::X509::Key'],
+      Class['Site_config::X509::Cert'],
       Class['Site_config::X509::Ca_bundle'] ];
   }
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 32465e01..d56b526f 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -8,7 +8,8 @@ class site_postfix::mx {
   $root_mail_recipient = $mx_hash['contact']
   $postfix_smtp_listen = 'all'
-  include site_config::x509::cert_key
+  include site_config::x509::cert
+  include site_config::x509::key
   include site_config::x509::client_ca
   postfix::config {
@@ -48,7 +49,8 @@ submission inet n        -       n       -       -       smtpd
   -o smtpd_recipient_restrictions=\$submission_recipient_restrictions
   -o smtpd_helo_restrictions=\$submission_helo_restrictions",
     require             => [
-      Class['Site_config::X509::Cert_key'],
+      Class['Site_config::X509::Key'],
+      Class['Site_config::X509::Cert'],
       Class['Site_config::X509::Client_ca'],
       User['vmail'] ]
   }
diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp
index b2c8db1f..791fdbc5 100644
--- a/puppet/modules/site_stunnel/manifests/clients.pp
+++ b/puppet/modules/site_stunnel/manifests/clients.pp
@@ -23,7 +23,8 @@ define site_stunnel::clients (
     rndfile    => $rndfile,
     debuglevel => $debuglevel,
     require    => [
-      Class['Site_config::X509::Cert_key'],
+      Class['Site_config::X509::Key'],
+      Class['Site_config::X509::Cert'],
       Class['Site_config::X509::Ca'] ];
   }
diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp
index d604b00f..6a199b9e 100644
--- a/puppet/modules/site_webapp/manifests/apache.pp
+++ b/puppet/modules/site_webapp/manifests/apache.pp
@@ -7,19 +7,14 @@ class site_webapp::apache {
   $web_domain       = hiera('domain')
   $domain_name      = $web_domain['name']
-  $x509             = hiera('x509')
-  $commercial_key   = $x509['commercial_key']
-  $commercial_cert  = $x509['commercial_cert']
-  $commercial_root  = $x509['commercial_ca_cert']
-
-  include site_config::x509::cert_key
-  include site_config::x509::ca
-
   include x509::variables
+  include site_config::x509::commercial::cert
+  include site_config::x509::commercial::key
+  include site_config::x509::commercial::ca
-  X509::Cert[$site_config::params::cert_name] ~> Service[apache]
-  X509::Key[$site_config::params::cert_name]  ~> Service[apache]
-  X509::Ca[$site_config::params::ca_name]  ~> Service[apache]
+  Class['Site_config::X509::Commercial::Key'] ~> Service[apache]
+  Class['Site_config::X509::Commercial::Cert'] ~> Service[apache]
+  Class['Site_config::X509::Commercial::Ca'] ~> Service[apache]
   class { '::apache': no_default_site => true, ssl => true }
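Review bot: Removing `include site_config::x509::cert_key` and `include site_config::x509::ca` together with the `X509::Cert/Key/Ca[...] ~> Service[apache]` relationships leaves nothing in site_webapp::apache managing the non-commercial `leap` cert, key and CA, and Apache is no longer refreshed when they change. Unless another class included on webapp nodes still pulls them in, the api vhost rendered from `api.conf.erb` further down this class and the `public/ca.crt` symlink in site_webapp/init.pp (whose new target is `${x509::variables::local_CAs}/${site_config::params::ca_name}.crt`) may reference files that are no longer guaranteed to exist on the node. If the api vhost is meant to keep using the leap cert, the three includes and matching refresh relationships below should sit next to the commercial ones; the class body continues past both ends of the hunk.
```puppet
  include x509::variables
  include site_config::x509::commercial::cert
  include site_config::x509::commercial::key
  include site_config::x509::commercial::ca
  # keep the leap cert/key/CA managed here while api.conf.erb references them
  include site_config::x509::cert
  include site_config::x509::key
  include site_config::x509::ca

  Class['Site_config::X509::Commercial::Key'] ~> Service[apache]
  Class['Site_config::X509::Commercial::Cert'] ~> Service[apache]
  Class['Site_config::X509::Commercial::Ca'] ~> Service[apache]
  Class['Site_config::X509::Key'] ~> Service[apache]
  Class['Site_config::X509::Cert'] ~> Service[apache]
  Class['Site_config::X509::Ca'] ~> Service[apache]
  # … unchanged: class { '::apache': … } …
```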
@@ -39,21 +34,4 @@ class site_webapp::apache {
       content => template('site_apache/vhosts.d/api.conf.erb')
   }
-  x509::key {
-    'leap_webapp':
-      content => $commercial_key,
-      notify  => Service[apache];
-  }
-
-  x509::cert {
-    'leap_webapp':
-      content => $commercial_cert,
-      notify  => Service[apache];
-  }
-
-  x509::ca {
-    'leap_webapp':
-      content => $commercial_root,
-      notify  => Service[apache];
-  }
 }
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index 4b06cea6..e630875c 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -74,7 +74,7 @@ class site_webapp {
     '/srv/leap/webapp/public/ca.crt':
       ensure  => link,
       require => Vcsrepo['/srv/leap/webapp'],
-      target  => '/usr/local/share/ca-certificates/leap_api.crt';
+      target  => "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt";
     "/srv/leap/webapp/public/${api_version}":
       ensure  => directory,
diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp
index 0c073443..6ccd934a 100644
--- a/puppet/modules/soledad/manifests/server.pp
+++ b/puppet/modules/soledad/manifests/server.pp
@@ -9,7 +9,8 @@ class soledad::server {
   $couchdb_user     = $couchdb['couchdb_admin_user']['username']
   $couchdb_password = $couchdb['couchdb_admin_user']['password']
-  include site_config::x509::cert_key
+  include site_config::x509::cert
+  include site_config::x509::key
   include site_config::x509::ca
   $soledad      = hiera('soledad')
@@ -52,7 +53,8 @@ class soledad::server {
     require    => [
       Class['soledad'],
       Package['soledad-server'],
-      Class['Site_config::X509::Cert_key'],
+      Class['Site_config::X509::Key'],
+      Class['Site_config::X509::Cert'],
       Class['Site_config::X509::Ca'] ];
   } |
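Review bot: The new `target` for `/srv/leap/webapp/public/ca.crt` interpolates `${x509::variables::local_CAs}` and `${site_config::params::ca_name}`, which only resolve if both classes have been evaluated before this file resource is compiled; the hunk shows no `include x509::variables` in site_webapp itself, and relying on the include in site_webapp::apache makes the result depend on class evaluation order. An unevaluated class would interpolate as empty with only a compile-time warning, producing a symlink to a path that does not exist. Adding `include x509::variables` near the top of site_webapp, plus a `require` on the class that installs the CA (site_config::x509::ca, per the `${ca_name}.crt` naming) so the link target exists before the link, would make this robust; the enclosing file resource block starts before the hunk.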
