diff options
| author | elijah <elijah@riseup.net> | 2013-05-21 13:17:25 -0700 |
|---|---|---|
| committer | elijah <elijah@riseup.net> | 2013-05-21 13:17:25 -0700 |
| commit | aafeaecb26fbb05284558114332a89439261637b (patch) | |
| tree | 09ab1eedfb9c4f64e7c183737d58dc71baad25ee /puppet/modules/site_nickserver/manifests | |
| parent | c591f65a555a20bd6bc3a2171cffb55283dd9d0c (diff) | |
nickserver - added support for apache reverse proxy frontend to handle the TLS.
Diffstat (limited to 'puppet/modules/site_nickserver/manifests')
| -rw-r--r-- | puppet/modules/site_nickserver/manifests/init.pp | 54 |
1 files changed, 49 insertions, 5 deletions
diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index 03af4acb..7dfa2603 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -1,6 +1,10 @@ # -# TODO: currently, this is dependent on the HAProxy stuff that is in site_webapp. -# it would be good to factor that out into a site_haproxy, so that nickserver could be applied independently. +# TODO: currently, this is dependent on some things that are set up in site_webapp +# +# (1) HAProxy -> couchdb +# (2) Apache +# +# It would be good in the future to make nickserver installable independently of site_webapp. # class site_nickserver { @@ -12,12 +16,23 @@ class site_nickserver { # $nickserver = hiera('nickserver') - $nickserver_port = $nickserver['port'] + $nickserver_port = $nickserver['port'] # the port that public connects to (should be 6425) + $nickserver_local_port = '64250' # the port that nickserver is actually running on + $nickserver_domain = $nickserver['domain'] + $couchdb_user = $nickserver['couchdb_user']['username'] $couchdb_password = $nickserver['couchdb_user']['password'] $couchdb_host = 'localhost' # couchdb is available on localhost via haproxy, which is bound to 4096. $couchdb_port = '4096' # See site_webapp/templates/haproxy_couchdb.cfg.erg + # temporarily for now: + $domain = hiera('domain') + $address_domain = $domain['full_suffix'] + $x509 = hiera('x509') + $x509_key = $x509['key'] + $x509_cert = $x509['cert'] + $x509_ca = $x509['ca_cert'] + # # USER AND GROUP # @@ -30,16 +45,16 @@ class site_nickserver { ensure => present, allowdupe => false, gid => 'nickserver', - groups => 'ssl-cert', home => '/srv/leap/nickserver', require => Group['nickserver']; } # # NICKSERVER CODE + # NOTE: in order to support TLS, libssl-dev must be installed before EventMachine gem + # is built/installed. # - # libssl-dev must be installed before eventmachine gem in order to support TLS package { 'libssl-dev': ensure => installed; } @@ -100,6 +115,7 @@ class site_nickserver { # # FIREWALL + # poke a hole in the firewall to allow nickserver requests # file { '/etc/shorewall/macro.nickserver': @@ -115,4 +131,32 @@ class site_nickserver { order => 200; } + # + # APACHE REVERSE PROXY + # nickserver doesn't speak TLS natively, let Apache handle that. + # + + apache::module { + 'proxy': ensure => present; + 'proxy_http': ensure => present + } + + apache::vhost::file { + 'nickserver': content => template('site_nickserver/nickserver-proxy.conf.erb') + } + + x509::key { 'nickserver': + content => $x509_key, + notify => Service[apache]; + } + + x509::cert { 'nickserver': + content => $x509_cert, + notify => Service[apache]; + } + + x509::ca { 'nickserver': + content => $x509_ca, + notify => Service[apache]; + } }
\ No newline at end of file |