summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMicah Anderson <micah@leap.se>2014-06-19 14:12:08 -0400
committerMicah Anderson <micah@leap.se>2014-06-19 14:12:08 -0400
commit9198af78956972a01aaf85e19753c5c9e62ea018 (patch)
tree7c2c4901c92528b2fababb0e4283d5bec6cd1aef
parent6100b6ded99241f10e7fb12c13a0820fda084912 (diff)
parentf991e8a4c877cff1d274fd1cac26488f8c3fda84 (diff)
Merge tag '0.5.2'
tagging 0.5.2 release
-rw-r--r--platform.rb2
-rw-r--r--provider_base/files/service-definitions/provider.json.erb2
-rw-r--r--provider_base/services/static.json9
-rw-r--r--puppet/manifests/site.pp25
-rw-r--r--puppet/modules/site_apt/manifests/preferences/passenger.pp10
-rw-r--r--puppet/modules/site_config/manifests/default.pp5
-rw-r--r--puppet/modules/site_config/manifests/hosts.pp16
-rw-r--r--puppet/modules/site_config/manifests/setup.pp1
-rw-r--r--puppet/modules/site_config/manifests/sshd.pp9
-rw-r--r--puppet/modules/site_config/templates/hosts3
-rw-r--r--puppet/modules/site_haproxy/manifests/init.pp9
-rw-r--r--puppet/modules/site_haproxy/templates/haproxy_couchdb.cfg.erb (renamed from puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb)0
-rw-r--r--puppet/modules/site_mx/manifests/haproxy.pp14
-rw-r--r--puppet/modules/site_mx/manifests/init.pp2
-rw-r--r--puppet/modules/site_openvpn/manifests/resolver.pp24
-rw-r--r--puppet/modules/site_sshd/manifests/authorized_keys.pp16
-rw-r--r--puppet/modules/site_sshd/manifests/init.pp21
-rw-r--r--puppet/modules/site_static/manifests/domain.pp13
-rw-r--r--puppet/modules/site_static/manifests/init.pp33
-rw-r--r--puppet/modules/site_static/manifests/location.pp10
-rw-r--r--puppet/modules/site_static/templates/amber.erb15
-rw-r--r--puppet/modules/site_static/templates/apache.conf.erb70
-rw-r--r--puppet/modules/site_static/templates/rack.erb21
-rw-r--r--puppet/modules/site_webapp/manifests/haproxy.pp13
-rw-r--r--puppet/modules/site_webapp/manifests/init.pp2
m---------puppet/modules/sshd0
-rw-r--r--puppet/modules/templatewlv/Modulefile11
-rw-r--r--puppet/modules/templatewlv/README.md21
-rw-r--r--puppet/modules/templatewlv/lib/puppet/parser/functions/templatewlv.rb41
-rw-r--r--puppet/modules/templatewlv/lib/puppet/parser/templatewrapperwlv.rb39
30 files changed, 340 insertions, 117 deletions
diff --git a/platform.rb b/platform.rb
index d36cb3af..cd0cbde0 100644
--- a/platform.rb
+++ b/platform.rb
@@ -5,7 +5,7 @@
Leap::Platform.define do
self.version = "0.5.2"
- self.compatible_cli = "1.5.0".."1.99"
+ self.compatible_cli = "1.5.5".."1.99"
#
# the facter facts that should be gathered
diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb
index be8ae484..2d0a5886 100644
--- a/provider_base/files/service-definitions/provider.json.erb
+++ b/provider_base/files/service-definitions/provider.json.erb
@@ -7,7 +7,7 @@
hsh['domain'] = domain.full_suffix
# advertise services that are 'user services' and for which there are actually nodes
- hsh['services'] ||= global.services[:service_type => :user_service].field(:name).select do |service|
+ hsh['services'] ||= global.env(environment).services[:service_type => :user_service].field(:name).select do |service|
nodes_like_me[:services => service].any?
