summaryrefslogtreecommitdiff
path: root/provider_base/services
diff options
context:
space:
mode:
authorkwadronaut <kwadronaut@leap.se>2015-11-12 10:00:27 +0100
committerkwadronaut <kwadronaut@leap.se>2015-11-12 10:00:27 +0100
commit92cc2b1118e98a4fb086d7c62a140dbfc845f4b0 (patch)
tree92896619c0cf4ace177cecfbdea6cbbbb9bc8419 /provider_base/services
parent81467100826ad95266a4c29b11a2ecef759dd782 (diff)
parent7d0b6b25e49a1ccb70c4f502f7dfc58878b900cc (diff)
Merge remote-tracking branch 'origin/develop' into HEAD
Diffstat (limited to 'provider_base/services')
-rw-r--r--provider_base/services/couchdb.json5
-rw-r--r--provider_base/services/dns.json9
-rw-r--r--provider_base/services/monitor.json7
-rw-r--r--provider_base/services/mx.json20
-rw-r--r--provider_base/services/openvpn.json7
-rw-r--r--provider_base/services/soledad.json12
-rw-r--r--provider_base/services/static.json9
-rw-r--r--provider_base/services/webapp.json18
8 files changed, 74 insertions, 13 deletions
diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json
index 8b1386f8..5e65b2ec 100644
--- a/provider_base/services/couchdb.json
+++ b/provider_base/services/couchdb.json
@@ -31,11 +31,6 @@
"password": "= secret :couch_soledad_password",
"salt": "= hex_secret :couch_soledad_password_salt, 128"
},
- "tapicero": {
- "username": "tapicero",
- "password": "= secret :couch_tapicero_password",
- "salt": "= hex_secret :couch_tapicero_password_salt, 128"
- },
"webapp": {
"username": "webapp",
"password": "= secret :couch_webapp_password",
diff --git a/provider_base/services/dns.json b/provider_base/services/dns.json
index 677d9b2c..67948ef8 100644
--- a/provider_base/services/dns.json
+++ b/provider_base/services/dns.json
@@ -3,5 +3,12 @@
"public": "= nodes['dns.public' => true].fields('domain.name', 'dns.aliases', 'ip_address')",
"private": "= nodes['dns.public' => false].fields('domain.name', 'dns.aliases', 'ip_address')"
},
- "service_type": "public_service"
+ "service_type": "public_service",
+ "firewall": {
+ "dns": {
+ "from": "*",
+ "to": "= ip_address",
+ "port": "53"
+ }
+ }
} \ No newline at end of file
diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json
index 10d5ac81..28fb837c 100644
--- a/provider_base/services/monitor.json
+++ b/provider_base/services/monitor.json
@@ -18,5 +18,12 @@
"ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
"client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
"client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'"
+ },
+ "firewall": {
+ "monitor": {
+ "from": "sysadmin",
+ "to": "= ip_address",
+ "port": [443, 80]
+ }
}
}
diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json
index 11293ae8..70acf5cb 100644
--- a/provider_base/services/mx.json
+++ b/provider_base/services/mx.json
@@ -1,4 +1,11 @@
{
+ "mx": {
+ // provider should define their own custom aliases.
+ // these are in *addition* to the standard reserved aliases for root and postmaster, etc.
