summaryrefslogtreecommitdiff
path: root/provider_base/services
diff options
context:
space:
mode:
authorMicah <micah@leap.se>2016-05-10 14:48:26 -0400
committerMicah <micah@leap.se>2016-05-10 14:48:26 -0400
commit86c85582065c391aa13c0b9b397dfd1aa2e2ac7b (patch)
tree7c027409a517d862864bf3650f4a8a66f615162d /provider_base/services
parent70b1c648b94e6c007b9241a4661f33881e74485f (diff)
parent66b4c6b5ec6fe2f242020845fe92715ae2cdcc1e (diff)
Merge tag '0.8.0'
Release 0.8.0
Diffstat (limited to 'provider_base/services')
-rw-r--r--provider_base/services/_api_tester.json13
-rw-r--r--provider_base/services/_couchdb_master.json8
-rw-r--r--provider_base/services/_couchdb_mirror.json1
-rw-r--r--provider_base/services/_couchdb_multimaster.json2
-rw-r--r--provider_base/services/couchdb.json7
-rw-r--r--provider_base/services/couchdb.rb71
-rw-r--r--provider_base/services/dns.json9
-rw-r--r--provider_base/services/monitor.json9
-rw-r--r--provider_base/services/monitor.rb3
-rw-r--r--provider_base/services/mx.json30
-rw-r--r--provider_base/services/mx.rb1
-rw-r--r--provider_base/services/openvpn.json7
-rw-r--r--provider_base/services/soledad.json13
-rw-r--r--provider_base/services/soledad.rb3
-rw-r--r--provider_base/services/static.json9
-rw-r--r--provider_base/services/webapp.json24
16 files changed, 132 insertions, 78 deletions
diff --git a/provider_base/services/_api_tester.json b/provider_base/services/_api_tester.json
new file mode 100644
index 00000000..790aa7d8
--- /dev/null
+++ b/provider_base/services/_api_tester.json
@@ -0,0 +1,13 @@
+//
+// This partial should be added to any service that runs tests that rely on
+// accessing the bonafide webapp API.
+//
+{
+ "testing": {
+ "monitor_auth_token": "= secret :api_monitor_auth_token",
+ "api_uri": "= global.services[:webapp].api.uri",
+ // api_hosts is not used directly, but calling hostnames() will ensure
+ // that the hostnames are added to /etc/hosts
+ "api_hosts": "= hostnames(nodes_like_me[:services => 'webapp'])"
+ }
+} \ No newline at end of file
diff --git a/provider_base/services/_couchdb_master.json b/provider_base/services/_couchdb_master.json
deleted file mode 100644
index 20c6f99b..00000000
--- a/provider_base/services/_couchdb_master.json
+++ /dev/null
@@ -1,8 +0,0 @@
-//
-// Applied to master couchdb node when there is a single master
-//
-{
- "couch": {
- "mode": "master"
- }
-} \ No newline at end of file
diff --git a/provider_base/services/_couchdb_mirror.json b/provider_base/services/_couchdb_mirror.json
index 6a3402bd..da496bae 100644
--- a/provider_base/services/_couchdb_mirror.json
+++ b/provider_base/services/_couchdb_mirror.json
@@ -1,5 +1,6 @@
//
// Applied to all non-master couchdb nodes
+// NOT CURRENTLY SUPPORTED
//
{
"stunnel": {
diff --git a/provider_base/services/_couchdb_multimaster.json b/provider_base/services/_couchdb_multimaster.json
index 0f340e00..803a9416 100644
--- a/provider_base/services/_couchdb_multimaster.json
+++ b/provider_base/services/_couchdb_multimaster.json
@@ -1,6 +1,6 @@
//
// Only applied to master couchdb nodes when there are multiple masters
-//
+// NOT CURRENTLY USED.