end
diff --git a/provider_base/services/static.json b/provider_base/services/static.json
index d9155a84..d9f52b36 100644
--- a/provider_base/services/static.json
+++ b/provider_base/services/static.json
@@ -1,6 +1,13 @@
{
"static": {
- "formats": "=> (self.static.domains||{}).values.collect{|d| (d.locations||{}).values.collect{|l|l['format']}}.flatten.uniq"
+ "formats": "=> try{static.domains.values.collect{|d| try{d.locations.values.collect{|l|l.format}} }.flatten.compact.uniq} || []",
+ // include a copy of provider.json in case any of the configured domains happens to match provider.domain
+ "bootstrap_files": {
+ "domain": "= provider.domain",
+ "enabled": "= !! try{static.domains[provider.domain]}",
+ "provider_json": "=> static.bootstrap_files.enabled ? try{nodes_like_me[:services => 'webapp'].values.first.definition_files['provider']} : nil",
+ "client_version": "= static.bootstrap_files.enabled ? provider.client_version : nil"
+ }
},
"service_type": "public_service"
} \ No newline at end of file
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index f8726fa9..9afa5dfd 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -1,45 +1,44 @@
# set a default exec path
Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' }
-# parse services for host
-$services=join(hiera_array('services', ['']), ' ')
-notice("Services for ${fqdn}: ${services}")
-
include site_config::setup
include site_config::default
-# configure eip
-if $services =~ /\bopenvpn\b/ {
+$services = hiera('services', [])
+$services_str = join($services, ', ')
+notice("Services for ${fqdn}: ${services_str}")
+
+if member($services, 'openvpn') {
include site_openvpn
}
-if $services =~ /\bcouchdb\b/ {
+if member($services, 'couchdb') {
include site_couchdb
include tapicero
}
-if $services =~ /\bwebapp\b/ {
+if member($services, 'webapp') {
include site_webapp
include site_nickserver
}
-if $services =~ /\bsoledad\b/ {
+if member($services, 'soledad') {
include soledad::server
}
-if $services =~ /\bmonitor\b/ {
+if member($services, 'monitor') {
include site_nagios
}
-if $services =~ /\btor\b/ {
+if member($services, 'tor') {
include site_tor
}
-if $services =~ /\bmx\b/ {
+if member($services, 'mx') {
include site_mx
}
-if $services =~ /\bstatic\b/ {
+if member($services, 'static') {
include site_static
}
diff --git a/puppet/modules/site_apt/manifests/preferences/passenger.pp b/puppet/modules/site_apt/manifests/preferences/passenger.pp
new file mode 100644
index 00000000..af501b6b
--- /dev/null
+++ b/puppet/modules/site_apt/manifests/preferences/passenger.pp
@@ -0,0 +1,10 @@
+class site_apt::preferences::passenger {
+
+ apt::preferences_snippet { 'passenger':
+ package => 'libapache2-mod-passenger',
+ release => "${::lsbdistcodename}-backports",
+ priority => 999,
+ require => [Package['apache'], Class['ruby']];
+ }
+
+}
diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp
index c7352857..fc2179de 100644
--- a/puppet/modules/site_config/manifests/default.pp
+++ b/puppet/modules/site_config/manifests/default.pp
@@ -1,6 +1,7 @@
class site_config::default {
tag 'leap_base'
+ $services = hiera('services', [])
$domain_hash = hiera('domain')
include site_config::params
@@ -18,7 +19,7 @@ class site_config::default {
include site_config::sysctl
# configure ssh and include ssh-keys
- include site_config::sshd
+ include site_sshd
# include classes for special environments
# i.e. openstack/aws nodes, vagrant nodes
@@ -54,7 +55,7 @@ class site_config::default {
# set up core leap files and directories
include site_config::files
- if $::services !~ /\bmx\b/ {
+ if ! member($services, 'mx') {
include site_postfix::satellite
}
diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp
index e5d4dd70..6982d37b 100644
--- a/puppet/modules/site_config/manifests/hosts.pp
+++ b/puppet/modules/site_config/manifests/hosts.pp
@@ -1,9 +1,19 @@
class site_config::hosts() {
$hosts = hiera('hosts', false)
+
+ # calculate all the hostname aliases that might be used