+ "aliases": {},
+ // this is the domain that is used for the OpenPGP header
+ "key_lookup_domain": "= global.services[:webapp].webapp.domain"
+ },
"stunnel": {
"clients": {
"couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)"
@@ -16,6 +23,10 @@
"salt": "= hex_secret :couch_leap_mx_password_salt, 128"
},
"mynetworks": "= nodes['environment' => '!local'].map{|name, n| [n.ip_address, (global.facts[name]||{})['ec2_public_ipv4']]}.flatten.compact.uniq",
+ "rbls": ["zen.spamhaus.org"],
+ "clamav": {
+ "whitelisted_addresses": []
+ },
"x509": {
"use": true,
"use_commercial": true,
@@ -23,5 +34,12 @@
"client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
"client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'"
},
- "service_type": "user_service"
+ "service_type": "user_service",
+ "firewall": {
+ "mx": {
+ "from": "*",
+ "to": "= ip_address",
+ "port": [25, 465]
+ }
+ }
}
diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json
index 11cb0dc2..6f73e31c 100644
--- a/provider_base/services/openvpn.json
+++ b/provider_base/services/openvpn.json
@@ -34,5 +34,12 @@
"port" : "= rand_range('scramblesuit_port_'+name, 18000..32000)"
},
"gateway_address": "= openvpn.gateway_address"
+ },
+ "firewall": {
+ "vpn": {
+ "from": "*",
+ "to": "= openvpn.gateway_address",
+ "port": "= openvpn.ports + [obfsproxy.scramblesuit.port]"
+ }
}
}
diff --git a/provider_base/services/soledad.json b/provider_base/services/soledad.json
index ed6fbc9f..99390d17 100644
--- a/provider_base/services/soledad.json
+++ b/provider_base/services/soledad.json
@@ -6,7 +6,17 @@
"username": "= global.services[:couchdb].couch.users[:soledad].username",
"password": "= secret :couch_soledad_password",
"salt": "= hex_secret :couch_soledad_password_salt, 128"
+ },
+ "couchdb_leap_mx_user": {
+ "username": "= global.services[:couchdb].couch.users[:leap_mx].username"
}
},
- "service_type": "public_service"
+ "service_type": "public_service",
+ "firewall": {
+ "soledad": {
+ "from": "*",
+ "to": "= ip_address",
+ "port": "= soledad.port"
+ }
+ }
}
diff --git a/provider_base/services/static.json b/provider_base/services/static.json
index d9f52b36..2f408ec1 100644
--- a/provider_base/services/static.json
+++ b/provider_base/services/static.json
@@ -9,5 +9,12 @@
"client_version": "= static.bootstrap_files.enabled ? provider.client_version : nil"
}
},
- "service_type": "public_service"
+ "service_type": "public_service",
+ "firewall": {
+ "static": {
+ "from": "*",
+ "to": "= ip_address",
+ "port": [80, 443]
+ }
+ }
} \ No newline at end of file
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index 941f4f61..9e3d751b 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -9,7 +9,7 @@
"owner", "owners", "postmaster", "reply", "robot", "ssladmin", "staff",
"support", "tech-support", "tech_support", "techsupport", "ticket",
"tickets", "vmail", "www-data"],
- "domain": "= domain.full_suffix",
+ "domain": "= provider.domain",
"modules": ["user", "billing", "help"],
"couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]",
"couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]",
@@ -20,7 +20,7 @@
"allow_anonymous_certs": "= provider.service.allow_anonymous",
"allow_registration": "= provider.service.allow_registration",
"default_service_level": "= provider.service.default_service_level",
- "service_levels": "= provider.service.levels",
+ "service_levels": "= service_levels()",
"secret_token": "= secret :webapp_secret_token",
"api_version": 1,
"secure": false,
@@ -31,7 +31,9 @@
},
"engines": [
"support"
- ]
+ ],
+ "locales": "= provider.languages",
+ "default_locale": "= provider.default_language"
},
"stunnel": {
"clients": {
@@ -53,7 +55,8 @@
"service_type": "public_service",
"api": {
"domain": "= 'api.' + webapp.domain",
- "port": 4430
+ "port": 4430,
+ "ca_cert_uri": "= 'https://' + webapp.domain + '/ca.crt'"
},
"nickserver": {
"domain": "= 'nicknym.' + domain.full_suffix",
@@ -73,5 +76,12 @@
"ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
"client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`.'",
"client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`.'"
+ },
+ "firewall": {
+ "webapp": {
+ "from": "*",
+ "to": "= ip_address",
+ "port": "= [api.port, 443, 80, nickserver.port]"
+ }
}
}