authorMicah Anderson <micah@leap.se>2014-04-22 14:13:46 -0400
committerMicah Anderson <micah@leap.se>2014-04-22 14:13:46 -0400
commit327d5c934e408f90011d7949b89ab01fed88998e (patch)
tree77cfefffc8f9ffe160c4413b26dd5ca5cdd6f1e8 /provider_base
parentca11482dd7cd4ea8ffa69407ee2fd5b5e1b7981b (diff)
parent4295f334ea4f92d7fb47f7121a42633630c368d1 (diff)
Merge branch 'develop' (0.5.0)
Conflicts: .gitignore Change-Id: I778f3e1f1f4832f5894bc149ead67e9a4becf304
Diffstat (limited to 'provider_base')
-rw-r--r--provider_base/common.json13
-rw-r--r--provider_base/files/service-definitions/provider.json.erb6
-rw-r--r--provider_base/files/service-definitions/v1/eip-service.json.erb11
-rw-r--r--provider_base/files/service-definitions/v1/smtp-service.json.erb4
-rw-r--r--provider_base/provider.json32
-rw-r--r--provider_base/services/couchdb.json86
-rw-r--r--provider_base/services/monitor.json18
-rw-r--r--provider_base/services/mx.json24
-rw-r--r--provider_base/services/openvpn.json16
-rw-r--r--provider_base/services/soledad.json14
-rw-r--r--provider_base/services/static.json6
-rw-r--r--provider_base/services/tor.json2
-rw-r--r--provider_base/services/webapp.json48
-rw-r--r--provider_base/tags/development.json4
14 files changed, 191 insertions, 93 deletions
diff --git a/provider_base/common.json b/provider_base/common.json
index 2313bd8b..a4d9c5f2 100644
--- a/provider_base/common.json
+++ b/provider_base/common.json
@@ -3,9 +3,10 @@
"environment": null,
"services": [],
"tags": [],
+ "contacts": "= provider.contacts.default",
"domain": {
- "full_suffix": "= global.provider.domain",
- "internal_suffix": "= global.provider.domain_internal",
+ "full_suffix": "= provider.domain",
+ "internal_suffix": "= provider.domain_internal",
"full": "= node.name + '.' + domain.full_suffix",
"internal": "= node.name + '.' + domain.internal_suffix",
"name": "= node.name + '.' + (dns.public ? domain.full_suffix : domain.internal_suffix)"
@@ -15,7 +16,6 @@
},
"ssh": {
"authorized_keys": "= authorized_keys",
- "known_hosts": "=> known_hosts_file",
"port": 22,
"mosh": {
"ports": "60000:61000",
@@ -24,7 +24,7 @@
},
"hosts": "=> hosts_file",
"x509": {
- "use": false,
+ "use": true,
"cert": "= x509.use ? file(:node_x509_cert, :missing => 'x509 certificate for node $node. Run `leap cert update`') : nil",
"key": "= x509.use ? file(:node_x509_key, :missing => 'x509 key for node $node. Run `leap cert update`') : nil",
"ca_cert": "= try_file :ca_cert"
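Review bot: With `"use": true` now the default for every node, `ca_cert` is the only x509 entry still fetched with `try_file`, so a node whose CA file is absent would get a nil `ca_cert` silently while a missing node cert or key fails with a clear message. The service definitions in this same commit (monitor.json, mx.json, webapp.json) use the `file :ca_cert, :missing => 'provider CA. Run ...'` form, and common.json could do the same for consistency, or the difference should be recorded somewhere since JSON cannot carry a comment. I am inferring that `try_file` tolerates a missing file from its name and from the contrast with `file(..., :missing => ...)`; worth confirming.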
@@ -35,5 +35,8 @@
},
"name": "common",
"location": null,
- "enabled": true
+ "enabled": true,
+ "mail": {
+ "smarthost": "= nodes_like_me[:services => :mx].exclude(self).field('domain.full')"
+ }
}
diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb
index 5d4c63a0..3e055e9a 100644
--- a/provider_base/files/service-definitions/provider.json.erb
+++ b/provider_base/files/service-definitions/provider.json.erb
@@ -1,13 +1,13 @@
<%=
# grab some fields from provider.json
- hsh = global.provider.pick(
- :languages, :description, :name,
+ hsh = provider.pick(
+ :languages, :description, :name, :services,
:enrollment_policy, :default_language, :service
)
hsh['domain'] = domain.full_suffix
# advertise services that are 'user services' and for which there are actually nodes
- hsh['services'] = global.services[:service_type => :user_service].field(:name).select do |service|
+ hsh['services'] ||= global.services[:service_type => :user_service].field(:name).select do |service|
nodes_like_me[:services => service].any?
end
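Review bot: `hsh['services'] ||= ...` on the new side falls back to the computed list only when the picked `provider.services` is nil or false; an explicit `"services": []` in provider.json is truthy in Ruby and would advertise no services at all, which may or may not be the intended way to disable the automatic list. If an empty list should mean "compute it", the guard needs to be `if hsh['services'].nil? || hsh['services'].empty?` rather than `||=`. Either way a short comment stating which value of `provider.services` suppresses the automatic list would help the next reader. The `<%= ... %>` block continues past the end of this hunk.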
diff --git a/provider_base/files/service-definitions/v1/eip-service.json.erb b/provider_base/files/service-definitions/v1/eip-service.json.erb
index feaea25b..3b8976fd 100644
--- a/provider_base/files/service-definitions/v1/eip-service.json.erb
+++ b/provider_base/files/service-definitions/v1/eip-service.json.erb
@@ -27,6 +27,7 @@
hsh["version"] = 1
locations = {}
gateways = []
+ configuration = nil
nodes_like_me[:services => 'openvpn'].each_node do |node|
if node.openvpn.allow_limited && node.openvpn.allow_unlimited
gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => false)
@@ -36,13 +37,13 @@
elsif node.openvpn.allow_limited
gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => true)
end
+ if configuration && node.openvpn.configuration != configuration
+ log :error, "OpenVPN nodes in the environment `#{node.environment}` have conflicting `openvpn.configuration` values. This will result in bad errors."
+ end
+ configuration = node.openvpn.configuration
end
hsh["gateways"] = gateways.compact
hsh["locations"] = locations
- hsh["openvpn_configuration"] = {
- "tls-cipher" => "DHE-RSA-AES128-SHA",
- "auth" => "SHA1",
- "cipher" => "AES-128-CBC"
- }
+ hsh["openvpn_configuration"] = configuration
JSON.sorted_generate hsh
%> \ No newline at end of file
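Review bot: The conflict check at the `if configuration && node.openvpn.configuration != configuration` line only logs, generation proceeds, and `hsh["openvpn_configuration"]` ends up with whichever openvpn node was iterated last, so clients are published a configuration that matches only some gateways. Given that the message itself says this produces bad errors, stopping generation here (raising, or skipping the file) would be safer than continuing with a partially valid result. Separately, when `nodes_like_me[:services => 'openvpn']` is empty, `configuration` stays nil and the service file now carries `"openvpn_configuration": null` where it previously carried the hard-coded hash; consumers of this template should be checked for that case. The `<%= ... %>` block starts before this hunk.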
diff --git a/provider_base/files/service-definitions/v1/smtp-service.json.erb b/provider_base/files/service-definitions/v1/smtp-service.json.erb
index 60129f5f..45f240ac 100644
--- a/provider_base/files/service-definitions/v1/smtp-service.json.erb
+++ b/provider_base/files/service-definitions/v1/smtp-service.json.erb
@@ -15,7 +15,7 @@
host = {}
host["hostname"] = node.domain.full
host["ip_address"] = node.ip_address
- host["port"] = 25 # hard coded for now, later node.smtp.port
+ host["port"] = 465 # hard coded for now, later node.smtp.port
if node['location']
location_name = underscore(node.location.name)
host["location"] = location_name
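Review bot: The advertised port changes to 465 but the trailing comment `# hard coded for now, later node.smtp.port` is kept, and no `smtp.port` field appears in the new `services/mx.json` in this same commit, so the port clients are told to use and the port the MX node actually listens on are configured in two unrelated places. Either add the field to mx.json and read `node.smtp.port` here, or update the comment to say where 465 must be kept in sync. The enclosing loop that defines `node` starts and ends outside this hunk.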
@@ -26,4 +26,4 @@
hsh["hosts"] = hosts
hsh["locations"] = locations
JSON.sorted_generate hsh
-%> \ No newline at end of file
+%>
diff --git a/provider_base/provider.json b/provider_base/provider.json
index b6a7af21..fa69318b 100644
--- a/provider_base/provider.json
+++ b/provider_base/provider.json
@@ -8,8 +8,8 @@
"en": "REQUIRED"
},
"contacts": {
- "default": "REQUIRED",
- "english": "= contacts.default.split('@').join(' at the domain ')"
+ "default": ["REQUIRED"],
+ "english": "= contacts.default.map {|email| email.split('@').join(' at the domain ')}.join(', ')"
},
"languages": ["en"],
"default_language": "en",
@@ -23,32 +23,36 @@
],
"default_service_level": 1,
"bandwidth_limit": 102400,
- "allow_free": "= global.provider.service.levels.select {|l| l['rate'].nil?}.any?",
- "allow_paid": "= global.provider.service.levels.select {|l| !l['rate'].nil?}.any?",
- "allow_anonymous": "= global.provider.service.levels.select {|l| l['name'] == 'anonymous'}.any?",
- "allow_registration": "= global.provider.service.levels.select {|l| l['name'] != 'anonymous'}.any?",
- "allow_limited_bandwidth": "= global.provider.service.levels.select {|l| l['bandwidth'] == 'limited'}.any?",
- "allow_unlimited_bandwidth": "= global.provider.service.levels.select {|l| l['bandwidth'].nil?}.any?"
+ "allow_free": "= provider.service.levels.select {|l| l['rate'].nil?}.any?",
+ "allow_paid": "= provider.service.levels.select {|l| !l['rate'].nil?}.any?",
+ "allow_anonymous": "= provider.service.levels.select {|l| l['name'] == 'anonymous'}.any?",
+ "allow_registration": "= provider.service.levels.select {|l| l['name'] != 'anonymous'}.any?",
+ "allow_limited_bandwidth": "= provider.service.levels.select {|l| l['bandwidth'] == 'limited'}.any?",
+ "allow_unlimited_bandwidth": "= provider.service.levels.select {|l| l['bandwidth'].nil?}.any?"
},
"ca": {
- "name": "= global.provider.ca.organization + ' Root CA'",
- "organization": "= global.provider.name[global.provider.default_language]",
- "organizational_unit": "= 'https://' + global.provider.domain",
+ "name": "= provider.ca.organization + ' Root CA'",
+ "organization": "= provider.name[provider.default_language]",
+ "organizational_unit": "= 'https://' + provider.domain",
"bit_size": 4096,
"digest": "SHA256",
"life_span": "10y",
"server_certificates": {
- "bit_size": 2024,
+ "bit_size": 2048,
"digest": "SHA256",
"life_span": "1y"
},
"client_certificates": {
- "bit_size": 2024,
+ "bit_size": 2048,
"digest": "SHA256",
"life_span": "2m",
"limited_prefix": "LIMITED",
"unlimited_prefix": "UNLIMITED"
}
},
- "hiera_sync_destination": "/etc/leap"
+ "hiera_sync_destination": "/etc/leap",
+ "client_version": {
+ "min": "0.5",
+ "max": null
+ }
}
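Review bot: Changing `bit_size` from 2024 to 2048 for `server_certificates` and `client_certificates` only affects certificates generated after this change; certificates already issued with the odd 2024-bit default remain valid until re-issued, so operators need to be told to regenerate if they want uniform key sizes (the commit message does not mention it). The new `client_version.max` of `null` has no visible meaning here; since JSON cannot carry a comment, a line in the provider documentation stating that null means no upper bound (if that is the intent) would avoid guesswork.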
diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json
index a26579c8..5f1b5381 100644
--- a/provider_base/services/couchdb.json
+++ b/provider_base/services/couchdb.json
@@ -1,38 +1,56 @@
{
- "x509": {
- "use": true
- },
- "stunnel": {
- "couch_server": "= stunnel_server(couch.port)",
- "epmd_server": "= stunnel_server(couch.bigcouch.epmd_port)",
- "epmd_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.epmd_port)",
- "ednp_server": "= stunnel_server(couch.bigcouch.ednp_port)",
- "ednp_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.ednp_port)"
- },
- "couch": {
- "port": 5984,
- "bigcouch": {
- "epmd_port": 4369,
- "ednp_port": 9002,
- "cookie": "= secret :bigcouch_cookie",
- "neighbors": "= nodes_like_me[:services => :couchdb].exclude(self).field('domain.full')"
+ "x509": {
+ "use": true
},
- "users": {
- "admin": {
- "username": "admin",
- "password": "= secret :couch_admin_password",
- "salt": "= hex_secret :couch_admin_password_salt, 128"
- },
- "webapp": {
- "username": "webapp",
- "password": "= secret :couch_webapp_password",
- "salt": "= hex_secret :couch_webapp_password_salt, 128"
- },
- "soledad": {
- "username": "soledad",
- "password": "= secret :couch_soledad_password",
- "salt": "= hex_secret :couch_soledad_password_salt, 128"
- }
+ "stunnel": {
+ "couch_server": "= stunnel_server(couch.port)",
+ "epmd_server": "= stunnel_server(couch.bigcouch.epmd_port)",
+ "epmd_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.epmd_port)",
+ "ednp_server": "= stunnel_server(couch.bigcouch.ednp_port)",
+ "ednp_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.ednp_port)"
+ },
+ "couch": {
+ "port": 5984,
+ "bigcouch": {
+ "epmd_port": 4369,
+ "ednp_port": 9002,
+ "cookie": "= secret :bigcouch_cookie",
+ "neighbors": "= nodes_like_me[:services => :couchdb].exclude(self).field('domain.full')"
+ },
+ "users": {
+ "admin": {
+ "username": "admin",
+ "password": "= secret :couch_admin_password",
+ "salt": "= hex_secret :couch_admin_password_salt, 128"
+ },
+ "leap_mx": {
+ "username": "leap_mx",
+ "password": "= secret :couch_leap_mx_password",
+ "salt": "= hex_secret :couch_leap_mx_password_salt, 128"
+ },
+ "nickserver": {
+ "username": "nickserver",
+ "password": "= secret :couch_nickserver_password",
+ "salt": "= hex_secret :couch_nickserver_password_salt, 128"
+ },
+ "soledad": {
+ "username": "soledad",
+ "password": "= secret :couch_soledad_password",
+ "salt": "= hex_secret :couch_soledad_password_salt, 128"
+ },
+ "tapicero": {
+ "username": "tapicero",
+ "password": "= secret :couch_tapicero_password",
+ "salt": "= hex_secret :couch_tapicero_password_salt, 128"
+ },
+ "webapp": {
+ "username": "webapp",
+ "password": "= secret :couch_webapp_password",
+ "salt": "= hex_secret :couch_webapp_password_salt, 128"
+ }
+ },
+ "webapp": {
+ "nagios_test_pw": "= secret :nagios_test_password"
+ }
}
- }
}
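Review bot: Almost every line of this hunk is a two-space re-indentation of the existing `stunnel` and `couch` blocks, which buries the functional changes: three new CouchDB users (`leap_mx`, `nickserver`, `tapicero`) and the new `webapp.nagios_test_pw` entry. Separating re-indentation from functional changes would make the new per-service credentials reviewable on their own. Giving each service its own user instead of the shared `admin` account is a good least-privilege step; what each user is permitted to do is not visible in this file and is presumably enforced wherever the database is provisioned, so it is worth confirming the new users are not simply granted admin rights.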
diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json
index f5e4d922..03f6c6d1 100644
--- a/provider_base/services/monitor.json
+++ b/provider_base/services/monitor.json
@@ -1,6 +1,22 @@
{
"nagios": {
"nagiosadmin_pw": "= secret :nagios_admin_password",
- "hosts": "= nodes_like_me.fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')"
+ "hosts": "= (self.environment == 'local' ? nodes_like_me : nodes[:environment => '!local']).pick_fields('domain.internal', 'domain.full_suffix', 'ip_address', 'services', 'openvpn.gateway_address', 'ssh.port')"
+ },
+ "hosts": "= self.environment == 'local' ? hosts_file(nodes_like_me) : hosts_file(nodes[:environment => '!local'])",
+ "ssh": {
+ "monitor": {
+ "username": "= Leap::Platform.monitor_username",
+ "private_key": "= file(:monitor_priv_key)"
+ }
+ },
+ "x509": {
+ "use": true,
+ "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
+ "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
+ "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'",
+ "commercial_cert": "= file [:commercial_cert, domain.full_suffix]",
+ "commercial_key": "= file [:commercial_key, domain.full_suffix]",
+ "commercial_ca_cert": "= try_file :commercial_ca_cert"
}
}
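Review bot: `client_ca_key` at the `"client_ca_key": "= file :client_ca_key, ...` line deploys the client CA's private key to monitor nodes, and the new `services/mx.json` does the same for MX nodes, so the key that signs client certificates now lives on three service types (webapp, mx, monitor). Each copy widens the exposure of that key; if monitor and mx only verify client certificates they need `client_ca_cert` alone. Worth confirming which of these nodes actually issues certificates and dropping `client_ca_key` from the rest. Likewise `ssh.monitor.private_key` places an SSH private key in node data; the single file name `:monitor_priv_key` suggests one key shared by every monitor node, which should be a deliberate choice rather than a default.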
diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json
new file mode 100644
index 00000000..731dee9a
--- /dev/null
+++ b/provider_base/services/mx.json
@@ -0,0 +1,24 @@
+{
+ "stunnel": {
+ "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)"
+ },
+ "haproxy": {
+ "servers": "= haproxy_servers(nodes_like_me[:services => :couchdb], stunnel.couch_client)"
+ },
+ "couchdb_leap_mx_user": {
+ "username": "= global.services[:couchdb].couch.users[:leap_mx].username",
+ "password": "= secret :couch_leap_mx_password",
+ "salt": "= hex_secret :couch_leap_mx_password_salt, 128"
+ },
+ "mynetworks": "= nodes['environment' => '!local'].map{|name, n| [n.ip_address, (global.facts[name]||{})['ec2_public_ipv4']]}.flatten.compact.uniq",
+ "x509": {
+ "use": true,
+ "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
+ "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
+ "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'",
+ "commercial_cert": "= file [:commercial_cert, domain.full_suffix]",
+ "commercial_key": "= file [:commercial_key, domain.full_suffix]",
+ "commercial_ca_cert": "= try_file :commercial_ca_cert"
+ },
+ "service_type": "user_service"
+}
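Review bot: `mynetworks` is built from every node whose `environment` is not `local`, regardless of service type, plus each node's `ec2_public_ipv4` fact, so if this feeds Postfix's `mynetworks` every node in every non-local environment is trusted as a relay source, not only the nodes that submit mail. Restricting the selector to the services that need to send mail, the way `stunnel.couch_client` restricts itself to couchdb nodes with `nodes_like_me[:services => :couchdb]`, would keep relay trust minimal. How `mynetworks` is consumed is not visible in this diff, so treat this as something to verify rather than a confirmed defect.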
diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json
index 5d77f946..04e19aa2 100644
--- a/provider_base/services/openvpn.json
+++ b/provider_base/services/openvpn.json
@@ -14,10 +14,16 @@
"filter_dns": false,
"adblock": false,
"user_ips": false,
- "allow_limited": "= global.provider.service.allow_limited_bandwidth",
- "allow_unlimited": "= global.provider.service.allow_unlimited_bandwidth",
- "limited_prefix": "= global.provider.ca.client_certificates.limited_prefix",
- "unlimited_prefix": "= global.provider.ca.client_certificates.unlimited_prefix",
- "rate_limit": "= openvpn.allow_limited ? global.provider.service.bandwidth_limit : nil"
+ "allow_limited": "= provider.service.allow_limited_bandwidth",
+ "allow_unlimited": "= provider.service.allow_unlimited_bandwidth",
+ "limited_prefix": "= provider.ca.client_certificates.limited_prefix",
+ "unlimited_prefix": "= provider.ca.client_certificates.unlimited_prefix",
+ "rate_limit": "= openvpn.allow_limited ? provider.service.bandwidth_limit : nil",
+ "configuration": {
+ "tls-cipher": "DHE-RSA-AES128-SHA",
+ "auth": "SHA1",
+ "cipher": "AES-128-CBC",
+ "keepalive": "10 30"
+ }
}
}
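Review bot: The new `configuration` block is what `eip-service.json.erb` now publishes to clients as `openvpn_configuration` and compares across gateways, but nothing records that it is client-visible and must be identical on every openvpn node; a per-node override will trigger the conflict error in that template. Since JSON cannot carry a comment, a sentence in the service documentation (or next to the comparison in the template) saying so would prevent surprises. `"auth": "SHA1"` and `"cipher": "AES-128-CBC"` mirror the values previously hard-coded in the template, so this hunk only changes where the advertised suite is defined, not its contents; `"keepalive": "10 30"` is the one genuinely new setting.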
diff --git a/provider_base/services/soledad.json b/provider_base/services/soledad.json
index 10657563..ed6fbc9f 100644
--- a/provider_base/services/soledad.json
+++ b/provider_base/services/soledad.json
@@ -1,6 +1,12 @@
{
- "service_type": "public_service",
"soledad": {
- "port": 1111
- }
-} \ No newline at end of file
+ "port": 2323,
+ "require_couchdb": "=> assert %(services.include? 'couchdb')",
+ "couchdb_soledad_user": {
+ "username": "= global.services[:couchdb].couch.users[:soledad].username",
+ "password": "= secret :couch_soledad_password",
+ "salt": "= hex_secret :couch_soledad_password_salt, 128"
+ }
+ },
+ "service_type": "public_service"
+}
diff --git a/provider_base/services/static.json b/provider_base/services/static.json
new file mode 100644
index 00000000..d9155a84
--- /dev/null
+++ b/provider_base/services/static.json
@@ -0,0 +1,6 @@
+{
+ "static": {
+ "formats": "=> (self.static.domains||{}).values.collect{|d| (d.locations||{}).values.collect{|l|l['format']}}.flatten.uniq"
+ },
+ "service_type": "public_service"
+} \ No newline at end of file
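Review bot: `collect{...}.flatten.uniq` in the `formats` expression is the hand-rolled form of `flat_map`, and it keeps a `nil` entry whenever a location has no `format`, so the result can be `[nil]` or `["x", nil]`. The idiomatic version is `(self.static.domains||{}).values.flat_map { |d| (d.locations||{}).values.map { |l| l['format'] } }.compact.uniq`; confirm whether a nil format is meaningful downstream before adding `compact`.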
diff --git a/provider_base/services/tor.json b/provider_base/services/tor.json
index 9173b8d4..ae4da46d 100644
--- a/provider_base/services/tor.json
+++ b/provider_base/services/tor.json
@@ -1,6 +1,6 @@
{
"tor": {
"bandwidth_rate": 6550,
- "contacts": "= global.provider.contacts['tor'] || global.provider.contacts.default"
+ "contacts": "= [provider.contacts['tor'] || provider.contacts.default].flatten"
}
}
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index 93396ec7..29c0cbf9 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -1,25 +1,35 @@
{
"webapp": {
+ "admins": [],
"modules": ["user", "billing", "help"],
- "couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]",
-// "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]",
- "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:admin]",
- "favicon": "= file_path 'branding/favicon.ico'",
- "tail_scss": "= file_path 'branding/tail.scss'",
- "head_scss": "= file_path 'branding/head.scss'",
- "img_dir": "= file_path 'branding/img'",
- "client_certificates": "= global.provider.ca.client_certificates",
- "allow_limited_certs": "= global.provider.service.allow_limited_bandwidth",
- "allow_unlimited_certs": "= global.provider.service.allow_unlimited_bandwidth",
- "allow_anonymous_certs": "= global.provider.service.allow_anonymous",
+ "couchdb_webapp_user": {
+ "username": "= global.services[:couchdb].couch.users[:webapp].username",
+ "password": "= secret :couch_webapp_password",
+ "salt": "= hex_secret :couch_webapp_password_salt, 128"
+ },
+ "customization_dir": "= file_path 'webapp'",
+ "client_certificates": "= provider.ca.client_certificates",
+ "allow_limited_certs": "= provider.service.allow_limited_bandwidth",
+ "allow_unlimited_certs": "= provider.service.allow_unlimited_bandwidth",
+ "allow_anonymous_certs": "= provider.service.allow_anonymous",
"secret_token": "= secret :webapp_secret_token",
- "api_version": 1
+ "api_version": 1,
+ "secure": false,
+ "git": {
+ "source": "https://leap.se/git/leap_web",
+ "revision": "origin/master"
+ },
+ "client_version": "= provider.client_version",
+ "nagios_test_user": {
+ "username": "nagios_test",
+ "password": "= secret :nagios_test_password"
+ }
},
"stunnel": {
"couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)"
},
"haproxy": {
- "local_ports": "= stunnel.couch_client.field(:accept_port)"
+ "servers": "= haproxy_servers(nodes_like_me[:services => :couchdb], stunnel.couch_client, global.services[:couchdb].couch.port)"
},
"definition_files": {
"provider": "= file :provider_json_template",
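Review bot: `"revision": "origin/master"` in the new `git` block pins the web application source to a moving branch rather than a tag or commit hash, so each deploy pulls whatever `https://leap.se/git/leap_web` currently serves on master and two nodes deployed at different times can run different code. For a provider base that now ships `client_version` constraints, pinning to a release tag, or at least documenting that operators are expected to override `webapp.git.revision`, would make deployments reproducible and auditable. The `"secure": false` default has no visible meaning in this diff; a word in the docs on what it controls would help, since it reads like something that should not default to off.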
@@ -34,8 +44,12 @@
},
"nickserver": {
"domain": "= 'nicknym.' + domain.full_suffix",
- "port": 6425,
- "couchdb_user": "= global.services[:couchdb].couch.users[:admin]"
+ "couchdb_nickserver_user": {
+ "username": "= global.services[:couchdb].couch.users[:nickserver].username",
+ "password": "= secret :couch_nickserver_password",
+ "salt": "= hex_secret :couch_nickserver_password_salt, 128"
+ },
+ "port": 6425
},
"dns": {
"aliases": "= [domain.full_suffix, domain.full, api.domain, nickserver.domain]"
@@ -43,8 +57,8 @@
"x509": {
"use": true,
"ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
- "client_ca_cert": "= file_path :client_ca_cert",
- "client_ca_key": "= file_path :client_ca_key",
+ "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
+ "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'",
"commercial_cert": "= file [:commercial_cert, domain.full_suffix]",
"commercial_key": "= file [:commercial_key, domain.full_suffix]",
"commercial_ca_cert": "= try_file :commercial_ca_cert"
diff --git a/provider_base/tags/development.json b/provider_base/tags/development.json
index 6d4f9e25..d9c2c007 100644
--- a/provider_base/tags/development.json
+++ b/provider_base/tags/development.json
@@ -1,7 +1,7 @@
{
"environment": "development",
"domain": {
- "full_suffix": "= 'dev.' + global.provider.domain",
- "internal_suffix": "= 'dev.' + global.provider.domain_internal"
+ "full_suffix": "= 'dev.' + provider.domain",
+ "internal_suffix": "= 'dev.' + provider.domain_internal"
}
} \ No newline at end of file