$hostname = hiera('name')
- $domain_hash = hiera('domain')
- $domain_public = $domain_hash['full_suffix']
- $api = hiera('api', '')
+ $domain_hash = hiera('domain', {})
+ $dns = hiera('dns', {})
+ if $dns['aliases'] == undef {
+ $dns_aliases = []
+ } else {
+ $dns_aliases = $dns['aliases']
+ }
+ $my_hostnames = unique(sort(concat(
+ [$hostname, $domain_hash['full'], $domain_hash['internal']],
+ $dns_aliases
+ )))
file { '/etc/hostname':
ensure => present,
diff --git a/puppet/modules/site_config/manifests/setup.pp b/puppet/modules/site_config/manifests/setup.pp
index 6d89be86..b09d0413 100644
--- a/puppet/modules/site_config/manifests/setup.pp
+++ b/puppet/modules/site_config/manifests/setup.pp
@@ -4,7 +4,6 @@ class site_config::setup {
#
# this is applied before each run of site.pp
#
- #$services = ''
Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' }
diff --git a/puppet/modules/site_config/manifests/sshd.pp b/puppet/modules/site_config/manifests/sshd.pp
deleted file mode 100644
index 8ff337a0..00000000
--- a/puppet/modules/site_config/manifests/sshd.pp
+++ /dev/null
@@ -1,9 +0,0 @@
-class site_config::sshd {
- # configure sshd
- include sshd
- include site_sshd
- # no need for configuring authorized_keys as leap_cli cares for that
- #$ssh_pubkeys=hiera_hash('ssh_pubkeys')
- #notice($ssh_pubkeys)
- #create_resources('site_sshd::ssh_key', $ssh_pubkeys)
-}
diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts
index bfcabaa5..d557f730 100644
--- a/puppet/modules/site_config/templates/hosts
+++ b/puppet/modules/site_config/templates/hosts
@@ -1,8 +1,7 @@
# This file is managed by puppet, any changes will be overwritten!
127.0.0.1 localhost
-127.0.1.1 <%= @hostname %>.<%= @domain_public %> <%= @hostname %> <% if (defined? @services) and (@services.include? 'webapp') -%><%= @domain_public %> <%= @api['domain'] %><% end -%>
-
+127.0.1.1 <%= @my_hostnames.join(' ') %>
<%- if @hosts then -%>
<% @hosts.keys.sort.each do |name| -%>
diff --git a/puppet/modules/site_haproxy/manifests/init.pp b/puppet/modules/site_haproxy/manifests/init.pp
index 1a681373..6bcf3f5c 100644
--- a/puppet/modules/site_haproxy/manifests/init.pp
+++ b/puppet/modules/site_haproxy/manifests/init.pp
@@ -1,4 +1,5 @@
class site_haproxy {
+ $haproxy = hiera('haproxy')
class { 'haproxy':
enable => true,
@@ -28,5 +29,13 @@ class site_haproxy {
order => '90',
source => 'puppet:///modules/site_haproxy/haproxy-stats.cfg';
}
+
+ # Template uses $haproxy
+ concat::fragment { 'leap_haproxy_webapp_couchdb':
+ target => '/etc/haproxy/haproxy.cfg',
+ order => '20',
+ content => template('site_haproxy/haproxy_couchdb.cfg.erb'),
+ }
+
include site_check_mk::agent::haproxy
}
diff --git a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb b/puppet/modules/site_haproxy/templates/haproxy_couchdb.cfg.erb
index 1fa01b96..1fa01b96 100644
--- a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb
+++ b/puppet/modules/site_haproxy/templates/haproxy_couchdb.cfg.erb
diff --git a/puppet/modules/site_mx/manifests/haproxy.pp b/puppet/modules/site_mx/manifests/haproxy.pp
deleted file mode 100644
index 988eeaf3..00000000
--- a/puppet/modules/site_mx/manifests/haproxy.pp
+++ /dev/null
@@ -1,14 +0,0 @@
-class site_mx::haproxy {
-
- include site_haproxy
-
- $haproxy = hiera('haproxy')
- $local_ports = $haproxy['local_ports']
-
- # Template uses $global_options, $defaults_options
- concat::fragment { 'leap_haproxy_webapp_couchdb':
- target => '/etc/haproxy/haproxy.cfg',
- order => '20',
- content => template('site_webapp/haproxy_couchdb.cfg.erb'),
- }
-}
diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp
index 3949c787..c3d38a46 100644
--- a/puppet/modules/site_mx/manifests/init.pp
+++ b/puppet/modules/site_mx/manifests/init.pp
@@ -10,7 +10,7 @@ class site_mx {
include site_postfix::mx
- include site_mx::haproxy
+ include site_haproxy
include site_shorewall::mx
include site_shorewall::service::smtp
include site_mx::couchdb
diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp
