| author | varac <varacanero@zeromail.org> | 2013-03-16 15:01:48 +0100 | 
|---|---|---|
| committer | varac <varacanero@zeromail.org> | 2013-03-16 15:01:48 +0100 | 
| commit | 8c91365ca62d6f7e970f7a1fbda7be82a1fc83c3 (patch) | |
| tree | 5ca58ed2e9d52f7bd4071b6902cba064a75d81f6 /puppet/modules/site_couchdb | |
| parent | a275999ab39b49afa2bb0c998c58aec424b4a8c0 (diff) | |
| parent | 90c5b205c4764351e6ea707b965c5e6daca1c0b7 (diff) | |
Merge branch 'stunnel_switch' into develop
Diffstat (limited to 'puppet/modules/site_couchdb')
| -rw-r--r-- | puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp | 30 | ||||
| -rw-r--r-- | puppet/modules/site_couchdb/manifests/init.pp | 13 | ||||
| -rw-r--r-- | puppet/modules/site_couchdb/manifests/stunnel.pp | 42 | 
3 files changed, 60 insertions, 25 deletions
diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
index 7739473e..536dd8db 100644
--- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
+++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
@@ -1,25 +1,13 @@
-define site_couchdb::apache_ssl_proxy ($key, $cert) {
+class site_couchdb::apache_ssl_proxy {
-  $apache_no_default_site = true
-  include apache
-  apache::module {
-    'proxy':        ensure => present;
-    'proxy_http':   ensure => present;
-    'rewrite':      ensure => present;
-    'ssl':          ensure => present;
-  }
-  apache::vhost::file { 'couchdb_proxy': }
+# This is here to disable the previously configured apache ssl proxy
+# we were using this, but have switched to stunnel instead.
+#
+# Unfortunately, the current apache shared module doesn't handle
+# ensure=>absent, so this is going to be done the crude way, and will only
+# work for debian+derivitives, which is fine for now, but not good for the
+# future
-  x509::key {
-    'leap_couchdb':
-      content => $key,
-      notify  => Service[apache];
-  }
-
-  x509::cert {
-    'leap_couchdb':
-      content => $cert,
-      notify  => Service[apache];
-  }
+  package { 'apache2': ensure => absent }
 }
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 25956938..d317de65 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -4,6 +4,7 @@ class site_couchdb ( $bigcouch = false ) {
   $x509                   = hiera('x509')
   $key                    = $x509['key']
   $cert                   = $x509['cert']
+  $ca                     = $x509['ca_cert']
   $couchdb_config         = hiera('couch')
   $couchdb_users          = $couchdb_config['users']
   $couchdb_admin          = $couchdb_users['admin']
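Review bot: `package { 'apache2': ensure => absent }` removes the binaries but not the configuration the old define left behind — the `couchdb_proxy` vhost and the proxy/ssl module enablement, presumably under /etc/apache2 — so a later reinstall of apache2 would silently bring the old proxy back; `ensure => purged` removes the configuration as well. On the Debian releases current at the time `apache2` is a metapackage, so removing it alone may leave the MPM package and `apache2.2-common` (and with them the running daemon) installed — worth confirming on a host before relying on this to close the old listener. The comment block in the hunk could record the choice, e.g. `# ensure=>purged also drops /etc/apache2, so the old couchdb_proxy vhost cannot resurface`.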
@@ -30,11 +31,15 @@ class site_couchdb ( $bigcouch = false ) {
     -> Couchdb::Create_db['client_certificates']
     -> Couchdb::Add_user[$couchdb_webapp_user]
     -> Couchdb::Add_user[$couchdb_ca_daemon_user]
-    -> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy']
-  site_couchdb::apache_ssl_proxy { 'apache_ssl_proxy':
-    key   => $key,
-    cert  => $cert
+  # this is here to disable and remove the proxy
+  include site_couchdb::apache_ssl_proxy
+
+  # the above apache_ssl_proxy is replaced by the following stunnel
+  class { 'site_couchdb::stunnel':
+    key  => $key,
+    cert => $cert,
+    ca   => $ca
   }
  couchdb::query::setup { 'localhost':
diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp
new file mode 100644
index 00000000..b4635951
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/stunnel.pp
@@ -0,0 +1,42 @@
+class site_couchdb::stunnel ($key, $cert, $ca) {
+
+  include x509::variables
+  include site_stunnel
+
+  $cert_name = 'leap_couchdb'
+  $ca_path = "${x509::variables::certs}/leap_client_ca.crt"
+  $cert_path = "${x509::variables::certs}/${cert_name}.crt"
+  $key_path = "${x509::variables::keys}/${cert_name}.key"
+
+  x509::key {
+    $cert_name:
+      content => $key,
+      notify  => Service['stunnel'];
+  }
+
+  x509::cert {
+    $cert_name:
+      content => $cert,
+      notify  => Service['stunnel'];
+  }
+
+  x509::ca {
+    $cert_name:
+      content => $ca,
+      notify  => Service['stunnel'];
+  }
+
+  stunnel::service { 'couchdb':
+    accept     => '6984',
+    connect    => '127.0.0.1:5984',
+    client     => false,
+    cafile     => $ca_path,
+    key        => $key_path,
+    cert       => $cert_path,
+    verify     => '2',
+    pid        => '/var/run/stunnel4/couchdb.pid',
+    rndfile    => '/var/lib/stunnel4/.rnd',
+    debuglevel => '4'
+  }
+}
+
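Review bot: The resource chain that used to end in `-> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy']` now has no relationship to `Class['site_couchdb::stunnel']`, so nothing orders the stunnel listener on 6984 after the `Couchdb::Add_user[...]` resources; if, as the chain suggests, the admin user is created in that chain, a fresh deploy could briefly expose an instance through the TLS endpoint before it has been secured. Appending `-> Class['site_couchdb::stunnel']` where the removed arrow was keeps the old guarantee. Likewise, if the old apache vhost bound the same port, `Class['site_couchdb::apache_ssl_proxy'] -> Class['site_couchdb::stunnel']` avoids a bind failure on the first run. The head of the chain lies above the hunk, so its start is not visible here.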
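Review bot: `cafile => $ca_path` points stunnel at `${x509::variables::certs}/leap_client_ca.crt`, a file this class does not manage, while the `$ca` passed in (hiera `x509['ca_cert']`) is written by `x509::ca { 'leap_couchdb': ... }` to whatever path that define uses — so with `verify => '2'` client certificates are checked against a CA that is either deployed elsewhere or missing, and neither a `require` nor a comment ties the two together. If the client CA is intentionally distinct from `ca_cert`, say so, e.g. `# clients are verified against the LEAP client CA, deployed by <MODULE-THAT-INSTALLS-IT>; ca_cert is only the issuer of our own server cert`, and add a `require` on whichever resource installs that file so a missing CA fails the Puppet run rather than the daemon; if it is meant to be the same CA, derive `$ca_path` from what `x509::ca` writes instead of a separate literal. `accept => '6984'` with no address binds every interface, which is presumably intended for the public endpoint but is worth stating in a comment next to it.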
