Diffstat (limited to 'puppet')
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/api.conf.erb3
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb6
-rw-r--r--puppet/modules/site_config/manifests/params.pp10
-rw-r--r--puppet/modules/site_config/manifests/x509/cert.pp (renamed from puppet/modules/site_config/manifests/x509/cert_key.pp)7
-rw-r--r--puppet/modules/site_config/manifests/x509/commercial/ca.pp9
-rw-r--r--puppet/modules/site_config/manifests/x509/commercial/cert.pp10
-rw-r--r--puppet/modules/site_config/manifests/x509/commercial/key.pp9
-rw-r--r--puppet/modules/site_config/manifests/x509/key.pp9
-rw-r--r--puppet/modules/site_couchdb/manifests/stunnel.pp12
-rw-r--r--puppet/modules/site_mx/manifests/init.pp3
-rw-r--r--puppet/modules/site_nickserver/manifests/init.pp6
-rw-r--r--puppet/modules/site_openvpn/manifests/init.pp6
-rw-r--r--puppet/modules/site_postfix/manifests/mx.pp6
-rw-r--r--puppet/modules/site_stunnel/manifests/clients.pp3
-rw-r--r--puppet/modules/site_webapp/manifests/apache.pp34
-rw-r--r--puppet/modules/site_webapp/manifests/init.pp2
-rw-r--r--puppet/modules/soledad/manifests/server.pp6
17 files changed, 83 insertions, 58 deletions
diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
index 9e2dbcaf..5f1f4c1d 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -7,8 +7,7 @@
Listen 0.0.0.0:<%= api_port %>
<VirtualHost *:<%= api_port -%>>
- ServerName <%= domain_name %>
- ServerAlias <%= api_domain %>
+ ServerName <%= api_domain %>
SSLEngine on
SSLProtocol -all +SSLv3 +TLSv1
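Review bot: Folding `ServerAlias <%= api_domain %>` into `ServerName <%= api_domain %>` drops `<%= domain_name %>` from this vhost's name set, so a client or monitor that still reaches the API port by the bare domain will no longer be matched by name and falls back to Apache's default vhost selection for that port; confirm nothing depends on the old alias. Independently, the new side still carries `SSLProtocol -all +SSLv3 +TLSv1` two lines below the change, and SSLv3 is obsolete; if no client requires it, `SSLProtocol all -SSLv2 -SSLv3` would restrict this vhost to TLS. The enclosing `<VirtualHost>` block ends outside the hunk.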
diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb
index 3b376839..6059453b 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb
@@ -16,9 +16,9 @@
SSLHonorCipherOrder on
SSLCACertificatePath /etc/ssl/certs
- SSLCertificateChainFile /etc/ssl/certs/leap_webapp.pem
- SSLCertificateKeyFile /etc/x509/keys/leap_webapp.key
- SSLCertificateFile /etc/x509/certs/leap_webapp.crt
+ SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::commercial_ca_name') %>.crt
+ SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.key
+ SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::commercial_cert_name') %>.crt
RequestHeader set X_FORWARDED_PROTO 'https'
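Review bot: The chain file now points at the commercial CA as installed under the local-CA path (`<%= scope.lookupvar('x509::variables::local_CAs') %>/…commercial_ca_name.crt`), which only gives clients a complete chain if the `commercial_ca_cert` hiera value holds the intermediate(s) the server certificate was issued under rather than just the root; if it is the root alone, clients that do not already ship it cannot build the chain, so this is worth checking against the actual bundle. The three `scope.lookupvar('site_config::params::…')` calls also assume `site_config::params` has been evaluated before this template renders; if it is not yet in the catalog, lookupvar may return undef and the directives render with a bare `/.crt` path instead of failing. A comment above these lines such as `# paths come from x509::variables, names from site_config::params; both must be evaluated before this template renders` would capture the dependency. The `<VirtualHost>` block begins and ends outside the hunk.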
diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp
index 008a4e1f..59a161e8 100644
--- a/puppet/modules/site_config/manifests/params.pp
+++ b/puppet/modules/site_config/manifests/params.pp
@@ -23,8 +23,10 @@ class site_config::params {
fail("unable to determine a valid interface, please set a valid interface for this node in nodes/${::hostname}.json")
}
- $ca_name = 'leap_ca'
- $client_ca_name = 'leap_client_ca'
- $ca_bundle_name = 'leap_ca_bundle'
- $cert_name = 'leap'
+ $ca_name = 'leap_ca'
+ $client_ca_name = 'leap_client_ca'
+ $ca_bundle_name = 'leap_ca_bundle'
+ $cert_name = 'leap'
+ $commercial_ca_name = 'leap_commercial_ca'
+ $commercial_cert_name = 'leap_commercial'
}
diff --git a/puppet/modules/site_config/manifests/x509/cert_key.pp b/puppet/modules/site_config/manifests/x509/cert.pp
index d55c6cf2..7ed42959 100644
--- a/puppet/modules/site_config/manifests/x509/cert_key.pp
+++ b/puppet/modules/site_config/manifests/x509/cert.pp
@@ -1,13 +1,8 @@
-class site_config::x509::cert_key {
+class site_config::x509::cert {
$x509 = hiera('x509')
- $key = $x509['key']
$cert = $x509['cert']
- x509::key { $site_config::params::cert_name:
- content => $key
- }
-
x509::cert { $site_config::params::cert_name:
content => $cert
}
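Review bot: `$cert = $x509['cert']` is handed to `x509::cert` without checking that the hiera hash actually has the key, so a node whose `x509` data lacks it gets `content => undef` rather than a catalog failure; the same unguarded lookup appears in the new `site_config::x509::key`, `commercial::ca`, `commercial::cert` and `commercial::key` classes further down. A one-line guard after the assignment, e.g. `if ! $cert { fail("hiera 'x509' has no 'cert' for ${::fqdn}") }`, would turn a missing value into an explicit error before a service is started against an empty file. The class's closing brace is outside the hunk.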
diff --git a/puppet/modules/site_config/manifests/x509/commercial/ca.pp b/puppet/modules/site_config/manifests/x509/commercial/ca.pp
new file mode 100644
index 00000000..8f35759f
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/commercial/ca.pp
@@ -0,0 +1,9 @@
+class site_config::x509::commercial::ca {
+
+ $x509 = hiera('x509')
+ $ca = $x509['commercial_ca_cert']
+
+ x509::ca { $site_config::params::commercial_ca_name:
+ content => $ca
+ }
+}
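Review bot: Installing the commercial CA through `x509::ca` places it under the same `local_CAs` path the webapp template reads its chain file from (`x509::variables::local_CAs`), and if that defined type also refreshes the system CA bundle, the commercial root becomes trusted for every outbound TLS connection the host makes, not merely served as Apache's chain file. Commercial roots are normally already in the distribution bundle, so the trust effect is likely redundant and mainly widens what the node accepts; if the only need is the chain file, a plain `file` resource in a directory outside the trust store would serve it without that side effect. The new class also lacks a header comment; `# Installs the commercial CA so Apache can serve it as the TLS chain (see leap_webapp.conf.erb)` would record the why.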
diff --git a/puppet/modules/site_config/manifests/x509/commercial/cert.pp b/puppet/modules/site_config/manifests/x509/commercial/cert.pp
new file mode 100644
index 00000000..0c71a705
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/commercial/cert.pp
@@ -0,0 +1,10 @@
+class site_config::x509::commercial::cert {
+
+ $x509 = hiera('x509')
+ $cert = $x509['commercial_cert']
+
+ x509::cert { $site_config::params::commercial_cert_name:
+ content => $cert
+ }
+
+}
diff --git a/puppet/modules/site_config/manifests/x509/commercial/key.pp b/puppet/modules/site_config/manifests/x509/commercial/key.pp
new file mode 100644
index 00000000..d32e85ef
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/commercial/key.pp
@@ -0,0 +1,9 @@
+class site_config::x509::commercial::key {
+
+ $x509 = hiera('x509')
+ $key = $x509['commercial_key']
+
+ x509::key { $site_config::params::commercial_cert_name:
+ content => $key
+ }
+}
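Review bot: This class takes the private key straight from `$x509['commercial_key']` and passes it to `x509::key` with no owner, group or mode, so on-disk protection of the commercial key rests entirely on what `x509::key` applies by default; that is presumably 0600 root but is not visible here and is worth confirming, since Apache only needs to read it as root at start-up. Titling the key with `commercial_cert_name` rather than a key-specific name is consistent with `site_config::x509::key` using `cert_name` and keeps the `.key`/`.crt` pair aligned with the paths in leap_webapp.conf.erb. A header comment, e.g. `# Installs the commercial TLS private key; paired by name with site_config::x509::commercial::cert`, would make that pairing explicit.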
diff --git a/puppet/modules/site_config/manifests/x509/key.pp b/puppet/modules/site_config/manifests/x509/key.pp
new file mode 100644
index 00000000..32b59726
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/key.pp
@@ -0,0 +1,9 @@
+class site_config::x509::key {
+
+ $x509 = hiera('x509')
+ $key = $x509['key']
+
+ x509::key { $site_config::params::cert_name:
+ content => $key
+ }
+}
diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp
index 7ba303fe..87c35f05 100644
--- a/puppet/modules/site_couchdb/manifests/stunnel.pp
+++ b/puppet/modules/site_couchdb/manifests/stunnel.pp
@@ -20,7 +20,8 @@ class site_couchdb::stunnel {
- include site_config::x509::cert_key
+ include site_config::x509::cert
+ include site_config::x509::key
include site_config::x509::ca
include x509::variables
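Review bot: The `include site_config::x509::cert` / `include site_config::x509::key` pair added here, together with the matching two-element `require` list in the later hunks, is repeated verbatim in site_mx, site_nickserver, site_openvpn, site_postfix::mx, site_stunnel::clients and soledad::server in this same commit, so seven call sites must now stay in step whenever another artifact is added, which the old single `cert_key` class avoided. A thin wrapper class that includes both and serves as the single `Class[...]` dependency target would keep the split while restoring one point of reference. This is a point of style only; the rename itself appears consistent across the files shown. `class site_couchdb::stunnel` begins and ends outside the hunk.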
@@ -41,7 +42,8 @@ class site_couchdb::stunnel {
rndfile => '/var/lib/stunnel4/.rnd',
debuglevel => '4',
require => [
- Class['Site_config::X509::Cert_key'],
+ Class['Site_config::X509::Key'],
+ Class['Site_config::X509::Cert'],
Class['Site_config::X509::Ca'] ];
}
@@ -60,7 +62,8 @@ class site_couchdb::stunnel {
rndfile => '/var/lib/stunnel4/.rnd',
debuglevel => '4',
require => [
- Class['Site_config::X509::Cert_key'],
+ Class['Site_config::X509::Key'],
+ Class['Site_config::X509::Cert'],
Class['Site_config::X509::Ca'] ];
}
@@ -89,7 +92,8 @@ class site_couchdb::stunnel {
rndfile => '/var/lib/stunnel4/.rnd',
debuglevel => '4',
require => [
- Class['Site_config::X509::Cert_key'],
+ Class['Site_config::X509::Key'],
+ Class['Site_config::X509::Cert'],
Class['Site_config::X509::Ca'] ];
}
diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp
index 527dc4a5..52c5f1d6 100644
--- a/puppet/modules/site_mx/manifests/init.pp
+++ b/puppet/modules/site_mx/manifests/init.pp
@@ -2,7 +2,8 @@ class site_mx {
tag 'leap_service'
Class['site_config::default'] -> Class['site_mx']
- include site_config::x509::cert_key
+ include site_config::x509::cert
+ include site_config::x509::key
include site_config::x509::ca
include site_config::x509::client_ca
diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp
index a12ed3a2..bf0511d5 100644
--- a/puppet/modules/site_nickserver/manifests/init.pp
+++ b/puppet/modules/site_nickserver/manifests/init.pp
@@ -38,7 +38,8 @@ class site_nickserver {
$address_domain = $domain['full_suffix']
- include site_config::x509::cert_key
+ include site_config::x509::cert
+ include site_config::x509::key
include site_config::x509::ca
#
@@ -126,7 +127,8 @@ class site_nickserver {
hasstatus => true,
require => [
File['/etc/init.d/nickserver'],
- Class['Site_config::X509::Cert_key'],
+ Class['Site_config::X509::Key'],
+ Class['Site_config::X509::Cert'],
Class['Site_config::X509::Ca'] ];
}
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index 6ab0d430..bf72c8d6 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -20,7 +20,8 @@
class site_openvpn {
tag 'leap_service'
- include site_config::x509::cert_key
+ include site_config::x509::cert
+ include site_config::x509::key
include site_config::x509::ca_bundle
@@ -140,7 +141,8 @@ class site_openvpn {
require => [
Package['openvpn'],
File['/etc/openvpn'],
- Class['Site_config::X509::Cert_key'],
+ Class['Site_config::X509::Key'],
+ Class['Site_config::X509::Cert'],
Class['Site_config::X509::Ca_bundle'] ];
}
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index 32465e01..d56b526f 100644
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -8,7 +8,8 @@ class site_postfix::mx {
$root_mail_recipient = $mx_hash['contact']
$postfix_smtp_listen = 'all'
- include site_config::x509::cert_key
+ include site_config::x509::cert
+ include site_config::x509::key
include site_config::x509::client_ca
postfix::config {
@@ -48,7 +49,8 @@ submission inet n - n - - smtpd
-o smtpd_recipient_restrictions=\$submission_recipient_restrictions
-o smtpd_helo_restrictions=\$submission_helo_restrictions",
require => [
- Class['Site_config::X509::Cert_key'],
+ Class['Site_config::X509::Key'],
+ Class['Site_config::X509::Cert'],
Class['Site_config::X509::Client_ca'],
User['vmail'] ]
}
diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp
index b2c8db1f..791fdbc5 100644
--- a/puppet/modules/site_stunnel/manifests/clients.pp
+++ b/puppet/modules/site_stunnel/manifests/clients.pp
@@ -23,7 +23,8 @@ define site_stunnel::clients (
rndfile => $rndfile,
debuglevel => $debuglevel,
require => [
- Class['Site_config::X509::Cert_key'],
+ Class['Site_config::X509::Key'],
+ Class['Site_config::X509::Cert'],
Class['Site_config::X509::Ca'] ];
}
diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp
index d604b00f..6a199b9e 100644
--- a/puppet/modules/site_webapp/manifests/apache.pp
+++ b/puppet/modules/site_webapp/manifests/apache.pp
@@ -7,19 +7,14 @@ class site_webapp::apache {
$web_domain = hiera('domain')
$domain_name = $web_domain['name']
- $x509 = hiera('x509')
- $commercial_key = $x509['commercial_key']
- $commercial_cert = $x509['commercial_cert']
- $commercial_root = $x509['commercial_ca_cert']
-
- include site_config::x509::cert_key
- include site_config::x509::ca
-
include x509::variables
+ include site_config::x509::commercial::cert
+ include site_config::x509::commercial::key
+ include site_config::x509::commercial::ca
- X509::Cert[$site_config::params::cert_name] ~> Service[apache]
- X509::Key[$site_config::params::cert_name] ~> Service[apache]
- X509::Ca[$site_config::params::ca_name] ~> Service[apache]
+ Class['Site_config::X509::Commercial::Key'] ~> Service[apache]
+ Class['Site_config::X509::Commercial::Cert'] ~> Service[apache]
+ Class['Site_config::X509::Commercial::Ca'] ~> Service[apache]
class { '::apache': no_default_site => true, ssl => true }
@@ -39,21 +34,4 @@ class site_webapp::apache {
content => template('site_apache/vhosts.d/api.conf.erb')
}
- x509::key {
- 'leap_webapp':
- content => $commercial_key,
- notify => Service[apache];
- }
-
- x509::cert {
- 'leap_webapp':
- content => $commercial_cert,
- notify => Service[apache];
- }
-
- x509::ca {
- 'leap_webapp':
- content => $commercial_root,
- notify => Service[apache];
- }
}
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index 4b06cea6..e630875c 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -74,7 +74,7 @@ class site_webapp {
'/srv/leap/webapp/public/ca.crt':
ensure => link,
require => Vcsrepo['/srv/leap/webapp'],
- target => '/usr/local/share/ca-certificates/leap_api.crt';
+ target => "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt";
"/srv/leap/webapp/public/${api_version}":
ensure => directory,
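Review bot: The new link target `"${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"` is only correct if both `x509::variables` and `site_config::params` are evaluated before this resource is parsed; with Puppet's order-dependent variable lookup an unevaluated class yields undef, and the link would silently point at `/.crt`. It also depends on some class on the webapp node still installing `leap_ca`, while apache.pp in this same commit drops its `include site_config::x509::ca`, so confirm `site_config::x509::ca` is still reached for this role or the public `ca.crt` becomes a dangling symlink. Adding `include x509::variables` and `include site_config::x509::ca` to this class would make both dependencies local. `class site_webapp` begins and ends outside the hunk.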
diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp
index 0c073443..6ccd934a 100644
--- a/puppet/modules/soledad/manifests/server.pp
+++ b/puppet/modules/soledad/manifests/server.pp
@@ -9,7 +9,8 @@ class soledad::server {
$couchdb_user = $couchdb['couchdb_admin_user']['username']
$couchdb_password = $couchdb['couchdb_admin_user']['password']
- include site_config::x509::cert_key
+ include site_config::x509::cert
+ include site_config::x509::key
include site_config::x509::ca
$soledad = hiera('soledad')
@@ -52,7 +53,8 @@ class soledad::server {
require => [
Class['soledad'],
Package['soledad-server'],
- Class['Site_config::X509::Cert_key'],
+ Class['Site_config::X509::Key'],
+ Class['Site_config::X509::Cert'],
Class['Site_config::X509::Ca'] ];
}