index c1367a33..cea0153a 100644
--- a/puppet/modules/site_openvpn/manifests/resolver.pp
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
@@ -3,15 +3,15 @@ class site_openvpn::resolver {
if $site_openvpn::openvpn_allow_unlimited {
$ensure_unlimited = 'present'
file {
- '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver':
- content => "interface: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr} allow\n",
+ '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver.conf':
+ content => "server:\n\tinterface: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.1\n\taccess-control: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr} allow\n",
owner => root,
group => root,
mode => '0644',
require => [ Class['site_config::caching_resolver'], Service['openvpn'] ],
notify => Service['unbound'];
- '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver':
- content => "interface: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr} allow\n",
+ '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver.conf':
+ content => "server:\n\tinterface: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.1\n\taccess-control: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr} allow\n",
owner => root,
group => root,
mode => '0644',
@@ -20,22 +20,22 @@ class site_openvpn::resolver {
}
} else {
$ensure_unlimited = 'absent'
- tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver': }
- tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver': }
+ tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_udp_resolver.conf': }
+ tidy { '/etc/unbound/unbound.conf.d/vpn_unlimited_tcp_resolver.conf': }
}
if $site_openvpn::openvpn_allow_limited {
$ensure_limited = 'present'
file {
- '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver':
- content => "interface: ${site_openvpn::openvpn_limited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr} allow\n",
+ '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver.conf':
+ content => "server:\n\tinterface: ${site_openvpn::openvpn_limited_udp_network_prefix}.1\n\taccess-control: ${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr} allow\n",
owner => root,
group => root,
mode => '0644',
require => [ Class['site_config::caching_resolver'], Service['openvpn'] ],
notify => Service['unbound'];
- '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver':
- content => "interface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n",
+ '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver.conf':
+ content => "server\n\tinterface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\n\taccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n",
owner => root,
group => root,
mode => '0644',
@@ -44,7 +44,7 @@ class site_openvpn::resolver {
}
} else {
$ensure_limited = 'absent'
- tidy { '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver': }
- tidy { '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver': }
+ tidy { '/etc/unbound/unbound.conf.d/vpn_limited_udp_resolver.conf': }
+ tidy { '/etc/unbound/unbound.conf.d/vpn_limited_tcp_resolver.conf': }
}
}
diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp
index f36fe20f..90a33d8d 100644
--- a/puppet/modules/site_sshd/manifests/authorized_keys.pp
+++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp
@@ -1,7 +1,17 @@
define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') {
- # We use a custom define here to deploy the authorized_keys file
- # cause puppet doesn't allow purgin before populating this file
- # (see https://tickets.puppetlabs.com/browse/PUP-1174)
+ # We want to purge unmanaged keys from the authorized_keys file so that only
+ # keys added in the provider are valid. Any manually added keys will be
+ # overridden.
+ #
+ # In order to do this, we have to use a custom define to deploy the
+ # authorized_keys file because puppet's internal resource doesn't allow
+ # purging before populating this file.
+ #
+ # See the following for more information:
