summaryrefslogtreecommitdiff
path: root/puppet/modules/site_nickserver
diff options
context:
space:
mode:
authorMicah Anderson <micah@riseup.net>2013-07-09 16:43:39 +0100
committerMicah Anderson <micah@riseup.net>2013-07-09 16:43:39 +0100
commitb4077083b971377636754b2988668a6ddd384da5 (patch)
treeb8e358b5f0f6dfa882d31d7446266111bc0d201b /puppet/modules/site_nickserver
parent625aaa11138bba365958391664299692402f8da4 (diff)
parent672154a8322901b86c9882854234eae53221a38e (diff)
Merge remote-tracking branch 'origin/develop'0.2.2
Conflicts: provider_base/services/webapp.json
Diffstat (limited to 'puppet/modules/site_nickserver')
-rw-r--r--puppet/modules/site_nickserver/manifests/init.pp162
-rw-r--r--puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb23
-rw-r--r--puppet/modules/site_nickserver/templates/nickserver.yml.erb19
3 files changed, 204 insertions, 0 deletions
diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp
new file mode 100644
index 00000000..7dfa2603
--- /dev/null
+++ b/puppet/modules/site_nickserver/manifests/init.pp
@@ -0,0 +1,162 @@
+#
+# TODO: currently, this is dependent on some things that are set up in site_webapp
+#
+# (1) HAProxy -> couchdb
+# (2) Apache
+#
+# It would be good in the future to make nickserver installable independently of site_webapp.
+#
+
+class site_nickserver {
+ tag 'leap_service'
+ include site_config::ruby
+
+ #
+ # VARIABLES
+ #
+
+ $nickserver = hiera('nickserver')
+ $nickserver_port = $nickserver['port'] # the port that public connects to (should be 6425)
+ $nickserver_local_port = '64250' # the port that nickserver is actually running on
+ $nickserver_domain = $nickserver['domain']
+
+ $couchdb_user = $nickserver['couchdb_user']['username']
+ $couchdb_password = $nickserver['couchdb_user']['password']
+ $couchdb_host = 'localhost' # couchdb is available on localhost via haproxy, which is bound to 4096.
+ $couchdb_port = '4096' # See site_webapp/templates/haproxy_couchdb.cfg.erg
+
+ # temporarily for now:
+ $domain = hiera('domain')
+ $address_domain = $domain['full_suffix']
+ $x509 = hiera('x509')
+ $x509_key = $x509['key']
+ $x509_cert = $x509['cert']
+ $x509_ca = $x509['ca_cert']
+
+ #
+ # USER AND GROUP
+ #
+
+ group { 'nickserver':
+ ensure => present,
+ allowdupe => false;
+ }
+ user { 'nickserver':
+ ensure => present,
+ allowdupe => false,
+ gid => 'nickserver',
+ home => '/srv/leap/nickserver',
+ require => Group['nickserver'];
+ }
+
+ #
+ # NICKSERVER CODE
+ # NOTE: in order to support TLS, libssl-dev must be installed before EventMachine gem
+ # is built/installed.
