[PATCH] Setup sigul bridge and client

Jesse Keating jkeating at redhat.com
Sat Jul 25 03:53:24 UTC 2009


Add a sigul module with bridge and server classes.
Adjust the sign-bridge1 node to use the new classes.
---
 .../nodes/sign-bridge1.fedora.phx.redhat.com.pp    |   17 +++-
 modules/sigul/files/server.conf                    |   47 ++++++++++
 modules/sigul/manifests/init.pp                    |   97 ++++++++++++++++++++
 modules/sigul/templates/bridge.conf.erb            |   30 ++++++
 4 files changed, 189 insertions(+), 2 deletions(-)
 create mode 100644 modules/sigul/files/server.conf
 create mode 100644 modules/sigul/manifests/init.pp
 create mode 100644 modules/sigul/templates/bridge.conf.erb

diff --git a/manifests/nodes/sign-bridge1.fedora.phx.redhat.com.pp b/manifests/nodes/sign-bridge1.fedora.phx.redhat.com.pp
index 3bfcb8a..6c5d295 100644
--- a/manifests/nodes/sign-bridge1.fedora.phx.redhat.com.pp
+++ b/manifests/nodes/sign-bridge1.fedora.phx.redhat.com.pp
@@ -3,7 +3,9 @@ node "sign-bridge1.fedora.phx.redhat.com" {
     include phx
     include fas::client
     #include global
-    #include pkgsigner
+    # Include the builder infrastructure so that we get the same rpm versions
+    include yum::repo::builder-infrastructure
+    include sigul::bridge
 
     # Hack but it's easy to predict and easy to follow:
 #     exec { "disable-ssh":
@@ -16,6 +18,17 @@ node "sign-bridge1.fedora.phx.redhat.com" {
 #         command => '/etc/init.d/puppet stop; /sbin/chkconfig puppet off',
 #     }
 
+    # Firewall Rules, allow sigul server through.
+    $tcpPorts = [ '44333' ]
+    $custom = [ ]
+
+    iptables { '/etc/sysconfig/iptables':
+            content => template('system/iptables-template.conf.erb'),
+    }
+
+    service { iptables:
+        ensure => running,
+        hasstatus => true,
+    }
 
-  
 }
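Review bot: The firewall addition only opens 44333, the port the sigul server uses to reach the bridge, while the bridge template in this same patch also listens for clients on 44334 (`client-listen-port: 44334`); if signing clients connect from other hosts, they will be blocked by this rule set. Unless clients are expected to run on the bridge itself, the list should be `$tcpPorts = [ '44333', '44334' ]`. The `iptables` template referenced here is outside this patch, so I cannot confirm that `$tcpPorts` is the only input that controls the accepted ports; the `service { iptables:` resource also carries no `subscribe`/notify relationship to the config file, so a rule change may not be reloaded until the next manual restart.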
diff --git a/modules/sigul/files/server.conf b/modules/sigul/files/server.conf
new file mode 100644
index 0000000..513cad5
--- /dev/null
+++ b/modules/sigul/files/server.conf
@@ -0,0 +1,47 @@
+# This is a configuration for the sigul server.
+
+[server]
+# Host name of the publically acessible bridge to clients
+bridge-hostname: sign-bridge1
+# Port on which the bridge expects server connections
+bridge-port: 44333
+# Maximum accepted size of payload stored on disk
+max-file-payload-size: 1073741824
+# Maximum accepted size of payload stored in server's memory
+max-memory-payload-size: 1048576
+# Nickname of the server's certificate in the NSS database specified below
+server-cert-nickname: sigul-server-cert
+
+[database]
+# Path to a directory containing a SQLite database
+;database-path: /var/lib/sigul
+
+[gnupg]
+# Path to a directory containing GPG configuration and keyrings
+gnupg-home: /var/lib/sigul/gnupg
+# Default primary key type for newly created keys
+gnupg-key-type: RSA
+# Default primary key length for newly created keys
+gnupg-key-length: 4096
+# Default subkey type for newly created keys, empty for no subkey
+gnupg-subkey-type:
+# Default subkey length for newly created keys if gnupg-subkey-type is not empty
+; gnupg-subkey-length: 2048
+# Default key usage flags for newly created keys
+gnupg-key-usage: encrypt, sign
+# Length of key passphrases used for newsly created keys
+passphrase-length: 64
+
+[daemon]
+# The user to run as
+unix-user: sigul
+# The group to run as
+unix-group: sigul
+
+[nss]
+# Path to a directory containing a NSS database
+nss-dir: /var/lib/sigul
+# Password for accessing the NSS database.  If not specified, the server will
+# ask on startup
+; nss-password is not specified by default
+
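Review bot: `bridge-hostname: sign-bridge1` uses the short host name, while the node this patch configures is sign-bridge1.fedora.phx.redhat.com; if the server host's resolver search path does not cover that domain, or if the bridge's certificate is verified against the configured name, the connection fails, so the fully qualified form `bridge-hostname: sign-bridge1.fedora.phx.redhat.com` is the safer choice. Two comments have typos worth fixing since this file is shipped as-is: `publically acessible` should read `publicly accessible`, and `newsly created keys` should read `newly created keys`.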
diff --git a/modules/sigul/manifests/init.pp b/modules/sigul/manifests/init.pp
new file mode 100644
index 0000000..aae73eb
--- /dev/null
+++ b/modules/sigul/manifests/init.pp
@@ -0,0 +1,97 @@
+class sigul {
+
+    package { "sigul":
+        ensure => installed,
+    }
+}
+
+class sigul::bridge inherits sigul {
+
+    package { "koji";
+        ensure => installed,
+    }
+
+    file { "/etc/sigul/bridge.conf":
+        owner   => "root",
+        group   => "sigul",
+        mode    => 0640,
+        content => template("sigul/bridge.conf.erb")
+        require => [ Package["sigul"] ],
+    }
+
+    file { "/var/lib/sigul/cert8.db":
+        owner   => "sigul",
+        group   => "sigul",
+        mode    => 0600,
+        source  => "puppet:///config/secure/sigul_bridge_cert8.db",
+        require => Package["sigul"],
+    }
+
+    file { "/var/lib/sigul/key3.db":
+        owner   => "sigul",
+        group   => "sigul",
+        mode    => 0600,
+        source  => "puppet:///config/secure/sigul_bridge_key3.db",
+        require => Package["sigul"],
+    }
+
+    file { "/var/lib/sigul/secmod.db":
+        owner   => "sigul",
+        group   => "sigul",
+        mode    => 0600,
+        source  => "puppet:///config/secure/sigul_bridge_secmod.db",
+        require => Package["sigul"],
+    }
+
+    file { "/var/lib/sigul/.fedora-server-ca.cert":
+        owner  => "sigul",
+        group  => "sigul",
+        mode   => 0644,
+        source => "puppet:///config/secure/fedora-ca.cert",
+    }
+
+    file { "/var/lib/sigul/.fedora.cert":
+        owner  => "sigul",
+        group  => "sigul",
+        mode   => 0644,
+        source => "puppet:///config/secure/sigul_key_and_cert.pem",
+    }
+
+}
+
+class sigul::server inherits sigul {
+
+    file { "/etc/sigul/server.conf":
+        owner   => "root",
+        group   => "sigul",
+        mode    => 0640,
+        source  => "puppet:///sigul/server.conf"
+        require => [ Package["sigul"] ],
+    }
+
+    file { "/var/lib/sigul/cert8.db":
+        owner   => "sigul",
+        group   => "sigul",
+        mode    => 0600,
+        source  => "puppet:///config/secure/sigul_server_cert8.db",
+        require => Package["sigul"],
+    }
+
+    file { "/var/lib/sigul/key3.db":
+        owner   => "sigul",
+        group   => "sigul",
+        mode    => 0600,
+        source  => "puppet:///config/secure/sigul_server_key3.db",
+        require => Package["sigul"],
+    }
+
+    file { "/var/lib/sigul/secmod.db":
+        owner   => "sigul",
+        group   => "sigul",
+        mode    => 0600,
+        source  => "puppet:///config/secure/sigul_server_secmod.db",
+        require => Package["sigul"],
+    }
+
+}
+
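Review bot: `/var/lib/sigul/.fedora.cert` is sourced from `sigul_key_and_cert.pem`, which by its name carries a private key, yet it is installed with `mode => 0644`, so any local user on the bridge can read the key; it should be `mode => 0600,` like the NSS database files above it. The same hunk has two errors that will stop the manifest from parsing: `package { "koji";` should be `package { "koji":`, and the `content => template("sigul/bridge.conf.erb")` line in sigul::bridge and the `source => "puppet:///sigul/server.conf"` line in sigul::server each lack the trailing comma before `require`. The two certificate file resources at the end of sigul::bridge also omit the `require => Package["sigul"],` the other files carry, so if the sigul package is what creates /var/lib/sigul they may be applied before the directory exists on a first run. Note that sigul::bridge and sigul::server declare file resources with identical titles (cert8.db, key3.db, secmod.db), so including both classes on one node would be a duplicate-declaration error; that looks intentional but deserves a comment on the classes.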
diff --git a/modules/sigul/templates/bridge.conf.erb b/modules/sigul/templates/bridge.conf.erb
new file mode 100644
index 0000000..01f3ee9
--- /dev/null
+++ b/modules/sigul/templates/bridge.conf.erb
@@ -0,0 +1,30 @@
+# This is a configuration for the sigul bridge.
+
+[bridge]
+# Nickname of the bridge's certificate in the NSS database specified below
+bridge-cert-nickname: sigul-bridge-cert
+# Port on which the bridge expects client connections
+client-listen-port: 44334
+# Port on which the bridge expects server connections
+server-listen-port: 44333
+# A Fedora account system group required for access to the signing server.  If
+# empty, no Fedora account check is done.
+#required-fas-group:
+required-fas-group: signers
+# User name and password for an account on the Fedora account system that can
+# be used to verify group memberships
+fas-user-name: fedoradummy
+fas-password: <%= fedoraDummyUserPassword %>
+
+[daemon]
+# The user to run as
+unix-user: sigul
+# The group to run as
+unix-group: sigul
+
+[nss]
+# Path to a directory containing a NSS database
+nss-dir: /var/lib/sigul
+# Password for accessing the NSS database.  If not specified, the bridge will
+# ask on startup
+; nss-password:
-- 
1.5.5.6



