author | Micah Anderson <micah@leap.se> | 2015-07-23 11:46:55 -0400 |
---|---|---|
committer | Micah Anderson <micah@leap.se> | 2015-07-23 11:46:55 -0400 |
commit | 70b1c648b94e6c007b9241a4661f33881e74485f (patch) | |
tree | 999e5dc1f386fc3894889c1cf263094cc748fd41 | |
parent | b429b30bda4dafc78cb02f6ece5d82f08e35de1f (diff) | |
parent | 2761fa77394d5a2857812de840e49172d0e486fb (diff) |
Merge branch 'develop'
25 files changed, 118 insertions, 117 deletions
@@ -1,9 +1,9 @@ -Platform 0.7.0 +Platform 0.7.1 ----------------------- Compatibility: -* Requires leap_cli version 1.7.2 +* Requires leap_cli version 1.7.4 * Requires bitmask client version >= 0.7 * Previous releases supported cookies when using the provider API. Now, only tokens are supported. 
@@ -13,55 +13,12 @@ Compatibility: * webapp 0.7 * soledad 0.7 -Commits: https://leap.se/git/leap_platform.git/shortlog/refs/tags/0.7.0 -Issues fixed: https://leap.se/code/versions/168 +Commits: https://leap.se/git/leap_platform.git/shortlog/refs/tags/0.7.1 +Issues fixed: https://leap.se/code/versions/159 Upgrading: -* `gem install leap_cli --version 1.7.2`. -* `cd leap_platform; git pull; git checkout 0.7.0`. +* `gem install leap_cli --version 1.7.4`. +* `cd leap_platform; git pull; git checkout 0.7.1`. * `leap deploy` -* `leap db destroy --db sessions,tokens` You can ignore message about needing to redeploy (since, in this case, we just want to permanently delete those databases). * `leap test` to make sure everything is working - -New features: - -* rotating couchdb databases: CouchDB is not designed to handle ephemeral data, like sessions, because documents are never really deleted (a tombstone document is always kept to record the deletion). To overcome this limitation, we now rotate the `sessions` and `tokens` databases monthly. The new database names are `tokens_XXX` and `sessions_XXX` where XXX is a counter since the epoch that increments every month (not a calendar month, but a month's worth of seconds). Additionally, nagios checks and `leap test run` now will create and destroy test users in the `tmp_users` database, which will get periodically deleted and recreated. -* deployment logging: information on every deploy is logged to `/var/log/leap` on the node, including the user, leap_cli version, and platform version. -* you must now run `leap deploy --downgrade` if you want to deploy an older version over a newer platform version. -* the install source for each custom daemons (e.g. tapicero, etc) can now configured in `common.json`. 
-* you can configure apt sources in common.json -* improved nagios graphs integration (with pnp4nagios) -* default MTU was reduced to 1400 for better overall compatibility -* install haveged for some minimal entropy on depleted systems -* switch to release branches for webapp, tapicero -* implement weakdh recommendations, and update minimal cipher lists for web TLS connections -* many bug bugfixes, security improvements, and tests - - -Platform 0.6 -------------------------------------- - -Compatibility: - -* Requires leap_cli version 1.6 -* Requires bitmask client version >= 0.5 - -Commits: https://leap.se/git/leap_platform.git/shortlog/refs/tags/0.6.0 - -New features: - -* single node deployment -* include custom puppet modules and manifests -* couch flexibility -* stunnel rework -* new debian repository structure -* dependency pinning -* leap_cli modularization -* improved cert generation -* monitoring improvements such as per-environment tooling and notifications -* tor hidden service support -* switch away from NIST curve and ensure TLSv1 is used -* tests made significantly more robust -* add support for webapp deployment to a subdomain -* many, many bugfixes and stability improvements diff --git a/Vagrantfile b/Vagrantfile index 4a91c459..c9c68284 100644 --- a/Vagrantfile +++ b/Vagrantfile 
@@ -1,21 +1,23 @@ -Vagrant.configure("2") do |config| - config.vm.define :node1 do |config| +# -*- mode: ruby -*- +# vi: set ft=ruby : +Vagrant.configure("2") do |vagrant_config| + vagrant_config.vm.define :node1 do |config| # Please verify the sha512 sum of the downloaded box before importing it into vagrant ! # see https://leap.se/en/docs/platform/details/development#Verify.vagrantbox.download # for details - config.vm.box = "leap-wheezy" - config.vm.box_url = "https://downloads.leap.se/platform/vagrant/virtualbox/leap-wheezy.box" + config.vm.box = "LEAP/wheezy" #config.vm.network :private_network, ip: "10.5.5.102" config.vm.provider "virtualbox" do |v| + v.memory = 1024 v.customize ["modifyvm", :id, "--natdnshostresolver1", "on"] v.name = "node1" end config.vm.provision "puppet" do |puppet| puppet.manifests_path = "./vagrant" - puppet.module_path = "./puppet/modules" + puppet.module_path = "./puppet/modules" puppet.manifest_file = "install-platform.pp" puppet.options = "--verbose" end diff --git a/doc/tutorials/single-node-email.md b/doc/tutorials/single-node-email.md index 872d1da8..b47496b9 100644 --- a/doc/tutorials/single-node-email.md +++ b/doc/tutorials/single-node-email.md @@ -145,7 +145,7 @@ A "node" is a server that is part of your infrastructure. Every node can have on Create a node, with `all the services needed for Email: "couchdb", "mx", "soledad" and "webapp"` - $ leap node add node1 ip_address:x.x.x.w services:couchdb,mx,soledad,webapp + $ leap node add node1 ip_address:x.x.x.w services:couchdb,mx,soledad,webapp tags:production NOTE: replace x.x.x.w with the actual IP address of this node diff --git a/platform.rb b/platform.rb index bb77b0d9..0c3de2a0 100644 --- a/platform.rb +++ b/platform.rb @@ -4,7 +4,7 @@ # Leap::Platform.define do - self.version = "0.7" + self.version = "0.7.1" self.compatible_cli = "1.7.0".."1.7.99" # 
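Review bot: The Vagrantfile now resolves the box by name (`config.vm.box = "LEAP/wheezy"`) with no version pin, while the retained comment still tells the user to verify the sha512 sum of the downloaded box before importing it. With `box_url` removed, Vagrant fetches the box itself on `vagrant up`, so that manual step no longer happens. Consider pinning the release with `config.vm.box_version = "<known-good version>"` and rewording the comment to say how the fetched box is checked against the published checksum. The rename of the outer block parameter to `vagrant_config` removes the shadowing by the inner `|config|` and is fine as written.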
@@ -75,8 +75,11 @@ Leap::Platform.define do :commercial_key => 'files/cert/#{arg}.key', :commercial_csr => 'files/cert/#{arg}.csr', :commercial_cert => 'files/cert/#{arg}.crt', - :commercial_ca_cert => 'files/cert/commercial_ca.crt', - :vagrantfile => 'test/Vagrantfile', + :commercial_ca_cert => 'files/cert/commercial_ca.crt', + :vagrantfile => 'test/Vagrantfile', + :static_web_provider_json => 'files/web/bootstrap/#{arg}/provider.json', + :static_web_htaccess => 'files/web/bootstrap/#{arg}/htaccess', + :static_web_readme => 'files/web/bootstrap/README', # node output files :hiera => 'hiera/#{arg}.yaml', @@ -102,7 +105,7 @@ Leap::Platform.define do self.monitor_username = 'monitor' - self.reserved_usernames = ['monitor'] + self.reserved_usernames = ['monitor', 'root'] self.default_puppet_tags = ['leap_base','leap_service'] end diff --git a/provider_base/common.json b/provider_base/common.json index c7be5cf4..3d2965d7 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -80,7 +80,7 @@ "webapp": { "type": "git", "source": "https://leap.se/git/leap_web", - "revision": "origin/version/0.7" + "revision": "origin/version/0.7.1" } } } diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb -Subproject 23b557c6fb07929a9b04e5fb75375a85a473437 +Subproject 3c20a3169e77e5a5f9abc06788c3a7730d5530c diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp index 6bcdd19a..284662d2 100644 --- a/puppet/modules/leap_mx/manifests/init.pp +++ b/puppet/modules/leap_mx/manifests/init.pp 
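Review bot: `self.reserved_usernames = ['monitor', 'root']` in platform.rb still leaves other privileged-looking names unreserved. If this list is what stops end users from registering those names (the consumer is not visible in this hunk), role names such as `postmaster`, `abuse` and `admin` are worth considering, because on a mail provider they can be used to impersonate the operator. A comment above the line stating where the list is enforced, e.g. `# usernames end users may not register; enforced by <component>`, would let a reader check the coverage. The `Leap::Platform.define` block starts and ends outside the hunk.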
@@ -77,16 +77,18 @@ class leap_mx { } augeas { - "logrotate_mx": - context => "/files/etc/logrotate.d/leap-mx/rule", + 'logrotate_mx': + context => '/files/etc/logrotate.d/leap-mx/rule', changes => [ - "set file /var/log/leap/mx.log", - 'set rotate 5', - 'set schedule daily', - 'set compress compress', - 'set missingok missingok', - 'set ifempty notifempty', - 'set copytruncate copytruncate' - ] + 'set file /var/log/leap/mx.log', + 'set rotate 5', + 'set schedule daily', + 'clear nocreate', + 'rm create', + 'rm ifempty', + 'set compress compress', + 'set missingok missingok', + 'set copytruncate copytruncate' + ] } } diff --git a/puppet/modules/site_apt/manifests/preferences/passenger.pp b/puppet/modules/site_apt/manifests/preferences/passenger.pp index af501b6b..8cd41f91 100644 --- a/puppet/modules/site_apt/manifests/preferences/passenger.pp +++ b/puppet/modules/site_apt/manifests/preferences/passenger.pp @@ -1,10 +1,14 @@ +# +# currently, this is only used by static_site to get passenger v4. +# +# UPGRADE: this is not needed for jessie. +# class site_apt::preferences::passenger { apt::preferences_snippet { 'passenger': package => 'libapache2-mod-passenger', release => "${::lsbdistcodename}-backports", - priority => 999, - require => [Package['apache'], Class['ruby']]; + priority => 999; } } diff --git a/puppet/modules/site_check_mk/files/agent/local_checks/couchdb/leap_couch_stats.sh b/puppet/modules/site_check_mk/files/agent/local_checks/couchdb/leap_couch_stats.sh index 95474ccb..83b407e0 100755 --- a/puppet/modules/site_check_mk/files/agent/local_checks/couchdb/leap_couch_stats.sh +++ b/puppet/modules/site_check_mk/files/agent/local_checks/couchdb/leap_couch_stats.sh @@ -117,3 +117,6 @@ end_time=$(date +%s.%N) duration=$( echo "scale = 2; $end_time - $start_time" | bc -l ) printf "${exitcode} ${PREFIX}global_stats ${global_stats_perf}|script_duration=%02.2fs ${STATE[exitcode]}: global couchdb status\n" "$duration" + +rm "$TMPFILE" + 
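Review bot: The added `rm "$TMPFILE"` in leap_couch_stats.sh runs only when the script reaches its last line, so an earlier exit or a kill on agent timeout still leaves the temp file behind. Registering the cleanup where the file is created (outside this hunk) with `trap 'rm -f "$TMPFILE"' EXIT` covers every exit path, and `-f` avoids an error if the file was never created. It is also worth confirming that the file is created with `mktemp` rather than a predictable name, since monitoring agents commonly run with elevated privileges.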
diff --git a/puppet/modules/site_check_mk/files/agent/logwatch/openvpn.cfg b/puppet/modules/site_check_mk/files/agent/logwatch/openvpn.cfg index ed50f420..d99dcde9 100644 --- a/puppet/modules/site_check_mk/files/agent/logwatch/openvpn.cfg +++ b/puppet/modules/site_check_mk/files/agent/logwatch/openvpn.cfg @@ -8,6 +8,11 @@ I ovpn-.*TLS Error: TLS object -> incoming plaintext read error I ovpn-.*Fatal TLS error \(check_tls_errors_co\), restarting I ovpn-.*TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate + I ovpn-.*TLS_ERROR: BIO read tls_read_plaintext error: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate + I ovpn-.*TLS Error: unknown opcode received from + I ovpn-.*Authenticate/Decrypt packet error: packet HMAC authentication failed + I ovpn-.*TLS Error: reading acknowledgement record from packet + I ovpn-.*TLS Error: session-id not found in packet from I ovpn-.*SIGUSR1\[soft,tls-error\] received, client-instance restarting I ovpn-.*VERIFY ERROR: depth=0, error=certificate has expired diff --git a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp index 4a5ec68e..8505b34a 100644 --- a/puppet/modules/site_check_mk/manifests/agent/tapicero.pp +++ b/puppet/modules/site_check_mk/manifests/agent/tapicero.pp @@ -1,3 +1,4 @@ +# sets up tapicero monitoring class site_check_mk::agent::tapicero { include ::site_nagios::plugins 
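Review bot: The new `I` lines in openvpn.cfg make logwatch discard `packet HMAC authentication failed`, `unknown opcode received from` and `session-id not found in packet from` entirely, which removes the visible signal of someone probing the OpenVPN port or of a client presenting a mismatched key. These messages are noisy on an Internet-facing gateway, so ignoring them per line is understandable, but the file should say so, for example `# ignored: unauthenticated-packet noise from the Internet; rate is tracked by <other check>` above the block. If no other check watches their volume, a sudden increase will go unnoticed.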
@@ -14,12 +15,12 @@ class site_check_mk::agent::tapicero { lens => 'Spacevars.lns', changes => [ 'rm /files/etc/check_mk/mrpe.cfg/Tapicero_Procs', - 'set Tapicero_Procs "/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 -a tapicero"' ], + "set Tapicero_Procs \"/usr/lib/nagios/plugins/check_procs -w 1:1 -c 1:1 --ereg-argument-array='^tapicero$'\"" ], require => File['/etc/check_mk/mrpe.cfg']; 'Tapicero_Heartbeat': incl => '/etc/check_mk/mrpe.cfg', lens => 'Spacevars.lns', - changes => 'set Tapicero_Heartbeat \'/usr/local/lib/nagios/plugins/check_last_regex_in_log -f /var/log/leap/tapicero.log -r "tapicero" -w 300 -c 600\'', + changes => 'set Tapicero_Heartbeat \'/usr/local/lib/nagios/plugins/check_last_regex_in_log -f /var/log/leap/tapicero.log -r "tapicero" -w 1200 -c 2400\'', require => File['/etc/check_mk/mrpe.cfg']; } } diff --git a/puppet/modules/site_check_mk/manifests/server.pp b/puppet/modules/site_check_mk/manifests/server.pp index 171f1576..67519513 100644 --- a/puppet/modules/site_check_mk/manifests/server.pp +++ b/puppet/modules/site_check_mk/manifests/server.pp @@ -1,3 +1,4 @@ +# setup check_mk on the monitoring server class site_check_mk::server { $ssh_hash = hiera('ssh') @@ -6,10 +7,9 @@ class site_check_mk::server { $seckey = $ssh_hash['monitor']['private_key'] $nagios_hiera = hiera_hash('nagios') - $nagios_hosts = $nagios_hiera['hosts'] + $hosts = $nagios_hiera['hosts'] - $hosts = hiera_hash('hosts') - $all_hosts = inline_template ('<% @hosts.keys.sort.each do |key| -%>"<%= @hosts[key]["domain_internal"] %>", <% end -%>') + $all_hosts = inline_template ('<% @hosts.keys.sort.each do |key| -%><% if @hosts[key]["environment"] != "disabled" %>"<%= @hosts[key]["domain_internal"] %>", <% end -%><% end -%>') $domains_internal = $nagios_hiera['domains_internal'] $environments = $nagios_hiera['environments'] 
diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp index 1b8bd1a2..cdebbad0 100644 --- a/puppet/modules/site_config/manifests/caching_resolver.pp +++ b/puppet/modules/site_config/manifests/caching_resolver.pp @@ -1,32 +1,12 @@ class site_config::caching_resolver { tag 'leap_base' - # Setup a conf.d directory to place additional unbound configuration files. - # There must be at least one file in the directory, or unbound will not start, - # so create an empty placeholder to ensure this. - - # Note: the version of unbound we are working with does not accept a wildcard - # for an include directive, so we are not able to use this. When we can use - # the newer unbound, then we will add 'include: /etc/unbound.d/*' to the - # configuration file - include site_apt::preferences::unbound - file { - # cleanup from how we used to do it - '/etc/unbound/conf.d': - force => true, - ensure => absent; - - '/etc/unbound/conf.d/placeholder': - ensure => absent; - } - class { 'unbound': root_hints => false, anchor => false, ssl => false, - require => File['/etc/unbound/conf.d/placeholder'], settings => { server => { verbosity => '1', diff --git a/puppet/modules/site_config/manifests/dhclient.pp b/puppet/modules/site_config/manifests/dhclient.pp index dbe2ef1c..7755413b 100644 --- a/puppet/modules/site_config/manifests/dhclient.pp +++ b/puppet/modules/site_config/manifests/dhclient.pp @@ -22,11 +22,19 @@ class site_config::dhclient { require => File['/usr/local/sbin/reload_dhclient'], } + file { '/etc/dhcp/dhclient-enter-hooks.d': + ensure => directory, + mode => '0755', + owner => 'root', + group => 'root', + } + file { '/etc/dhcp/dhclient-enter-hooks.d/disable_resolvconf': content => 'make_resolv_conf() { : ; } ; set_hostname() { : ; }', mode => '0644', owner => 'root', group => 'root', + require => File['/etc/dhcp/dhclient-enter-hooks.d'], notify => Exec['reload_dhclient']; } } 
diff --git a/puppet/modules/site_config/manifests/packages/base.pp b/puppet/modules/site_config/manifests/packages/base.pp index f20d04a4..c23495fc 100644 --- a/puppet/modules/site_config/manifests/packages/base.pp +++ b/puppet/modules/site_config/manifests/packages/base.pp @@ -1,3 +1,4 @@ +# install default packages and remove unwanted packages class site_config::packages::base { @@ -7,7 +8,7 @@ class site_config::packages::base { } # base set of packages that we want to remove everywhere - package { [ 'acpi', 'acpid', 'acpi-support-base', 'eject', 'ftp', + package { [ 'acpi', 'eject', 'ftp', 'laptop-detect', 'lpr', 'nfs-common', 'nfs-kernel-server', 'portmap', 'pppconfig', 'pppoe', 'pump', 'qstat', 'rpcbind', 'samba-common', 'samba-common-bin', 'smbclient', 'tcl8.5', diff --git a/puppet/modules/site_config/manifests/remove_files.pp b/puppet/modules/site_config/manifests/remove_files.pp index 3f46659c..b339e6af 100644 --- a/puppet/modules/site_config/manifests/remove_files.pp +++ b/puppet/modules/site_config/manifests/remove_files.pp @@ -27,6 +27,10 @@ class site_config::remove_files { path => '/var/log/', recurse => true, matches => 'leap_mx*'; + 'leap_mx_rotate': + path => '/var/log/leap/', + recurse => true, + matches => [ 'mx.log.[0-9]', 'mx.log.[0-9]?', 'mx.log.[6-9]?gz']; '/srv/leap/webapp/public/provider.json':; '/srv/leap/couchdb/designs/tmp_users': recurse => true, diff --git a/puppet/modules/site_couchdb/manifests/bigcouch.pp b/puppet/modules/site_couchdb/manifests/bigcouch.pp index 82c85b52..469a2783 100644 --- a/puppet/modules/site_couchdb/manifests/bigcouch.pp +++ b/puppet/modules/site_couchdb/manifests/bigcouch.pp @@ -1,3 +1,4 @@ +# sets up bigcouch on couchdb node class site_couchdb::bigcouch { $config = $::site_couchdb::couchdb_config['bigcouch'] 
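Review bot: The `leap_mx_rotate` entry in remove_files.pp shows no `age`, and its globs are broader than they look: `mx.log.[0-9]` matches every uncompressed rotation, and in `mx.log.[6-9]?gz` the `?` matches any character, not only the dot. With the leap_mx logrotate rule set to `rotate 5` and `compress` this removes only leftovers, but if that rule later gains `delaycompress` or a higher rotate count, each Puppet run would delete current mail logs that an investigation may need. Add a comment tying the patterns to that rule, e.g. `# leftovers from before logrotate used rotate 5 + compress (see leap_mx)`, and write the last pattern as `mx.log.[6-9].gz`. The enclosing declaration (presumably a tidy resource) begins outside the hunk.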
@@ -24,6 +25,7 @@ class site_couchdb::bigcouch { -> Class['site_couchdb::setup'] -> Class['site_couchdb::bigcouch::add_nodes'] -> Class['site_couchdb::bigcouch::settle_cluster'] + -> Class['site_couchdb::create_dbs'] include site_couchdb::bigcouch::add_nodes include site_couchdb::bigcouch::settle_cluster diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp index b743127a..eea4bbf5 100644 --- a/puppet/modules/site_couchdb/manifests/create_dbs.pp +++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp @@ -1,13 +1,13 @@ +# creates neccesary databases class site_couchdb::create_dbs { Class['site_couchdb::setup'] - -> Class['site_couchdb::bigcouch::settle_cluster'] -> Class['site_couchdb::create_dbs'] ### customer database ### r/w: webapp, couchdb::create_db { 'customers': - members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [\"replication\"] }", + members => "{ \"names\": [\"${site_couchdb::couchdb_webapp_user}\"], \"roles\": [\"replication\"] }", require => Couchdb::Query::Setup['localhost'] } 
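Review bot: The `members` JSON in create_dbs.pp is assembled by string interpolation here and again in the `@@ -30,27` and `@@ -87,7` hunks, so a near-identical literal appears six times and a username containing a double quote or backslash would yield a malformed or altered security object. The values come from `$site_couchdb::couchdb_webapp_user` and `$site_couchdb::couchdb_soledad_user`, which are presumably operator-controlled, so this is a robustness point rather than an exposure. Consider defining the string once, e.g. `$webapp_members = "{ \"names\": [\"${site_couchdb::couchdb_webapp_user}\"], \"roles\": [\"replication\"] }"`, and reusing it. The added header comment has a typo and should read `# creates necessary databases`.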
@@ -30,27 +30,27 @@ class site_couchdb::create_dbs { ## r/w: webapp $sessions_db = rotated_db_name('sessions', 'monthly') couchdb::create_db { $sessions_db: - members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [\"replication\"] }", + members => "{ \"names\": [\"${site_couchdb::couchdb_webapp_user}\"], \"roles\": [\"replication\"] }", require => Couchdb::Query::Setup['localhost'] } $sessions_next_db = rotated_db_name('sessions', 'monthly', 'next') couchdb::create_db { $sessions_next_db: - members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [\"replication\"] }", + members => "{ \"names\": [\"${site_couchdb::couchdb_webapp_user}\"], \"roles\": [\"replication\"] }", require => Couchdb::Query::Setup['localhost'] } ## shared database ## r/w: soledad couchdb::create_db { 'shared': - members => "{ \"names\": [\"$site_couchdb::couchdb_soledad_user\"], \"roles\": [\"replication\"] }", + members => "{ \"names\": [\"${site_couchdb::couchdb_soledad_user}\"], \"roles\": [\"replication\"] }", require => Couchdb::Query::Setup['localhost'] } ## tickets database ## r/w: webapp couchdb::create_db { 'tickets': - members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [\"replication\"] }", + members => "{ \"names\": [\"${site_couchdb::couchdb_webapp_user}\"], \"roles\": [\"replication\"] }", require => Couchdb::Query::Setup['localhost'] } @@ -87,7 +87,7 @@ class site_couchdb::create_dbs { ## store messages to the clients such as payment reminders ## r/w: webapp couchdb::create_db { 'messages': - members => "{ \"names\": [\"$site_couchdb::couchdb_webapp_user\"], \"roles\": [\"replication\"] }", + members => "{ \"names\": [\"${site_couchdb::couchdb_webapp_user}\"], \"roles\": [\"replication\"] }", require => Couchdb::Query::Setup['localhost'] } } diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index a11f6309..6b6ddd3a 100644 
--- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,3 +1,5 @@ +# entry class for configuring couchdb/bigcouch node +# couchdb node class site_couchdb { tag 'leap_service' @@ -41,6 +43,7 @@ class site_couchdb { $couchdb_backup = $couchdb_config['backup'] $couchdb_mode = $couchdb_config['mode'] + $couchdb_pwhash_alg = $couchdb_config['pwhash_alg'] if $couchdb_mode == 'multimaster' { include site_couchdb::bigcouch } if $couchdb_mode == 'master' { include site_couchdb::master } diff --git a/puppet/modules/site_couchdb/manifests/master.pp b/puppet/modules/site_couchdb/manifests/master.pp index a0a6633d..c28eee7d 100644 --- a/puppet/modules/site_couchdb/manifests/master.pp +++ b/puppet/modules/site_couchdb/manifests/master.pp @@ -1,9 +1,9 @@ +# this class sets up a single, plain couchdb node class site_couchdb::master { - class { 'couchdb': admin_pw => $site_couchdb::couchdb_admin_pw, admin_salt => $site_couchdb::couchdb_admin_salt, - chttpd_bind_address => '127.0.0.1' + chttpd_bind_address => '127.0.0.1', + pwhash_alg => $site_couchdb::couchdb_pwhash_alg } - -}
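Review bot: `$couchdb_pwhash_alg = $couchdb_config['pwhash_alg']` in site_couchdb/init.pp is read without a default or a check, and master.pp then passes it straight through as `pwhash_alg => $site_couchdb::couchdb_pwhash_alg`. If the key is absent from the node's hiera data, or holds a value the couchdb module does not recognise, the admin password hash may be written in an unintended format; how the module handles that is not visible here. Validate the value against the algorithms the module supports before use, and add a comment naming the expected values. Only the `master` mode receives the setting in the visible hunks, so whether `multimaster` needs it too should be confirmed.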
\ No newline at end of file +} diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp index ce79c00f..1efc510b 100644 --- a/puppet/modules/site_static/manifests/init.pp +++ b/puppet/modules/site_static/manifests/init.pp @@ -33,6 +33,9 @@ class site_static { include site_apache::module::expires include site_apache::module::removeip include site_apache::module::rewrite + apache::config::include{ 'ssl_common.inc': } + + include site_config::ruby::dev if (member($formats, 'rack')) { include site_apt::preferences::passenger @@ -43,8 +46,13 @@ class site_static { } if (member($formats, 'amber')) { - include site_config::ruby::dev - rubygems::gem{'amber-0.3.4': } + rubygems::gem{'amber-0.3.7': + require => Package['zlib1g-dev'] + } + + package { 'zlib1g-dev': + ensure => installed + } } create_resources(site_static::domain, $domains) @@ -52,4 +60,4 @@ class site_static { include site_shorewall::defaults include site_shorewall::service::http include site_shorewall::service::https -}
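Review bot: In site_static/init.pp, `include site_config::ruby::dev` moved out of the `amber` branch and now applies to every static-site node, so hosts serving only other formats also get what the class name suggests are Ruby development packages. If something else in this class needs them, a comment should say what; otherwise keeping the include inside `if (member($formats, 'amber'))` keeps build tooling off web-facing nodes that do not use it. `rubygems::gem{'amber-0.3.7': ...}` pins the version, but the gem is still fetched at deploy time, so the node trusts whatever the gem source serves for that version. The `package { 'zlib1g-dev': }` resource would read better declared before the gem that requires it.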
\ No newline at end of file +} diff --git a/puppet/modules/unbound b/puppet/modules/unbound -Subproject ca7eb732064ce29fc83d4c32a4df7d9512d4580 +Subproject 00646b0ffc71a86981b05f983c86ace0979d1b6 diff --git a/tests/helpers/network_helper.rb b/tests/helpers/network_helper.rb index ff92d382..713d57aa 100644 --- a/tests/helpers/network_helper.rb +++ b/tests/helpers/network_helper.rb @@ -70,7 +70,7 @@ class LeapTest #try_tcp_write(socket,1) #try_tcp_read(socket,1) rescue StandardError => exc - fail ["Failed to open socket #{host}:#{port}", exc].join("\n") + fail ["Failed to open socket #{host}:#{port}", exc, msg].compact.join("\n") ensure socket.close if socket end diff --git a/tests/white-box/network.rb b/tests/white-box/network.rb index f2041710..acb5c5e6 100644 --- a/tests/white-box/network.rb +++ b/tests/white-box/network.rb @@ -46,7 +46,10 @@ class Network < LeapTest assert accept_port = stunnel_conf['accept_port'], "Field `accept` must be present in property `stunnel.servers.#{stunnel_name}`" assert_tcp_socket('localhost', accept_port) assert connect_port = stunnel_conf['connect_port'], "Field `connect` must be present in property `stunnel.servers.#{stunnel_name}`" - assert_tcp_socket('localhost', connect_port) + assert_tcp_socket('localhost', connect_port, + "The local connect endpoint for stunnel `#{stunnel_name}` is unavailable.\n"+ + "This is probably caused by a daemon that died or failed to start on\n"+ + "port `#{connect_port}`, not stunnel itself.") end all_stunnel_pids = pgrep('/usr/bin/stunnel').collect{|process| process[:pid]}.uniq assert_equal good_stunnel_pids.sort, all_stunnel_pids.sort, "There should not be any extra stunnel processes that are not configured in /etc/stunnel" diff --git a/tests/white-box/webapp.rb b/tests/white-box/webapp.rb index 1e78c8a5..9956eb35 100644 --- a/tests/white-box/webapp.rb +++ b/tests/white-box/webapp.rb 
@@ -99,18 +99,33 @@ class Webapp < LeapTest # we try three times, and give up after that. # def assert_user_db_exists(user) + db_name = "user-#{user.id}" + repeatedly_try("/#{db_name}") do |body, response, error| + assert false, "Could not find user db `#{db_name}` for test user `#{user.username}`\nuuid=#{user.id}\nHTTP #{response.code} #{error} #{body}" + end + repeatedly_try("/#{db_name}/_design/docs") do |body, response, error| + assert false, "Could not find design docs for user db `#{db_name}` for test user `#{user.username}`\nuuid=#{user.id}\nHTTP #{response.code} #{error} #{body}" + end + end + + # + # tries the URL repeatedly, giving up and yield the last response if + # no try returned a 200 http status code. + # + def repeatedly_try(url, &block) last_body, last_response, last_error = nil 3.times do sleep 0.2 - get(couchdb_url("/user-#{user.id}/_design/docs")) do |body, response, error| + get(couchdb_url(url)) do |body, response, error| last_body, last_response, last_error = body, response, error if response.code.to_i == 200 return end end - sleep 0.5 + sleep 1 end - assert false, "Could not find user db for test user #{user.username}\nuuid=#{user.id}\nHTTP #{last_response.code} #{last_error} #{last_body}" + yield last_body, last_response, last_error + return end # |
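Review bot: In `repeatedly_try`, `response.code.to_i` is called on whatever `get` yields, and both failure messages in `assert_user_db_exists` call `response.code` again; if `get` can yield a nil response together with an `error` (its definition is outside the hunk), the test dies with NoMethodError and hides the real connection failure. Guarding with `if response && response.code.to_i == 200` and formatting the status as `#{response ? response.code : 'no response'}` keeps the diagnostic. The `&block` parameter is unused because the method calls `yield`, and the trailing `return` is redundant, so `def repeatedly_try(url)` is enough. The comment above `assert_user_db_exists` ("we try three times") now describes the helper rather than that method and should move with the retry logic.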