Add a sigul module with bridge and server classes. Adjust the sign-bridge1 node to use the new classes. Have sign-vault1 use the sigul::server class to get its configuration --- .../nodes/sign-bridge1.fedora.phx.redhat.com.pp | 17 +++- .../nodes/sign-vault1.fedora.phx.redhat.com.pp | 6 +- modules/sigul/files/server.conf | 47 +++++++++ modules/sigul/manifests/init.pp | 99 ++++++++++++++++++++ modules/sigul/templates/bridge.conf.erb | 30 ++++++ 5 files changed, 196 insertions(+), 3 deletions(-) create mode 100644 modules/sigul/files/server.conf create mode 100644 modules/sigul/manifests/init.pp create mode 100644 modules/sigul/templates/bridge.conf.erb diff --git a/manifests/nodes/sign-bridge1.fedora.phx.redhat.com.pp b/manifests/nodes/sign-bridge1.fedora.phx.redhat.com.pp index 3bfcb8a..6c5d295 100644 --- a/manifests/nodes/sign-bridge1.fedora.phx.redhat.com.pp +++ b/manifests/nodes/sign-bridge1.fedora.phx.redhat.com.pp @@ -3,7 +3,9 @@ node "sign-bridge1.fedora.phx.redhat.com" { include phx include fas::client #include global - #include pkgsigner + # Include the builder infrastructure so that we get the same rpm versions + include yum::repo::builder-infrastructure + include sigul::bridge # Hack but it's easy to predict and easy to follow: # exec { "disable-ssh": @@ -16,6 +18,17 @@ node "sign-bridge1.fedora.phx.redhat.com" { # command => '/etc/init.d/puppet stop; /sbin/chkconfig puppet off', # } + # Firewall Rules, allow sigul server through. + $tcpPorts = [ '44333' ] + $custom = [ ] + + iptables { '/etc/sysconfig/iptables': + content => template('system/iptables-template.conf.erb'), + } + + service { iptables: + ensure => running, + hasstatus => true, + } - } diff --git a/manifests/nodes/sign-vault1.fedora.phx.redhat.com.pp b/manifests/nodes/sign-vault1.fedora.phx.redhat.com.pp index 4c57d01..912d050 100644 --- a/manifests/nodes/sign-vault1.fedora.phx.redhat.com.pp +++ b/manifests/nodes/sign-vault1.fedora.phx.redhat.com.pp 
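Review bot: The second sign-bridge1 hunk opens only 44333 in `$tcpPorts`, yet the bridge.conf.erb hunk later in this patch has the bridge listening on 44334 for client connections as well, so remote clients will be dropped unless the template's default policy is more permissive than the comment "allow sigul server through" suggests. If clients are meant to reach this bridge, `$tcpPorts = [ '44333', '44334' ]` with a comment naming what each port is for; if they are not, a comment saying so keeps the next reader from "fixing" it. Nothing ties the `iptables` resource to the `service` either, so a changed ruleset is not reloaded unless the `iptables` define restarts the service itself; if it does not, `subscribe => Iptables['/etc/sysconfig/iptables']` on the service closes that gap.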
@@ -4,7 +4,9 @@ node "sign-vault1" { include phx include fas::client #include global - include pkgsigner + # Include the builder infrastructure so that we get the same rpm versions + include yum::repo::builder-infrastructure + include sigul::server # Hack but it's easy to predict and easy to follow: # exec { "disable-ssh": @@ -17,5 +19,7 @@ node "sign-vault1" { # command => '/etc/init.d/puppet stop; /sbin/chkconfig puppet off', # } +# Need iptables blocking everything here + } diff --git a/modules/sigul/files/server.conf b/modules/sigul/files/server.conf new file mode 100644 index 0000000..513cad5 --- /dev/null +++ b/modules/sigul/files/server.conf 
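Review bot: The vault is left with only the comment `# Need iptables blocking everything here` while the bridge node in this same patch gets a managed ruleset, so the host that holds the signing keys is the one without firewall management. If `system/iptables-template.conf.erb` yields a deny-by-default policy when no ports are listed (the sign-bridge1 hunk uses it with `$tcpPorts` and `$custom`), the same `iptables`/`service` pair with `$tcpPorts = [ ]` and `$custom = [ ]` would close this without a new template; if it does not, at least make the line a `# TODO:` marker so it is findable.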
@@ -0,0 +1,47 @@
+# This is a configuration for the sigul server.
+
+[server]
+# Host name of the publically acessible bridge to clients
+bridge-hostname: sign-bridge1
+# Port on which the bridge expects server connections
+bridge-port: 44333
+# Maximum accepted size of payload stored on disk
+max-file-payload-size: 1073741824
+# Maximum accepted size of payload stored in server's memory
+max-memory-payload-size: 1048576
+# Nickname of the server's certificate in the NSS database specified below
+server-cert-nickname: sigul-server-cert
+
+[database]
+# Path to a directory containing a SQLite database
+;database-path: /var/lib/sigul
+
+[gnupg]
+# Path to a directory containing GPG configuration and keyrings
+gnupg-home: /var/lib/sigul/gnupg
+# Default primary key type for newly created keys
+gnupg-key-type: RSA
+# Default primary key length for newly created keys
+gnupg-key-length: 4096
+# Default subkey type for newly created keys, empty for no subkey
+gnupg-subkey-type:
+# Default subkey length for newly created keys if gnupg-subkey-type is not empty
+; gnupg-subkey-length: 2048
+# Default key usage flags for newly created keys
+gnupg-key-usage: encrypt, sign
+# Length of key passphrases used for newsly created keys
+passphrase-length: 64
+
+[daemon]
+# The user to run as
+unix-user: sigul
+# The group to run as
+unix-group: sigul
+
+[nss]
+# Path to a directory containing a NSS database
+nss-dir: /var/lib/sigul
+# Password for accessing the NSS database. If not specified, the server will
+# ask on startup
+; nss-password is not specified by default
+
diff --git a/modules/sigul/manifests/init.pp b/modules/sigul/manifests/init.pp
new file mode 100644
index 0000000..be7023d
--- /dev/null
+++ b/modules/sigul/manifests/init.pp
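Review bot: `bridge-hostname: sign-bridge1` is a bare short name, so which host the server connects to (and, if sigul checks the bridge certificate against that name, whether the check passes) depends on the vault's resolver search path; the node manifests in this patch use the FQDN `sign-bridge1.fedora.phx.redhat.com`, and using it here removes that dependency. With `gnupg-subkey-type:` left empty, new keys get no subkey and signing is done with the primary key; if that is deliberate, a one-line comment saying why would help, since the commented defaults around it read as placeholders. Two comment typos while here: "publically acessible" → "publicly accessible", "newsly" → "newly".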
@@ -0,0 +1,99 @@
+class sigul {
+
+ package { "sigul":
+ ensure => installed,
+ }
+}
+
+class sigul::bridge inherits sigul {
+
+ package { "koji";
+ ensure => installed,
+ }
+
+ file { "/etc/sigul/bridge.conf":
+ owner => "root",
+ group => "sigul",
+ mode => 0640,
+ content => template("sigul/bridge.conf.erb")
+ require => Package["sigul"],
+ }
+
+ file { "/var/lib/sigul/cert8.db":
+ owner => "sigul",
+ group => "sigul",
+ mode => 0600,
+ source => "puppet:///config/secure/sigul_bridge_cert8.db",
+ require => Package["sigul"],
+ }
+
+ file { "/var/lib/sigul/key3.db":
+ owner => "sigul",
+ group => "sigul",
+ mode => 0600,
+ source => "puppet:///config/secure/sigul_bridge_key3.db",
+ require => Package["sigul"],
+ }
+
+ file { "/var/lib/sigul/secmod.db":
+ owner => "sigul",
+ group => "sigul",
+ mode => 0600,
+ source => "puppet:///config/secure/sigul_bridge_secmod.db",
+ require => Package["sigul"],
+ }
+
+ file { "/var/lib/sigul/.fedora-server-ca.cert":
+ owner => "sigul",
+ group => "sigul",
+ mode => 0644,
+ source => "puppet:///config/secure/fedora-ca.cert",
+ require => Package["sigul"],
+ }
+
+ file { "/var/lib/sigul/.fedora.cert":
+ owner => "sigul",
+ group => "sigul",
+ mode => 0644,
+ source => "puppet:///config/secure/sigul_key_and_cert.pem",
+ require => Package["sigul"],
+ }
+
+}
+
+class sigul::server inherits sigul {
+
+ file { "/etc/sigul/server.conf":
+ owner => "root",
+ group => "sigul",
+ mode => 0640,
+ source => "puppet:///sigul/server.conf"
+ require => Package["sigul"],
+ }
+
+ file { "/var/lib/sigul/cert8.db":
+ owner => "sigul",
+ group => "sigul",
+ mode => 0600,
+ source => "puppet:///config/secure/sigul_server_cert8.db",
+ require => Package["sigul"],
+ }
+
+ file { "/var/lib/sigul/key3.db":
+ owner => "sigul",
+ group => "sigul",
+ mode => 0600,
+ source => "puppet:///config/secure/sigul_server_key3.db",
+ require => Package["sigul"],
+ }
+
+ file { "/var/lib/sigul/secmod.db":
+ owner => "sigul",
+ group => "sigul",
+ mode => 0600,
+ source => "puppet:///config/secure/sigul_server_secmod.db",
+ require => Package["sigul"],
+ }
+
+}
+
diff --git a/modules/sigul/templates/bridge.conf.erb b/modules/sigul/templates/bridge.conf.erb
new file mode 100644
index 0000000..01f3ee9
--- /dev/null
+++ b/modules/sigul/templates/bridge.conf.erb
@@ -0,0 +1,30 @@
+# This is a configuration for the sigul bridge.
+
+[bridge]
+# Nickname of the bridge's certificate in the NSS database specified below
+bridge-cert-nickname: sigul-bridge-cert
+# Port on which the bridge expects client connections
+client-listen-port: 44334
+# Port on which the bridge expects server connections
+server-listen-port: 44333
+# A Fedora account system group required for access to the signing server. If
+# empty, no Fedora account check is done.
+#required-fas-group:
+required-fas-group: signers
+# User name and password for an account on the Fedora account system that can
+# be used to verify group memberships
+fas-user-name: fedoradummy
+fas-password: <%= fedoraDummyUserPassword %>
+
+[daemon]
+# The user to run as
+unix-user: sigul
+# The group to run as
+unix-group: sigul
+
+[nss]
+# Path to a directory containing a NSS database
+nss-dir: /var/lib/sigul
+# Password for accessing the NSS database. If not specified, the bridge will
+# ask on startup
+; nss-password:
-- 
1.5.5.6
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
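Review bot: Three lines in the new init.pp will not parse: `package { "koji";` uses `;` where the title needs `:`, and `content => template("sigul/bridge.conf.erb")` in sigul::bridge and `source => "puppet:///sigul/server.conf"` in sigul::server each lack the comma before the following `require` line. Separately, `/var/lib/sigul/.fedora.cert` is installed with `mode => 0644` from a source named `sigul_key_and_cert.pem`; if that PEM carries the private key its name suggests, it belongs at `mode => 0600` like the NSS database files beside it. Neither class manages or notifies a service, so a changed config or NSS database is not picked up until someone restarts the daemon by hand; a `service` resource with `subscribe` on these files is worth adding once the unit name is confirmed.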
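Review bot: `fas-password: <%= fedoraDummyUserPassword %>` renders whatever that variable holds in the including scope, and on older Puppet an unset template variable comes out as an empty string rather than an error, so a node missing the private definition silently gets a bridge with a blank FAS credential instead of a failed catalog. A guard at the top of the template, e.g. `<% raise "fedoraDummyUserPassword is not set" if fedoraDummyUserPassword.to_s.empty? %>`, or a `fail()` in sigul::bridge before the `template()` call, makes that misconfiguration loud; which form works depends on the Puppet version in use. The leftover `#required-fas-group:` line directly above `required-fas-group: signers` can also be dropped.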