Merge branch 'feature/mx' into develop

21 files changed, 411 insertions, 2 deletions

diff --git a/.gitmodules b/.gitmodules
index 717ae5ed..b84dfef2 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -73,3 +73,6 @@
 [submodule "puppet/modules/haproxy"]
 	path = puppet/modules/haproxy
 	url = git://code.leap.se/puppet_haproxy
+[submodule "puppet/modules/postfix"]
+	path = puppet/modules/postfix
+	url = git://labs.riseup.net/shared-postfix
diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json
new file mode 100644
index 00000000..91ad3277
--- /dev/null
+++ b/provider_base/services/mx.json
@@ -0,0 +1,21 @@
+{
+  "mx": {
+    "contact": "= global.provider.contacts.default"
+  },
+  "stunnel": {
+    "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)"
+  },
+  "haproxy": {
+    "local_ports": "= stunnel.couch_client.field(:accept_port)"
+  },
+  "x509": {
+    "use": true,
+    "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
+    "client_ca_cert": "= file_path :client_ca_cert",
+    "client_ca_key": "= file_path :client_ca_key",
+    "commercial_cert": "= file [:commercial_cert, domain.full_suffix]",
+    "commercial_key": "= file [:commercial_key, domain.full_suffix]",
+    "commercial_ca_cert": "= try_file :commercial_ca_cert"
+  },
+  "service_type": "user_service"
+}
diff --git a/provider_base/services/soledad.json b/provider_base/services/soledad.json
index 10657563..de24d8ef 100644
--- a/provider_base/services/soledad.json
+++ b/provider_base/services/soledad.json
@@ -3,4 +3,4 @@
   "soledad": {
     "port": 1111
   }
-}
\ No newline at end of file
+}
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index 08cbbb9e..c7d00c61 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -11,7 +11,6 @@ Package { require => Exec['apt_updated'] }
 
 include stdlib
 
-import 'common'
 include site_config::default
 include site_config::slow
 
@@ -30,6 +29,10 @@ if $services =~ /\bwebapp\b/ {
   include site_nickserver
 }
 
+if $services =~ /\bsoledad\b/ {
+  include soledad::server
+}
+
 if $services =~ /\bmonitor\b/ {
   include site_nagios
 }
@@ -37,3 +40,8 @@ if $services =~ /\bmonitor\b/ {
 if $services =~ /\btor\b/ {
   include site_tor
 }
+
+if $services =~ /\bmx\b/ {
+  include site_mx
+}
+
diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp
new file mode 100644
index 00000000..652eb85b
--- /dev/null
+++ b/puppet/modules/leap_mx/manifests/init.pp
@@ -0,0 +1,56 @@
+class leap_mx {
+
+  $couchdb_host     = 'localhost'
+  $couchdb_port     = '4096'
+  $couchdb_user     = $soledad::couchdb::user
+  $couchdb_password = $soledad::couchdb::password
+
+  #
+  # USER AND GROUP
+  #
+
+  group { 'leap-mx':
+    ensure    => present,
+    allowdupe => false;
+  }
+
+  user { 'leap-mx':
+    ensure    => present,
+    allowdupe => false,
+    gid       => 'leap-mx',
+    home      => '/etc/leap',
+    require   => Group['leap-mx'];
+  }
+
+  #
+  # LEAP-MX CONFIG
+  #
+
+  file { '/etc/leap/mx.conf':
+    content => template('leap_mx/mx.conf.erb'),
+    owner   => 'leap-mx',
+    group   => 'leap-mx',
+    mode    => '0600',
+    notify  => Service['leap-mx'];
+  }
+
+  #
+  # LEAP-MX CODE
+  #
+
+  package { 'leap-mx':
+    ensure => installed;
+  }
+
+  #
+  # LEAP-MX DAEMON
+  #
+
+  service { 'leap_mx':
+    ensure     => running,
+    enable     => true,
+    hasstatus  => true,
+    hasrestart => true,
+    require    => [ Package['leap-mx'] ];
+  }
+}
diff --git a/puppet/modules/leap_mx/templates/mx.conf.erb b/puppet/modules/leap_mx/templates/mx.conf.erb
new file mode 100644
index 00000000..bf1e6421
--- /dev/null
+++ b/puppet/modules/leap_mx/templates/mx.conf.erb
@@ -0,0 +1,15 @@
+[mail1]
+path=/var/mail/vmail
+recursive=True
+
+[couchdb]
+user=<%= @couchdb_user %>
