| author | elijah <elijah@riseup.net> | 2013-04-02 15:38:54 -0700 | 
|---|---|---|
| committer | elijah <elijah@riseup.net> | 2013-04-02 15:38:54 -0700 | 
| commit | d2b525e0e471792ecc734b7b9f4f7ebcb98d868f (patch) | |
| tree | c7f90bffed40f447d989518e1636216335761907 | |
| parent | 4ed5d33f33c488a6a6d5f6a5e8f57b74ecd53a7d (diff) | |
| parent | 1750bec7032e90ddbe43da35eb5f49066187d1d4 (diff) | |
Merge branch 'develop' of ssh://leap.se/leap_platform into develop
| -rw-r--r-- | provider_base/services/couchdb.json | 5 | ||||
| -rw-r--r-- | puppet/modules/site_config/manifests/hosts.pp | 2 | ||||
| -rw-r--r-- | puppet/modules/site_couchdb/manifests/init.pp | 1 | ||||
| -rw-r--r-- | puppet/modules/site_couchdb/manifests/stunnel.pp | 67 | ||||
| -rw-r--r-- | puppet/modules/site_shorewall/manifests/couchdb.pp | 10 | ||||
| -rw-r--r-- | puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp | 36 | ||||
| -rw-r--r-- | puppet/modules/site_shorewall/manifests/couchdb/dnat.pp | 21 | ||||
| -rw-r--r-- | puppet/modules/site_shorewall/manifests/dnat.pp | 19 | ||||
| -rw-r--r-- | puppet/modules/site_stunnel/manifests/clients.pp | 26 | ||||
| -rw-r--r-- | puppet/modules/site_stunnel/manifests/setup.pp | 24 | ||||
| -rw-r--r-- | puppet/modules/site_webapp/manifests/couchdb.pp | 38 | ||||
| -rw-r--r-- | puppet/modules/site_webapp/manifests/couchdb_stunnel.pp | 43 | ||||
| -rw-r--r-- | puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp | 17 | 
13 files changed, 216 insertions, 93 deletions
| diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json index e60f4e0f..ce46e3bb 100644 --- a/provider_base/services/couchdb.json +++ b/provider_base/services/couchdb.json @@ -4,11 +4,14 @@      "use": true    },    "stunnel": { -    "couch_server": "= stunnel_server(couch.port)" +    "couch_server": "= stunnel_server(couch.port)", +    "bigcouch_replication_server": "= stunnel_server(couch.bigcouch.port)", +    "bigcouch_replication_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.port)"    },    "couch": {      "port": 5984,      "bigcouch": { +      "port": 4369,        "cookie": "= secret :bigcouch_cookie"      },      "users": { diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index 81795f7d..1e1590f5 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -9,7 +9,7 @@ class site_config::hosts() {      content => $hostname    } -  exec { "/bin/hostname $hostname": +  exec { "/bin/hostname ${hostname}":      subscribe   => [ File['/etc/hostname'], File['/etc/hosts'] ],      refreshonly => true;    } diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index d317de65..e0f379cd 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -67,4 +67,5 @@ class site_couchdb ( $bigcouch = false ) {    }    include site_shorewall::couchdb +  include site_shorewall::couchdb::bigcouch  } diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 1afe25a4..1eb79293 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp 
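Review bot: The new `"port": 4369` under `couch.bigcouch` carries no explanation, and 4369 is the port conventionally used by epmd (the Erlang port mapper) rather than by a node's own distribution listener, so it is worth recording which bigcouch service this port is meant to be tunnelled and why that one. JSON cannot hold a comment, so the explanation belongs with the `stunnel_server`/`stunnel_client` helpers or in the provider documentation. `bigcouch_replication_clients` is also built from `nodes_like_me[:services => :couchdb]`; if that selector includes the local node, each couchdb host would get a stunnel client pointing at itself, so confirm the helper excludes self.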
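Review bot: The exec title `"/bin/hostname ${hostname}"` still interpolates `$hostname` straight into the command line; the change only fixes the brace style, so a value containing whitespace (or metacharacters, should a shell provider ever be used) would still change what runs. `$hostname` is set outside this hunk (the `site_config::hosts` body starts above it), so validate it before use, e.g. `validate_re($hostname, '^[A-Za-z0-9][A-Za-z0-9.-]*$')` if puppetlabs-stdlib is available, or an equivalent `if $hostname !~ /^[A-Za-z0-9][A-Za-z0-9.-]*$/ { fail("bad hostname: ${hostname}") }` guard.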
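Review bot: `include site_shorewall::couchdb::bigcouch` is added unconditionally even though the class is declared `class site_couchdb ( $bigcouch = false )`, so the bigcouch firewall rules (which open the replication stunnel port from the `net` zone) would also be applied on single-node couchdb hosts, and that class reads `hiera('stunnel')['bigcouch_replication_server']`, which such nodes may not define. Guard it on the parameter: `if $bigcouch { include site_shorewall::couchdb::bigcouch }`. The rest of the class body is outside the hunk, so check whether `site_couchdb::stunnel` needs the same guard for its bigcouch server and client resources.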
@@ -1,43 +1,70 @@  class site_couchdb::stunnel ($key, $cert, $ca) { -  include x509::variables -  include site_stunnel +  $stunnel              = hiera('stunnel') + +  $couch_server         = $stunnel['couch_server'] +  $couch_server_accept  = $couch_server['accept'] +  $couch_server_connect = $couch_server['connect'] + +  $bigcouch_replication_server         = $stunnel['bigcouch_replication_server'] +  $bigcouch_replication_server_accept  = $bigcouch_replication_server['accept'] +  $bigcouch_replication_server_connect = $bigcouch_replication_server['connect'] +  $bigcouch_replication_clients         = $stunnel['bigcouch_replication_clients'] + +  include x509::variables    $cert_name = 'leap_couchdb'    $ca_name   = 'leap_ca'    $ca_path   = "${x509::variables::local_CAs}/${ca_name}.crt"    $cert_path = "${x509::variables::certs}/${cert_name}.crt"    $key_path  = "${x509::variables::keys}/${cert_name}.key" -  x509::key { -    $cert_name: -      content => $key, -      notify  => Service['stunnel']; +  # basic setup: ensure cert, key, ca files are in place, and some generic +  # stunnel things are done +  class { 'site_stunnel::setup': +    cert_name => $cert_name, +    key       => $key, +    cert      => $cert, +    ca        => $ca    } -  x509::cert { -    $cert_name: -      content => $cert, -      notify  => Service['stunnel']; +  # setup a stunnel server for the webapp to connect to couchdb +  stunnel::service { 'couch_server': +    accept     => $couch_server_accept, +    connect    => $couch_server_connect, +    client     => false, +    cafile     => $ca_path, +    key        => $key_path, +    cert       => $cert_path, +    verify     => '2', +    pid        => '/var/run/stunnel4/couchserver.pid', +    rndfile    => '/var/lib/stunnel4/.rnd', +    debuglevel => '4'    } -  x509::ca { -    $ca_name: -      content => $ca, -      notify  => Service['stunnel']; -  } -  stunnel::service { 'couchdb': -    accept     => '6984', -    connect    => 
'127.0.0.1:5984', +  # setup stunnels for bigcouch clustering between each bigcouchdb node +  # server +  stunnel::service { 'bigcouch_replication_server': +    accept     => $bigcouch_replication_server_accept, +    connect    => $bigcouch_replication_server_connect,      client     => false,      cafile     => $ca_path,      key        => $key_path,      cert       => $cert_path,      verify     => '2', -    pid        => '/var/run/stunnel4/couchdb.pid', +    pid        => '/var/run/stunnel4/bigcouchreplication_server.pid',      rndfile    => '/var/lib/stunnel4/.rnd',      debuglevel => '4'    } -} +  # clients +  $bigcouch_replication_client_defaults = { +    'client'       => true, +    'cafile'       => $ca_path, +    'key'          => $key_path, +    'cert'         => $cert_path, +  } + +  create_resources(site_stunnel::clients, $bigcouch_replication_clients, $bigcouch_replication_client_defaults) +} diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp index 9fa59569..1ef91bb0 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb.pp @@ -2,16 +2,20 @@ class site_shorewall::couchdb {    include site_shorewall::defaults -  $couchdb_port = '6984' +  $stunnel = hiera('stunnel') +  $couch_server = $stunnel['couch_server'] +  $couch_stunnel_port = $couch_server['accept'] + +  # see http://stackoverflow.com/questions/8459949/bigcouch-cluster-connection-issue#comment10467603_8463814 +  $erlang_vm_port = '9001'    # define macro for incoming services    file { '/etc/shorewall/macro.leap_couchdb': -    content => "PARAM   -       -       tcp    $couchdb_port", +    content => "PARAM   -       -       tcp    ${couch_stunnel_port},${erlang_vm_port}",      notify  => Service['shorewall'],      require => Package['shorewall']    } -    shorewall::rule {        'net2fw-couchdb':          source      => 'net', 
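Review bot: `class { 'site_stunnel::setup': ... }` is declared resource-style here and again in `site_webapp::couchdb` later in this commit, so a node that runs both the webapp and couchdb services would fail with a duplicate class declaration; both callers pass the same `cert_name => 'leap_couchdb'`, which suggests the x509 files are node-level state that should be `include`d (with the inputs read from hiera inside `site_stunnel::setup`) rather than parameterised per caller. Separately, both server services keep `verify => '2'`, which accepts any certificate issued by `leap_ca`, so every certificate holder in the provider — not only couchdb peers and the webapp — can open the replication tunnel; if the `stunnel::service` define supports it, `verify => '3'` with the peer certificates in the CA path would narrow this to known nodes. The `# clients` comment before the defaults hash could say what the hiera map is keyed by and which keys (`connect`, `accept_port`, `connect_port`) each entry must provide, since `site_stunnel::clients` requires all three.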
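Review bot: The macro `leap_couchdb` now accepts `${couch_stunnel_port},${erlang_vm_port}` and is consumed by the `net2fw-couchdb` rule with `source => 'net'` (its remaining lines are below the hunk), so TCP 9001 is opened to the whole `net` zone next to the stunnel port. If 9001 is the Erlang distribution listener the linked comment refers to, that traffic is not wrapped by the stunnels this commit adds and is protected only by the shared bigcouch cookie, which undoes the point of tunnelling the replication. Restrict it to the replication peers — a separate `shorewall::rule` whose `source` is the peer addresses from `$stunnel['bigcouch_replication_clients']` — or keep the listener bound to loopback and carry it through the stunnel. `$erlang_vm_port = '9001'` also deserves a comment naming what the port is rather than only the link, e.g. `# port the bigcouch Erlang VM listens on for inter-node traffic (see link)`.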
diff --git a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp new file mode 100644 index 00000000..85272657 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp @@ -0,0 +1,36 @@ +class site_shorewall::couchdb::bigcouch { + +  include site_shorewall::defaults + +  $stunnel = hiera('stunnel') +  $bigcouch_replication_clients         = $stunnel['bigcouch_replication_clients'] + +  $bigcouch_replication_server          = $stunnel['bigcouch_replication_server'] +  $bigcouch_replication_server_port     = $bigcouch_replication_server['accept'] +  $bigcouch_replication_connect         = $bigcouch_replication_server['connect'] + +  # define macro for incoming services +  file { '/etc/shorewall/macro.leap_bigcouch': +    content => "PARAM   -       -       tcp    ${bigcouch_replication_server_port}", +    notify  => Service['shorewall'], +    require => Package['shorewall'] +  } + +  shorewall::rule { +      'net2fw-bigcouch': +        source      => 'net', +        destination => '$FW', +        action      => 'leap_bigcouch(ACCEPT)', +        order       => 300; +  } + +  $bigcouch_shorewall_dnat_defaults = { +    'source'          => '$FW', +    'proto'           => 'tcp', +    'destinationport' => regsubst($bigcouch_replication_connect, '^([0-9.]+:)([0-9]+)$', '\2') +  } + +  create_resources(site_shorewall::couchdb::dnat, $bigcouch_replication_clients, $bigcouch_shorewall_dnat_defaults) + +} + diff --git a/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp b/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp new file mode 100644 index 00000000..f1bc9acf --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp 
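Review bot: `regsubst($bigcouch_replication_connect, '^([0-9.]+:)([0-9]+)$', '\2')` returns its input unchanged when `connect` is not `dotted-IPv4:port` (a hostname, an IPv6 literal or a bare port), and that whole string then becomes the `destinationport` of every DNAT rule, silently producing a rule that matches nothing. Fail loudly instead: `if $bigcouch_replication_connect !~ /^[0-9.]+:[0-9]+$/ { fail("unexpected bigcouch connect value: ${bigcouch_replication_connect}") }` before the substitution, or widen the pattern to `'^(.+:)([0-9]+)$'` if hostnames are expected. This class is the second consumer of the `bigcouch_replication_clients` hiera map after `site_couchdb::stunnel`, so a header comment stating the keys each entry must carry (`connect`, `accept_port`, `connect_port`) would make the contract visible in one place.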
@@ -0,0 +1,21 @@ +define site_shorewall::couchdb::dnat ( +  $source, +  $connect, +  $connect_port, +  $accept_port, +  $proto, +  $destinationport ) +{ + + +  shorewall::rule { +    "dnat_${name}_${destinationport}": +      action          => 'DNAT', +      source          => $source, +      destination     => "\$FW:127.0.0.1:${accept_port}", +      proto           => $proto, +      destinationport => $destinationport, +      originaldest    => $connect, +      order           => 200 +  } +} diff --git a/puppet/modules/site_shorewall/manifests/dnat.pp b/puppet/modules/site_shorewall/manifests/dnat.pp new file mode 100644 index 00000000..a73294cc --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/dnat.pp @@ -0,0 +1,19 @@ +define site_shorewall::dnat ( +  $source, +  $destination, +  $proto, +  $destinationport, +  $originaldest ) { + + +  shorewall::rule { +    "dnat_${name}_${destinationport}": +      action          => 'DNAT', +      source          => $source, +      destination     => $destination, +      proto           => $proto, +      destinationport => $destinationport, +      originaldest    => $originaldest, +      order           => 200 +  } +} diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp new file mode 100644 index 00000000..ed766e1a --- /dev/null +++ b/puppet/modules/site_stunnel/manifests/clients.pp 
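Review bot: `site_shorewall::couchdb::dnat` declares `$connect_port` but never uses it, and the define is a near copy of `site_shorewall::dnat` added in the next hunk of this commit, which in turn is referenced nowhere in the diff. Keep one of them: `site_shorewall::couchdb::bigcouch` could call `site_shorewall::dnat` directly with `destination => "\$FW:127.0.0.1:${accept_port}"`, or `site_shorewall::couchdb::dnat` could wrap it; either way drop the unused parameter. Both defines also lack a header comment; something like `# Redirect the firewall's own connections to a bigcouch peer (originaldest:destinationport) into the local stunnel client on 127.0.0.1:accept_port.` would explain the otherwise surprising `'$FW'` source.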
@@ -0,0 +1,26 @@ +define site_stunnel::clients ( +  $accept_port, +  $connect_port, +  $connect, +  $cafile, +  $key, +  $cert, +  $client     = true, +  $verify     = '2', +  $pid        = $name, +  $rndfile    = '/var/lib/stunnel4/.rnd', +  $debuglevel = '4' ) { + +  stunnel::service { $name: +    accept     => "127.0.0.1:${accept_port}", +    connect    => "${connect}:${connect_port}", +    client     => $client, +    cafile     => $cafile, +    key        => $key, +    cert       => $cert, +    verify     => $verify, +    pid        => "/var/run/stunnel4/${pid}.pid", +    rndfile    => $rndfile, +    debuglevel => $debuglevel +  } +} diff --git a/puppet/modules/site_stunnel/manifests/setup.pp b/puppet/modules/site_stunnel/manifests/setup.pp new file mode 100644 index 00000000..7ec2378f --- /dev/null +++ b/puppet/modules/site_stunnel/manifests/setup.pp @@ -0,0 +1,24 @@ +class site_stunnel::setup ($cert_name, $key, $cert, $ca) { + +  include site_stunnel + +  x509::key { +    $cert_name: +      content => $key, +      notify  => Service['stunnel']; +  } + +  x509::cert { +    $cert_name: +      content => $cert, +      notify  => Service['stunnel']; +  } + +  x509::ca { +    $ca_name: +      content => $ca, +      notify  => Service['stunnel']; +  } + +} + diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index ef61aeb6..e956fd54 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -1,9 +1,5 @@  class site_webapp::couchdb { -  $x509                    = hiera('x509') -  $key                     = $x509['key'] -  $cert                    = $x509['cert'] -  $ca                      = $x509['ca_cert']    $webapp                  = hiera('webapp')    # haproxy listener on port localhost:4096, see site_webapp::haproxy    $couchdb_host            = 'localhost' 
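Review bot: `pid => "/var/run/stunnel4/${pid}.pid"` is built from `$pid = $name`, and `$name` comes from the keys of the hiera maps handed to `create_resources` (presumably node names); a key containing `/` or `..` would place the pid file outside `/var/run/stunnel4`. The data is provider-generated, so this is robustness more than attack surface, but a guard such as `if $pid !~ /^[A-Za-z0-9_.-]+$/ { fail("invalid stunnel client name: ${pid}") }` is cheap. The define also requires `$connect_port` with no default where the deleted `site_webapp::couchdb_stunnel::clients` hard-coded `:6984`; `site_webapp::couchdb` supplies it through its defaults hash but `site_couchdb::stunnel` does not, so the bigcouch client entries must carry `connect_port` themselves — confirm the `stunnel_client` helper emits it. A one-line header comment listing the keys each hiera entry must provide would make that contract visible.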
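Review bot: `x509::ca { $ca_name: ... }` uses `$ca_name`, which is neither a parameter of `site_stunnel::setup ($cert_name, $key, $cert, $ca)` nor assigned anywhere in the class, so the resource title is undefined — the deleted `site_webapp::couchdb_stunnel` set `$ca_name = 'leap_ca'` locally before this code was moved. Either add a parameter, `class site_stunnel::setup ($cert_name, $key, $cert, $ca, $ca_name = 'leap_ca') {`, and pass it from both callers, or set `$ca_name = 'leap_ca'` inside the class; both callers build `$ca_path` from the same literal, so one shared source for the name would keep them from drifting. The class also needs a comment saying it is meant to be declared once per node, since it is currently declared resource-style from both `site_couchdb::stunnel` and `site_webapp::couchdb`.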
@@ -13,6 +9,21 @@ class site_webapp::couchdb {    $couchdb_webapp_user     = $webapp['couchdb_webapp_user']['username']    $couchdb_webapp_password = $webapp['couchdb_webapp_user']['password'] +  $stunnel                 = hiera('stunnel') +  $couch_client            = $stunnel['couch_client'] +  $couch_client_connect    = $couch_client['connect'] + +  include x509::variable +  $x509                    = hiera('x509') +  $key                     = $x509['key'] +  $cert                    = $x509['cert'] +  $ca                      = $x509['ca_cert'] +  $cert_name               = 'leap_couchdb' +  $ca_name                 = 'leap_ca' +  $ca_path                 = "${x509::variables::local_CAs}/${ca_name}.crt" +  $cert_path               = "${x509::variables::certs}/${cert_name}.crt" +  $key_path                = "${x509::variables::keys}/${cert_name}.key" +    file {      '/srv/leap-webapp/config/couchdb.yml.admin':        content => template('site_webapp/couchdb.yml.admin.erb'), @@ -33,10 +44,11 @@ class site_webapp::couchdb {        mode   => '0744';    } -  class { 'site_webapp::couchdb_stunnel': -    key  => $key, -    cert => $cert, -    ca   => $ca +  class { 'site_stunnel::setup': +    cert_name => $cert_name, +    key       => $key, +    cert      => $cert, +    ca        => $ca    }    exec { 'migrate_design_documents': @@ -45,4 +57,14 @@ class site_webapp::couchdb {      require  => Exec['bundler_update'],      notify   => Service['apache'];    } + +  $couchdb_stunnel_client_defaults = { +    'connect_port' => $couch_client_connect, +    'client'     => true, +    'cafile'     => $ca_path, +    'key'        => $key_path, +    'cert'       => $cert_path, +  } + +  create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults)  } diff --git a/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp b/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp deleted file mode 100644 index 325b18ee..00000000 
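Review bot: `include x509::variable` is a typo for `x509::variables` — the same hunk interpolates `${x509::variables::local_CAs}` a few lines below, and `site_couchdb::stunnel` includes `x509::variables` — so unless the class happens to be loaded elsewhere the path variables resolve to empty strings and `$ca_path` becomes `/leap_ca.crt`. Fix: `include x509::variables`. `$couch_client = $stunnel['couch_client']` is also read here although `couch_client` is not defined in the `couchdb.json` hunk of this commit, so confirm where that key is provided.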
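Review bot: `create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults)` treats `$couch_client` as a map of resource titles to parameter hashes, but the earlier hunk of this file reads `$couch_client['connect']` as if it were a single client entry; if the hiera value is one `{accept_port, connect, ...}` hash, `create_resources` will try to create a resource titled `connect` with a string as its parameters, and if it is a per-node map, `$couch_client_connect` is undefined. Pick one shape and read it consistently — for a per-node map, drop `connect_port` from the defaults and let each entry carry it. The defaults hash also no longer passes the `verify`, `rndfile` and `debuglevel` keys the deleted `site_webapp::couchdb_stunnel` did, which is correct only because `site_stunnel::clients` now defaults them; a short comment, `# verify/rndfile/debuglevel come from the define's defaults`, would save the next reader the check.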
--- a/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp +++ /dev/null @@ -1,43 +0,0 @@ -class site_webapp::couchdb_stunnel ($key, $cert, $ca) { - -  include x509::variables -  include site_stunnel - -  $cert_name = 'leap_couchdb' -  $ca_name   = 'leap_ca' -  $ca_path   = "${x509::variables::local_CAs}/${ca_name}.crt" -  $cert_path = "${x509::variables::certs}/${cert_name}.crt" -  $key_path  = "${x509::variables::keys}/${cert_name}.key" - -  x509::key { -    $cert_name: -      content => $key, -      notify  => Service['stunnel']; -  } - -  x509::cert { -    $cert_name: -      content => $cert, -      notify  => Service['stunnel']; -  } - -  x509::ca { -    $ca_name: -      content => $ca, -      notify => Service['stunnel']; -  } - -  $couchdb_stunnel_client_defaults = { -    'client'     => true, -    'cafile'     => $ca_path, -    'key'        => $key_path, -    'cert'       => $cert_path, -    'verify'     => '2', -    'rndfile'    => '/var/lib/stunnel4/.rnd', -    'debuglevel' => '4' -  } - -  create_resources(site_webapp::couchdb_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) - -} - diff --git a/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp b/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp deleted file mode 100644 index eac43b08..00000000 --- a/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp +++ /dev/null @@ -1,17 +0,0 @@ -define site_webapp::couchdb_stunnel::clients -    ( $accept_port, $connect, $client, $cafile, $key, $cert, -      $verify, $pid = $name, $rndfile, $debuglevel ) { - -    stunnel::service { $name: -      accept     => "127.0.0.1:${accept_port}", -      connect    => "${connect}:6984", -      client     => $client, -      cafile     => $cafile, -      key        => $key, -      cert       => $cert, -      verify     => $verify, -      pid        => "/var/run/stunnel4/${pid}.pid", -      rndfile    => $rndfile, -      debuglevel => $debuglevel -    } -  } | 