{
"stunnel": {
"servers": {
diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json
index 8b1386f8..30cb53d1 100644
--- a/provider_base/services/couchdb.json
+++ b/provider_base/services/couchdb.json
@@ -8,8 +8,8 @@
}
},
"couch": {
- "master": false,
"port": 5984,
+ "mode": "plain",
"users": {
"admin": {
"username": "admin",
@@ -31,11 +31,6 @@
"password": "= secret :couch_soledad_password",
"salt": "= hex_secret :couch_soledad_password_salt, 128"
},
- "tapicero": {
- "username": "tapicero",
- "password": "= secret :couch_tapicero_password",
- "salt": "= hex_secret :couch_tapicero_password_salt, 128"
- },
"webapp": {
"username": "webapp",
"password": "= secret :couch_webapp_password",
diff --git a/provider_base/services/couchdb.rb b/provider_base/services/couchdb.rb
index 3bee3a67..ba7e5ae5 100644
--- a/provider_base/services/couchdb.rb
+++ b/provider_base/services/couchdb.rb
@@ -1,60 +1,27 @@
-#######################################################################
-###
-### NOTE!
-###
-### Currently, mirrors do not work! The only thing that works is all
-### nodes multimaster or a single master.
-###
-#######################################################################
#
# custom logic for couchdb json resolution
# ============================================
#
-# There are three modes for a node:
-#
-# Multimaster
-# -----------
-#
-# Multimaster uses bigcouch (soon to use couchdb in replication mode
-# similar to bigcouch).
-#
-# Use "multimaster" mode when:
-#
-# * multiple nodes are marked couch.master
-# * OR no nodes are marked couch.master
-#
-# Master
-# ------
-#
-# Master uses plain couchdb that is readable and writable.
-#
-# Use "master" mode when:
-#
-# * Exactly one node, this one, is marked as master.
-#
-# Mirror
-# ------
-#
-# Mirror creates a read-only copy of the database. It uses plain coucdhb
-# with legacy couchdb replication (http based).
-#
-# This does not currently work, because http replication can't handle
-# the number of user databases.
-#
-# Use "mirror" mode when:
-#
-# * some nodes are marked couch.master
-# * AND this node is not a master
+# bigcouch is no longer maintained, so now couchdb is required...
+# no matter what!
#
-master_count = nodes_like_me['services' => 'couchdb']['couch.master' => true].size
+if self.couch['master']
+ LeapCli::log :warning, %("The node property {couch.master:true} is deprecated.\n) +
+ %( Only {couch.mode:plain} is supported. (node #{self.name}))
+end
-if master_count == 0
- apply_partial 'services/_couchdb_multimaster.json'
-elsif couch.master && master_count > 1
- apply_partial 'services/_couchdb_multimaster.json'
-elsif couch.master && master_count == 1
- apply_partial 'services/_couchdb_master.json'
-else
- apply_partial 'services/_couchdb_mirror.json'
+couchdb_nodes = nodes_like_me['services' => 'couchdb']
+
+if couchdb_nodes.size > 1
+ LeapCli::log :error, "Having multiple nodes with {services:couchdb} is no longer supported (nodes #{couchdb_nodes.keys.join(', ')})."
+elsif self.couch.mode == "multimaster"
+ LeapCli::log :error, "Nodes with {couch.mode:multimaster} are no longer supported (node #{self.name})."
