wafer: only ask for client certs on the login page

[mirror/dsa-puppet.git] / modules / onion / files / create-onionbalance-config

diff --git a/modules/onion/files/create-onionbalance-config b/modules/onion/files/create-onionbalance-config
index f89f7d1..d0b97fb 100755 (executable)
--- a/modules/onion/files/create-onionbalance-config
+++ b/modules/onion/files/create-onionbalance-config
@@ -42,17 +42,20 @@
 # FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
 # OTHER DEALINGS IN THE SOFTWARE.
 
+import os
 import os.path
+import shutil
 import subprocess
 import yaml
 
 j = '/etc/onionbalance/config-dsa-snippet.yaml'
-outfile = '/etc/onionbalance/config.yaml-NEW'
+outfile = '/etc/onionbalance/config.yaml'
 
 relkeydir = 'private_keys'
 keydir = os.path.join('/etc/onionbalance', relkeydir)
 
-data = yaml.safe_load(open(j))
+with open(j) as conf:
+  data = yaml.safe_load(conf)
 
 service_instances = {}
 for entry in data:
@@ -70,8 +73,11 @@ services = []
 for s in service_instances:
   keyfile = os.path.join(keydir, s+'.key')
   relkeyfile = os.path.join(relkeydir, s+'.key')
-  if (not os.path.exists(keyfile)):
-    subprocess.check_call('umask 0027 && openssl genrsa -out %s 1024 && chgrp onionbalance %s'%(keyfile, keyfile), shell=True)
+  if not os.path.exists(keyfile):
+    subprocess.check_call(['openssl', 'genrsa', '-out', keyfile, '1024'],
+                          preexec_fn=lambda: os.umask(0o027))
+    shutil.chown(keyfile, group='onionbalance')
+    os.chmod(keyfile, 0o640)
 
   service = {
     'key': relkeyfile,
@@ -81,7 +87,7 @@ for s in service_instances:
 
 
 config = {}
-config['service'] = services
+config['services'] = services
 
 with open(outfile, 'w') as f:
   yaml.dump(config, f, indent=4)