+ # https://tickets.puppetlabs.com/browse/PUP-1174
+ # https://leap.se/code/issues/2990
+ # https://leap.se/code/issues/3010
+ #
# This line allows default homedir based on $title variable.
# If $home is empty, the default is used.
$homedir = $home ? {'' => "/home/${title}", default => $home}
diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp
index d9bc1d51..400c21ea 100644
--- a/puppet/modules/site_sshd/manifests/init.pp
+++ b/puppet/modules/site_sshd/manifests/init.pp
@@ -1,5 +1,5 @@
class site_sshd {
- $ssh = hiera_hash('ssh')
+ $ssh = hiera_hash('ssh')
$hosts = hiera('hosts', '')
##
@@ -22,10 +22,11 @@ class site_sshd {
group => root,
mode => '0644',
content => template('site_sshd/ssh_known_hosts.erb');
+
'/etc/ssh/ssh_config':
- owner => root,
- group => root,
- mode => '0644',
+ owner => root,
+ group => root,
+ mode => '0644',
content => template('site_sshd/ssh_config.erb');
}
@@ -46,4 +47,16 @@ class site_sshd {
ensure => absent
}
}
+
+ ##
+ ## SSHD SERVER CONFIGURATION
+ ##
+ class { '::sshd':
+ manage_nagios => 'no',
+ ports => $ssh['port'],
+ use_pam => 'yes',
+ hardened_ssl => 'yes',
+ print_motd => 'no',
+ manage_client => false
+ }
}
diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp
index 8af2230f..6941b1a3 100644
--- a/puppet/modules/site_static/manifests/domain.pp
+++ b/puppet/modules/site_static/manifests/domain.pp
@@ -1,9 +1,11 @@
define site_static::domain (
- $locations,
$ca_cert,
$key,
$cert,
- $tls_only) {
+ $tls_only=true,
+ $locations=undef,
+ $aliases=undef,
+ $apache_config=undef) {
$domain = $name
$base_dir = '/srv/static'
@@ -14,13 +16,6 @@ define site_static::domain (
x509::key { $domain: content => $key }
x509::ca { "${domain}_ca": content => $ca_cert }
- class { '::apache': no_default_site => true, ssl => true }
- include site_apache::module::headers
- include site_apache::module::alias
- include site_apache::module::expires
- include site_apache::module::removeip
- include site_apache::module::rewrite
-
apache::vhost::file { $domain:
content => template('site_static/apache.conf.erb')
}
diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp
index 4f6d895f..6e347d35 100644
--- a/puppet/modules/site_static/manifests/init.pp
+++ b/puppet/modules/site_static/manifests/init.pp
@@ -3,6 +3,39 @@ class site_static {
$static = hiera('static')
$domains = $static['domains']
$formats = $static['formats']
+ $bootstrap = $static['bootstrap_files']
+
+ if $bootstrap['enabled'] {
+ $bootstrap_domain = $bootstrap['domain']
+ $bootstrap_client = $bootstrap['client_version']
+ file { '/srv/leap/provider.json':
+ content => $bootstrap['provider_json'],
+ owner => 'www-data',
+ group => 'www-data',
+ mode => '0444';
+ }
+ # It is important to always touch provider.json: the client needs to check x-min-client-version header,
+ # but this is only sent when the file has been modified (otherwise 304 is sent by apache). The problem
+ # is that changing min client version won't alter the content of provider.json, so we must touch it.
+ exec { '/bin/touch /srv/leap/provider.json':
+ require => File['/srv/leap/provider.json'];
+ }
+ }
+
+ class { '::apache': no_default_site => true, ssl => true }
+ include site_apache::module::headers
+ include site_apache::module::alias
+ include site_apache::module::expires
+ include site_apache::module::removeip
+ include site_apache::module::rewrite
+
+ if (member($formats, 'rack')) {
+ include site_apt::preferences::passenger
+ class { 'passenger':
+ use_munin => false,
+ require => Class['site_apt::preferences::passenger']
+ }
+ }
if (member($formats, 'amber')) {
include site_config::ruby::dev
diff --git a/puppet/modules/site_static/manifests/location.pp b/puppet/modules/site_static/manifests/location.pp
index 1ba6807e..ce2af9af 100644
--- a/puppet/modules/site_static/manifests/location.pp
+++ b/puppet/modules/site_static/manifests/location.pp
@@ -1,6 +1,16 @@
define site_static::location($path, $format, $source) {
$file_path = "/srv/static/${name}"
+ $allowed_formats = ['amber','rack']
+
+ if $format == undef {
+ fail("static_site location `${path}` is missing `format` field.")
+ }
+
+ if ! member($allowed_formats, $format) {
+ $formats_str = join($allowed_formats, ', ')
+ fail("Unsupported static_site location format `${format}`. Supported formats include ${formats_str}.")
