cdn-ops/global/overlay/etc/puppet/modules/cdn/manifests/ca.pp

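# Configure a SUNET CDN CA server (smallstep step-ca running in a container).
#
# Lays out /opt/step-ca on disk, installs the step CLI from a downloaded
# .deb, writes the initial secrets when they are present in Hiera under
# 'cdn::ca-secrets', opens the CA port in nftables and starts the compose
# service.
#
# @param step_ca_version  Version of step-ca. Not referenced in this class;
#                         presumably consumed by the docker-compose template.
# @param step_cli_version Version of the step CLI .deb fetched from
#                         dl.smallstep.com. Defaults to the value that was
#                         previously hard-coded in the download URL.
class cdn::ca(
  String $step_ca_version  = '0.27.4',
  String $step_cli_version = '0.27.4',
)
{
  # Optional hash with 'key_password' / 'provisioner_password' keys; undef
  # when the node has no secrets configured, in which case no secret files
  # are written.
  $ca_secrets = lookup({ 'name' => 'cdn::ca-secrets', 'default_value' => undef })

  # Single source of truth for the CLI package name, location and URL so the
  # version is not repeated across exec/package resources.
  $step_cli_deb_dir  = '/opt/step-ca/init/deb'
  $step_cli_deb      = "step-cli_${step_cli_version}-1_amd64.deb"
  $step_cli_deb_path = "${step_cli_deb_dir}/${step_cli_deb}"
  $step_cli_url      = "https://dl.smallstep.com/gh-release/cli/gh-release-header/v${step_cli_version}/${step_cli_deb}"

  file { '/opt/step-ca':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }
  # The owner/group matches the 'step' user in the step-ca container
  file { '/opt/step-ca/data':
    ensure => directory,
    owner  => '1000',
    group  => '1000',
    mode   => '0750',
  }
  # Files used for initial install of step-ca
  file { '/opt/step-ca/init':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }
  file { '/opt/step-ca/init/secrets':
    ensure => directory,
    owner  => '1000',
    group  => '1000',
    mode   => '0750',
  }
  file { '/opt/step-ca/init/scripts':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }
  file { '/opt/step-ca/init/scripts/set-provisioner-pw':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0755',
    content => file('cdn/ca/set-provisioner-pw'),
  }
  file { $step_cli_deb_dir:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }
  exec { 'download step-cli deb':
    # -f makes curl fail on HTTP errors instead of saving the error body as
    # the .deb; without it a bad download would satisfy 'creates' and mask
    # the failure on every later run. 'path' is required because the
    # command is not fully qualified.
    command => "curl -fsSLO ${step_cli_url}",
    cwd     => $step_cli_deb_dir,
    path    => ['/usr/bin', '/bin'],
    creates => $step_cli_deb_path,
    require => File[$step_cli_deb_dir],
  }
  # TODO(review): the package is trusted on TLS alone. Pin the release
  # checksum (<SHA256 from the smallstep release page>) and verify it before
  # installing, so a compromised or substituted download is rejected.
  # NOTE(review): installing from a local .deb path is provider-dependent; if
  # the default provider rejects 'source', set provider => 'dpkg'.
  package { 'step-cli':
    ensure  => present,
    source  => $step_cli_deb_path,
    # The .deb is produced by the exec, not a managed File, so it is not
    # autorequired and must be ordered explicitly.
    require => Exec['download step-cli deb'],
  }

  if $ca_secrets {
    # show_diff => false keeps password contents out of agent logs and
    # reports when the file changes.
    if $ca_secrets['key_password'] {
      file { '/opt/step-ca/init/secrets/key-password':
        ensure    => file,
        owner     => '1000',
        group     => '1000',
        mode      => '0640',
        show_diff => false,
        content   => template('cdn/ca/key-password.erb'),
      }
    }
    if $ca_secrets['provisioner_password'] {
      file { '/opt/step-ca/init/secrets/provisioner-password':
        ensure    => file,
        owner     => '1000',
        group     => '1000',
        mode      => '0640',
        show_diff => false,
        content   => template('cdn/ca/provisioner-password.erb'),
      }
    }
  }

  # Expose the CA API/ACME port on the primary interface to all clients.
  sunet::nftables::docker_expose { 'expose step-ca' :
    allow_clients => 'any',
    port          => 9000,
    iif           => $facts['networking']['primary'],
  }

  sunet::docker_compose { 'sunet-cdn-ca':
    content          => template('cdn/ca/docker-compose.yml.erb'),
    service_name     => 'cdn-ca',
    compose_dir      => '/opt/sunet-cdn/compose',
    compose_filename => 'docker-compose.yml',
    description      => 'SUNET CDN CA',
  }
}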