Diffstat (limited to 'puppet/modules')
| -rw-r--r-- | puppet/modules/site_config/manifests/default.pp | 2 | ||||
| -rw-r--r-- | puppet/modules/site_config/manifests/x509.pp | 28 | ||||
| -rw-r--r-- | puppet/modules/site_config/manifests/x509/ca.pp | 9 | ||||
| -rw-r--r-- | puppet/modules/site_config/manifests/x509/ca_bundle.pp | 10 | ||||
| -rw-r--r-- | puppet/modules/site_config/manifests/x509/cert_key.pp | 15 | ||||
| -rw-r--r-- | puppet/modules/site_config/manifests/x509/client_ca.pp | 9 | ||||
| -rw-r--r-- | puppet/modules/site_couchdb/manifests/stunnel.pp | 5 | ||||
| -rw-r--r-- | puppet/modules/site_mx/manifests/init.pp | 5 | ||||
| -rw-r--r-- | puppet/modules/site_nickserver/manifests/init.pp | 5 | ||||
| -rw-r--r-- | puppet/modules/site_openvpn/manifests/init.pp | 6 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx.pp | 8 | ||||
| -rw-r--r-- | puppet/modules/site_webapp/manifests/couchdb.pp | 2 | ||||
| -rw-r--r-- | puppet/modules/soledad/manifests/server.pp | 3 | 
13 files changed, 75 insertions, 32 deletions
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp
index 83a344a2..b27e99af 100644
--- a/puppet/modules/site_config/manifests/default.pp
+++ b/puppet/modules/site_config/manifests/default.pp
@@ -62,6 +62,4 @@ class site_config::default {
     include site_squid_deb_proxy::client
   }
-  include site_config::x509
-
 }
diff --git a/puppet/modules/site_config/manifests/x509.pp b/puppet/modules/site_config/manifests/x509.pp
deleted file mode 100644
index 8eca97e7..00000000
--- a/puppet/modules/site_config/manifests/x509.pp
+++ /dev/null
@@ -1,28 +0,0 @@
-class site_config::x509 {
-
-  $x509      = hiera('x509')
-  $key       = $x509['key']
-  $cert      = $x509['cert']
-  $ca        = $x509['ca_cert']
-  $client_ca = $x509['client_ca_cert']
-
-  x509::key { $site_config::params::cert_name:
-    content => $key
-  }
-
-  x509::cert { $site_config::params::cert_name:
-    content => $cert
-  }
-
-  x509::ca { $site_config::params::ca_name:
-    content => $ca
-  }
-
-  x509::ca { $site_config::params::client_ca_name:
-    content => $client_ca
-  }
-
-  x509::ca { $site_config::params::ca_bundle_name:
-    content => "${ca}${client_ca}"
-  }
-}
diff --git a/puppet/modules/site_config/manifests/x509/ca.pp b/puppet/modules/site_config/manifests/x509/ca.pp
new file mode 100644
index 00000000..b16d0eeb
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/ca.pp
@@ -0,0 +1,9 @@
+class site_config::x509::ca {
+
+  $x509      = hiera('x509')
+  $ca        = $x509['ca_cert']
+
+  x509::ca { $site_config::params::ca_name:
+    content => $ca
+  }
+}
diff --git a/puppet/modules/site_config/manifests/x509/ca_bundle.pp b/puppet/modules/site_config/manifests/x509/ca_bundle.pp
new file mode 100644
index 00000000..204f0a5e
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/ca_bundle.pp
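Review bot: None of the four new classes (site_config::x509::ca here, and ca_bundle, cert_key and client_ca in the following hunks) carries a header comment, so a reader has to open site_config::params and the x509 module to learn what each one lays down and which other classes must include it. A one-line comment above each `class` line would close that gap, e.g. for this file `# Manages the provider CA certificate taken from hiera('x509')['ca_cert'] under the name $site_config::params::ca_name; include it wherever that CA file path is referenced.` The split is otherwise a clear improvement over the monolithic site_config::x509, since a node no longer has to receive the private key just to get a CA file.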
@@ -0,0 +1,10 @@
+class site_config::x509::ca_bundle {
+
+  $x509      = hiera('x509')
+  $ca        = $x509['ca_cert']
+  $client_ca = $x509['client_ca_cert']
+
+  x509::ca { $site_config::params::ca_bundle_name:
+    content => "${ca}${client_ca}"
+  }
+}
diff --git a/puppet/modules/site_config/manifests/x509/cert_key.pp b/puppet/modules/site_config/manifests/x509/cert_key.pp
new file mode 100644
index 00000000..d55c6cf2
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/cert_key.pp
@@ -0,0 +1,15 @@
+class site_config::x509::cert_key {
+
+  $x509      = hiera('x509')
+  $key       = $x509['key']
+  $cert      = $x509['cert']
+
+  x509::key { $site_config::params::cert_name:
+    content => $key
+  }
+
+  x509::cert { $site_config::params::cert_name:
+    content => $cert
+  }
+
+}
diff --git a/puppet/modules/site_config/manifests/x509/client_ca.pp b/puppet/modules/site_config/manifests/x509/client_ca.pp
new file mode 100644
index 00000000..f91ea970
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/client_ca.pp
@@ -0,0 +1,9 @@
+class site_config::x509::client_ca {
+
+  $x509      = hiera('x509')
+  $client_ca = $x509['client_ca_cert']
+
+  x509::ca { $site_config::params::client_ca_name:
+    content => $client_ca
+  }
+}
diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp
index 993555cb..fbb75000 100644
--- a/puppet/modules/site_couchdb/manifests/stunnel.pp
+++ b/puppet/modules/site_couchdb/manifests/stunnel.pp
@@ -18,6 +18,11 @@ class site_couchdb::stunnel {
   $ednp_server_connect  = $ednp_server['connect']
   $ednp_clients         = $stunnel['ednp_clients']
+
+
+  include site_config::x509::cert_key
+  include site_config::x509::ca
+
   include x509::variables
   $ca_path   = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"
   $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
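Review bot: The bundle content `"${ca}${client_ca}"` in site_config::x509::ca_bundle joins the two PEM blobs with no separator, so the file is only well-formed if the `ca_cert` value in hiera happens to end with a newline; if it does not, `-----END CERTIFICATE-----` and the next `-----BEGIN CERTIFICATE-----` share a line and PEM parsers will typically read only the first certificate, leaving the client CA silently absent from the trust bundle. This is carried over from the deleted site_config::x509 rather than introduced here, but the new class is the natural place to make it robust, e.g. `content => "${ca}\n${client_ca}"` (a blank line between PEM blocks is tolerated by the usual readers, so a double newline when `ca_cert` already ends in one is harmless). A comment above the resource stating that the bundle is CA followed by client CA, in that order, would also help whoever next touches the consumers of `$site_config::params::ca_bundle_name`.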
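Review bot: With `include site_config::x509` removed from site_config::default, the certificate, key and CA files only exist on nodes whose service class explicitly includes the new site_config::x509::* classes, so a path such as `$ca_path` or `$cert_path` built here from `$site_config::params::ca_name` and `cert_name` now refers to a file nothing manages unless the matching include is present. The two includes added to site_couchdb::stunnel cover this class, but the same check is needed for every other manifest that derives file paths from those params and is not touched by this commit (the diffstat is limited to puppet/modules, so I cannot see the rest of the tree). A quick search for `site_config::params::ca_name`, `cert_name`, `client_ca_name` and `ca_bundle_name` outside the files in this diff before merging would confirm nothing was left depending on the old transitive include. The body of site_couchdb::stunnel continues outside the hunk.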
diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp
index 3d8469fd..527dc4a5 100644
--- a/puppet/modules/site_mx/manifests/init.pp
+++ b/puppet/modules/site_mx/manifests/init.pp
@@ -2,6 +2,11 @@ class site_mx {
   tag 'leap_service'
   Class['site_config::default'] -> Class['site_mx']
+  include site_config::x509::cert_key
+  include site_config::x509::ca
+  include site_config::x509::client_ca
+
+
   include site_postfix::mx
   include site_mx::haproxy
   include site_shorewall::mx
diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp
index 45503d8a..84b07e77 100644
--- a/puppet/modules/site_nickserver/manifests/init.pp
+++ b/puppet/modules/site_nickserver/manifests/init.pp
@@ -36,6 +36,11 @@ class site_nickserver {
   # temporarily for now:
   $domain          = hiera('domain')
   $address_domain  = $domain['full_suffix']
+
+
+  include site_config::x509::cert_key
+  include site_config::x509::ca
+
   $x509            = hiera('x509')
   $x509_key        = $x509['key']
   $x509_cert       = $x509['cert']
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index fe5ef87f..41f4c6d4 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -20,8 +20,12 @@
 class site_openvpn {
   tag 'leap_service'
+  include site_config::x509::cert_key
+  include site_config::x509::ca_bundle
+
+
   Class['site_config::default'] -> Class['site_openvpn']
-  
+
   $openvpn_config   = hiera('openvpn')
   $x509_config      = hiera('x509')
   $openvpn_ports    = $openvpn_config['ports']
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 4a7d66ed..32465e01 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -8,6 +8,9 @@ class site_postfix::mx {
   $root_mail_recipient = $mx_hash['contact']
   $postfix_smtp_listen = 'all'
+  include site_config::x509::cert_key
+  include site_config::x509::client_ca
+
   postfix::config {
     'mydestination':
       value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
@@ -44,6 +47,9 @@ submission inet n        -       n       -       -       smtpd
   -o smtpd_tls_security_level=encrypt
   -o smtpd_recipient_restrictions=\$submission_recipient_restrictions
   -o smtpd_helo_restrictions=\$submission_helo_restrictions",
-    require             => Class['Site_config::X509']
+    require             => [
+      Class['Site_config::X509::Cert_key'],
+      Class['Site_config::X509::Client_ca'],
+      User['vmail'] ]
   }
 }
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index f9a4eb6b..24f9279d 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -13,6 +13,8 @@ class site_webapp::couchdb {
   $couch_client            = $stunnel['couch_client']
   $couch_client_connect    = $couch_client['connect']
+  include site_config::x509::cert_key
+  include site_config::x509::ca
   include x509::variables
   $x509                    = hiera('x509')
   $key                     = $x509['key']
diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp
index 393d416a..c0af238c 100644
--- a/puppet/modules/soledad/manifests/server.pp
+++ b/puppet/modules/soledad/manifests/server.pp
@@ -9,6 +9,9 @@ class soledad::server {
   $couchdb_user     = $couchdb['couchdb_admin_user']['username']
   $couchdb_password = $couchdb['couchdb_admin_user']['password']
+  include site_config::x509::cert_key
+  include site_config::x509::ca
+
   $x509      = hiera('x509')
   $x509_key  = $x509['key']
   $x509_cert = $x509['cert']