+password=<%= @couchdb_password %>
+server=<%= @couchdb_host %>
+port=<%= @couchdb_port %>
+
+[alias map]
+port=4242
+
+[check recipient]
+port=2244
\ No newline at end of file
diff --git a/puppet/modules/postfix b/puppet/modules/postfix
new file mode 160000
+Subproject 8e43dc85da5a5e45e88aef5f7c32c9cc1c35201
diff --git a/puppet/modules/site_mx/manifests/couchdb.pp b/puppet/modules/site_mx/manifests/couchdb.pp
new file mode 100644
index 00000000..f842ceab
--- /dev/null
+++ b/puppet/modules/site_mx/manifests/couchdb.pp
@@ -0,0 +1,35 @@
+class site_mx::couchdb {
+
+  $stunnel = hiera('stunnel')
+  $couch_client            = $stunnel['couch_client']
+  $couch_client_connect    = $couch_client['connect']
+
+  include x509::variables
+  $x509                    = hiera('x509')
+  $key                     = $x509['key']
+  $cert                    = $x509['cert']
+  $ca                      = $x509['ca_cert']
+  $cert_name               = 'leap_couchdb'
+  $ca_name                 = 'leap_ca'
+  $ca_path                 = "${x509::variables::local_CAs}/${ca_name}.crt"
+  $cert_path               = "${x509::variables::certs}/${cert_name}.crt"
+  $key_path                = "${x509::variables::keys}/${cert_name}.key"
+
+  class { 'site_stunnel::setup':
+    cert_name => $cert_name,
+    key       => $key,
+    cert      => $cert,
+    ca_name   => $ca_name,
+    ca        => $ca
+  }
+
+  $couchdb_stunnel_client_defaults = {
+    'connect_port' => $couch_client_connect,
+    'client'     => true,
+    'cafile'     => $ca_path,
+    'key'        => $key_path,
+    'cert'       => $cert_path,
+  }
+
+  create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults)
+}
diff --git a/puppet/modules/site_mx/manifests/haproxy.pp b/puppet/modules/site_mx/manifests/haproxy.pp
new file mode 100644
index 00000000..988eeaf3
--- /dev/null
+++ b/puppet/modules/site_mx/manifests/haproxy.pp
@@ -0,0 +1,14 @@
+class site_mx::haproxy {
+
+  include site_haproxy
+
+  $haproxy     = hiera('haproxy')
+  $local_ports = $haproxy['local_ports']
+
+  # Template uses $global_options, $defaults_options
+  concat::fragment { 'leap_haproxy_webapp_couchdb':
+    target  => '/etc/haproxy/haproxy.cfg',
+    order   => '20',
+    content => template('site_webapp/haproxy_couchdb.cfg.erb'),
+  }
+}
diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp
new file mode 100644
index 00000000..4cf3f41a
--- /dev/null
+++ b/puppet/modules/site_mx/manifests/init.pp
@@ -0,0 +1,10 @@
+class site_mx {
+  tag 'leap_service'
+
+  include site_postfix::mx
+  include site_mx::haproxy
+  include site_shorewall::mx
+  include site_shorewall::service::smtp
+  include site_mx::couchdb
+  include leap_mx
+}
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
new file mode 100644
index 00000000..0581f147
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -0,0 +1,41 @@
+class site_postfix::mx {
+
+  $domain_hash         = hiera ('domain')
+  $domain              = $domain_hash['full_suffix']
+  $mx_hash             = hiera('mx')
+  $cert_name           = hiera('name')
+
+  $root_mail_recipient = $mx_hash['contact']
+  $postfix_smtp_listen = 'all'
+
+  postfix::config {
+    'mydestination':
+      value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
+    'smtpd_recipient_restrictions':
+      value => 'check_recipient_access tcp:localhost:2244,permit_tls_all_clientcerts,reject_unauth_destination';
+    'mailbox_size_limit':   value => '0';
+    'home_mailbox':         value => 'Maildir/';
+    'virtual_alias_maps':   value => 'tcp:localhost:4242';
+    'luser_relay':          value => 'vmail';
+    'local_recipient_maps': value => '';
+    'debug_peer_list':      value => '127.0.0.1';
+  }
+
+  include site_postfix::mx::smtpd_checks
+  include site_postfix::mx::tls