+ #
+
+ package {
+ 'libssl-dev': ensure => installed;
+ }
+ vcsrepo { '/srv/leap/nickserver':
+ ensure => present,
+ revision => 'origin/master',
+ provider => git,
+ source => 'git://code.leap.se/nickserver',
+ owner => 'nickserver',
+ group => 'nickserver',
+ require => [ User['nickserver'], Group['nickserver'] ],
+ notify => Exec['nickserver_bundler_update'];
+ }
+ exec { 'nickserver_bundler_update':
+ cwd => '/srv/leap/nickserver',
+ command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle"',
+ unless => '/usr/bin/bundle check',
+ user => 'nickserver',
+ timeout => 600,
+ require => [ Class['bundler::install'], Vcsrepo['/srv/leap/nickserver'], Package['libssl-dev'] ],
+ notify => Service['nickserver'];
+ }
+
+ #
+ # NICKSERVER CONFIG
+ #
+
+ file { '/etc/leap/nickserver.yml':
+ content => template('site_nickserver/nickserver.yml.erb'),
+ owner => nickserver,
+ group => nickserver,
+ mode => '0600',
+ notify => Service['nickserver'];
+ }
+
+ #
+ # NICKSERVER DAEMON
+ #
+
+ file {
+ '/usr/bin/nickserver':
+ ensure => link,
+ target => '/srv/leap/nickserver/bin/nickserver',
+ require => Vcsrepo['/srv/leap/nickserver'];
+ '/etc/init.d/nickserver':
+ owner => root, group => 0, mode => '0755',
+ source => '/srv/leap/nickserver/dist/debian-init-script',
+ require => Vcsrepo['/srv/leap/nickserver'];
+ }
+
+ service { 'nickserver':
+ ensure => running,
+ enable => true,
+ hasrestart => true,
+ hasstatus => true,
+ require => File['/etc/init.d/nickserver'];
+ }
+
+ #
+ # FIREWALL
+ # poke a hole in the firewall to allow nickserver requests
+ #
+
+ file { '/etc/shorewall/macro.nickserver':
+ content => "PARAM - - tcp $nickserver_port",
+ notify => Service['shorewall'],
+ require => Package['shorewall'];
+ }
+
+ shorewall::rule { 'net2fw-nickserver':
+ source => 'net',
+ destination => '$FW',
+ action => 'nickserver(ACCEPT)',
+ order => 200;
+ }
+
+ #
+ # APACHE REVERSE PROXY
+ # nickserver doesn't speak TLS natively, let Apache handle that.
+ #
+
+ apache::module {
+ 'proxy': ensure => present;
+ 'proxy_http': ensure => present
+ }
+
+ apache::vhost::file {
+ 'nickserver': content => template('site_nickserver/nickserver-proxy.conf.erb')
+ }
+
+ x509::key { 'nickserver':
+ content => $x509_key,
+ notify => Service[apache];
+ }
+
+ x509::cert { 'nickserver':
+ content => $x509_cert,
+ notify => Service[apache];
+ }
+
+ x509::ca { 'nickserver':
+ content => $x509_ca,
+ notify => Service[apache];
+ }
+} \ No newline at end of file
diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb
new file mode 100644
index 00000000..67896cd3
--- /dev/null
+++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb
@@ -0,0 +1,23 @@
+#
+# Apache reverse proxy configuration for the Nickserver
+#
+
+Listen 0.0.0.0:<%= @nickserver_port -%>
+
+<VirtualHost *:<%= @nickserver_port -%>>
+ ServerName <%= @nickserver_domain %>
+ ServerAlias <%= @address_domain %>
+
+ SSLEngine on
+ SSLProtocol -all +SSLv3 +TLSv1
+ SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+ SSLHonorCipherOrder on
+
+ SSLCACertificatePath /etc/ssl/certs
+ SSLCertificateChainFile /etc/ssl/certs/nickserver.pem
+ SSLCertificateKeyFile /etc/x509/keys/nickserver.key
+ SSLCertificateFile /etc/x509/certs/nickserver.crt
+
+ ProxyPass / http://localhost:<%= @nickserver_local_port %>/
+ ProxyPreserveHost On # preserve Host header in HTTP request
+</VirtualHost>
diff --git a/puppet/modules/site_nickserver/templates/nickserver.yml.erb b/puppet/modules/site_nickserver/templates/nickserver.yml.erb
new file mode 100644
index 00000000..7aab5605
--- /dev/null
+++ b/puppet/modules/site_nickserver/templates/nickserver.yml.erb
@@ -0,0 +1,19 @@
+#
+# configuration for nickserver.
+#
+
+domain: "<%= @address_domain %>"
+
+couch_host: "<%= @couchdb_host %>"
+couch_port: <%= @couchdb_port %>
+couch_database: "users"
+couch_user: "<%= @couchdb_user %>"
+couch_password: "<%= @couchdb_password %>"
+
+hkp_url: "https://hkps.pool.sks-keyservers.net:/pks/lookup"
+
+user: "nickserver"
+port: <%= @nickserver_local_port %>
+pid_file: "/var/run/nickserver"
+log_file: "/var/log/nickserver.log"
+