summaryrefslogtreecommitdiff
path: root/puppet/modules/site_nickserver/manifests
diff options
context:
space:
mode:
authorelijah <elijah@riseup.net>2013-05-21 13:17:25 -0700
committerelijah <elijah@riseup.net>2013-05-21 13:17:25 -0700
commitaafeaecb26fbb05284558114332a89439261637b (patch)
tree09ab1eedfb9c4f64e7c183737d58dc71baad25ee /puppet/modules/site_nickserver/manifests
parentc591f65a555a20bd6bc3a2171cffb55283dd9d0c (diff)
nickserver - added support for apache reverse proxy frontend to handle the TLS.
Diffstat (limited to 'puppet/modules/site_nickserver/manifests')
-rw-r--r--puppet/modules/site_nickserver/manifests/init.pp54
1 files changed, 49 insertions, 5 deletions
diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp
index 03af4acb..7dfa2603 100644
--- a/puppet/modules/site_nickserver/manifests/init.pp
+++ b/puppet/modules/site_nickserver/manifests/init.pp
@@ -1,6 +1,10 @@
#
-# TODO: currently, this is dependent on the HAProxy stuff that is in site_webapp.
-# it would be good to factor that out into a site_haproxy, so that nickserver could be applied independently.
+# TODO: currently, this is dependent on some things that are set up in site_webapp
+#
+# (1) HAProxy -> couchdb
+# (2) Apache
+#
+# It would be good in the future to make nickserver installable independently of site_webapp.
#
class site_nickserver {
@@ -12,12 +16,23 @@ class site_nickserver {
#
$nickserver = hiera('nickserver')
- $nickserver_port = $nickserver['port']
+ $nickserver_port = $nickserver['port'] # the port that public connects to (should be 6425)
+ $nickserver_local_port = '64250' # the port that nickserver is actually running on
+ $nickserver_domain = $nickserver['domain']
+
$couchdb_user = $nickserver['couchdb_user']['username']
$couchdb_password = $nickserver['couchdb_user']['password']
$couchdb_host = 'localhost' # couchdb is available on localhost via haproxy, which is bound to 4096.
$couchdb_port = '4096' # See site_webapp/templates/haproxy_couchdb.cfg.erg
+ # temporarily for now:
+ $domain = hiera('domain')
+ $address_domain = $domain['full_suffix']
+ $x509 = hiera('x509')
+ $x509_key = $x509['key']
+ $x509_cert = $x509['cert']
+ $x509_ca = $x509['ca_cert']
+
#
# USER AND GROUP
#
@@ -30,16 +45,16 @@ class site_nickserver {
ensure => present,
allowdupe => false,
gid => 'nickserver',
- groups => 'ssl-cert',
home => '/srv/leap/nickserver',
require => Group['nickserver'];
}
#
# NICKSERVER CODE
+ # NOTE: in order to support TLS, libssl-dev must be installed before EventMachine gem
+ # is built/installed.
#
- # libssl-dev must be installed before eventmachine gem in order to support TLS
package {
'libssl-dev': ensure => installed;
}
@@ -100,6 +115,7 @@ class site_nickserver {
#
# FIREWALL
+ # poke a hole in the firewall to allow nickserver requests
#
file { '/etc/shorewall/macro.nickserver':
@@ -115,4 +131,32 @@ class site_nickserver {
order => 200;
}
+ #
+ # APACHE REVERSE PROXY
+ # nickserver doesn't speak TLS natively, let Apache handle that.
+ #
+
+ apache::module {
+ 'proxy': ensure => present;
+ 'proxy_http': ensure => present
+ }
+
+ apache::vhost::file {
+ 'nickserver': content => template('site_nickserver/nickserver-proxy.conf.erb')
+ }
+
+ x509::key { 'nickserver':
+ content => $x509_key,
+ notify => Service[apache];
+ }
+
+ x509::cert { 'nickserver':
+ content => $x509_cert,
+ notify => Service[apache];
+ }
+
+ x509::ca { 'nickserver':
+ content => $x509_ca,
+ notify => Service[apache];
+ }
} \ No newline at end of file