summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/api.conf.erb6
-rw-r--r--puppet/modules/site_config/manifests/default.pp2
-rw-r--r--puppet/modules/site_config/manifests/x509.pp28
-rw-r--r--puppet/modules/site_config/manifests/x509/ca.pp9
-rw-r--r--puppet/modules/site_config/manifests/x509/ca_bundle.pp16
-rw-r--r--puppet/modules/site_config/manifests/x509/cert_key.pp15
-rw-r--r--puppet/modules/site_config/manifests/x509/client_ca.pp14
-rw-r--r--puppet/modules/site_couchdb/manifests/stunnel.pp20
-rw-r--r--puppet/modules/site_mx/manifests/init.pp5
-rw-r--r--puppet/modules/site_nickserver/manifests/init.pp27
-rw-r--r--puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb6
-rw-r--r--puppet/modules/site_openvpn/manifests/dh_key.pp10
-rw-r--r--puppet/modules/site_openvpn/manifests/init.pp17
-rw-r--r--puppet/modules/site_openvpn/manifests/keys.pp45
-rw-r--r--puppet/modules/site_postfix/manifests/mx.pp8
-rw-r--r--puppet/modules/site_stunnel/manifests/clients.pp6
-rw-r--r--puppet/modules/site_webapp/manifests/apache.pp24
-rw-r--r--puppet/modules/site_webapp/manifests/client_ca.pp25
-rw-r--r--puppet/modules/site_webapp/manifests/couchdb.pp17
-rw-r--r--puppet/modules/site_webapp/manifests/init.pp3
-rw-r--r--puppet/modules/site_webapp/templates/config.yml.erb4
-rw-r--r--puppet/modules/soledad/manifests/server.pp32
-rw-r--r--puppet/modules/soledad/templates/default-soledad.erb4
23 files changed, 153 insertions, 190 deletions
diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
index bc5ff156..5f1f4c1d 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -15,9 +15,9 @@ Listen 0.0.0.0:<%= api_port %>
SSLHonorCipherOrder on
SSLCACertificatePath /etc/ssl/certs
- SSLCertificateChainFile /etc/ssl/certs/leap_api.pem
- SSLCertificateKeyFile /etc/x509/keys/leap_api.key
- SSLCertificateFile /etc/x509/certs/leap_api.crt
+ SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt
+ SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key
+ SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt
RequestHeader set X_FORWARDED_PROTO 'https'
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp
index 13de82af..16932ab2 100644
--- a/puppet/modules/site_config/manifests/default.pp
+++ b/puppet/modules/site_config/manifests/default.pp
@@ -71,6 +71,4 @@ class site_config::default {
include site_squid_deb_proxy::client
}
- include site_config::x509
-
}
diff --git a/puppet/modules/site_config/manifests/x509.pp b/puppet/modules/site_config/manifests/x509.pp
deleted file mode 100644
index 8eca97e7..00000000
--- a/puppet/modules/site_config/manifests/x509.pp
+++ /dev/null
@@ -1,28 +0,0 @@
-class site_config::x509 {
-
- $x509 = hiera('x509')
- $key = $x509['key']
- $cert = $x509['cert']
- $ca = $x509['ca_cert']
- $client_ca = $x509['client_ca_cert']
-
- x509::key { $site_config::params::cert_name:
- content => $key
- }
-
- x509::cert { $site_config::params::cert_name:
- content => $cert
- }
-
- x509::ca { $site_config::params::ca_name:
- content => $ca
- }
-
- x509::ca { $site_config::params::client_ca_name:
- content => $client_ca
- }
-
- x509::ca { $site_config::params::ca_bundle_name:
- content => "${ca}${client_ca}"
- }
-}
diff --git a/puppet/modules/site_config/manifests/x509/ca.pp b/puppet/modules/site_config/manifests/x509/ca.pp
new file mode 100644
index 00000000..b16d0eeb
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/ca.pp
@@ -0,0 +1,9 @@
+class site_config::x509::ca {
+
+ $x509 = hiera('x509')
+ $ca = $x509['ca_cert']
+
+ x509::ca { $site_config::params::ca_name:
+ content => $ca
+ }
+}
diff --git a/puppet/modules/site_config/manifests/x509/ca_bundle.pp b/puppet/modules/site_config/manifests/x509/ca_bundle.pp
new file mode 100644
index 00000000..4cbe574a
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/ca_bundle.pp
@@ -0,0 +1,16 @@
+class site_config::x509::ca_bundle {
+
+ # CA bundle -- we want to have the possibility of allowing multiple CAs.