+ }
if ($format == 'amber') {
exec {"amber_build_${name}":
diff --git a/puppet/modules/site_static/templates/amber.erb b/puppet/modules/site_static/templates/amber.erb
new file mode 100644
index 00000000..17dc2ad6
--- /dev/null
+++ b/puppet/modules/site_static/templates/amber.erb
@@ -0,0 +1,15 @@
+<%- if @location_path == '' -%>
+ <Directory "<%= @directory %>/">
+ AllowOverride FileInfo Indexes Options=All,MultiViews
+ Order deny,allow
+ Allow from all
+ </Directory>
+<%- else -%>
+ AliasMatch ^/[a-z]{2}/<%=@location_path%>(/.+|/|)$ "<%=@directory%>/$1"
+ Alias /<%=@location_path%> "<%=@directory%>/"
+ <Directory "<%=@directory%>/">
+ AllowOverride FileInfo Indexes Options=All,MultiViews
+ Order deny,allow
+ Allow from all
+ </Directory>
+<%- end -%>
diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb
index 2abe1a98..07ac481d 100644
--- a/puppet/modules/site_static/templates/apache.conf.erb
+++ b/puppet/modules/site_static/templates/apache.conf.erb
@@ -2,32 +2,45 @@
##
## An apache config for static websites.
##
+
def location_directory(name, location)
- if location['format'] == 'amber'
+ if ['amber', 'rack'].include?(location['format'])
File.join(@base_dir, name, 'public')
else
File.join(@base_dir, name)
end
end
- document_root = '/var/www'
- @locations.each do |name, location|
- if location['path'] == '/'
- document_root = location_directory(name, location)
+
+ @document_root = begin
+ root = '/var/www'
+ @locations && @locations.each do |name, location|
+ root = location_directory(name, location) if location['path'] == '/'
end
+ root.gsub(%r{^/|/$}, '')
end
- document_root = document_root.gsub(%r{^/|/$}, '')
+
+ bootstrap_domain = scope.lookupvar('site_static::bootstrap_domain')
+ bootstrap_client = scope.lookupvar('site_static::bootstrap_client')
-%>
<VirtualHost *:80>
ServerName <%= @domain %>
ServerAlias www.<%= @domain %>
+<%- @aliases && @aliases.each do |domain_alias| -%>
+ ServerAlias <%= domain_alias %>
+<%- end -%>
+<%- if @tls_only -%>
RewriteEngine On
RewriteRule ^.*$ https://<%= @domain -%>%{REQUEST_URI} [R=permanent,L]
+<%- end -%>
</VirtualHost>
<VirtualHost *:443>
ServerName <%= @domain %>
ServerAlias www.<%= @domain %>
+<%- @aliases && @aliases.each do |domain_alias| -%>
+ ServerAlias <%= domain_alias %>
+<%- end -%>
#RewriteLog "/var/log/apache2/rewrite.log"
#RewriteLogLevel 3
@@ -38,8 +51,12 @@
SSLCompression off
SSLCipherSuite "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK"
+<%- if @tls_only -%>
Header add Strict-Transport-Security: "max-age=15768000;includeSubdomains"
+<%- end -%>
Header set X-Frame-Options "deny"
+ Header always unset X-Powered-By
+ Header always unset X-Runtime
SSLCertificateKeyFile /etc/x509/keys/<%= @domain %>.key
SSLCertificateFile /etc/x509/certs/<%= @domain %>.crt
@@ -47,31 +64,30 @@
RequestHeader set X_FORWARDED_PROTO 'https'
- DocumentRoot "/<%= document_root %>/"
+ DocumentRoot "/<%= @document_root %>/"
AccessFileName .htaccess
-<%- @locations.each do |name, location| -%>
- <%- path = location['path'].gsub(%r{^/|/$}, '') -%>
- <%- directory = location_directory(name, location) -%>
+<%- if ([@aliases]+[@domain]).flatten.include?(bootstrap_domain) -%>
+ Alias /provider.json /srv/leap/provider.json
+ <Location /provider.json>
+ Header set X-Minimum-Client-Version <%= bootstrap_client['min'] %>
+ </Location>
+<%- end -%>
+
+<%- if @apache_config -%>
+<%= @apache_config.gsub(':percent:','%') %>
+<%- end -%>
+
+<%- @locations && @locations.each do |name, location| -%>
+<%- location_path = location['path'].gsub(%r{^/|/$}, '') -%>
+<%- directory = location_directory(name, location) -%>
+<%- local_vars = {'location_path'=>location_path, 'directory'=>directory, 'location'=>location, 'name'=>name} -%>
