Diffstat (limited to 'puppet')
| -rw-r--r-- | puppet/modules/site_config/manifests/params.pp | 6 | ||||
| -rw-r--r-- | puppet/modules/site_config/manifests/x509.pp | 9 | ||||
| -rw-r--r-- | puppet/modules/site_openvpn/manifests/server_config.pp | 6 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx.pp | 3 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx/tls.pp | 20 | 
5 files changed, 21 insertions, 23 deletions
diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp
index a4657457..008a4e1f 100644
--- a/puppet/modules/site_config/manifests/params.pp
+++ b/puppet/modules/site_config/manifests/params.pp
@@ -23,6 +23,8 @@ class site_config::params {
     fail("unable to determine a valid interface, please set a valid interface for this node in nodes/${::hostname}.json")
   }
-  $ca_name   = 'leap_ca'
-  $cert_name = 'leap'
+  $ca_name          = 'leap_ca'
+  $client_ca_name   = 'leap_client_ca'
+  $ca_bundle_name   = 'leap_ca_bundle'
+  $cert_name        = 'leap'
 }
diff --git a/puppet/modules/site_config/manifests/x509.pp b/puppet/modules/site_config/manifests/x509.pp
index 879285dd..8eca97e7 100644
--- a/puppet/modules/site_config/manifests/x509.pp
+++ b/puppet/modules/site_config/manifests/x509.pp
@@ -4,6 +4,7 @@ class site_config::x509 {
   $key       = $x509['key']
   $cert      = $x509['cert']
   $ca        = $x509['ca_cert']
+  $client_ca = $x509['client_ca_cert']
   x509::key { $site_config::params::cert_name:
     content => $key
@@ -16,4 +17,12 @@ class site_config::x509 {
   x509::ca { $site_config::params::ca_name:
     content => $ca
   }
+
+  x509::ca { $site_config::params::client_ca_name:
+    content => $client_ca
+  }
+
+  x509::ca { $site_config::params::ca_bundle_name:
+    content => "${ca}${client_ca}"
+  }
 }
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 5ba9812f..befeaef7 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
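Review bot: The bundle written for `$site_config::params::ca_bundle_name` in the second x509.pp hunk concatenates the two PEM blobs with nothing between them, so if the hiera `ca_cert` value does not end in a newline the `END CERTIFICATE` and `BEGIN CERTIFICATE` markers share one line and the file no longer parses as two certificates. A separator is harmless when the newline is already present, so `content => "${ca}\n${client_ca}"` is the safer form. Related, in the first x509.pp hunk `$client_ca = $x509['client_ca_cert']` is used without a presence check, so a missing hiera key silently produces an empty client CA file and a bundle that holds only the server CA; a guard such as `if $client_ca == '' { fail('x509 client_ca_cert is not set') }` would surface that at catalog compile time rather than at the first TLS handshake.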
@@ -80,15 +80,15 @@ define site_openvpn::server_config(
   openvpn::option {
     "ca ${openvpn_configname}":
         key     => 'ca',
-        value   => '/etc/openvpn/ca_bundle.pem',
+        value   => "${x509::variables::local_CAs}/${site_config::params::ca_bundle_name}.crt",
         server  => $openvpn_configname;
     "cert ${openvpn_configname}":
         key     => 'cert',
-        value   => '/etc/x509/certs/leap_openvpn.crt',
+        value   => "${x509::variables::certs}/${site_config::params::cert_name}.crt",
         server  => $openvpn_configname;
     "key ${openvpn_configname}":
         key     => 'key',
-        value   => '/etc/x509/keys/leap_openvpn.key',
+        value   => "${x509::variables::keys}/${site_config::params::cert_name}.key",
         server  => $openvpn_configname;
     "dh ${openvpn_configname}":
         key     => 'dh',
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 2d8f3db5..4a7d66ed 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -44,7 +44,6 @@ submission inet n        -       n       -       -       smtpd
   -o smtpd_tls_security_level=encrypt
   -o smtpd_recipient_restrictions=\$submission_recipient_restrictions
   -o smtpd_helo_restrictions=\$submission_helo_restrictions",
-    require             => [
-      X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ]
+    require             => Class['Site_config::X509']
   }
 }
diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp
index 8c9da9db..34df72bb 100644
--- a/puppet/modules/site_postfix/manifests/mx/tls.pp
+++ b/puppet/modules/site_postfix/manifests/mx/tls.pp
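Review bot: The new `ca`, `cert` and `key` values read `$site_config::params::*` and `$x509::variables::*` fully qualified, but nothing in this hunk includes either class or orders the options after `Class['Site_config::X509']`, so if those classes are not evaluated first the interpolations collapse to `/.crt`-style paths (Puppet warns and substitutes an empty string) and the service can be configured before the files exist; the enclosing define continues outside the hunk, so this may already be handled there. Since `ca` on the server side is the trust set that client certificates are verified against, bundling the server CA into it means a certificate issued by `leap_ca` would also pass client verification unless another directive rejects it; if only client certificates need verifying here, pointing `ca` at the `client_ca_name` file alone is the narrower choice. It is also worth confirming that the previous `/etc/openvpn/ca_bundle.pem` is removed by something, since a stale copy is easy to mistake for the live trust store.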
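Review bot: The replacement `require` in the mx.pp hunk drops `User['vmail']` from the dependency list, so this resource no longer waits for the vmail user even though the removed lines ordered it after that user; unless another relationship covers it, `require => [ Class['Site_config::X509'], User['vmail'] ]` keeps both orderings. The resource this attribute belongs to starts outside the hunk.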
@@ -1,26 +1,14 @@
 class site_postfix::mx::tls {
-  $x509                = hiera('x509')
-  $key                 = $x509['key']
-  $cert                = $x509['cert']
-  $client_ca           = $x509['client_ca_cert']
-
   include x509::variables
-  $cert_name = hiera('name')
-  $cert_path = "${x509::variables::certs}/${cert_name}.crt"
-  $key_path  = "${x509::variables::keys}/${cert_name}.key"
-
-  x509::key { $cert_name:
-    content => $key,
-  }
+  $ca_path   = "${x509::variables::local_CAs}/${site_config::params::client_ca_name}.crt"
+  $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
+  $key_path  = "${x509::variables::keys}/${site_config::params::cert_name}.key"
-  x509::cert { $cert_name:
-    content => $cert,
-  }
   postfix::config {
     'smtpd_use_tls':        value  => 'yes';
-    'smtpd_tls_CAfile':     value  => $client_ca;
+    'smtpd_tls_CAfile':     value  => $ca_path;
     'smtpd_tls_cert_file':  value  => $cert_path;
     'smtpd_tls_key_file':   value  => $key_path;
     'smtpd_tls_ask_ccert':  value  => 'yes';
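Review bot: The `postfix::config` entries for `smtpd_tls_CAfile`, `smtpd_tls_cert_file` and `smtpd_tls_key_file` now name files that `site_config::x509` writes, but this class no longer declares the `x509::key`/`x509::cert` resources itself and carries no relationship to `Class['Site_config::X509']`, so postfix can be (re)configured before the key and certificate exist and refuse to start TLS; the `require` added in mx.pp covers this only if it sits on the resource that reloads postfix, which is outside that hunk. The class also reads `$site_config::params::*` with no `include site_config::params` next to the kept `include x509::variables`, and if params is not guaranteed to be evaluated earlier the paths degrade to `/.crt`. An `include site_config::x509` at the top of the class, or `require => Class['Site_config::X509']` on the `postfix::config` block, would make the dependency explicit.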