+ # For now, the reason is to transition to using client CA. In the future,
+ # we will want to be able to smoothly phase out one CA and phase in another.
+ # I tried "--capath" for this, but it did not work.
+
+
+ $x509 = hiera('x509')
+ $ca = $x509['ca_cert']
+ $client_ca = $x509['client_ca_cert']
+
+ x509::ca { $site_config::params::ca_bundle_name:
+ content => "${ca}${client_ca}"
+ }
+}
diff --git a/puppet/modules/site_config/manifests/x509/cert_key.pp b/puppet/modules/site_config/manifests/x509/cert_key.pp
new file mode 100644
index 00000000..d55c6cf2
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/cert_key.pp
@@ -0,0 +1,15 @@
+class site_config::x509::cert_key {
+
+ $x509 = hiera('x509')
+ $key = $x509['key']
+ $cert = $x509['cert']
+
+ x509::key { $site_config::params::cert_name:
+ content => $key
+ }
+
+ x509::cert { $site_config::params::cert_name:
+ content => $cert
+ }
+
+}
diff --git a/puppet/modules/site_config/manifests/x509/client_ca.pp b/puppet/modules/site_config/manifests/x509/client_ca.pp
new file mode 100644
index 00000000..3e914cf5
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/client_ca.pp
@@ -0,0 +1,14 @@
+class site_config::x509::client_ca {
+
+ ##
+ ## This is for the special CA that is used exclusively for generating
+ ## client certificates by the webapp.
+ ##
+
+ $x509 = hiera('x509')
+ $client_ca = $x509['client_ca_cert']
+
+ x509::ca { $site_config::params::client_ca_name:
+ content => $client_ca
+ }
+}
diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp
index 993555cb..7ba303fe 100644
--- a/puppet/modules/site_couchdb/manifests/stunnel.pp
+++ b/puppet/modules/site_couchdb/manifests/stunnel.pp
@@ -18,6 +18,11 @@ class site_couchdb::stunnel {
$ednp_server_connect = $ednp_server['connect']
$ednp_clients = $stunnel['ednp_clients']
+
+
+ include site_config::x509::cert_key
+ include site_config::x509::ca
+
include x509::variables
$ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"
$cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
@@ -34,7 +39,10 @@ class site_couchdb::stunnel {
verify => '2',
pid => '/var/run/stunnel4/couchserver.pid',
rndfile => '/var/lib/stunnel4/.rnd',
- debuglevel => '4'
+ debuglevel => '4',
+ require => [
+ Class['Site_config::X509::Cert_key'],
+ Class['Site_config::X509::Ca'] ];
}
@@ -50,7 +58,10 @@ class site_couchdb::stunnel {
verify => '2',
pid => '/var/run/stunnel4/epmd_server.pid',
rndfile => '/var/lib/stunnel4/.rnd',
- debuglevel => '4'
+ debuglevel => '4',
+ require => [
+ Class['Site_config::X509::Cert_key'],
+ Class['Site_config::X509::Ca'] ];
}
# setup stunnel clients for Erlang Port Mapper Daemon (epmd) to connect
@@ -76,7 +87,10 @@ class site_couchdb::stunnel {
verify => '2',
pid => '/var/run/stunnel4/ednp_server.pid',
rndfile => '/var/lib/stunnel4/.rnd',
- debuglevel => '4'
+ debuglevel => '4',
+ require => [
+ Class['Site_config::X509::Cert_key'],
+ Class['Site_config::X509::Ca'] ];
}
# setup stunnel clients for Erlang Distributed Node Protocol (ednp) to connect
diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp
index 3d8469fd..527dc4a5 100644
--- a/puppet/modules/site_mx/manifests/init.pp
+++ b/puppet/modules/site_mx/manifests/init.pp
@@ -2,6 +2,11 @@ class site_mx {
tag 'leap_service'
Class['site_config::default'] -> Class['site_mx']
+ include site_config::x509::cert_key
+ include site_config::x509::ca
+ include site_config::x509::client_ca
+
+
include site_postfix::mx
include site_mx::haproxy
include site_shorewall::mx
diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp
index 45503d8a..a12ed3a2 100644
--- a/puppet/modules/site_nickserver/manifests/init.pp
+++ b/puppet/modules/site_nickserver/manifests/init.pp
@@ -36,10 +36,10 @@ class site_nickserver {
# temporarily for now:
$domain = hiera('domain')
$address_domain = $domain['full_suffix']
- $x509 = hiera('x509')
- $x509_key = $x509['key']
- $x509_cert = $x509['cert']
- $x509_ca = $x509['ca_cert']
