author | Micah Anderson <micah@leap.se> | 2014-12-23 16:47:35 -0500 |
committer | Micah Anderson <micah@leap.se> | 2014-12-23 16:47:35 -0500 |
commit | 574a0554a95ba74867ebd0ca4a93195bfa104c14 (patch) | |
tree | fd07b5b2ec8b32e82aa665dad117ee6e51791884 /provider_base/services | |
parent | 126faf8606f4911ccc3c1f55a9e0f381a46d536a (diff) | |
parent | fc9a8af17d927085486052a53233401c42b0caab (diff) |
Merge branch 'develop'
Conflicts:
platform.rb
Change-Id: Ic2e08e594d29a585691341c8667ac0b64933a505
Diffstat (limited to 'provider_base/services')
-rw-r--r-- | provider_base/services/_couchdb_master.json | 8 | ||||
-rw-r--r-- | provider_base/services/_couchdb_mirror.json | 21 | ||||
-rw-r--r-- | provider_base/services/_couchdb_multimaster.json | 24 | ||||
-rw-r--r-- | provider_base/services/couchdb.json | 24 | ||||
-rw-r--r-- | provider_base/services/couchdb.rb | 60 | ||||
-rw-r--r-- | provider_base/services/monitor.json | 10 | ||||
-rw-r--r-- | provider_base/services/mx.json | 15 | ||||
-rw-r--r-- | provider_base/services/obfsproxy.json | 9 | ||||
-rw-r--r-- | provider_base/services/openvpn.json | 10 | ||||
-rw-r--r-- | provider_base/services/tor.json | 9 | ||||
-rw-r--r-- | provider_base/services/webapp.json | 26 |
11 files changed, 181 insertions, 35 deletions
diff --git a/provider_base/services/_couchdb_master.json b/provider_base/services/_couchdb_master.json
new file mode 100644
index 00000000..20c6f99b
--- /dev/null
+++ b/provider_base/services/_couchdb_master.json
@@ -0,0 +1,8 @@
+//
+// Applied to master couchdb node when there is a single master
+//
+{
+ "couch": {
+ "mode": "master"
+ }
+}
\ No newline at end of file
diff --git a/provider_base/services/_couchdb_mirror.json b/provider_base/services/_couchdb_mirror.json
new file mode 100644
index 00000000..6a3402bd
--- /dev/null
+++ b/provider_base/services/_couchdb_mirror.json
@@ -0,0 +1,21 @@
+//
+// Applied to all non-master couchdb nodes
+//
+{
+ "stunnel": {
+ "clients": {
+ "couch_client": "= stunnel_client(nodes[couch.replication.masters.keys], couch.port)"
+ }
+ },
+ "couch": {
+ "mode": "mirror",
+ "replication": {
+ // for now, pick the first close one, or the first one.
+ // in the future, maybe use haproxy to balance among all the masters
+ "masters": "= try{pick_node(:couch_master,nodes_near_me['services' => 'couchdb']['couch.master' => true]).pick_fields('domain.internal', 'couch.port')} || try{pick_node(:couch_master,nodes_like_me['services' => 'couchdb']['couch.master' => true]).pick_fields('domain.internal', 'couch.port')}",
+ "username": "replication",
+ "password": "= secret :couch_replication_password",
+ "role": "replication"
+ }
+ }
+}
diff --git a/provider_base/services/_couchdb_multimaster.json b/provider_base/services/_couchdb_multimaster.json
new file mode 100644
index 00000000..0f340e00
--- /dev/null
+++ b/provider_base/services/_couchdb_multimaster.json
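Review bot: _couchdb_master.json is committed without a trailing newline (the `\ No newline at end of file` marker), while the two sibling partials added in this commit end with one; adding the final newline keeps later diffs of this file from touching the closing `}`. The `//` header comment matches the other partials, which is fine as long as these files are only ever read by the platform's own resolver and never handed to a strict JSON parser.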
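Review bot: The `couch.replication` block restates the username `replication` and the `couch_replication_password` secret that couchdb.json in this same commit defines under `couch.users.replication`, so the two copies can drift apart silently; mx.json in this commit already reads `global.services[:couchdb].couch.users[:leap_mx].username`, and the same form would work here: `"username": "= global.services[:couchdb].couch.users[:replication].username",`. couchdb.rb's header states that mirror mode does not currently work, but nothing in this partial says so; a `// NOTE: mirror mode is not yet functional, see couchdb.rb` at the top would warn the next editor. If both `try{}` lookups in `masters` come back nil, the `nodes[couch.replication.masters.keys]` expression in the stunnel client presumably fails to resolve; couchdb.rb only applies this partial when at least one master exists, so that should not occur, but a comment stating that assumption would help.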
@@ -0,0 +1,24 @@
+//
+// Only applied to master couchdb nodes when there are multiple masters
+//
+{
+ "stunnel": {
+ "servers": {
+ "epmd_server": "= stunnel_server(couch.bigcouch.epmd_port)",
+ "ednp_server": "= stunnel_server(couch.bigcouch.ednp_port)"
+ },
+ "clients": {
+ "epmd_clients": "= stunnel_client(nodes_like_me['services' => 'couchdb']['couch.mode' => 'multimaster'], couch.bigcouch.epmd_port)",
+ "ednp_clients": "= stunnel_client(nodes_like_me['services' => 'couchdb']['couch.mode' => 'multimaster'], couch.bigcouch.ednp_port)"
+ }
+ },
+ "couch": {
+ "mode": "multimaster",
+ "bigcouch": {
+ "epmd_port": 4369,
+ "ednp_port": 9002,
+ "cookie": "= secret :bigcouch_cookie",
+ "neighbors": "= nodes_like_me['services' => 'couchdb']['couch.mode' => 'multimaster'].exclude(self).field('domain.full')"
+ }
+ }
+}
diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json
index 5f1b5381..8b1386f8 100644
--- a/provider_base/services/couchdb.json
+++ b/provider_base/services/couchdb.json
@@ -3,20 +3,13 @@
 "use": true
 },
 "stunnel": {
- "couch_server": "= stunnel_server(couch.port)",
- "epmd_server": "= stunnel_server(couch.bigcouch.epmd_port)",
- "epmd_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.epmd_port)",
- "ednp_server": "= stunnel_server(couch.bigcouch.ednp_port)",
- "ednp_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.ednp_port)"
+ "servers": {
+ "couch_server": "= stunnel_server(couch.port)"
+ }
 },
 "couch": {
+ "master": false,
 "port": 5984,
- "bigcouch": {
- "epmd_port": 4369,
- "ednp_port": 9002,
- "cookie": "= secret :bigcouch_cookie",
- "neighbors": "= nodes_like_me[:services => :couchdb].exclude(self).field('domain.full')"
- },
 "users": {
 "admin": {
 "username": "admin",
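Review bot: `neighbors` excludes `self` from the multimaster node list, but `epmd_clients` and `ednp_clients` hand the unfiltered `nodes_like_me[...]` to `stunnel_client`; unless `stunnel_client` drops the local node on its own (not visible here), each node is also given a client tunnel to itself. Applying `.exclude(self)` in both client lines, exactly as `neighbors` does, would make the intent explicit either way. All three expressions filter on `couch.mode`, a value this very partial sets, so the result depends on the other nodes' partials having been applied before these expressions are evaluated; if the resolver guarantees that ordering, a one-line `//` comment saying so would save the next reader the same question.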
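Review bot: `"master": false` is introduced into couchdb.json with no indication of what setting it does, while the behaviour it drives (one master plus mirrors versus all-node multimaster) lives in couchdb.rb in the same commit. The sibling partials use `//` comments, so presumably the same resolver accepts one here: `// set true on exactly one couchdb node for master/mirror; leave false everywhere for multimaster (see couchdb.rb)`. The remaining lines only move the former `stunnel`/`bigcouch` entries into the new partials.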
@@ -47,10 +40,15 @@
 "username": "webapp",
 "password": "= secret :couch_webapp_password",
 "salt": "= hex_secret :couch_webapp_password_salt, 128"
+ },
+ "replication": {
+ "username": "replication",
+ "password": "= secret :couch_replication_password",
+ "salt": "= hex_secret :couch_replication_password_salt, 128"
 }
 },
- "webapp": {
- "nagios_test_pw": "= secret :nagios_test_password"
+ "webapp": {
+ "nagios_test_pw": "= secret :nagios_test_password"
 }
 }
 }
diff --git a/provider_base/services/couchdb.rb b/provider_base/services/couchdb.rb
new file mode 100644
index 00000000..3bee3a67
--- /dev/null
+++ b/provider_base/services/couchdb.rb
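Review bot: The new `replication` account follows the `webapp` pattern (secret password plus a 128-hex salt), but nothing here says what it is for or what it is allowed to do; couchdb.rb in this commit describes mirrors as read-only copies, so a `// account mirror nodes use to pull from a master, see _couchdb_mirror.json` comment would tie the credential to its consumer and make any later privilege review easier. The `webapp` lines further down change only in indentation. The hunk runs to the file's closing brace, so nothing is cut at the end.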
@@ -0,0 +1,60 @@
+#######################################################################
+###
+### NOTE!
+###
+### Currently, mirrors do not work! The only thing that works is all
+### nodes multimaster or a single master.
+###
+#######################################################################
+#
+# custom logic for couchdb json resolution
+# ============================================
+#
+# There are three modes for a node:
+#
+# Multimaster
+# -----------
+#
+# Multimaster uses bigcouch (soon to use couchdb in replication mode
+# similar to bigcouch).
+#
+# Use "multimaster" mode when:
+#
+# * multiple nodes are marked couch.master
+# * OR no nodes are marked couch.master
+#
+# Master
+# ------
+#
+# Master uses plain couchdb that is readable and writable.
+#
+# Use "master" mode when:
+#
+# * Exactly one node, this one, is marked as master.
+#
+# Mirror
+# ------
+#
+# Mirror creates a read-only copy of the database. It uses plain coucdhb
+# with legacy couchdb replication (http based).
+#
+# This does not currently work, because http replication can't handle
+# the number of user databases.
+#
+# Use "mirror" mode when:
+#
+# * some nodes are marked couch.master
+# * AND this node is not a master
+#
+
+master_count = nodes_like_me['services' => 'couchdb']['couch.master' => true].size
+
+if master_count == 0
+ apply_partial 'services/_couchdb_multimaster.json'
+elsif couch.master && master_count > 1
+ apply_partial 'services/_couchdb_multimaster.json'
+elsif couch.master && master_count == 1
+ apply_partial 'services/_couchdb_master.json'
+else
+ apply_partial 'services/_couchdb_mirror.json'
+end
diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json
index 03f6c6d1..10d5ac81 100644
--- a/provider_base/services/monitor.json
+++ b/provider_base/services/monitor.json
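Review bot: The `else` branch quietly selects mirror mode for every non-master node as soon as any node sets `couch.master`, even though the header at the top states that mirrors do not work, so a single stray `couch.master: true` degrades the rest of the cluster without any message; a comment on that branch, or a loud failure if the resolver offers one, would make the header's warning enforceable. The first two branches apply the same partial and can be merged into `if master_count == 0 || (couch.master && master_count > 1)`, which also makes the "all multimaster or exactly one master" rule visible in the code itself. Minor: `coucdhb` in the Mirror section should read `couchdb`.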
@@ -1,7 +1,9 @@
 {
 "nagios": {
 "nagiosadmin_pw": "= secret :nagios_admin_password",
- "hosts": "= (self.environment == 'local' ? nodes_like_me : nodes[:environment => '!local']).pick_fields('domain.internal', 'domain.full_suffix', 'ip_address', 'services', 'openvpn.gateway_address', 'ssh.port')"
+ "domains_internal": "= nagios.hosts.values.map{|h|h['domain_internal_suffix']}.uniq",
+ "environments": "= Hash[ nagios.hosts.values.map{|h|h['environment']}.uniq.map{|e| [e||'default',{'contact_emails'=>global.env(e).provider.contacts.default}]} ]",
+ "hosts": "= (self.environment == 'local' ? nodes_like_me : nodes[:environment => '!local']).pick_fields('environment', 'domain.internal', 'domain.internal_suffix', 'domain.full_suffix', 'ip_address', 'services', 'openvpn.gateway_address', 'ssh.port')"
 },
 "hosts": "= self.environment == 'local' ? hosts_file(nodes_like_me) : hosts_file(nodes[:environment => '!local'])",
 "ssh": {
@@ -12,11 +14,9 @@
 },
 "x509": {
 "use": true,
+ "use_commercial": true,
 "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
 "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
- "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'",
- "commercial_cert": "= file [:commercial_cert, domain.full_suffix]",
- "commercial_key": "= file [:commercial_key, domain.full_suffix]",
- "commercial_ca_cert": "= try_file :commercial_ca_cert"
+ "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'"
 }
 }
diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json
index 731dee9a..11293ae8 100644
--- a/provider_base/services/mx.json
+++ b/provider_base/services/mx.json
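Review bot: In `environments`, the hash key substitutes `'default'` for a nil environment (`e||'default'`) but the value still calls `global.env(e)` with the original, possibly nil, `e`; whether `global.env(nil)` resolves to the default environment is not visible in this diff, so either confirm it or feed the same name to both sides so the key and the looked-up environment cannot disagree. `domains_internal` reads `h['domain_internal_suffix']` from the `hosts` map, which `pick_fields` builds from the new `'domain.internal_suffix'` field, so the two lines are coupled; a brief `//` comment naming that dependency would help, assuming the resolver accepts comments here as it does in the couchdb partials of this commit.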
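Review bot: The rewritten `x509` block keeps `client_ca_key`, the private key of the CA that signs client certificates, on the monitor node, and the matching block in mx.json on this commit does the same. Only a node that issues client certificates needs that key; if monitor and mx merely verify client certificates, `client_ca_cert` is sufficient and keeping the key off those nodes narrows what a compromise of either of them exposes. This is pre-existing rather than introduced here, but since the block is being reworked for `use_commercial` it is the natural moment to check. `use_commercial: true` on its own does not say where the removed `commercial_cert`/`commercial_key`/`commercial_ca_cert` entries are now resolved from; a one-line comment pointing at their new home would spare readers of this file the search.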
@@ -1,9 +1,14 @@
 {
 "stunnel": {
- "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)"
+ "clients": {
+ "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)"
+ }
 },
 "haproxy": {
- "servers": "= haproxy_servers(nodes_like_me[:services => :couchdb], stunnel.couch_client)"
+ "couch": {
+ "listen_port": 4096,
+ "servers": "= haproxy_servers(nodes_like_me[:services => :couchdb], stunnel.clients.couch_client, global.services[:couchdb].couch.port)"
+ }
 },
 "couchdb_leap_mx_user": {
 "username": "= global.services[:couchdb].couch.users[:leap_mx].username",
@@ -13,12 +18,10 @@
 "mynetworks": "= nodes['environment' => '!local'].map{|name, n| [n.ip_address, (global.facts[name]||{})['ec2_public_ipv4']]}.flatten.compact.uniq",
 "x509": {
 "use": true,
+ "use_commercial": true,
 "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
 "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
- "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'",
- "commercial_cert": "= file [:commercial_cert, domain.full_suffix]",
- "commercial_key": "= file [:commercial_key, domain.full_suffix]",
- "commercial_ca_cert": "= try_file :commercial_ca_cert"
+ "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'"
 },
 "service_type": "user_service"
 }
diff --git a/provider_base/services/obfsproxy.json b/provider_base/services/obfsproxy.json
new file mode 100644
index 00000000..979d0ef9
--- /dev/null
+++ b/provider_base/services/obfsproxy.json
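Review bot: `haproxy.couch.listen_port` is hard-coded to 4096 here and again in webapp.json in this same commit; if the two are meant to agree, a single defined source, or at least a `//` comment in each file pointing at the other, would keep them from drifting. The `haproxy_servers` call now also receives `global.services[:couchdb].couch.port`, which brings it in line with the form webapp.json already used before this change, so the two services now build their couch proxies identically.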
@@ -0,0 +1,9 @@
+{
+ "obfsproxy": {
+ "scramblesuit": {
+ "password": "= base32_secret('scramblesuit_password_'+name)",
+ "port" : "= rand_range('scramblesuit_port_'+name, 18000..32000)"
+ },
+ "gateway_address": "= try{pick_node(:obfs_gateway,nodes_near_me['services' => 'openvpn']).pick_fields('openvpn.gateway_address')} || try{pick_node(:obfs_gateway,nodes_like_me['services' => 'openvpn']).pick_fields('openvpn.gateway_address')}"
+ }
+}
diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json
index 090afcd6..11cb0dc2 100644
--- a/provider_base/services/openvpn.json
+++ b/provider_base/services/openvpn.json
@@ -24,7 +24,15 @@
 "auth": "SHA1",
 "cipher": "AES-128-CBC",
 "keepalive": "10 30",
- "tun-ipv6": true
+ "tun-ipv6": true,
+ "fragment": 1500
 }
+ },
+ "obfsproxy": {
+ "scramblesuit": {
+ "password": "= base32_secret('scramblesuit_password_'+name)",
+ "port" : "= rand_range('scramblesuit_port_'+name, 18000..32000)"
+ },
+ "gateway_address": "= openvpn.gateway_address"
 }
 }
diff --git a/provider_base/services/tor.json b/provider_base/services/tor.json
index fc365a19..55d3d2ee 100644
--- a/provider_base/services/tor.json
+++ b/provider_base/services/tor.json
@@ -3,6 +3,13 @@
 "bandwidth_rate": 6550,
 "contacts": "= [provider.contacts['tor'] || provider.contacts.default].flatten",
 "nickname": "= (self.name + secret(:tor_family)).sub('_','')[0..18]",
- "family": "= nodes[:services => 'tor'][:environment => '!local'].field('tor.nickname').join(',')"
+ "family": "= nodes[:services => 'tor'][:environment => '!local'].field('tor.nickname').join(',')",
+ "hidden_service": {
+ "active": null,
+ "key_type": "RSA",
+ "public_key": "= tor_public_key_path(:node_tor_pub_key, tor.hidden_service.key_type) if tor.hidden_service.active",
+ "private_key": "= tor_private_key_path(:node_tor_priv_key, tor.hidden_service.key_type) if tor.hidden_service.active",
+ "address": "= onion_address(:node_tor_pub_key) if tor.hidden_service.active"
+ }
 }
 }
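Review bot: The `scramblesuit` block (the `password` and `port` expressions) is duplicated verbatim in the openvpn.json hunk that follows on this same line, with only `gateway_address` differing; the couchdb partials added in this commit show how such a shared block can be factored out, and doing so here would keep the two copies from drifting, for example if the port range ever changes in one file only. When the obfsproxy service runs on a node without openvpn, `gateway_address` falls back through two `try{}` lookups and is nil if neither finds a gateway; a comment stating that an openvpn node must exist somewhere for this service to resolve would document that assumption. Style: `"port" :` carries a space before the colon in both copies while every other key in these files is written `"key":`.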
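Review bot: `hidden_service.active` defaults to `null` while the three derived keys are guarded with `if tor.hidden_service.active`, so on a node that never sets it they presumably resolve to nil rather than being absent; couchdb.json in this commit introduces `"master": false` for the same kind of switch, and `"active": false,` here would read the same way and make the boolean intent unambiguous. `key_type` is fixed to `"RSA"` and threaded into both path helpers; if other values are accepted, a `//` comment listing them would help, and if not, the key could be omitted. The enclosing `tor` object opens before this hunk.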
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index bbb52094..67744f99 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -1,6 +1,7 @@
 {
 "webapp": {
 "admins": [],
+ "forbidden_usernames": ["admin", "administrator", "arin-admin", "certmaster", "contact", "info", "maildrop", "postmaster", "ssladmin", "www-data"],
 "domain": "= domain.full_suffix",
 "modules": ["user", "billing", "help"],
 "couchdb_webapp_user": {
@@ -13,6 +14,7 @@
 "allow_limited_certs": "= provider.service.allow_limited_bandwidth",
 "allow_unlimited_certs": "= provider.service.allow_unlimited_bandwidth",
 "allow_anonymous_certs": "= provider.service.allow_anonymous",
+ "allow_registration": "= provider.service.allow_registration",
 "default_service_level": "= provider.service.default_service_level",
 "service_levels": "= provider.service.levels",
 "secret_token": "= secret :webapp_secret_token",
@@ -20,19 +22,27 @@
 "secure": false,
 "git": {
 "source": "https://leap.se/git/leap_web",
- "revision": "origin/master"
+ "revision": "origin/version/0.6"
 },
 "client_version": "= provider.client_version",
 "nagios_test_user": {
 "username": "nagios_test",
 "password": "= secret :nagios_test_password"
- }
+ },
+ "engines": [
+ "support"
+ ]
 },
 "stunnel": {
- "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)"
+ "clients": {
+ "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)"
+ }
 },
 "haproxy": {
- "servers": "= haproxy_servers(nodes_like_me[:services => :couchdb], stunnel.couch_client, global.services[:couchdb].couch.port)"
+ "couch": {
+ "listen_port": 4096,
+ "servers": "= haproxy_servers(nodes_like_me[:services => :couchdb], stunnel.clients.couch_client, global.services[:couchdb].couch.port)"
+ }
 },
 "definition_files": {
 "provider": "= file :provider_json_template",
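Review bot: `forbidden_usernames` is a reserved-name denylist made up of admin-style handles and role mailboxes, but several of the standard RFC 2142 role names are not on it (`abuse`, `hostmaster`, `webmaster`, `security`, `noc`) and neither is `root`; they would be reserved for the same reason the listed ones are, so it is worth confirming the omission is deliberate. Because this list ships as provider default configuration, a comment such as `// usernames that can never be registered because they collide with system or role mailboxes` would tell a provider what they are giving up before they override it, assuming the resolver accepts `//` comments here as it does in the couchdb partials of this commit.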
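Review bot: `git.revision` moves from `origin/master` to `origin/version/0.6`, which is still a moving branch on the remote rather than an immutable reference, so the web application a provider deploys can change underneath them without any change to this file; pinning to a tag or a full commit hash makes the deployment reproducible and gives the platform something it can verify against the fetched tree. The `source` URL is already HTTPS, which covers transport but not content drift. The new `stunnel.clients` and `haproxy.couch` nesting matches mx.json in this commit, including the hard-coded `listen_port` 4096 that now exists in both files.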
@@ -59,11 +69,9 @@
 },
 "x509": {
 "use": true,
+ "use_commercial": true,
 "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
- "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
- "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'",
- "commercial_cert": "= file [:commercial_cert, webapp.domain]",
- "commercial_key": "= file [:commercial_key, webapp.domain]",
- "commercial_ca_cert": "= try_file :commercial_ca_cert"
+ "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`.'",
+ "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`.'"
 }
 }
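Review bot: The `:missing` messages for `client_ca_cert` and `client_ca_key` gain a trailing period after the backticked command here, while the identical messages in monitor.json and mx.json in this same commit keep the old form without it, and `ca_cert` on the line above has none either; pick one form so the three files stay byte-identical and a grep for the message finds all of them. As with monitor.json and mx.json, `client_ca_key` stays on this node, which for the webapp is expected if it is the component that issues client certificates; a `//` comment saying so would make the asymmetry with the other two services intentional rather than accidental.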