authorelijah <elijah@riseup.net>2013-05-21 13:17:25 -0700
committerelijah <elijah@riseup.net>2013-05-21 13:17:25 -0700
commitaafeaecb26fbb05284558114332a89439261637b (patch)
tree09ab1eedfb9c4f64e7c183737d58dc71baad25ee /puppet/modules
parentc591f65a555a20bd6bc3a2171cffb55283dd9d0c (diff)
nickserver - added support for apache reverse proxy frontend to handle the TLS.
Diffstat (limited to 'puppet/modules')
-rw-r--r--puppet/modules/site_nickserver/manifests/init.pp54
-rw-r--r--puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb23
-rw-r--r--puppet/modules/site_nickserver/templates/nickserver.yml.erb27
3 files changed, 90 insertions, 14 deletions
diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp
index 03af4acb..7dfa2603 100644
--- a/puppet/modules/site_nickserver/manifests/init.pp
+++ b/puppet/modules/site_nickserver/manifests/init.pp
@@ -1,6 +1,10 @@
#
-# TODO: currently, this is dependent on the HAProxy stuff that is in site_webapp.
-# it would be good to factor that out into a site_haproxy, so that nickserver could be applied independently.
+# TODO: currently, this is dependent on some things that are set up in site_webapp
+#
+# (1) HAProxy -> couchdb
+# (2) Apache
+#
+# It would be good in the future to make nickserver installable independently of site_webapp.
#
class site_nickserver {
@@ -12,12 +16,23 @@ class site_nickserver {
#
$nickserver = hiera('nickserver')
- $nickserver_port = $nickserver['port']
+ $nickserver_port = $nickserver['port'] # the port that public connects to (should be 6425)
+ $nickserver_local_port = '64250' # the port that nickserver is actually running on
+ $nickserver_domain = $nickserver['domain']
+
$couchdb_user = $nickserver['couchdb_user']['username']
$couchdb_password = $nickserver['couchdb_user']['password']
$couchdb_host = 'localhost' # couchdb is available on localhost via haproxy, which is bound to 4096.
$couchdb_port = '4096' # See site_webapp/templates/haproxy_couchdb.cfg.erg
+ # temporarily for now:
+ $domain = hiera('domain')
+ $address_domain = $domain['full_suffix']
+ $x509 = hiera('x509')
+ $x509_key = $x509['key']
+ $x509_cert = $x509['cert']
+ $x509_ca = $x509['ca_cert']
+
#
# USER AND GROUP
#
@@ -30,16 +45,16 @@ class site_nickserver {
ensure => present,
allowdupe => false,
gid => 'nickserver',
- groups => 'ssl-cert',
home => '/srv/leap/nickserver',
require => Group['nickserver'];
}
#
# NICKSERVER CODE
+ # NOTE: in order to support TLS, libssl-dev must be installed before EventMachine gem
+ # is built/installed.
#
- # libssl-dev must be installed before eventmachine gem in order to support TLS
package {
'libssl-dev': ensure => installed;
}
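Review bot: The rewritten comment `NOTE: in order to support TLS, libssl-dev must be installed before EventMachine gem is built/installed.` no longer explains itself once the new `APACHE REVERSE PROXY` section says nickserver does not speak TLS natively; a reader will wonder why the server still needs TLS support at all. Presumably it is for nickserver's outbound HKPS lookups (`hkp_url: "https://..."` in nickserver.yml.erb) — if so, say that: `# NOTE: nickserver still needs TLS as a client (HKPS lookups), so libssl-dev must be installed before the EventMachine gem is built.` Dropping `groups => 'ssl-cert'` from the user is consistent with nickserver no longer touching the server key, which is worth a one-line comment on the user resource too. The user and package resources this hunk touches continue outside it.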
@@ -100,6 +115,7 @@ class site_nickserver {
#
# FIREWALL
+ # poke a hole in the firewall to allow nickserver requests
#
file { '/etc/shorewall/macro.nickserver':
@@ -115,4 +131,32 @@ class site_nickserver {
order => 200;
}
+ #
+ # APACHE REVERSE PROXY
+ # nickserver doesn't speak TLS natively, let Apache handle that.
+ #
+
+ apache::module {
+ 'proxy': ensure => present;
+ 'proxy_http': ensure => present
+ }
+
+ apache::vhost::file {
+ 'nickserver': content => template('site_nickserver/nickserver-proxy.conf.erb')
+ }
+
+ x509::key { 'nickserver':
+ content => $x509_key,
+ notify => Service[apache];
+ }
+
+ x509::cert { 'nickserver':
+ content => $x509_cert,
+ notify => Service[apache];
+ }
+
+ x509::ca { 'nickserver':
+ content => $x509_ca,
+ notify => Service[apache];
+ }
} \ No newline at end of file
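Review bot: The added `apache::vhost::file { 'nickserver': ... }` has no ordering relationship to the `x509::key`/`x509::cert`/`x509::ca` resources declared after it or to the two `apache::module` resources, so on a first run Apache can be handed a vhost whose certificate, key and proxy modules are not yet in place (whether those defined types establish that ordering internally is outside this hunk). Adding `require => [ Apache::Module['proxy'], Apache::Module['proxy_http'], X509::Key['nickserver'], X509::Cert['nickserver'], X509::Ca['nickserver'] ],` to the vhost resource makes the dependency explicit, and if `apache::vhost::file` does not itself notify the service, the vhost also needs `notify => Service[apache]`. A short comment on these resources stating that the `x509::*` titles must stay in sync with the `/etc/x509/keys/nickserver.key` and `/etc/x509/certs/nickserver.crt` paths hard-coded in `nickserver-proxy.conf.erb` would help the next maintainer.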
diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb
new file mode 100644
index 00000000..67896cd3
--- /dev/null
+++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb
@@ -0,0 +1,23 @@
+#
+# Apache reverse proxy configuration for the Nickserver
+#
+
+Listen 0.0.0.0:<%= @nickserver_port -%>
+
+<VirtualHost *:<%= @nickserver_port -%>>
+ ServerName <%= @nickserver_domain %>
+ ServerAlias <%= @address_domain %>
+
+ SSLEngine on
+ SSLProtocol -all +SSLv3 +TLSv1
+ SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+ SSLHonorCipherOrder on
+
+ SSLCACertificatePath /etc/ssl/certs
+ SSLCertificateChainFile /etc/ssl/certs/nickserver.pem
+ SSLCertificateKeyFile /etc/x509/keys/nickserver.key
+ SSLCertificateFile /etc/x509/certs/nickserver.crt
+
+ ProxyPass / http://localhost:<%= @nickserver_local_port %>/
+ ProxyPreserveHost On # preserve Host header in HTTP request
+</VirtualHost>
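Review bot: The line `ProxyPreserveHost On # preserve Host header in HTTP request` will fail Apache's configuration check, because httpd does not support trailing comments — the `#` and the words after it are parsed as extra arguments to `ProxyPreserveHost`; move the comment onto its own line above the directive. Separately, `SSLProtocol -all +SSLv3 +TLSv1` explicitly re-enables SSLv3, which gives no benefit over TLSv1 and is a known-weak protocol; `SSLProtocol -all +TLSv1` (plus `+TLSv1.1 +TLSv1.2` where the Apache/OpenSSL build supports them) and a cipher list without the `MEDIUM` group, e.g. `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4`, is the stricter choice. `SSLCertificateChainFile /etc/ssl/certs/nickserver.pem` names a path that none of the `x509::*` resources in init.pp visibly writes, so it is worth confirming that `x509::ca { 'nickserver' }` installs the CA there; a comment recording which resource provides each of the four files would make that check easy.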
diff --git a/puppet/modules/site_nickserver/templates/nickserver.yml.erb b/puppet/modules/site_nickserver/templates/nickserver.yml.erb
index b6e0b3bf..7aab5605 100644
--- a/puppet/modules/site_nickserver/templates/nickserver.yml.erb
+++ b/puppet/modules/site_nickserver/templates/nickserver.yml.erb
@@ -1,10 +1,19 @@
-couch_host: <%= @couchdb_host %>
+#
+# configuration for nickserver.
+#
+
+domain: "<%= @address_domain %>"
+
+couch_host: "<%= @couchdb_host %>"
couch_port: <%= @couchdb_port %>
-couch_database: 'users'
-couch_user: <%= @couchdb_user %>
-couch_password: <%= @couchdb_password %>
-hkp_url: 'https://hkps.pool.sks-keyservers.net:/pks/lookup'
-port: <%= @nickserver_port %>
-pid_file: '/var/run/nickserver'
-user: 'nickserver'
-log_file: '/var/log/nickserver.log'
+couch_database: "users"
+couch_user: "<%= @couchdb_user %>"
+couch_password: "<%= @couchdb_password %>"
+
+hkp_url: "https://hkps.pool.sks-keyservers.net:/pks/lookup"
+
+user: "nickserver"
+port: <%= @nickserver_local_port %>
+pid_file: "/var/run/nickserver"
+log_file: "/var/log/nickserver.log"
+
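Review bot: Wrapping the secrets in double quotes on `couch_password: "<%= @couchdb_password %>"` (and `couch_user`) makes the YAML break, or silently change meaning, whenever the hiera value contains `"` or `\`, since ERB inserts it unescaped; either emit an escaped scalar (`couch_password: <%= @couchdb_password.to_json %>`, which supplies its own quotes — TODO confirm the json library is loaded in the template environment) or document in the module that these values must not contain those characters. The switch to `port: <%= @nickserver_local_port %>` also leaves nickserver serving plaintext HTTP on 64250, and nothing in this template restricts the bind address; if nickserver supports a listen-address setting it should be bound to localhost so that only the Apache front end can reach it, and if it does not, a comment here noting that the firewall is the only thing keeping that port internal would be useful. The trailing blank `+` line at the end of the file can be dropped.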