+
+
+ include site_config::x509::cert_key
+ include site_config::x509::ca
#
# USER AND GROUP
@@ -124,7 +124,10 @@ class site_nickserver {
enable => true,
hasrestart => true,
hasstatus => true,
- require => File['/etc/init.d/nickserver'];
+ require => [
+ File['/etc/init.d/nickserver'],
+ Class['Site_config::X509::Cert_key'],
+ Class['Site_config::X509::Ca'] ];
}
#
@@ -160,18 +163,4 @@ class site_nickserver {
content => template('site_nickserver/nickserver-proxy.conf.erb')
}
- x509::key { 'nickserver':
- content => $x509_key,
- notify => Service[apache];
- }
-
- x509::cert { 'nickserver':
- content => $x509_cert,
- notify => Service[apache];
- }
-
- x509::ca { 'nickserver':
- content => $x509_ca,
- notify => Service[apache];
- }
}
diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb
index 67896cd3..ae06410e 100644
--- a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb
+++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb
@@ -14,9 +14,9 @@ Listen 0.0.0.0:<%= @nickserver_port -%>
SSLHonorCipherOrder on
SSLCACertificatePath /etc/ssl/certs
- SSLCertificateChainFile /etc/ssl/certs/nickserver.pem
- SSLCertificateKeyFile /etc/x509/keys/nickserver.key
- SSLCertificateFile /etc/x509/certs/nickserver.crt
+ SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt
+ SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key
+ SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt
ProxyPass / http://localhost:<%= @nickserver_local_port %>/
ProxyPreserveHost On # preserve Host header in HTTP request
diff --git a/puppet/modules/site_openvpn/manifests/dh_key.pp b/puppet/modules/site_openvpn/manifests/dh_key.pp
new file mode 100644
index 00000000..13cc0f5b
--- /dev/null
+++ b/puppet/modules/site_openvpn/manifests/dh_key.pp
@@ -0,0 +1,10 @@
+class site_openvpn::dh_key {
+
+ $x509_config = hiera('x509')
+
+ file { '/etc/openvpn/keys/dh.pem':
+ content => $x509_config['dh'],
+ mode => '0644',
+ }
+
+}
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index fe5ef87f..6ab0d430 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -20,10 +20,13 @@
class site_openvpn {
tag 'leap_service'
+ include site_config::x509::cert_key
+ include site_config::x509::ca_bundle
+
+
Class['site_config::default'] -> Class['site_openvpn']
-
+
$openvpn_config = hiera('openvpn')
- $x509_config = hiera('x509')
$openvpn_ports = $openvpn_config['ports']
if $::ec2_instance_id {
@@ -58,8 +61,8 @@ class site_openvpn {
$openvpn_limited_udp_cidr = '21'
}
- # deploy ca + server keys
- include site_openvpn::keys
+ # deploy dh keys
+ include site_openvpn::dh_key
if $openvpn_allow_unlimited and $openvpn_allow_limited {
$unlimited_gateway_address = $openvpn_gateway_address
@@ -134,7 +137,11 @@ class site_openvpn {
command => '/etc/init.d/openvpn restart',
refreshonly => true,
subscribe => File['/etc/openvpn'],
- require => [ Package['openvpn'], File['/etc/openvpn'] ];
+ require => [
+ Package['openvpn'],
+ File['/etc/openvpn'],
+ Class['Site_config::X509::Cert_key'],
+ Class['Site_config::X509::Ca_bundle'] ];
}
cron { 'add_gateway_ips.sh':
diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp
deleted file mode 100644
index 864bbd9b..00000000
--- a/puppet/modules/site_openvpn/manifests/keys.pp
+++ /dev/null
@@ -1,45 +0,0 @@
-class site_openvpn::keys {
-
- x509::key {
- 'leap_openvpn':
- content => $site_openvpn::x509_config['key'],
- notify => Service[openvpn];
- }
-
- x509::cert {
- 'leap_openvpn':
- content => $site_openvpn::x509_config['cert'],
- notify => Service[openvpn];
- }
-
- file { '/etc/openvpn/keys/dh.pem':
- content => $site_openvpn::x509_config['dh'],
- mode => '0644',
- }
-
- #
- # CA bundle -- we want to have the possibility of allowing multiple CAs.
- # For now, the reason is to transition to using client CA. In the future,
- # we will want to be able to smoothly phase out one CA and phase in another.
- # I tried "--capath" for this, but it did not work.