+<%- template_path = File.join(File.dirname(__FILE__), location['format']) + '.erb' -%>
+<%- break unless File.exists?(template_path) -%>
##
- ## <%= name %>
+ ## <%= name %> (<%= location['format'] %>)
##
- <%- if path == '' -%>
- <Directory "/<%= document_root %>/">
- AllowOverride FileInfo Indexes Options=All,MultiViews
- Order deny,allow
- Allow from all
- </Directory>
- <%- else -%>
- AliasMatch ^/[a-z]{2}/<%=path%>(/.+|/|)$ "/<%=directory%>/$1"
- Alias /<%=path%> "/<%=directory%>/"
- <Directory "/<%=directory%>/">
- AllowOverride FileInfo Indexes Options=All,MultiViews
- Order deny,allow
- Allow from all
- </Directory>
- <%- end -%>
-
+<%= scope.function_templatewlv([template_path, local_vars]) %>
<%- end -%>
</VirtualHost>
diff --git a/puppet/modules/site_static/templates/rack.erb b/puppet/modules/site_static/templates/rack.erb
new file mode 100644
index 00000000..aae91f1c
--- /dev/null
+++ b/puppet/modules/site_static/templates/rack.erb
@@ -0,0 +1,21 @@
+ #PassengerLogLevel 1
+ #PassengerAppEnv production
+ #PassengerFriendlyErrorPages on
+<%- if @location_path == '' -%>
+ <Directory "<%=@directory%>">
+ Order deny,allow
+ Allow from all
+ Options -MultiViews
+ </Directory>
+<%- else -%>
+ Alias /<%=@location_path%> "<%=@directory%>"
+ <Location /<%=@location_path%>>
+ PassengerBaseURI /<%=@location_path%>
+ PassengerAppRoot "<%=File.dirname(@directory)%>"
+ </Location>
+ <Directory "<%=@directory%>">
+ Order deny,allow
+ Allow from all
+ Options -MultiViews
+ </Directory>
+<%- end -%>
diff --git a/puppet/modules/site_webapp/manifests/haproxy.pp b/puppet/modules/site_webapp/manifests/haproxy.pp
deleted file mode 100644
index b69c69da..00000000
--- a/puppet/modules/site_webapp/manifests/haproxy.pp
+++ /dev/null
@@ -1,13 +0,0 @@
-class site_webapp::haproxy {
-
- include site_haproxy
-
- $haproxy = hiera('haproxy')
-
- # Template uses $global_options, $defaults_options
- concat::fragment { 'leap_haproxy_webapp_couchdb':
- target => '/etc/haproxy/haproxy.cfg',
- order => '20',
- content => template('site_webapp/haproxy_couchdb.cfg.erb'),
- }
-}
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index d02a7261..d6f1d7ae 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -16,7 +16,7 @@ class site_webapp {
include site_config::ruby::dev
include site_webapp::apache
include site_webapp::couchdb
- include site_webapp::haproxy
+ include site_haproxy
include site_webapp::cron
include site_config::x509::cert
include site_config::x509::key
diff --git a/puppet/modules/sshd b/puppet/modules/sshd
-Subproject 1eabfe1b590f6663c2558f949408a08fc5f58fa
+Subproject 5c23b33200fc6229ada7f4e13672b5da0d4bdd8
diff --git a/puppet/modules/templatewlv/Modulefile b/puppet/modules/templatewlv/Modulefile
new file mode 100644
index 00000000..8007a070
--- /dev/null
+++ b/puppet/modules/templatewlv/Modulefile
@@ -0,0 +1,11 @@
+name 'duritong-templatewlv'
+version '0.0.1'
+source 'https://github.com/duritong/puppet-templatewlv.git'
+author 'duritong'
+license 'Apache License, Version 2.0'
+summary 'Template With Local Variables'
+description 'Pass local variables to templates'
+project_page 'https://github.com/duritong/puppet-templatewlv'
+
+## Add dependencies, if any:
+# dependency 'username/name', '>= 1.2.0'
diff --git a/puppet/modules/templatewlv/README.md b/puppet/modules/templatewlv/README.md
new file mode 100644
index 00000000..5ab01e45
--- /dev/null
+++ b/puppet/modules/templatewlv/README.md
@@ -0,0 +1,21 @@
+# templatewlv
+
+## Template With Local Variables
+
+A wrapper around puppet's template function. See
+[the templating docs](http://docs.puppetlabs.com/guides/templating.html) for
+the basic functionality.