+
+  user { 'vmail':
+    ensure     => present,
+    comment    => 'Leap Mailspool',
+    home       => '/var/mail/vmail',
+    shell      => '/bin/false',
+    managehome => true,
+  }
+
+  class { 'postfix':
+    root_mail_recipient => $root_mail_recipient,
+    smtp_listen         => 'all',
+    require             => [ X509::Key[$cert_name], X509::Cert[$cert_name],
+                             User['vmail'] ]
+  }
+}
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp
new file mode 100644
index 00000000..ab75130e
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp
@@ -0,0 +1,10 @@
+class site_postfix::mx::smtp_auth {
+  $x509 = hiera('x509')
+
+  postfix::config {
+    'smtpd_tls_cert_file': value => $x509['client_ca_cert'];
+    'smtpd_tls_key_file':  value => $x509['client_ca_key'];
+    'smtpd_tls_ask_ccert': value => 'yes';
+    #'smtpd_tls_CAfile':    value =>
+  }
+}
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
new file mode 100644
index 00000000..b2f2d7c2
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -0,0 +1,9 @@
+class site_postfix::mx::smtpd_checks {
+
+  postfix::config {
+    'smtpd_delay_reject': value => 'yes';
+    'smtpd_data_restrictions':
+      value => 'permit_mynetworks, reject_unauth_pipelining, permit';
+  }
+
+}
diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp
new file mode 100644
index 00000000..7da38100
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/tls.pp
@@ -0,0 +1,31 @@
+class site_postfix::mx::tls {
+
+  $x509                = hiera('x509')
+  $key                 = $x509['key']
+  $cert                = $x509['cert']
+  $client_ca           = $x509['client_ca_cert']
+
+  include x509::variables
+  $cert_name = hiera('name')
+  $cert_path = "${x509::variables::certs}/${cert_name}.crt"
+  $key_path  = "${x509::variables::keys}/${cert_name}.key"
+
+  x509::key { $cert_name:
+    content => $key,
+  }
+
+  x509::cert { $cert_name:
+    content => $cert,
+  }
+
+  postfix::config {
+    'smtpd_use_tls':        value  => 'yes';
+    'smtpd_tls_CAfile':     value  => $client_ca;
+    'smtpd_tls_cert_file':  value  => $cert_path;
+    'smtpd_tls_key_file':   value  => $key_path;
+    'smtpd_tls_req_ccert':  value  => 'yes';
+    'smtpd_tls_security_level':
+      value  => 'encrypt';
+  }
+
+}
diff --git a/puppet/modules/site_shorewall/manifests/mx.pp b/puppet/modules/site_shorewall/manifests/mx.pp
new file mode 100644
index 00000000..5ec95fdd
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/mx.pp
@@ -0,0 +1,24 @@
+class site_shorewall::mx {
+
+  include site_shorewall::defaults
+
+  $smtpd_ports = '25'
+
+  # define macro for incoming services
+  file { '/etc/shorewall/macro.leap_mx':
+    content => "PARAM   -       -       tcp    ${smtpd_ports} ",
+    notify  => Service['shorewall'],
+    require => Package['shorewall']
+  }
+
+
+  shorewall::rule {
+      'net2fw-mx':
+        source      => 'net',
+        destination => '$FW',
+        action      => 'leap_mx(ACCEPT)',
+        order       => 200;
+  }
+
+  include site_shorewall::service::smtp
+}
diff --git a/puppet/modules/site_shorewall/manifests/service/smtp.pp b/puppet/modules/site_shorewall/manifests/service/smtp.pp
new file mode 100644
index 00000000..7fbdf14e
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/service/smtp.pp
@@ -0,0 +1,13 @@
+class site_shorewall::service::smtp {
+
+  include site_shorewall::defaults
+
+  shorewall::rule {
+      'fw2net-http':
+        source      => '$FW',
+        destination => 'net',
+        action      => 'SMTP(ACCEPT)',
+        order       => 200;
+  }
+
+}
diff --git a/puppet/modules/site_shorewall/manifests/soledad.pp b/puppet/modules/site_shorewall/manifests/soledad.pp
new file mode 100644