end
+
+#
+# This is needed for the "test" that creates and removes the storage db
+# for test_user_email. If that test is removed, then this is no longer
+# necessary:
+#
+apply_partial('_api_tester') \ No newline at end of file
diff --git a/provider_base/services/dns.json b/provider_base/services/dns.json
index 677d9b2c..67948ef8 100644
--- a/provider_base/services/dns.json
+++ b/provider_base/services/dns.json
@@ -3,5 +3,12 @@
"public": "= nodes['dns.public' => true].fields('domain.name', 'dns.aliases', 'ip_address')",
"private": "= nodes['dns.public' => false].fields('domain.name', 'dns.aliases', 'ip_address')"
},
- "service_type": "public_service"
+ "service_type": "public_service",
+ "firewall": {
+ "dns": {
+ "from": "*",
+ "to": "= ip_address",
+ "port": "53"
+ }
+ }
} \ No newline at end of file
diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json
index 10d5ac81..9ddc0ec7 100644
--- a/provider_base/services/monitor.json
+++ b/provider_base/services/monitor.json
@@ -2,7 +2,7 @@
"nagios": {
"nagiosadmin_pw": "= secret :nagios_admin_password",
"domains_internal": "= nagios.hosts.values.map{|h|h['domain_internal_suffix']}.uniq",
- "environments": "= Hash[ nagios.hosts.values.map{|h|h['environment']}.uniq.map{|e| [e||'default',{'contact_emails'=>global.env(e).provider.contacts.default}]} ]",
+ "environments": "= Hash[ nagios.hosts.values.map{|h|h['environment']}.uniq.map{|e| [e||'default',{'contact_emails'=>manager.env(e).provider.contacts.default}]} ]",
"hosts": "= (self.environment == 'local' ? nodes_like_me : nodes[:environment => '!local']).pick_fields('environment', 'domain.internal', 'domain.internal_suffix', 'domain.full_suffix', 'ip_address', 'services', 'openvpn.gateway_address', 'ssh.port')"
},
"hosts": "= self.environment == 'local' ? hosts_file(nodes_like_me) : hosts_file(nodes[:environment => '!local'])",
@@ -18,5 +18,12 @@
"ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
"client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
"client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'"
+ },
+ "firewall": {
+ "monitor": {
+ "from": "sysadmin",
+ "to": "= ip_address",
+ "port": [443, 80]
+ }
}
}
diff --git a/provider_base/services/monitor.rb b/provider_base/services/monitor.rb
new file mode 100644
index 00000000..01590d5c
--- /dev/null
+++ b/provider_base/services/monitor.rb
@@ -0,0 +1,3 @@
+unless self.services.include? "webapp"
+ LeapCli.log :error, "service `monitor` requires service `webapp` on the same node (node #{self.name})."
+end
diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json
index 11293ae8..c7e99d85 100644
--- a/provider_base/services/mx.json
+++ b/provider_base/services/mx.json
@@ -1,4 +1,19 @@
{
+ "mx": {
+ // provider should define their own custom aliases.
+ // these are in *addition* to the standard reserved aliases for root and postmaster, etc.
+ "aliases": {},
+ // this is the domain that is used for the OpenPGP header
+ "key_lookup_domain": "= global.services[:webapp].webapp.domain",
+ "dkim": {
+ // bit sizes larger than 2048 are not necessarily supported
+ "bit_size": 2048,
+ "public_key": "= remote_file_path(:dkim_pub_key) { generate_dkim_key(mx.dkim.bit_size) }",
+ "private_key": "= remote_file_path(:dkim_priv_key) { generate_dkim_key(mx.dkim.bit_size) }",
+ // generate selector based on first ten digits of pub key fingerprint:
+ "selector": "= fingerprint(local_file_path(:dkim_pub_key) { generate_dkim_key(mx.dkim.bit_size) }, :mode => :rsa).slice(0,10)"
+ }
+ },
"stunnel": {
"clients": {
"couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)"
@@ -15,7 +30,11 @@
"password": "= secret :couch_leap_mx_password",
"salt": "= hex_secret :couch_leap_mx_password_salt, 128"
},
- "mynetworks": "= nodes['environment' => '!local'].map{|name, n| [n.ip_address, (global.facts[name]||{})['ec2_public_ipv4']]}.flatten.compact.uniq",
+ "mynetworks": "= host_ips(nodes)",
+ "rbls": ["zen.spamhaus.org"],
+ "clamav": {
+ "whitelisted_addresses": []
+ },
"x509": {
"use": true,
"use_commercial": true,
@@ -23,5 +42,12 @@
"client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
"client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'"
},
- "service_type": "user_service"
+ "service_type": "user_service",
+ "firewall": {
+ "mx": {
+ "from": "*",
