23 files changed, 153 insertions, 190 deletions
diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
index bc5ff156..5f1f4c1d 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -15,9 +15,9 @@ Listen 0.0.0.0:<%= api_port %>
 SSLHonorCipherOrder on
 SSLCACertificatePath /etc/ssl/certs
- SSLCertificateChainFile /etc/ssl/certs/leap_api.pem
- SSLCertificateKeyFile /etc/x509/keys/leap_api.key
- SSLCertificateFile /etc/x509/certs/leap_api.crt
+ SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt
+ SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key
+ SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt
 RequestHeader set X_FORWARDED_PROTO 'https'
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp
index 13de82af..16932ab2 100644
--- a/puppet/modules/site_config/manifests/default.pp
+++ b/puppet/modules/site_config/manifests/default.pp
@@ -71,6 +71,4 @@ class site_config::default {
 include site_squid_deb_proxy::client
 }
- include site_config::x509
-
 }
diff --git a/puppet/modules/site_config/manifests/x509.pp b/puppet/modules/site_config/manifests/x509.pp
deleted file mode 100644
index 8eca97e7..00000000
--- a/puppet/modules/site_config/manifests/x509.pp
+++ /dev/null
@@ -1,28 +0,0 @@
-class site_config::x509 {
-
- $x509 = hiera('x509')
- $key = $x509['key']
- $cert = $x509['cert']
- $ca = $x509['ca_cert']
- $client_ca = $x509['client_ca_cert']
-
- x509::key { $site_config::params::cert_name:
- content => $key
- }
-
- x509::cert { $site_config::params::cert_name:
- content => $cert
- }
-
- x509::ca { $site_config::params::ca_name:
- content => $ca
- }
-
- x509::ca { $site_config::params::client_ca_name:
- content => $client_ca
- }
-
- x509::ca { $site_config::params::ca_bundle_name:
- content => "${ca}${client_ca}"
- }
-}
diff --git a/puppet/modules/site_config/manifests/x509/ca.pp b/puppet/modules/site_config/manifests/x509/ca.pp
new file mode 100644
index 00000000..b16d0eeb
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/ca.pp
@@ -0,0 +1,9 @@
+class site_config::x509::ca {
+
+ $x509 = hiera('x509')
+ $ca = $x509['ca_cert']
+
+ x509::ca { $site_config::params::ca_name:
+ content => $ca
+ }
+}
diff --git a/puppet/modules/site_config/manifests/x509/ca_bundle.pp b/puppet/modules/site_config/manifests/x509/ca_bundle.pp
new file mode 100644
index 00000000..4cbe574a
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/ca_bundle.pp
@@ -0,0 +1,16 @@
+class site_config::x509::ca_bundle {
+
+ # CA bundle -- we want to have the possibility of allowing multiple CAs.
+ # For now, the reason is to transition to using client CA. In the future,
+ # we will want to be able to smoothly phase out one CA and phase in another.
+ # I tried "--capath" for this, but it did not work.
+
+
+ $x509 = hiera('x509')
+ $ca = $x509['ca_cert']
+ $client_ca = $x509['client_ca_cert']
+
+ x509::ca { $site_config::params::ca_bundle_name:
+ content => "${ca}${client_ca}"
+ }
+}
diff --git a/puppet/modules/site_config/manifests/x509/cert_key.pp b/puppet/modules/site_config/manifests/x509/cert_key.pp
new file mode 100644
index 00000000..d55c6cf2
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/cert_key.pp
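Review bot: In ca_bundle.pp, `content => "${ca}${client_ca}"` concatenates two PEM blobs with no separator, so whether the bundle parses depends entirely on the hiera value `ca_cert` ending in a newline; if it does not, the client CA's `-----BEGIN CERTIFICATE-----` is appended to the previous `-----END` line and a PEM parser is unlikely to recover the second certificate, which would make verification against the client CA fail quietly. Writing `content => "${ca}\n${client_ca}"` removes that dependency on the input's formatting (an extra blank line between PEM blocks is harmless). The deleted `site_openvpn::keys` built the same bundle from `concat::fragment` resources, which did not have this problem.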
@@ -0,0 +1,15 @@ +class site_config::x509::cert_key { + + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + + x509::key { $site_config::params::cert_name: + content => $key + } + + x509::cert { $site_config::params::cert_name: + content => $cert + } + +} diff --git a/puppet/modules/site_config/manifests/x509/client_ca.pp b/puppet/modules/site_config/manifests/x509/client_ca.pp new file mode 100644 index 00000000..3e914cf5 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/client_ca.pp @@ -0,0 +1,14 @@ +class site_config::x509::client_ca { + + ## + ## This is for the special CA that is used exclusively for generating + ## client certificates by the webapp. + ## + + $x509 = hiera('x509') + $client_ca = $x509['client_ca_cert'] + + x509::ca { $site_config::params::client_ca_name: + content => $client_ca + } +} diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 993555cb..7ba303fe 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -18,6 +18,11 @@ class site_couchdb::stunnel { $ednp_server_connect = $ednp_server['connect'] $ednp_clients = $stunnel['ednp_clients'] + + + include site_config::x509::cert_key + include site_config::x509::ca + include x509::variables $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt" $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" @@ -34,7 +39,10 @@ class site_couchdb::stunnel { verify => '2', pid => '/var/run/stunnel4/couchserver.pid', rndfile => '/var/lib/stunnel4/.rnd', - debuglevel => '4' + debuglevel => '4', + require => [ + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Ca'] ]; } 
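Review bot: In cert_key.pp, `x509::key { $site_config::params::cert_name: content => $key }` installs one private key that, after this commit, is read by apache, stunnel, postfix, soledad-server, the nickserver apache vhost and openvpn, yet it sets neither `group` nor `mode`; the deleted `site_webapp::client_ca` used `group => 'leap-webapp'` to grant exactly one non-root reader. Whatever `x509::key`'s defaults are (its definition is not in this diff), a single node-wide key either has to stay root-only and be opened only by daemons that start as root, or it needs an explicit group shared by the non-root consumers, and the choice should be stated here with a comment such as `# node-wide TLS key: shared by every service on the node; keep it root-readable only unless a service opens it after dropping privileges`. Worth checking which of the consumers in this commit (stunnel4, soledad-server) read the key as their own user.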
@@ -50,7 +58,10 @@ class site_couchdb::stunnel {
 verify => '2',
 pid => '/var/run/stunnel4/epmd_server.pid',
 rndfile => '/var/lib/stunnel4/.rnd',
- debuglevel => '4'
+ debuglevel => '4',
+ require => [
+ Class['Site_config::X509::Cert_key'],
+ Class['Site_config::X509::Ca'] ];
 }
 # setup stunnel clients for Erlang Port Mapper Daemon (epmd) to connect
@@ -76,7 +87,10 @@ class site_couchdb::stunnel {
 verify => '2',
 pid => '/var/run/stunnel4/ednp_server.pid',
 rndfile => '/var/lib/stunnel4/.rnd',
- debuglevel => '4'
+ debuglevel => '4',
+ require => [
+ Class['Site_config::X509::Cert_key'],
+ Class['Site_config::X509::Ca'] ];
 }
 # setup stunnel clients for Erlang Distributed Node Protocol (ednp) to connect
diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp
index 3d8469fd..527dc4a5 100644
--- a/puppet/modules/site_mx/manifests/init.pp
+++ b/puppet/modules/site_mx/manifests/init.pp
@@ -2,6 +2,11 @@ class site_mx {
 tag 'leap_service'
 Class['site_config::default'] -> Class['site_mx']
+ include site_config::x509::cert_key
+ include site_config::x509::ca
+ include site_config::x509::client_ca
+
+
 include site_postfix::mx
 include site_mx::haproxy
 include site_shorewall::mx
diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp
index 45503d8a..a12ed3a2 100644
--- a/puppet/modules/site_nickserver/manifests/init.pp
+++ b/puppet/modules/site_nickserver/manifests/init.pp
@@ -36,10 +36,10 @@ class site_nickserver {
 # temporarily for now:
 $domain = hiera('domain')
 $address_domain = $domain['full_suffix']
- $x509 = hiera('x509')
- $x509_key = $x509['key']
- $x509_cert = $x509['cert']
- $x509_ca = $x509['ca_cert']
+
+
+ include site_config::x509::cert_key
+ include site_config::x509::ca
 #
 # USER AND GROUP
@@ -124,7 +124,10 @@ class site_nickserver {
 enable => true,
 hasrestart => true,
 hasstatus => true,
- require => File['/etc/init.d/nickserver'];
+ require => [
+ File['/etc/init.d/nickserver'],
+ Class['Site_config::X509::Cert_key'],
+ Class['Site_config::X509::Ca'] ];
 }
 #
@@ -160,18 +163,4 @@ class site_nickserver {
 content => template('site_nickserver/nickserver-proxy.conf.erb')
 }
- x509::key { 'nickserver':
- content => $x509_key,
- notify => Service[apache];
- }
-
- x509::cert { 'nickserver':
- content => $x509_cert,
- notify => Service[apache];
- }
-
- x509::ca { 'nickserver':
- content => $x509_ca,
- notify => Service[apache];
- }
 }
diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb
index 67896cd3..ae06410e 100644
--- a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb
+++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb
@@ -14,9 +14,9 @@ Listen 0.0.0.0:<%= @nickserver_port -%>
 SSLHonorCipherOrder on
 SSLCACertificatePath /etc/ssl/certs
- SSLCertificateChainFile /etc/ssl/certs/nickserver.pem
- SSLCertificateKeyFile /etc/x509/keys/nickserver.key
- SSLCertificateFile /etc/x509/certs/nickserver.crt
+ SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt
+ SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key
+ SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt
 ProxyPass / http://localhost:<%= @nickserver_local_port %>/
 ProxyPreserveHost On # preserve Host header in HTTP request
diff --git a/puppet/modules/site_openvpn/manifests/dh_key.pp b/puppet/modules/site_openvpn/manifests/dh_key.pp
new file mode 100644
index 00000000..13cc0f5b
--- /dev/null
+++ b/puppet/modules/site_openvpn/manifests/dh_key.pp
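Review bot: The `require` list added to the nickserver service only orders it after the x509 classes; the removed `x509::key`/`x509::cert`/`x509::ca { 'nickserver': ... notify => Service[apache] }` resources also refreshed apache, so after this hunk a rotated key or certificate is written to disk but the TLS-terminating daemon keeps serving the old one until an unrelated restart. The same regression is in site_openvpn/manifests/init.pp (the restart `exec` is `refreshonly` and subscribes only to `File['/etc/openvpn']`, while the deleted `site_openvpn::keys` notified `Service[openvpn]`) and in soledad/manifests/server.pp (the deleted resources notified `Service['soledad-server']`). site_webapp/manifests/apache.pp in this same commit shows the pattern to repeat: `X509::Key[$site_config::params::cert_name] ~> Service[apache]` together with the matching `X509::Cert[...]` and `X509::Ca[...]` lines, targeting the apache vhost here, the restart exec in openvpn and the soledad service. The service resource's title lies outside this hunk.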
@@ -0,0 +1,10 @@
+class site_openvpn::dh_key {
+
+ $x509_config = hiera('x509')
+
+ file { '/etc/openvpn/keys/dh.pem':
+ content => $x509_config['dh'],
+ mode => '0644',
+ }
+
+}
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index fe5ef87f..6ab0d430 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -20,10 +20,13 @@ class site_openvpn {
 tag 'leap_service'
+ include site_config::x509::cert_key
+ include site_config::x509::ca_bundle
+
+
 Class['site_config::default'] -> Class['site_openvpn']
-
+
 $openvpn_config = hiera('openvpn')
- $x509_config = hiera('x509')
 $openvpn_ports = $openvpn_config['ports']
 if $::ec2_instance_id {
@@ -58,8 +61,8 @@ class site_openvpn {
 $openvpn_limited_udp_cidr = '21'
 }
- # deploy ca + server keys
- include site_openvpn::keys
+ # deploy dh keys
+ include site_openvpn::dh_key
 if $openvpn_allow_unlimited and $openvpn_allow_limited {
 $unlimited_gateway_address = $openvpn_gateway_address
@@ -134,7 +137,11 @@ class site_openvpn {
 command => '/etc/init.d/openvpn restart',
 refreshonly => true,
 subscribe => File['/etc/openvpn'],
- require => [ Package['openvpn'], File['/etc/openvpn'] ];
+ require => [
+ Package['openvpn'],
+ File['/etc/openvpn'],
+ Class['Site_config::X509::Cert_key'],
+ Class['Site_config::X509::Ca_bundle'] ];
 }
 cron { 'add_gateway_ips.sh':
diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp
deleted file mode 100644
index 864bbd9b..00000000
--- a/puppet/modules/site_openvpn/manifests/keys.pp
+++ /dev/null
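Review bot: Nothing in this commit updates the OpenVPN server configuration for the relocated CA bundle: the deleted `site_openvpn::keys` wrote it to `/etc/openvpn/ca_bundle.pem`, whereas `site_config::x509::ca_bundle` (which `include site_config::x509::ca_bundle` pulls in here) declares it as `x509::ca { $site_config::params::ca_bundle_name }`, and by the paths the templates in this diff use for `x509::ca` resources that file lands under `x509::variables::local_CAs`. If the server template still names `/etc/openvpn/ca_bundle.pem` (it is not in the diff, so this is inferred), openvpn either fails to start or keeps verifying client certificates against a stale bundle that Puppet no longer manages. Either the template path needs to follow the move or the old file should be retired explicitly, e.g. `file { '/etc/openvpn/ca_bundle.pem': ensure => absent }`. Separately, the `# deploy dh keys` comment is misleading since DH parameters are public, so `# deploy DH parameters (public, not a key)` reads better.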
@@ -1,45 +0,0 @@
-class site_openvpn::keys {
-
- x509::key {
- 'leap_openvpn':
- content => $site_openvpn::x509_config['key'],
- notify => Service[openvpn];
- }
-
- x509::cert {
- 'leap_openvpn':
- content => $site_openvpn::x509_config['cert'],
- notify => Service[openvpn];
- }
-
- file { '/etc/openvpn/keys/dh.pem':
- content => $site_openvpn::x509_config['dh'],
- mode => '0644',
- }
-
- #
- # CA bundle -- we want to have the possibility of allowing multiple CAs.
- # For now, the reason is to transition to using client CA. In the future,
- # we will want to be able to smoothly phase out one CA and phase in another.
- # I tried "--capath" for this, but it did not work.
- #
-
- concat {
- '/etc/openvpn/ca_bundle.pem':
- owner => root,
- group => root,
- mode => 644,
- warn => true,
- notify => Service['openvpn'];
- }
-
- concat::fragment {
- 'client_ca_cert':
- content => $site_openvpn::x509_config['client_ca_cert'],
- target => '/etc/openvpn/ca_bundle.pem';
- 'ca_cert':
- content => $site_openvpn::x509_config['ca_cert'],
- target => '/etc/openvpn/ca_bundle.pem';
- }
-
-}
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 4a7d66ed..32465e01 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -8,6 +8,9 @@ class site_postfix::mx {
 $root_mail_recipient = $mx_hash['contact']
 $postfix_smtp_listen = 'all'
+ include site_config::x509::cert_key
+ include site_config::x509::client_ca
+
 postfix::config {
 'mydestination':
 value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
@@ -44,6 +47,9 @@ submission inet n - n - - smtpd
 -o smtpd_tls_security_level=encrypt
 -o smtpd_recipient_restrictions=\$submission_recipient_restrictions
 -o smtpd_helo_restrictions=\$submission_helo_restrictions",
- require => Class['Site_config::X509']
+ require => [
+ Class['Site_config::X509::Cert_key'],
+ Class['Site_config::X509::Client_ca'],
+ User['vmail'] ]
 }
 }
diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp
index ed766e1a..b2c8db1f 100644
--- a/puppet/modules/site_stunnel/manifests/clients.pp
+++ b/puppet/modules/site_stunnel/manifests/clients.pp
@@ -21,6 +21,10 @@ define site_stunnel::clients (
 verify => $verify,
 pid => "/var/run/stunnel4/${pid}.pid",
 rndfile => $rndfile,
- debuglevel => $debuglevel
+ debuglevel => $debuglevel,
+ require => [
+ Class['Site_config::X509::Cert_key'],
+ Class['Site_config::X509::Ca'] ];
+
 }
 }
diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp
index 4331afe4..3dd1c4c7 100644
--- a/puppet/modules/site_webapp/manifests/apache.pp
+++ b/puppet/modules/site_webapp/manifests/apache.pp
@@ -8,9 +8,15 @@ class site_webapp::apache {
 $commercial_key = $x509['commercial_key']
 $commercial_cert = $x509['commercial_cert']
 $commercial_root = $x509['commercial_ca_cert']
- $api_key = $x509['key']
- $api_cert = $x509['cert']
- $api_root = $x509['ca_cert']
+
+ include site_config::x509::cert_key
+ include site_config::x509::ca
+
+ include x509::variables
+
+ X509::Cert[$site_config::params::cert_name] ~> Service[apache]
+ X509::Key[$site_config::params::cert_name] ~> Service[apache]
+ X509::Ca[$site_config::params::ca_name] ~> Service[apache]
 class { '::apache': no_default_site => true, ssl => true }
@@ -34,29 +40,17 @@ class site_webapp::apache {
 'leap_webapp':
 content => $commercial_key,
 notify => Service[apache];
-
- 'leap_api':
- content => $api_key,
- notify => Service[apache];
 }
 x509::cert {
 'leap_webapp':
 content => $commercial_cert,
 notify => Service[apache];
-
- 'leap_api':
- content => $api_cert,
- notify => Service[apache];
 }
 x509::ca {
 'leap_webapp':
 content => $commercial_root,
 notify => Service[apache];
-
- 'leap_api':
- content => $api_root,
- notify => Service[apache];
 }
 }
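Review bot: `define site_stunnel::clients` now hard-depends on `Class['Site_config::X509::Cert_key']` and `Class['Site_config::X509::Ca']` but never includes them, so any node that instantiates the define without happening to include both classes fails catalog compilation with a missing-dependency error instead of simply getting the certificates it needs. Since `include` is idempotent, adding `include site_config::x509::cert_key` and `include site_config::x509::ca` at the top of the define (its body begins outside the hunk) makes the dependency self-contained; the callers visible in this diff (site_webapp, site_couchdb::stunnel) do include them, but that is coincidence rather than contract. The added `+` blank line before the closing braces is stray.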
diff --git a/puppet/modules/site_webapp/manifests/client_ca.pp b/puppet/modules/site_webapp/manifests/client_ca.pp
deleted file mode 100644
index 0d9b15d6..00000000
--- a/puppet/modules/site_webapp/manifests/client_ca.pp
+++ /dev/null
@@ -1,25 +0,0 @@
-##
-## This is for the special CA that is used exclusively for generating
-## client certificates by the webapp.
-##
-
-class site_webapp::client_ca {
- include x509::variables
-
- $x509 = hiera('x509')
- $cert_path = "${x509::variables::certs}/leap_client_ca.crt"
- $key_path = "${x509::variables::keys}/leap_client_ca.key"
-
- x509::key {
- 'leap_client_ca':
- source => $x509['client_ca_key'],
- group => 'leap-webapp',
- notify => Service[apache];
- }
-
- x509::cert {
- 'leap_client_ca':
- source => $x509['client_ca_cert'],
- notify => Service[apache];
- }
-}
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index f9a4eb6b..5a5cccad 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -14,15 +14,6 @@ class site_webapp::couchdb {
 $couch_client_connect = $couch_client['connect']
 include x509::variables
- $x509 = hiera('x509')
- $key = $x509['key']
- $cert = $x509['cert']
- $ca = $x509['ca_cert']
- $cert_name = 'leap_couchdb'
- $ca_name = 'leap_ca'
- $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt"
- $cert_path = "${x509::variables::certs}/${cert_name}.crt"
- $key_path = "${x509::variables::keys}/${cert_name}.key"
 file { '/srv/leap/webapp/config/couchdb.yml.admin':
@@ -71,10 +62,10 @@ class site_webapp::couchdb {
 $couchdb_stunnel_client_defaults = {
 'connect_port' => $couch_client_connect,
- 'client' => true,
- 'cafile' => $ca_path,
- 'key' => $key_path,
- 'cert' => $cert_path,
+ 'client' => true,
+ 'cafile' => "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt",
+ 'key' => "${x509::variables::keys}/${site_config::params::cert_name}.key",
+ 'cert' => "${x509::variables::certs}/${site_config::params::cert_name}.crt",
 }
 create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults)
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index 97a75010..4b06cea6 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -16,8 +16,9 @@ class site_webapp {
 include site_config::ruby
 include site_webapp::apache
 include site_webapp::couchdb
- include site_webapp::client_ca
 include site_webapp::haproxy
+ include site_config::x509::cert_key
+ include site_config::x509::ca
 group { 'leap-webapp':
 ensure => present,
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb
index 05d62d41..0ce623fc 100644
--- a/puppet/modules/site_webapp/templates/config.yml.erb
+++ b/puppet/modules/site_webapp/templates/config.yml.erb
@@ -3,8 +3,8 @@ production:
 admins: <%= @webapp['admins'].inspect %>
 domain: <%= @provider_domain %>
 force_ssl: <%= @webapp['secure'] %>
- client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %>
- client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %>
+ client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key
+ client_ca_cert: <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt
 secret_token: "<%= @secret_token %>"
 client_cert_lifespan: <%= cert_options['life_span'].to_i %>
 client_cert_bit_size: <%= cert_options['bit_size'].to_i %>
diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp
index 393d416a..0c073443 100644
--- a/puppet/modules/soledad/manifests/server.pp
+++ b/puppet/modules/soledad/manifests/server.pp
@@ -9,29 +9,12 @@ class soledad::server {
 $couchdb_user = $couchdb['couchdb_admin_user']['username']
 $couchdb_password = $couchdb['couchdb_admin_user']['password']
- $x509 = hiera('x509')
- $x509_key = $x509['key']
- $x509_cert = $x509['cert']
- $x509_ca = $x509['ca_cert']
+ include site_config::x509::cert_key
+ include site_config::x509::ca
 $soledad = hiera('soledad')
 $soledad_port = $soledad['port']
- x509::key { 'soledad':
- content => $x509_key,
- notify => Service['soledad-server'];
- }
-
- x509::cert { 'soledad':
- content => $x509_cert,
- notify => Service['soledad-server'];
- }
-
- x509::ca { 'soledad':
- content => $x509_ca,
- notify => Service['soledad-server'];
- }
-
 #
 # SOLEDAD CONFIG
 #
@@ -47,8 +30,9 @@ class soledad::server {
 package { 'soledad-server':
 ensure => latest,
- require => [ Class['site_apt::preferences::twisted'],
- Class['site_apt::leap_repo'] ];
+ require => [
+ Class['site_apt::preferences::twisted'],
+ Class['site_apt::leap_repo'] ];
 }
 file { '/etc/default/soledad':
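Review bot: The new `client_ca_key` and `client_ca_cert` values point the webapp at the node's server key and certificate (`site_config::params::cert_name`), not at the client CA: the deleted `site_webapp::client_ca` installed `leap_client_ca.key` from `$x509['client_ca_key']` with `group => 'leap-webapp'`, while the new `site_config::x509::client_ca` only installs `client_ca_cert` through `x509::ca`, so no manifest in this commit places the client CA private key on disk at all. Unless the server key doubles as the client CA key (nothing in the diff suggests it does), the webapp will either fail to issue client certificates or sign them with the TLS key, and granting `leap-webapp` read access to that file would hand the application the server's TLS private key. I would keep an `x509::key { $site_config::params::client_ca_name: content => $x509['client_ca_key'], group => 'leap-webapp' }` in the webapp module and point these two lines at it: `client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.key` and `client_ca_cert: <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.crt` (the cert path assumes `x509::ca` writes under `local_CAs`, as the other templates in this diff assume for `ca_name`).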
@@ -65,7 +49,11 @@ class soledad::server {
 enable => true,
 hasstatus => true,
 hasrestart => true,
- require => [ Class['soledad'], Package['soledad-server'] ];
+ require => [
+ Class['soledad'],
+ Package['soledad-server'],
+ Class['Site_config::X509::Cert_key'],
+ Class['Site_config::X509::Ca'] ];
 }
 include site_shorewall::soledad
diff --git a/puppet/modules/soledad/templates/default-soledad.erb b/puppet/modules/soledad/templates/default-soledad.erb
index fd38903a..32504e38 100644
--- a/puppet/modules/soledad/templates/default-soledad.erb
+++ b/puppet/modules/soledad/templates/default-soledad.erb
@@ -1,5 +1,5 @@
 # this file is managed by puppet
 START=yes
-CERT_PATH=/etc/x509/certs/soledad.crt
-PRIVKEY_PATH=/etc/x509/keys/soledad.key
+CERT_PATH=<%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt
+PRIVKEY_PATH=<%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key
 HTTPS_PORT=<%=@soledad_port%>