index 00000000..f3272c04
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/soledad.pp
@@ -0,0 +1,20 @@
+class site_shorewall::soledad {
+
+  include site_shorewall::defaults
+
+  # define macro for incoming services
+  file { '/etc/shorewall/macro.leap_soledad':
+    content => 'PARAM   -       -       tcp    2424',
+    notify  => Service['shorewall'],
+    require => Package['shorewall']
+  }
+
+  shorewall::rule {
+    'net2fw-soledad':
+      source      => 'net',
+      destination => '$FW',
+      action      => 'leap_soledad(ACCEPT)',
+      order       => 200;
+  }
+}
+
diff --git a/puppet/modules/soledad/manifests/init.pp b/puppet/modules/soledad/manifests/init.pp
new file mode 100644
index 00000000..08ba88a7
--- /dev/null
+++ b/puppet/modules/soledad/manifests/init.pp
@@ -0,0 +1,34 @@
+class soledad {
+
+  group { 'soledad':
+    ensure    => present,
+    allowdupe => false;
+  }
+
+  user { 'soledad':
+    ensure    => present,
+    allowdupe => false,
+    gid       => 'soledad',
+    home      => '/srv/leap/soledad',
+    require   => Group['soledad'];
+  }
+
+  file {
+    '/srv/leap/soledad':
+      ensure  => directory,
+      owner   => 'soledad',
+      group   => 'soledad',
+      require => User['soledad'];
+
+    '/var/lib/soledad':
+      ensure  => directory,
+      owner   => 'soledad',
+      group   => 'soledad',
+      require => User['soledad'];
+  }
+
+  package { 'soledad-common':
+    ensure  => installed,
+    require => User['soledad'];
+  }
+}
diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp
new file mode 100644
index 00000000..06de8642
--- /dev/null
+++ b/puppet/modules/soledad/manifests/server.pp
@@ -0,0 +1,62 @@
+class soledad::server {
+  tag 'leap_service'
+  include soledad
+
+  $couchdb          = hiera('couch')
+  $couchdb_host     = 'localhost'
+  $couchdb_port     = '4096'
+  $couchdb_user     = $couchdb['users']['soledad']['username']
+  $couchdb_password = $couchdb['users']['soledad']['password']
+
+  $x509      = hiera('x509')
+  $x509_key  = $x509['key']
+  $x509_cert = $x509['cert']
+  $x509_ca   = $x509['ca_cert']
+
+  x509::key { 'soledad':
+    content => $x509_key,
+    notify  => Service['soledad-server'];
+  }
+
+  x509::cert { 'soledad':
+    content => $x509_cert,
+    notify  => Service['soledad-server'];
+  }
+
+  x509::ca { 'soledad':
+    content => $x509_ca,
+    notify  => Service['soledad-server'];
+  }
+
+  #
+  # SOLEDAD CONFIG
+  #
+
+  file { '/etc/leap/soledad-server.conf':
+    content => template('soledad/soledad-server.conf.erb'),
+    owner   => 'soledad',
+    group   => 'soledad',
+    mode    => '0600',
+    notify  => Service['soledad-server'],
+    require => Class['soledad'];
+  }
+
+  package { 'soledad-server':
+    ensure => installed
+  }
+
+  file { '/etc/default/soledad':
+    content => "CERT_PATH=/etc/x509/certs/soledad.crt\nPRIVKEY_PATH=/etc/x509/keys/soledad.key\n",
+    require => Package['soledad-server']
+  }
+
+  service { 'soledad-server':
+    ensure     => running,
+    enable     => true,
+    hasstatus  => true,
+    hasrestart => true,
+    require    => [ Class['soledad'], Package['soledad-server'] ];
+  }
+
+  include site_shorewall::soledad
+}
diff --git a/puppet/modules/soledad/templates/soledad-server.conf.erb b/puppet/modules/soledad/templates/soledad-server.conf.erb
new file mode 100644
index 00000000..47d1f6e4
--- /dev/null
+++ b/puppet/modules/soledad/templates/soledad-server.conf.erb
@@ -0,0 +1,3 @@
+[soledad-server]
+couch_url = http://<%= @couchdb_user %>:<%= @couchdb_password %>@<%= @couchdb_host %>:<%= @couchdb_port %>
+
diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel
-Subproject fc1589a5f09d80f58d730d4e1f6a8058483f61f
+Subproject 75d387fc8aff12232fdeae2efbbfccdd91f9465