+
+Additionally, you can pass a hash, as the last argument, which will be turned into
+local variables and available to the template itself. This will allow you to define
+variables in a template and pass them down to a template you include in the current
+template. An example:
+
+ scope.function_templatewlv(['sub_template', { 'local_var' => 'value' }])
+
+Note that if multiple templates are specified, their output is all
+concatenated and returned as the output of the function.
+
+# Who - License
+
+duritong - Apache License, Version 2.0
diff --git a/puppet/modules/templatewlv/lib/puppet/parser/functions/templatewlv.rb b/puppet/modules/templatewlv/lib/puppet/parser/functions/templatewlv.rb
new file mode 100644
index 00000000..c9579e2c
--- /dev/null
+++ b/puppet/modules/templatewlv/lib/puppet/parser/functions/templatewlv.rb
@@ -0,0 +1,41 @@
+require File.join(File.dirname(__FILE__),'../templatewrapperwlv')
+Puppet::Parser::Functions::newfunction(:templatewlv, :type => :rvalue, :arity => -2, :doc =>
+ "A wrapper around puppet's template function. See
+ [the templating docs](http://docs.puppetlabs.com/guides/templating.html) for
+ the basic functionality.
+
+ Additionally, you can pass a hash, as the last argument, which will be turned into
+ local variables and available to the template itself. This will allow you to define
+ variables in a template and pass them down to a template you include in the current
+ template. An example:
+
+ scope.function_templatewlv(['sub_template', { 'local_var' => 'value' }])
+
+ Note that if multiple templates are specified, their output is all
+ concatenated and returned as the output of the function.") do |vals|
+
+ if vals.last.is_a?(Hash)
+ local_vars = vals.last
+ local_vals = vals[0..-2]
+ else
+ local_vars = {}
+ local_vals = vals
+ end
+
+ result = nil
+ local_vals.collect do |file|
+ # Use a wrapper, so the template can't get access to the full
+ # Scope object.
+ debug "Retrieving template #{file}"
+
+ wrapper = Puppet::Parser::TemplateWrapperWlv.new(self,local_vars)
+ wrapper.file = file
+ begin
+ wrapper.result
+ rescue => detail
+ info = detail.backtrace.first.split(':')
+ raise Puppet::ParseError,
+ "Failed to parse template #{file}:\n Filepath: #{info[0]}\n Line: #{info[1]}\n Detail: #{detail}\n"
+ end
+ end.join("")
+end
diff --git a/puppet/modules/templatewlv/lib/puppet/parser/templatewrapperwlv.rb b/puppet/modules/templatewlv/lib/puppet/parser/templatewrapperwlv.rb
new file mode 100644
index 00000000..f1753e18
--- /dev/null
+++ b/puppet/modules/templatewlv/lib/puppet/parser/templatewrapperwlv.rb
@@ -0,0 +1,39 @@
+# A wrapper for templates, that allows you to additionally define
+# local variables
+class Puppet::Parser::TemplateWrapperWlv < Puppet::Parser::TemplateWrapper
+ attr_reader :local_vars
+ def initialize(scope, local_vars)
+ super(scope)
+ @local_vars = local_vars
+ end
+
+ # Should return true if a variable is defined, false if it is not
+ def has_variable?(name)
+ super(name) || local_vars.keys.include?(name.to_s)
+ end
+
+ def method_missing(name, *args)
+ if local_vars.keys.include?(n=name.to_s)
+ local_vars[n]
+ else
+ super(name, *args)
+ end
+ end
+
+ def result(string = nil)
+ # Expose all the variables in our scope as instance variables of the
+ # current object, making it possible to access them without conflict
+ # to the regular methods.
+ benchmark(:debug, "Bound local template variables for #{@__file__}") do
+ local_vars.each do |name, value|
+ if name.kind_of?(String)
+ realname = name.gsub(/[^\w]/, "_")
+ else
+ realname = name
+ end
+ instance_variable_set("@#{realname}", value)
+ end
+ end
+ super(string)
+ end
+end