- #
-
- concat {
- '/etc/openvpn/ca_bundle.pem':
- owner => root,
- group => root,
- mode => 644,
- warn => true,
- notify => Service['openvpn'];
- }
-
- concat::fragment {
- 'client_ca_cert':
- content => $site_openvpn::x509_config['client_ca_cert'],
- target => '/etc/openvpn/ca_bundle.pem';
- 'ca_cert':
- content => $site_openvpn::x509_config['ca_cert'],
- target => '/etc/openvpn/ca_bundle.pem';
- }
-
-}
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 4a7d66ed..32465e01 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -8,6 +8,9 @@ class site_postfix::mx {
$root_mail_recipient = $mx_hash['contact']
$postfix_smtp_listen = 'all'
+ include site_config::x509::cert_key
+ include site_config::x509::client_ca
+
postfix::config {
'mydestination':
value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
@@ -44,6 +47,9 @@ submission inet n - n - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_recipient_restrictions=\$submission_recipient_restrictions
-o smtpd_helo_restrictions=\$submission_helo_restrictions",
- require => Class['Site_config::X509']
+ require => [
+ Class['Site_config::X509::Cert_key'],
+ Class['Site_config::X509::Client_ca'],
+ User['vmail'] ]
}
}
diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp
index ed766e1a..b2c8db1f 100644
--- a/puppet/modules/site_stunnel/manifests/clients.pp
+++ b/puppet/modules/site_stunnel/manifests/clients.pp
@@ -21,6 +21,10 @@ define site_stunnel::clients (
verify => $verify,
pid => "/var/run/stunnel4/${pid}.pid",
rndfile => $rndfile,
- debuglevel => $debuglevel
+ debuglevel => $debuglevel,
+ require => [
+ Class['Site_config::X509::Cert_key'],
+ Class['Site_config::X509::Ca'] ];
+
}
}
diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp
index 4331afe4..3dd1c4c7 100644
--- a/puppet/modules/site_webapp/manifests/apache.pp
+++ b/puppet/modules/site_webapp/manifests/apache.pp
@@ -8,9 +8,15 @@ class site_webapp::apache {
$commercial_key = $x509['commercial_key']
$commercial_cert = $x509['commercial_cert']
$commercial_root = $x509['commercial_ca_cert']
- $api_key = $x509['key']
- $api_cert = $x509['cert']
- $api_root = $x509['ca_cert']
+
+ include site_config::x509::cert_key
+ include site_config::x509::ca
+
+ include x509::variables
+
+ X509::Cert[$site_config::params::cert_name] ~> Service[apache]
+ X509::Key[$site_config::params::cert_name] ~> Service[apache]
+ X509::Ca[$site_config::params::ca_name] ~> Service[apache]
class { '::apache': no_default_site => true, ssl => true }
@@ -34,29 +40,17 @@ class site_webapp::apache {
'leap_webapp':
content => $commercial_key,
notify => Service[apache];
-
- 'leap_api':
- content => $api_key,
- notify => Service[apache];
}
x509::cert {
'leap_webapp':
content => $commercial_cert,
notify => Service[apache];
-
- 'leap_api':
- content => $api_cert,
- notify => Service[apache];
}
x509::ca {
'leap_webapp':
content => $commercial_root,
notify => Service[apache];
-
- 'leap_api':
- content => $api_root,
- notify => Service[apache];
}
}
diff --git a/puppet/modules/site_webapp/manifests/client_ca.pp b/puppet/modules/site_webapp/manifests/client_ca.pp
deleted file mode 100644
index 0d9b15d6..00000000
--- a/puppet/modules/site_webapp/manifests/client_ca.pp
+++ /dev/null
@@ -1,25 +0,0 @@
-##
-## This is for the special CA that is used exclusively for generating
-## client certificates by the webapp.