+ "to": "= ip_address",
+ "port": [25, 465]
+ }
+ }
}
diff --git a/provider_base/services/mx.rb b/provider_base/services/mx.rb
new file mode 100644
index 00000000..03ee561f
--- /dev/null
+++ b/provider_base/services/mx.rb
@@ -0,0 +1 @@
+apply_partial('_api_tester')
diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json
index 11cb0dc2..6f73e31c 100644
--- a/provider_base/services/openvpn.json
+++ b/provider_base/services/openvpn.json
@@ -34,5 +34,12 @@
"port" : "= rand_range('scramblesuit_port_'+name, 18000..32000)"
},
"gateway_address": "= openvpn.gateway_address"
+ },
+ "firewall": {
+ "vpn": {
+ "from": "*",
+ "to": "= openvpn.gateway_address",
+ "port": "= openvpn.ports + [obfsproxy.scramblesuit.port]"
+ }
}
}
diff --git a/provider_base/services/soledad.json b/provider_base/services/soledad.json
index ed6fbc9f..169588c8 100644
--- a/provider_base/services/soledad.json
+++ b/provider_base/services/soledad.json
@@ -1,12 +1,21 @@
{
"soledad": {
"port": 2323,
- "require_couchdb": "=> assert %(services.include? 'couchdb')",
"couchdb_soledad_user": {
"username": "= global.services[:couchdb].couch.users[:soledad].username",
"password": "= secret :couch_soledad_password",
"salt": "= hex_secret :couch_soledad_password_salt, 128"
+ },
+ "couchdb_leap_mx_user": {
+ "username": "= global.services[:couchdb].couch.users[:leap_mx].username"
}
},
- "service_type": "public_service"
+ "service_type": "public_service",
+ "firewall": {
+ "soledad": {
+ "from": "*",
+ "to": "= ip_address",
+ "port": "= soledad.port"
+ }
+ }
}
diff --git a/provider_base/services/soledad.rb b/provider_base/services/soledad.rb
new file mode 100644
index 00000000..9b220c39
--- /dev/null
+++ b/provider_base/services/soledad.rb
@@ -0,0 +1,3 @@
+unless self.services.include? "couchdb"
+ LeapCli.log :error, "service `soledad` requires service `couchdb` on the same node (node #{self.name})."
+end
diff --git a/provider_base/services/static.json b/provider_base/services/static.json
index d9f52b36..2f408ec1 100644
--- a/provider_base/services/static.json
+++ b/provider_base/services/static.json
@@ -9,5 +9,12 @@
"client_version": "= static.bootstrap_files.enabled ? provider.client_version : nil"
}
},
- "service_type": "public_service"
+ "service_type": "public_service",
+ "firewall": {
+ "static": {
+ "from": "*",
+ "to": "= ip_address",
+ "port": [80, 443]
+ }
+ }
} \ No newline at end of file
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index 941f4f61..b1d2ca59 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -9,7 +9,7 @@
"owner", "owners", "postmaster", "reply", "robot", "ssladmin", "staff",
"support", "tech-support", "tech_support", "techsupport", "ticket",
"tickets", "vmail", "www-data"],
- "domain": "= domain.full_suffix",
+ "domain": "= provider.domain",
"modules": ["user", "billing", "help"],
"couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]",
"couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]",
@@ -20,7 +20,7 @@
"allow_anonymous_certs": "= provider.service.allow_anonymous",
"allow_registration": "= provider.service.allow_registration",
"default_service_level": "= provider.service.default_service_level",
- "service_levels": "= provider.service.levels",
+ "service_levels": "= service_levels()",
"secret_token": "= secret :webapp_secret_token",
"api_version": 1,
"secure": false,
@@ -31,7 +31,13 @@
},
"engines": [
"support"
- ]
+ ],
+ "locales": "= provider.languages",
+ "default_locale": "= provider.default_language",
+ "api_tokens": {
+ "monitor": "= secret :api_monitor_auth_token",
+ "allowed_ips": "= host_ips(nodes_like_me)"
+ }
},
"stunnel": {
"clients": {
@@ -53,7 +59,10 @@
"service_type": "public_service",
"api": {
"domain": "= 'api.' + webapp.domain",
- "port": 4430
+ "version": 1,
+ "port": 4430,
+ "ca_cert_uri": "= 'https://' + webapp.domain + '/ca.crt'",
+ "uri": "= %(https://#{api.domain}:#{api.port}/#{api.version})"
},
"nickserver": {
"domain": "= 'nicknym.' + domain.full_suffix",
@@ -73,5 +82,12 @@
"ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
"client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`.'",
"client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`.'"
+ },
+ "firewall": {
+ "webapp": {
+ "from": "*",
+ "to": "= ip_address",
+ "port": "= [api.port, 443, 80, nickserver.port]"
+ }
}
}