| -rw-r--r-- | provider_base/services/mx.json | 4 | ||||
| -rw-r--r-- | provider_base/services/webapp.json | 4 | ||||
| -rw-r--r-- | puppet/modules/site_config/manifests/params.pp | 6 | ||||
| -rw-r--r-- | puppet/modules/site_config/manifests/x509.pp | 9 | ||||
| -rw-r--r-- | puppet/modules/site_openvpn/manifests/server_config.pp | 6 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx.pp | 3 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx/tls.pp | 20 | 
7 files changed, 25 insertions, 27 deletions
diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json
index 25ccf4f0..f999dd23 100644
--- a/provider_base/services/mx.json
+++ b/provider_base/services/mx.json
@@ -12,8 +12,8 @@
   "x509": {
     "use": true,
     "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
-    "client_ca_cert": "= file_path :client_ca_cert",
-    "client_ca_key": "= file_path :client_ca_key",
+    "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
+    "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'",
     "commercial_cert": "= file [:commercial_cert, domain.full_suffix]",
     "commercial_key": "= file [:commercial_key, domain.full_suffix]",
     "commercial_ca_cert": "= try_file :commercial_ca_cert"
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index ee61e5ab..e47f047b 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -45,8 +45,8 @@
   "x509": {
     "use": true,
     "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
-    "client_ca_cert": "= file_path :client_ca_cert",
-    "client_ca_key": "= file_path :client_ca_key",
+    "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
+    "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'",
     "commercial_cert": "= file [:commercial_cert, domain.full_suffix]",
     "commercial_key": "= file [:commercial_key, domain.full_suffix]",
     "commercial_ca_cert": "= try_file :commercial_ca_cert"
diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp
index a4657457..008a4e1f 100644
--- a/puppet/modules/site_config/manifests/params.pp
+++ b/puppet/modules/site_config/manifests/params.pp
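Review bot: Switching `client_ca_key` from `file_path` to `file` in mx.json embeds the client CA's private key in every MX node's deployed config (x509.pp consumes `$x509['ca_cert']` and `$x509['client_ca_cert']`, obtained the same way, as file content), yet nothing on the mx role in this change uses that key — postfix's `smtpd_tls_CAfile` and the new `x509::ca` resource need only `client_ca_cert`. As far as this diff shows, signing client certificates is the webapp's job, so on mx the key is an additional copy of CA signing material to protect with no consumer. Unless something outside this diff reads `client_ca_key` on mx, drop that line from mx.json and keep it only in webapp.json.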
@@ -23,6 +23,8 @@ class site_config::params {
     fail("unable to determine a valid interface, please set a valid interface for this node in nodes/${::hostname}.json")
   }
-  $ca_name   = 'leap_ca'
-  $cert_name = 'leap'
+  $ca_name          = 'leap_ca'
+  $client_ca_name   = 'leap_client_ca'
+  $ca_bundle_name   = 'leap_ca_bundle'
+  $cert_name        = 'leap'
 }
diff --git a/puppet/modules/site_config/manifests/x509.pp b/puppet/modules/site_config/manifests/x509.pp
index 879285dd..8eca97e7 100644
--- a/puppet/modules/site_config/manifests/x509.pp
+++ b/puppet/modules/site_config/manifests/x509.pp
@@ -4,6 +4,7 @@ class site_config::x509 {
   $key       = $x509['key']
   $cert      = $x509['cert']
   $ca        = $x509['ca_cert']
+  $client_ca = $x509['client_ca_cert']
   x509::key { $site_config::params::cert_name:
     content => $key
@@ -16,4 +16,12 @@ class site_config::x509 {
   x509::ca { $site_config::params::ca_name:
     content => $ca
   }
+
+  x509::ca { $site_config::params::client_ca_name:
+    content => $client_ca
+  }
+
+  x509::ca { $site_config::params::ca_bundle_name:
+    content => "${ca}${client_ca}"
+  }
 }
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 5ba9812f..befeaef7 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
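Review bot: `content => "${ca}${client_ca}"` in the `leap_ca_bundle` resource only produces a valid two-certificate PEM file if `$ca` happens to end with a newline; otherwise the first block's `-----END CERTIFICATE-----` and the second's `-----BEGIN CERTIFICATE-----` share a line, OpenSSL's PEM reader stops after the first certificate without reporting an error, and every consumer of the bundle (server_config.pp points OpenVPN's `ca` at it) silently trusts only one CA. Use `content => "${ca}\n${client_ca}"` — a blank line between PEM blocks is ignored by the parser. The two values come from `hiera('x509')`, so whether they carry a trailing newline is decided outside this file and should not be relied on.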
@@ -80,15 +80,15 @@ define site_openvpn::server_config(
   openvpn::option {
     "ca ${openvpn_configname}":
         key     => 'ca',
-        value   => '/etc/openvpn/ca_bundle.pem',
+        value   => "${x509::variables::local_CAs}/${site_config::params::ca_bundle_name}.crt",
         server  => $openvpn_configname;
     "cert ${openvpn_configname}":
         key     => 'cert',
-        value   => '/etc/x509/certs/leap_openvpn.crt',
+        value   => "${x509::variables::certs}/${site_config::params::cert_name}.crt",
         server  => $openvpn_configname;
     "key ${openvpn_configname}":
         key     => 'key',
-        value   => '/etc/x509/keys/leap_openvpn.key',
+        value   => "${x509::variables::keys}/${site_config::params::cert_name}.key",
         server  => $openvpn_configname;
     "dh ${openvpn_configname}":
         key     => 'dh',
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 2d8f3db5..4a7d66ed 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -44,7 +44,6 @@ submission inet n        -       n       -       -       smtpd
   -o smtpd_tls_security_level=encrypt
   -o smtpd_recipient_restrictions=\$submission_recipient_restrictions
   -o smtpd_helo_restrictions=\$submission_helo_restrictions",
-    require             => [
-      X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ]
+    require             => Class['Site_config::X509']
   }
 }
diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp
index 8c9da9db..34df72bb 100644
--- a/puppet/modules/site_postfix/manifests/mx/tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/tls.pp
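Review bot: With `ca` pointed at `leap_ca_bundle.crt`, OpenVPN's peer-verification store holds the server CA as well as the client CA, so a certificate issued by the server CA — any node's `leap.crt`, which per the `cert`/`key` options now also serves this OpenVPN instance — would verify as a VPN client unless the config also sets `remote-cert-tls client` (or an equivalent EKU/nsCertType check); that option is not in this hunk, so confirm it is set elsewhere in `site_openvpn::server_config`, whose body starts above the hunk. If the old `/etc/openvpn/ca_bundle.pem` held the same two CAs this is pre-existing, but it deserves a comment on the `ca` option, e.g. `# server CA + client CA; client-cert scope is narrowed by remote-cert-tls client`. Separately, the three new paths name files written by `site_config::x509`, and unlike the mx.pp change nothing here orders these `openvpn::option` resources after `Class['site_config::x509']`; adding `require => Class['site_config::x509']` to them avoids a first-run race where OpenVPN is configured before the bundle exists.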
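Review bot: The replacement `require => Class['Site_config::X509']` also drops `User['vmail']` from the dependency list, so nothing visible still orders the `postfix` class declaration (which begins above the hunk) after the vmail user is created; unless that ordering is expressed elsewhere, keep both: `require => [ Class['Site_config::X509'], User['vmail'] ]`. Replacing `X509::Key[$cert_name]`/`X509::Cert[$cert_name]` with the class is fine provided `site_config::x509` is now the only place those resources are declared, which the tls.pp change in this commit suggests but this hunk cannot confirm.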
@@ -1,26 +1,14 @@  class site_postfix::mx::tls { -  $x509                = hiera('x509') -  $key                 = $x509['key'] -  $cert                = $x509['cert'] -  $client_ca           = $x509['client_ca_cert'] -    include x509::variables -  $cert_name = hiera('name') -  $cert_path = "${x509::variables::certs}/${cert_name}.crt" -  $key_path  = "${x509::variables::keys}/${cert_name}.key" - -  x509::key { $cert_name: -    content => $key, -  } +  $ca_path   = "${x509::variables::local_CAs}/${site_config::params::client_ca_name}.crt" +  $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" +  $key_path  = "${x509::variables::keys}/${site_config::params::cert_name}.key" -  x509::cert { $cert_name: -    content => $cert, -  }    postfix::config {      'smtpd_use_tls':        value  => 'yes'; -    'smtpd_tls_CAfile':     value  => $client_ca; +    'smtpd_tls_CAfile':     value  => $ca_path;      'smtpd_tls_cert_file':  value  => $cert_path;      'smtpd_tls_key_file':   value  => $key_path;      'smtpd_tls_ask_ccert':  value  => 'yes'; | 
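Review bot: The three new path assignments read `$site_config::params::client_ca_name` and `$site_config::params::cert_name`, but the class only includes `x509::variables`; if `site_config::params` has not already been evaluated earlier in the catalog, Puppet resolves those qualified variables to an empty value with a warning rather than an error, and `smtpd_tls_CAfile`/`smtpd_tls_cert_file`/`smtpd_tls_key_file` become paths ending in `/.crt` or `/.key` that only fail once Postfix attempts TLS. Add `include site_config::params` next to `include x509::variables` (or `include site_config::x509`, which also brings the resources that write these files into the same catalog). Pointing `smtpd_tls_CAfile` at the client CA alone is the right scope for `smtpd_tls_ask_ccert`, and a one-line comment on that entry would make the intent explicit, e.g. `# client CA only: verifies client certs requested via smtpd_tls_ask_ccert`.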