-##
-
-class site_webapp::client_ca {
- include x509::variables
-
- $x509 = hiera('x509')
- $cert_path = "${x509::variables::certs}/leap_client_ca.crt"
- $key_path = "${x509::variables::keys}/leap_client_ca.key"
-
- x509::key {
- 'leap_client_ca':
- source => $x509['client_ca_key'],
- group => 'leap-webapp',
- notify => Service[apache];
- }
-
- x509::cert {
- 'leap_client_ca':
- source => $x509['client_ca_cert'],
- notify => Service[apache];
- }
-}
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index f9a4eb6b..5a5cccad 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -14,15 +14,6 @@ class site_webapp::couchdb {
$couch_client_connect = $couch_client['connect']
include x509::variables
- $x509 = hiera('x509')
- $key = $x509['key']
- $cert = $x509['cert']
- $ca = $x509['ca_cert']
- $cert_name = 'leap_couchdb'
- $ca_name = 'leap_ca'
- $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt"
- $cert_path = "${x509::variables::certs}/${cert_name}.crt"
- $key_path = "${x509::variables::keys}/${cert_name}.key"
file {
'/srv/leap/webapp/config/couchdb.yml.admin':
@@ -71,10 +62,10 @@ class site_webapp::couchdb {
$couchdb_stunnel_client_defaults = {
'connect_port' => $couch_client_connect,
- 'client' => true,
- 'cafile' => $ca_path,
- 'key' => $key_path,
- 'cert' => $cert_path,
+ 'client' => true,
+ 'cafile' => "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt",
+ 'key' => "${x509::variables::keys}/${site_config::params::cert_name}.key",
+ 'cert' => "${x509::variables::certs}/${site_config::params::cert_name}.crt",
}
create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults)
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index 97a75010..4b06cea6 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -16,8 +16,9 @@ class site_webapp {
include site_config::ruby
include site_webapp::apache
include site_webapp::couchdb
- include site_webapp::client_ca
include site_webapp::haproxy
+ include site_config::x509::cert_key
+ include site_config::x509::ca
group { 'leap-webapp':
ensure => present,
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb
index 05d62d41..0ce623fc 100644
--- a/puppet/modules/site_webapp/templates/config.yml.erb
+++ b/puppet/modules/site_webapp/templates/config.yml.erb
@@ -3,8 +3,8 @@ production:
admins: <%= @webapp['admins'].inspect %>
domain: <%= @provider_domain %>
force_ssl: <%= @webapp['secure'] %>
- client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %>
- client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %>
+ client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key
+ client_ca_cert: <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt
secret_token: "<%= @secret_token %>"
client_cert_lifespan: <%= cert_options['life_span'].to_i %>
client_cert_bit_size: <%= cert_options['bit_size'].to_i %>
diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp
index 393d416a..0c073443 100644
--- a/puppet/modules/soledad/manifests/server.pp
+++ b/puppet/modules/soledad/manifests/server.pp
@@ -9,29 +9,12 @@ class soledad::server {
$couchdb_user = $couchdb['couchdb_admin_user']['username']
$couchdb_password = $couchdb['couchdb_admin_user']['password']
- $x509 = hiera('x509')
- $x509_key = $x509['key']
- $x509_cert = $x509['cert']
- $x509_ca = $x509['ca_cert']
+ include site_config::x509::cert_key
+ include site_config::x509::ca
$soledad = hiera('soledad')
$soledad_port = $soledad['port']
- x509::key { 'soledad':
- content => $x509_key,
- notify => Service['soledad-server'];
- }
-
- x509::cert { 'soledad':
- content => $x509_cert,
- notify => Service['soledad-server'];
- }
-
- x509::ca { 'soledad':
- content => $x509_ca,
- notify => Service['soledad-server'];
- }
-
#
# SOLEDAD CONFIG
#
@@ -47,8 +30,9 @@ class soledad::server {
package { 'soledad-server':
ensure => latest,
- require => [ Class['site_apt::preferences::twisted'],
- Class['site_apt::leap_repo'] ];
+ require => [
+ Class['site_apt::preferences::twisted'],
+ Class['site_apt::leap_repo'] ];
}
file { '/etc/default/soledad':
@@ -65,7 +49,11 @@ class soledad::server {
enable => true,
hasstatus => true,
hasrestart => true,
- require => [ Class['soledad'], Package['soledad-server'] ];
+ require => [
+ Class['soledad'],
+ Package['soledad-server'],
+ Class['Site_config::X509::Cert_key'],
+ Class['Site_config::X509::Ca'] ];
}
include site_shorewall::soledad
diff --git a/puppet/modules/soledad/templates/default-soledad.erb b/puppet/modules/soledad/templates/default-soledad.erb
index fd38903a..32504e38 100644
--- a/puppet/modules/soledad/templates/default-soledad.erb
+++ b/puppet/modules/soledad/templates/default-soledad.erb
@@ -1,5 +1,5 @@
# this file is managed by puppet
START=yes
-CERT_PATH=/etc/x509/certs/soledad.crt
-PRIVKEY_PATH=/etc/x509/keys/soledad.key
+CERT_PATH=<%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt
+PRIVKEY_PATH=<%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key
HTTPS_PORT=<%=@soledad_port%>