author | Micah Anderson <micah@leap.se> | 2014-06-19 14:12:08 -0400 |
---|---|---|
committer | Micah Anderson <micah@leap.se> | 2014-06-19 14:12:08 -0400 |
commit | 9198af78956972a01aaf85e19753c5c9e62ea018 (patch) | |
tree | 7c2c4901c92528b2fababb0e4283d5bec6cd1aef | |
parent | 6100b6ded99241f10e7fb12c13a0820fda084912 (diff) | |
parent | f991e8a4c877cff1d274fd1cac26488f8c3fda84 (diff) |
Merge tag '0.5.2'
tagging 0.5.2 release
30 files changed, 340 insertions, 117 deletions
diff --git a/platform.rb b/platform.rb index d36cb3af..cd0cbde0 100644 --- a/platform.rb +++ b/platform.rb @@ -5,7 +5,7 @@ Leap::Platform.define do self.version = "0.5.2" - self.compatible_cli = "1.5.0".."1.99" + self.compatible_cli = "1.5.5".."1.99" # # the facter facts that should be gathered diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb index be8ae484..2d0a5886 100644 --- a/provider_base/files/service-definitions/provider.json.erb +++ b/provider_base/files/service-definitions/provider.json.erb @@ -7,7 +7,7 @@ hsh['domain'] = domain.full_suffix # advertise services that are 'user services' and for which there are actually nodes - hsh['services'] ||= global.services[:service_type => :user_service].field(:name).select do |service| + hsh['services'] ||= global.env(environment).services[:service_type => :user_service].field(:name).select do |service| nodes_like_me[:services => service].any? end diff --git a/provider_base/services/static.json b/provider_base/services/static.json index d9155a84..d9f52b36 100644 --- a/provider_base/services/static.json +++ b/provider_base/services/static.json @@ -1,6 +1,13 @@ { "static": { - "formats": "=> (self.static.domains||{}).values.collect{|d| (d.locations||{}).values.collect{|l|l['format']}}.flatten.uniq" + "formats": "=> try{static.domains.values.collect{|d| try{d.locations.values.collect{|l|l.format}} }.flatten.compact.uniq} || []", + // include a copy of provider.json in case any of the configured domains happens to match provider.domain + "bootstrap_files": { + "domain": "= provider.domain", + "enabled": "= !! try{static.domains[provider.domain]}", + "provider_json": "=> static.bootstrap_files.enabled ? try{nodes_like_me[:services => 'webapp'].values.first.definition_files['provider']} : nil", + "client_version": "= static.bootstrap_files.enabled ? provider.client_version : nil" + } }, "service_type": "public_service" }
\ No newline at end of file diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index f8726fa9..9afa5dfd 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -1,45 +1,44 @@ # set a default exec path Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } -# parse services for host -$services=join(hiera_array('services', ['']), ' ') -notice("Services for ${fqdn}: ${services}") - include site_config::setup include site_config::default -# configure eip -if $services =~ /\bopenvpn\b/ { +$services = hiera('services', []) +$services_str = join($services, ', ') +notice("Services for ${fqdn}: ${services_str}") + +if member($services, 'openvpn') { include site_openvpn } -if $services =~ /\bcouchdb\b/ { +if member($services, 'couchdb') { include site_couchdb include tapicero } -if $services =~ /\bwebapp\b/ { +if member($services, 'webapp') { include site_webapp include site_nickserver } -if $services =~ /\bsoledad\b/ { +if member($services, 'soledad') { include soledad::server } -if $services =~ /\bmonitor\b/ { +if member($services, 'monitor') { include site_nagios } -if $services =~ /\btor\b/ { +if member($services, 'tor') { include site_tor } -if $services =~ /\bmx\b/ { +if member($services, 'mx') { include site_mx } -if $services =~ /\bstatic\b/ { +if member($services, 'static') { include site_static } diff --git a/puppet/modules/site_apt/manifests/preferences/passenger.pp b/puppet/modules/site_apt/manifests/preferences/passenger.pp new file mode 100644 index 00000000..af501b6b --- /dev/null +++ b/puppet/modules/site_apt/manifests/preferences/passenger.pp @@ -0,0 +1,10 @@ +class site_apt::preferences::passenger { + + apt::preferences_snippet { 'passenger': + package => 'libapache2-mod-passenger', + release => "${::lsbdistcodename}-backports", + priority => 999, + require => [Package['apache'], Class['ruby']]; + } + +} 
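Review bot: `provider_json` is taken from `nodes_like_me[:services => 'webapp'].values.first`, i.e. whichever webapp node comes first in the collection, and nothing checks that all webapp nodes carry the same provider.json; if the copies can differ by environment, the lookup should be narrowed the way provider.json.erb now does with `global.env(environment)`. Both `provider_json` and `client_version` evaluate to nil when the lookup fails, so the consuming manifest has to cope with a nil bootstrap file. The `//` comment inside a `.json` file is only valid if the platform's config loader strips comments; I am assuming it does, since the rest of the file is otherwise plain JSON.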
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index c7352857..fc2179de 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -1,6 +1,7 @@ class site_config::default { tag 'leap_base' + $services = hiera('services', []) $domain_hash = hiera('domain') include site_config::params @@ -18,7 +19,7 @@ class site_config::default { include site_config::sysctl # configure ssh and include ssh-keys - include site_config::sshd + include site_sshd # include classes for special environments # i.e. openstack/aws nodes, vagrant nodes @@ -54,7 +55,7 @@ class site_config::default { # set up core leap files and directories include site_config::files - if $::services !~ /\bmx\b/ { + if ! member($services, 'mx') { include site_postfix::satellite } diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index e5d4dd70..6982d37b 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -1,9 +1,19 @@ class site_config::hosts() { $hosts = hiera('hosts', false) + + # calculate all the hostname aliases that might be used $hostname = hiera('name') - $domain_hash = hiera('domain') - $domain_public = $domain_hash['full_suffix'] - $api = hiera('api', '') + $domain_hash = hiera('domain', {}) + $dns = hiera('dns', {}) + if $dns['aliases'] == undef { + $dns_aliases = [] + } else { + $dns_aliases = $dns['aliases'] + } + $my_hostnames = unique(sort(concat( + [$hostname, $domain_hash['full'], $domain_hash['internal']], + $dns_aliases + ))) file { '/etc/hostname': ensure => present, diff --git a/puppet/modules/site_config/manifests/setup.pp b/puppet/modules/site_config/manifests/setup.pp index 6d89be86..b09d0413 100644 --- a/puppet/modules/site_config/manifests/setup.pp +++ b/puppet/modules/site_config/manifests/setup.pp 
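Review bot: `$my_hostnames` can pick up undefined entries: `$domain_hash` now defaults to `{}`, so `$domain_hash['full']` and `$domain_hash['internal']` are undef whenever hiera has no `domain`, and `unique(sort(concat(...)))` either keeps them (they then reach the hosts template's `join(' ')` as blank or `undef` tokens on the `127.0.1.1` line) or, if they arrive as a non-string value, makes `sort` fail. Filtering before sorting keeps the generated line well-formed: `$my_hostnames = unique(sort(delete_undef_values(concat([$hostname, $domain_hash['full'], $domain_hash['internal']], $dns_aliases))))`, provided the vendored stdlib has `delete_undef_values`. The `if $dns['aliases'] == undef` block could become a one-liner for the same reason, but that is style only. The class body continues past this hunk.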
@@ -4,7 +4,6 @@ class site_config::setup { # # this is applied before each run of site.pp # - #$services = '' Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } diff --git a/puppet/modules/site_config/manifests/sshd.pp b/puppet/modules/site_config/manifests/sshd.pp deleted file mode 100644 index 8ff337a0..00000000 --- a/puppet/modules/site_config/manifests/sshd.pp +++ /dev/null @@ -1,9 +0,0 @@ -class site_config::sshd { - # configure sshd - include sshd - include site_sshd - # no need for configuring authorized_keys as leap_cli cares for that - #$ssh_pubkeys=hiera_hash('ssh_pubkeys') - #notice($ssh_pubkeys) - #create_resources('site_sshd::ssh_key', $ssh_pubkeys) -} diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts index bfcabaa5..d557f730 100644 --- a/puppet/modules/site_config/templates/hosts +++ b/puppet/modules/site_config/templates/hosts @@ -1,8 +1,7 @@ # This file is managed by puppet, any changes will be overwritten! 127.0.0.1 localhost -127.0.1.1 <%= @hostname %>.<%= @domain_public %> <%= @hostname %> <% if (defined? @services) and (@services.include? 'webapp') -%><%= @domain_public %> <%= @api['domain'] %><% end -%> - +127.0.1.1 <%= @my_hostnames.join(' ') %> <%- if @hosts then -%> <% @hosts.keys.sort.each do |name| -%> diff --git a/puppet/modules/site_haproxy/manifests/init.pp b/puppet/modules/site_haproxy/manifests/init.pp index 1a681373..6bcf3f5c 100644 --- a/puppet/modules/site_haproxy/manifests/init.pp +++ b/puppet/modules/site_haproxy/manifests/init.pp @@ -1,4 +1,5 @@ class site_haproxy { + $haproxy = hiera('haproxy') class { 'haproxy': enable => true, 
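Review bot: The rewritten `127.0.1.1` line no longer maps the API domain: the removed line appended `<%= @api['domain'] %>` on webapp nodes, whereas `@my_hostnames` is built in hosts.pp from `name`, `domain.full`, `domain.internal` and `dns.aliases` only, so anything on a webapp node that resolved the API hostname via /etc/hosts now depends on DNS. If that is intended, a one-line comment in hosts.pp next to `$my_hostnames` saying the API domain is deliberately excluded would save the next reader the hunt; if not, the API domain needs appending to the alias list on webapp nodes. I am inferring the previous behaviour from the removed line alone.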
@@ -28,5 +29,13 @@ class site_haproxy { order => '90', source => 'puppet:///modules/site_haproxy/haproxy-stats.cfg'; } + + # Template uses $haproxy + concat::fragment { 'leap_haproxy_webapp_couchdb': + target => '/etc/haproxy/haproxy.cfg', + order => '20', + content => template('site_haproxy/haproxy_couchdb.cfg.erb'), + } + include site_check_mk::agent::haproxy } diff --git a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb b/puppet/modules/site_haproxy/templates/haproxy_couchdb.cfg.erb index 1fa01b96..1fa01b96 100644 --- a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb +++ b/puppet/modules/site_haproxy/templates/haproxy_couchdb.cfg.erb diff --git a/puppet/modules/site_mx/manifests/haproxy.pp b/puppet/modules/site_mx/manifests/haproxy.pp deleted file mode 100644 index 988eeaf3..00000000 --- a/puppet/modules/site_mx/manifests/haproxy.pp +++ /dev/null @@ -1,14 +0,0 @@ -class site_mx::haproxy { - - include site_haproxy - - $haproxy = hiera('haproxy') - $local_ports = $haproxy['local_ports'] - - # Template uses $global_options, $defaults_options - concat::fragment { 'leap_haproxy_webapp_couchdb': - target => '/etc/haproxy/haproxy.cfg', - order => '20', - content => template('site_webapp/haproxy_couchdb.cfg.erb'), - } -} diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 3949c787..c3d38a46 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -10,7 +10,7 @@ class site_mx { include site_postfix::mx - include site_mx::haproxy + include site_haproxy include site_shorewall::mx include site_shorewall::service::smtp include site_mx::couchdb diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index c1367a33..cea0153a 100644 --- a/puppet/modules/site_openvpn/manifests/resolver.pp +++ b/puppet/modules/site_openvpn/manifests/resolver.pp 
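Review bot: The deleted `site_mx::haproxy` set `$local_ports = $haproxy['local_ports']` before rendering the fragment, and the relocated declaration in `site_haproxy` only provides `$haproxy`; the template was renamed without changes (`index 1fa01b96..1fa01b96`), so if it references `@local_ports` the mx nodes will now fail to render it. Worth grepping `haproxy_couchdb.cfg.erb` before merging, or restoring `$local_ports` next to `$haproxy`. The comment `# Template uses $haproxy` would then be the right place to list every variable the template reads.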
@@ -3,15 +3,15 @@ class site_openvpn::resolver { if $site_openvpn::openvpn_allow_unlimited { $ensure_unlimited = 'present' file { - '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver': - content => "interface: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr} allow\n", + '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver.conf': + content => "server:\n\tinterface: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.1\n\taccess-control: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr} allow\n", owner => root, group => root, mode => '0644', require => [ Class['site_config::caching_resolver'], Service['openvpn'] ], notify => Service['unbound']; - '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver': - content => "interface: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr} allow\n", + '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver.conf': + content => "server:\n\tinterface: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.1\n\taccess-control: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr} allow\n", owner => root, group => root, mode => '0644', 
@@ -20,22 +20,22 @@ class site_openvpn::resolver { } } else { $ensure_unlimited = 'absent' - tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver': } - tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver': } + tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver.conf': } + tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver.conf': } } if $site_openvpn::openvpn_allow_limited { $ensure_limited = 'present' file { - '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver': - content => "interface: ${site_openvpn::openvpn_limited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr} allow\n", + '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver.conf': + content => "server:\n\tinterface: ${site_openvpn::openvpn_limited_udp_network_prefix}.1\n\taccess-control: ${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr} allow\n", owner => root, group => root, mode => '0644', require => [ Class['site_config::caching_resolver'], Service['openvpn'] ], notify => Service['unbound']; - '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver': - content => "interface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n", + '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver.conf': + content => "server\n\tinterface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\n\taccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n", owner => root, group => root, mode => '0644', 
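Review bot: The `content` for `vpn_limited_tcp_resolver.conf` begins with `"server\n\t...` — no colon — while the other three new files begin with `"server:\n\t...`; unbound's grammar expects the `server:` clause keyword, so this one file is likely to make the `Service['unbound']` restart fail on nodes where `openvpn_allow_limited` is set, taking VPN resolution down with it. Change the line to `content => "server:\n\tinterface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\n\taccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n",`. The class body continues outside this hunk.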
@@ -44,7 +44,7 @@ class site_openvpn::resolver { } } else { $ensure_limited = 'absent' - tidy { '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver': } - tidy { '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver': } + tidy { '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver.conf': } + tidy { '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver.conf': } } } diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp index f36fe20f..90a33d8d 100644 --- a/puppet/modules/site_sshd/manifests/authorized_keys.pp +++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp @@ -1,7 +1,17 @@ define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') { - # We use a custom define here to deploy the authorized_keys file - # cause puppet doesn't allow purgin before populating this file - # (see https://tickets.puppetlabs.com/browse/PUP-1174) + # We want to purge unmanaged keys from the authorized_keys file so that only + # keys added in the provider are valid. Any manually added keys will be + # overridden. + # + # In order to do this, we have to use a custom define to deploy the + # authorized_keys file because puppet's internal resource doesn't allow + # purging before populating this file. + # + # See the following for more information: + # https://tickets.puppetlabs.com/browse/PUP-1174 + # https://leap.se/code/issues/2990 + # https://leap.se/code/issues/3010 + # # This line allows default homedir based on $title variable. # If $home is empty, the default is used. $homedir = $home ? {'' => "/home/${title}", default => $home} diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index d9bc1d51..400c21ea 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp @@ -1,5 +1,5 @@ class site_sshd { - $ssh = hiera_hash('ssh') + $ssh = hiera_hash('ssh') $hosts = hiera('hosts', '') ## 
@@ -22,10 +22,11 @@ class site_sshd { group => root, mode => '0644', content => template('site_sshd/ssh_known_hosts.erb'); + '/etc/ssh/ssh_config': - owner => root, - group => root, - mode => '0644', + owner => root, + group => root, + mode => '0644', content => template('site_sshd/ssh_config.erb'); } @@ -46,4 +47,16 @@ class site_sshd { ensure => absent } } + + ## + ## SSHD SERVER CONFIGURATION + ## + class { '::sshd': + manage_nagios => 'no', + ports => $ssh['port'], + use_pam => 'yes', + hardened_ssl => 'yes', + print_motd => 'no', + manage_client => false + } } diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp index 8af2230f..6941b1a3 100644 --- a/puppet/modules/site_static/manifests/domain.pp +++ b/puppet/modules/site_static/manifests/domain.pp @@ -1,9 +1,11 @@ define site_static::domain ( - $locations, $ca_cert, $key, $cert, - $tls_only) { + $tls_only=true, + $locations=undef, + $aliases=undef, + $apache_config=undef) { $domain = $name $base_dir = '/srv/static' @@ -14,13 +16,6 @@ define site_static::domain ( x509::key { $domain: content => $key } x509::ca { "${domain}_ca": content => $ca_cert } - class { '::apache': no_default_site => true, ssl => true } - include site_apache::module::headers - include site_apache::module::alias - include site_apache::module::expires - include site_apache::module::removeip - include site_apache::module::rewrite - apache::vhost::file { $domain: content => template('site_static/apache.conf.erb') } diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index 4f6d895f..6e347d35 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp 
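Review bot: The new `class { '::sshd': ... }` declaration pins `hardened_ssl`, `use_pam` and `print_motd` but says nothing about root login or password authentication, so those come from the sshd module's defaults — and this same merge moves the `puppet/modules/sshd` submodule to a new revision, so the effective defaults may have shifted underneath. Stating them explicitly (the module's `permit_root_login` and `password_authentication` parameters, if this version exposes them) makes the SSH policy reviewable from this file alone. Separately, `ports => $ssh['port']` passes a single `port` value to a plural parameter; worth confirming the module accepts a scalar as well as an array. The class header is outside the hunk.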
@@ -3,6 +3,39 @@ class site_static { $static = hiera('static') $domains = $static['domains'] $formats = $static['formats'] + $bootstrap = $static['bootstrap_files'] + + if $bootstrap['enabled'] { + $bootstrap_domain = $bootstrap['domain'] + $bootstrap_client = $bootstrap['client_version'] + file { '/srv/leap/provider.json': + content => $bootstrap['provider_json'], + owner => 'www-data', + group => 'www-data', + mode => '0444'; + } + # It is important to always touch provider.json: the client needs to check x-min-client-version header, + # but this is only sent when the file has been modified (otherwise 304 is sent by apache). The problem + # is that changing min client version won't alter the content of provider.json, so we must touch it. + exec { '/bin/touch /srv/leap/provider.json': + require => File['/srv/leap/provider.json']; + } + } + + class { '::apache': no_default_site => true, ssl => true } + include site_apache::module::headers + include site_apache::module::alias + include site_apache::module::expires + include site_apache::module::removeip + include site_apache::module::rewrite + + if (member($formats, 'rack')) { + include site_apt::preferences::passenger + class { 'passenger': + use_munin => false, + require => Class['site_apt::preferences::passenger'] + } + } if (member($formats, 'amber')) { include site_config::ruby::dev diff --git a/puppet/modules/site_static/manifests/location.pp b/puppet/modules/site_static/manifests/location.pp index 1ba6807e..ce2af9af 100644 --- a/puppet/modules/site_static/manifests/location.pp +++ b/puppet/modules/site_static/manifests/location.pp 
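Review bot: `file { '/srv/leap/provider.json': content => $bootstrap['provider_json'], ... }` has no guard for a missing value: in static.json `provider_json` is a `try{...}` over the first webapp node and evaluates to nil when none matches, and with `content` undefined the resource likely ends up as an empty (or unmanaged) file that the vhost's `Alias /provider.json` then serves to clients. Fail loudly instead, before the `file` resource: `if $bootstrap['provider_json'] == undef { fail('static.bootstrap_files is enabled but no webapp provider.json was found') }`, and give `$bootstrap['client_version']` the same check since the vhost template reads `bootstrap_client['min']`. The `/bin/touch` exec runs on every agent run by design, per the comment above it, so expect a reported change each run; `logoutput => false` would at least keep the reports quiet.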
@@ -1,6 +1,16 @@ define site_static::location($path, $format, $source) { $file_path = "/srv/static/${name}" + $allowed_formats = ['amber','rack'] + + if $format == undef { + fail("static_site location `${path}` is missing `format` field.") + } + + if ! member($allowed_formats, $format) { + $formats_str = join($allowed_formats, ', ') + fail("Unsupported static_site location format `${format}`. Supported formats include ${formats_str}.") + } if ($format == 'amber') { exec {"amber_build_${name}": diff --git a/puppet/modules/site_static/templates/amber.erb b/puppet/modules/site_static/templates/amber.erb new file mode 100644 index 00000000..17dc2ad6 --- /dev/null +++ b/puppet/modules/site_static/templates/amber.erb @@ -0,0 +1,15 @@ +<%- if @location_path == '' -%> + <Directory "<%= @directory %>/"> + AllowOverride FileInfo Indexes Options=All,MultiViews + Order deny,allow + Allow from all + </Directory> +<%- else -%> + AliasMatch ^/[a-z]{2}/<%=@location_path%>(/.+|/|)$ "<%=@directory%>/$1" + Alias /<%=@location_path%> "<%=@directory%>/" + <Directory "<%=@directory%>/"> + AllowOverride FileInfo Indexes Options=All,MultiViews + Order deny,allow + Allow from all + </Directory> +<%- end -%> diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb index 2abe1a98..07ac481d 100644 --- a/puppet/modules/site_static/templates/apache.conf.erb +++ b/puppet/modules/site_static/templates/apache.conf.erb 
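Review bot: `AllowOverride FileInfo Indexes Options=All,MultiViews` in both `<Directory>` blocks of amber.erb lets a `.htaccess` inside the built site enable any `Options`, including `ExecCGI`, `Includes` and `FollowSymLinks`; for a static tree generated by amber that is wider than needed, and the sibling rack.erb grants no override at all. Narrowing to what the site actually uses, e.g. `AllowOverride FileInfo Indexes Options=Indexes,MultiViews`, keeps a stray `.htaccess` from changing what the vhost executes. Separately, `AliasMatch ^/[a-z]{2}/<%=@location_path%>(/.+|/|)$` drops `location_path` into a regex unescaped, so a path containing `.` or another metacharacter matches more than intended; `<%= Regexp.escape(@location_path) %>` keeps it literal. The value comes from the provider's own config, so this is a correctness point rather than an untrusted-input one.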
@@ -2,32 +2,45 @@ ## ## An apache config for static websites. ## + def location_directory(name, location) - if location['format'] == 'amber' + if ['amber', 'rack'].include?(location['format']) File.join(@base_dir, name, 'public') else File.join(@base_dir, name) end end - document_root = '/var/www' - @locations.each do |name, location| - if location['path'] == '/' - document_root = location_directory(name, location) + + @document_root = begin + root = '/var/www' + @locations && @locations.each do |name, location| + root = location_directory(name, location) if location['path'] == '/' end + root.gsub(%r{^/|/$}, '') end - document_root = document_root.gsub(%r{^/|/$}, '') + + bootstrap_domain = scope.lookupvar('site_static::bootstrap_domain') + bootstrap_client = scope.lookupvar('site_static::bootstrap_client') -%> <VirtualHost *:80> ServerName <%= @domain %> ServerAlias www.<%= @domain %> +<%- @aliases && @aliases.each do |domain_alias| -%> + ServerAlias <%= domain_alias %> +<%- end -%> +<%- if @tls_only -%> RewriteEngine On RewriteRule ^.*$ https://<%= @domain -%>%{REQUEST_URI} [R=permanent,L] +<%- end -%> </VirtualHost> <VirtualHost *:443> ServerName <%= @domain %> ServerAlias www.<%= @domain %> +<%- @aliases && @aliases.each do |domain_alias| -%> + ServerAlias <%= domain_alias %> +<%- end -%> #RewriteLog "/var/log/apache2/rewrite.log" #RewriteLogLevel 3 
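Review bot: `scope.lookupvar('site_static::bootstrap_domain')` and `scope.lookupvar('site_static::bootstrap_client')` read variables that `site_static` assigns only inside `if $bootstrap['enabled']`, so on a node with bootstrap disabled the lookups return an undefined marker (or raise, if `strict_variables` is on) rather than nil. The later `include?(bootstrap_domain)` tolerates that today, but it is fragile; assigning `$bootstrap_domain = undef` and `$bootstrap_client = undef` in an `else` branch in init.pp makes the contract explicit. The `@document_root = begin ... end` block replacing the loop-mutated local is a welcome tidy-up.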
@@ -38,8 +51,12 @@ SSLCompression off SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK" +<%- if @tls_only -%> Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains" +<%- end -%> Header set X-Frame-Options "deny" + Header always unset X-Powered-By + Header always unset X-Runtime SSLCertificateKeyFile /etc/x509/keys/<%= @domain %>.key SSLCertificateFile /etc/x509/certs/<%= @domain %>.crt 
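Review bot: Now that the HSTS directive is gated on `@tls_only`, the line inside the new conditional still uses `Header add Strict-Transport-Security`, which appends rather than replaces and is not emitted on error responses; `Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"` is the form that behaves consistently. The two `Header always unset` lines for `X-Powered-By` and `X-Runtime` are a sensible addition for the rack format. The `SSLCipherSuite` list above is untouched by this commit but still admits RC4 suites; worth a follow-up.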
@@ -47,31 +64,30 @@ RequestHeader set X_FORWARDED_PROTO 'https' - DocumentRoot "/<%= document_root %>/" + DocumentRoot "/<%= @document_root %>/" AccessFileName .htaccess -<%- @locations.each do |name, location| -%> - <%- path = location['path'].gsub(%r{^/|/$}, '') -%> - <%- directory = location_directory(name, location) -%> +<%- if ([@aliases]+[@domain]).flatten.include?(bootstrap_domain) -%> + Alias /provider.json /srv/leap/provider.json + <Location /provider.json> + Header set X-Minimum-Client-Version <%= bootstrap_client['min'] %> + </Location> +<%- end -%> + +<%- if @apache_config -%> +<%= @apache_config.gsub(':percent:','%') %> +<%- end -%> + +<%- @locations && @locations.each do |name, location| -%> +<%- location_path = location['path'].gsub(%r{^/|/$}, '') -%> +<%- directory = location_directory(name, location) -%> +<%- local_vars = {'location_path'=>location_path, 'directory'=>directory, 'location'=>location, 'name'=>name} -%> +<%- template_path = File.join(File.dirname(__FILE__), location['format']) + '.erb' -%> +<%- break unless File.exists?(template_path) -%> ## - ## <%= name %> + ## <%= name %> (<%= location['format'] %>) ## - <%- if path == '' -%> - <Directory "/<%= document_root %>/"> - AllowOverride FileInfo Indexes Options=All,MultiViews - Order deny,allow - Allow from all - </Directory> - <%- else -%> - AliasMatch ^/[a-z]{2}/<%=path%>(/.+|/|)$ "/<%=directory%>/$1" - Alias /<%=path%> "/<%=directory%>/" - <Directory "/<%=directory%>/"> - AllowOverride FileInfo Indexes Options=All,MultiViews - Order deny,allow - Allow from all - </Directory> - <%- end -%> - +<%= scope.function_templatewlv([template_path, local_vars]) %> <%- end -%> </VirtualHost> diff --git a/puppet/modules/site_static/templates/rack.erb b/puppet/modules/site_static/templates/rack.erb new file mode 100644 index 00000000..aae91f1c --- /dev/null +++ b/puppet/modules/site_static/templates/rack.erb 
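Review bot: `<%- break unless File.exists?(template_path) -%>` stops rendering every remaining location as soon as one format has no template, instead of skipping just that one; `next` is the intended control flow, and `File.exist?` is the non-deprecated spelling. `template_path` uses `location['format']` as a path component, so this loop relies entirely on the `member($allowed_formats, $format)` check in location.pp to keep values like `../` out of the join; a one-line comment here, e.g. `<%# format is whitelisted in site_static::location %>`, stops someone relaxing one without the other. `bootstrap_client['min']` raises if `client_version` is unset while `bootstrap_domain` matches; `bootstrap_client && bootstrap_client['min']`, or failing early in init.pp, avoids a confusing compile error.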
@@ -0,0 +1,21 @@ + #PassengerLogLevel 1 + #PassengerAppEnv production + #PassengerFriendlyErrorPages on +<%- if @location_path == '' -%> + <Directory "<%=@directory%>"> + Order deny,allow + Allow from all + Options -MultiViews + </Directory> +<%- else -%> + Alias /<%=@location_path%> "<%=@directory%>" + <Location /<%=@location_path%>> + PassengerBaseURI /<%=@location_path%> + PassengerAppRoot "<%=File.dirname(@directory)%>" + </Location> + <Directory "<%=@directory%>"> + Order deny,allow + Allow from all + Options -MultiViews + </Directory> +<%- end -%> diff --git a/puppet/modules/site_webapp/manifests/haproxy.pp b/puppet/modules/site_webapp/manifests/haproxy.pp deleted file mode 100644 index b69c69da..00000000 --- a/puppet/modules/site_webapp/manifests/haproxy.pp +++ /dev/null @@ -1,13 +0,0 @@ -class site_webapp::haproxy { - - include site_haproxy - - $haproxy = hiera('haproxy') - - # Template uses $global_options, $defaults_options - concat::fragment { 'leap_haproxy_webapp_couchdb': - target => '/etc/haproxy/haproxy.cfg', - order => '20', - content => template('site_webapp/haproxy_couchdb.cfg.erb'), - } -} diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index d02a7261..d6f1d7ae 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -16,7 +16,7 @@ class site_webapp { include site_config::ruby::dev include site_webapp::apache include site_webapp::couchdb - include site_webapp::haproxy + include site_haproxy include site_webapp::cron include site_config::x509::cert include site_config::x509::key diff --git a/puppet/modules/sshd b/puppet/modules/sshd -Subproject 1eabfe1b590f6663c2558f949408a08fc5f58fa +Subproject 5c23b33200fc6229ada7f4e13672b5da0d4bdd8 diff --git a/puppet/modules/templatewlv/Modulefile b/puppet/modules/templatewlv/Modulefile new file mode 100644 index 00000000..8007a070 --- /dev/null +++ b/puppet/modules/templatewlv/Modulefile 
@@ -0,0 +1,11 @@ +name 'duritong-templatewlv' +version '0.0.1' +source 'https://github.com/duritong/puppet-templatewlv.git' +author 'duritong' +license 'Apache License, Version 2.0' +summary 'Template With Local Variables' +description 'Pass local variables to templates' +project_page 'https://github.com/duritong/puppet-templatewlv' + +## Add dependencies, if any: +# dependency 'username/name', '>= 1.2.0' diff --git a/puppet/modules/templatewlv/README.md b/puppet/modules/templatewlv/README.md new file mode 100644 index 00000000..5ab01e45 --- /dev/null +++ b/puppet/modules/templatewlv/README.md @@ -0,0 +1,21 @@ +# templatewlv + +## Template With Local Variables + +A wrapper around puppet's template function. See +[the templating docs](http://docs.puppetlabs.com/guides/templating.html) for +the basic functionality. + +Additionally, you can pass a hash, as the last argument, which will be turned into +local variables and available to the template itself. This will allow you to define +variables in a template and pass them down to a template you include in the current +template. An example: + + scope.function_templatewlv(['sub_template', { 'local_var' => 'value' }]) + +Note that if multiple templates are specified, their output is all +concatenated and returned as the output of the function. + +# Who - License + +duritong - Apache License, Version 2.0 diff --git a/puppet/modules/templatewlv/lib/puppet/parser/functions/templatewlv.rb b/puppet/modules/templatewlv/lib/puppet/parser/functions/templatewlv.rb new file mode 100644 index 00000000..c9579e2c --- /dev/null +++ b/puppet/modules/templatewlv/lib/puppet/parser/functions/templatewlv.rb 
@@ -0,0 +1,41 @@ +require File.join(File.dirname(__FILE__),'../templatewrapperwlv') +Puppet::Parser::Functions::newfunction(:templatewlv, :type => :rvalue, :arity => -2, :doc => + "A wrapper around puppet's template function. See + [the templating docs](http://docs.puppetlabs.com/guides/templating.html) for + the basic functionality. + + Additionally, you can pass a hash, as the last argument, which will be turned into + local variables and available to the template itself. This will allow you to define + variables in a template and pass them down to a template you include in the current + template. An example: + + scope.function_templatewlv(['sub_template', { 'local_var' => 'value' }]) + + Note that if multiple templates are specified, their output is all + concatenated and returned as the output of the function.") do |vals| + + if vals.last.is_a?(Hash) + local_vars = vals.last + local_vals = vals[0..-2] + else + local_vars = {} + local_vals = vals + end + + result = nil + local_vals.collect do |file| + # Use a wrapper, so the template can't get access to the full + # Scope object. + debug "Retrieving template #{file}" + + wrapper = Puppet::Parser::TemplateWrapperWlv.new(self,local_vars) + wrapper.file = file + begin + wrapper.result + rescue => detail + info = detail.backtrace.first.split(':') + raise Puppet::ParseError, + "Failed to parse template #{file}:\n Filepath: #{info[0]}\n Line: #{info[1]}\n Detail: #{detail}\n" + end + end.join("") +end diff --git a/puppet/modules/templatewlv/lib/puppet/parser/templatewrapperwlv.rb b/puppet/modules/templatewlv/lib/puppet/parser/templatewrapperwlv.rb new file mode 100644 index 00000000..f1753e18 --- /dev/null +++ b/puppet/modules/templatewlv/lib/puppet/parser/templatewrapperwlv.rb 
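Review bot: `result = nil` is assigned and never read; the function's value is the `local_vals.collect { ... }.join("")` expression, so the line should go. When the caller passes only a hash, `:arity => -2` is satisfied, `local_vals` is empty and the function silently returns `""`; raising `Puppet::ParseError, 'templatewlv requires at least one template name'` when `local_vals.empty?` surfaces that misuse. `detail.backtrace.first.split(':')` also assumes a backtrace exists; a message without location beats a `NoMethodError` on nil in the rescue path if it ever does not.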
@@ -0,0 +1,39 @@ +# A wrapper for templates, that allows you to additionally define +# local variables +class Puppet::Parser::TemplateWrapperWlv < Puppet::Parser::TemplateWrapper + attr_reader :local_vars + def initialize(scope, local_vars) + super(scope) + @local_vars = local_vars + end + + # Should return true if a variable is defined, false if it is not + def has_variable?(name) + super(name) || local_vars.keys.include?(name.to_s) + end + + def method_missing(name, *args) + if local_vars.keys.include?(n=name.to_s) + local_vars[n] + else + super(name, *args) + end + end + + def result(string = nil) + # Expose all the variables in our scope as instance variables of the + # current object, making it possible to access them without conflict + # to the regular methods. + benchmark(:debug, "Bound local template variables for #{@__file__}") do + local_vars.each do |name, value| + if name.kind_of?(String) + realname = name.gsub(/[^\w]/, "_") + else + realname = name + end + instance_variable_set("@#{realname}", value) + end + end + super(string) + end +end |
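Review bot: `method_missing` is defined without a matching `respond_to_missing?`, so `respond_to?` returns false for the very names the wrapper resolves; add `def respond_to_missing?(name, include_private = false) local_vars.key?(name.to_s) || super end`. The lookups also disagree on key types: `has_variable?` and `method_missing` only find String keys (`local_vars.keys.include?(name.to_s)` is just `local_vars.key?(name.to_s)`), while `result` accepts non-String keys and sets them as instance variables without the `gsub(/[^\w]/, "_")` sanitising step, so a Symbol key is reachable as `@name` but not via `name`; stringifying once in `initialize` (`@local_vars = local_vars.each_with_object({}) { |(k, v), h| h[k.to_s] = v }`) removes the split. Note also that `instance_variable_set` will overwrite the wrapper's own ivars, such as `@__file__`, if a local variable shares the name — the values come from manifests, so this is a footgun rather than an exposure, but a comment saying so is cheap.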