new generic system for stunnel: just `include site_stunnel` and stunnel + needed shorewall will be automatically set up. requires new leap_cli

author: elijah <elijah@riseup.net> 2014-06-20 01:58:39 -0700
committer: elijah <elijah@riseup.net> 2014-06-25 18:17:22 -0700
commit: 49f0c54a05f6b542367f8ef4538316ba2eaac6cd (patch)
tree: c4d26dee9c7fb9f0056da062371ca30d292ce082 /puppet/modules
parent: 6df59b9f579134a9521aafb71727a98fdc92e19a (diff)
11 files changed, 206 insertions, 259 deletions
diff --git a/puppet/modules/site_couchdb/manifests/bigcouch/stunnel.pp b/puppet/modules/site_couchdb/manifests/bigcouch/stunnel.pp
deleted file mode 100644
index 5166ba93..00000000
--- a/puppet/modules/site_couchdb/manifests/bigcouch/stunnel.pp
+++ /dev/null
@@ -1,89 +0,0 @@
-class site_couchdb::bigcouch::stunnel {
-
-  $stunnel              = hiera('stunnel')
-
-  include site_config::x509::cert
-  include site_config::x509::key
-  include site_config::x509::ca
-
-  include x509::variables
-  $ca_path   = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"
-  $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
-  $key_path  = "${x509::variables::keys}/${site_config::params::cert_name}.key"
-
-
-  # Erlang Port Mapper Daemon (epmd) stunnel server/clients
-  $epmd_server          = $stunnel['epmd_server']
-  $epmd_server_accept   = $epmd_server['accept']
-  $epmd_server_connect  = $epmd_server['connect']
-  $epmd_clients         = $stunnel['epmd_clients']
-
-  # Erlang Distributed Node Protocol (ednp) stunnel server/clients
-  $ednp_server          = $stunnel['ednp_server']
-  $ednp_server_accept   = $ednp_server['accept']
-  $ednp_server_connect  = $ednp_server['connect']
-  $ednp_clients         = $stunnel['ednp_clients']
-
-
-  # setup stunnel server for Erlang Port Mapper Daemon (epmd), necessary for
-  # bigcouch clustering between each bigcouchdb node
-  stunnel::service { 'epmd_server':
-    accept     => $epmd_server_accept,
-    connect    => $epmd_server_connect,
-    client     => false,
-    cafile     => $ca_path,
-    key        => $key_path,
-    cert       => $cert_path,
-    verify     => '2',
-    pid        => '/var/run/stunnel4/epmd_server.pid',
-    rndfile    => '/var/lib/stunnel4/.rnd',
-    debuglevel => '4',
-    require    => [
-      Class['Site_config::X509::Key'],
-      Class['Site_config::X509::Cert'],
-      Class['Site_config::X509::Ca'] ];
-  }
-
-  # setup stunnel clients for Erlang Port Mapper Daemon (epmd) to connect
-  # to the above epmd stunnel server.
-  $epmd_client_defaults = {
-    'client'       => true,
-    'cafile'       => $ca_path,
-    'key'          => $key_path,
-    'cert'         => $cert_path,
-  }
-
-  create_resources(site_stunnel::clients, $epmd_clients, $epmd_client_defaults)
-
-  # setup stunnel server for Erlang Distributed Node Protocol (ednp), necessary
-  # for bigcouch clustering between each bigcouchdb node
-  stunnel::service { 'ednp_server':
-    accept     => $ednp_server_accept,
-    connect    => $ednp_server_connect,
-    client     => false,
-    cafile     => $ca_path,
-    key        => $key_path,
-    cert       => $cert_path,
-    verify     => '2',
-    pid        => '/var/run/stunnel4/ednp_server.pid',
-    rndfile    => '/var/lib/stunnel4/.rnd',
-    debuglevel => '4',
-    require    => [
-      Class['Site_config::X509::Key'],
-      Class['Site_config::X509::Cert'],
-      Class['Site_config::X509::Ca'] ];
-  }
-
-  # setup stunnel clients for Erlang Distributed Node Protocol (ednp) to connect
-  # to the above ednp stunnel server.
-  $ednp_client_defaults = {
-    'client'       => true,
-    'cafile'       => $ca_path,
-    'key'          => $key_path,
-    'cert'         => $cert_path,
-  }
-
-  create_resources(site_stunnel::clients, $ednp_clients, $ednp_client_defaults)
-
-  include site_check_mk::agent::stunnel
-}
diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp
deleted file mode 100644
index 484a0c00..00000000
--- a/puppet/modules/site_couchdb/manifests/stunnel.pp
+++ /dev/null
@@ -1,43 +0,0 @@
-class site_couchdb::stunnel {
-
-  $stunnel              = hiera('stunnel')
-  $couchdb_config       = hiera('couch')
-  $couchdb_bigcouch     = $couchdb_config['mode'] == "multimaster"
-
-  $couch_server         = $stunnel['couch_server']
-  $couch_server_accept  = $couch_server['accept']
-  $couch_server_connect = $couch_server['connect']
-
-  include site_config::x509::cert
-  include site_config::x509::key
-  include site_config::x509::ca
-
-  if $couchdb_bigcouch {
-    include site_couchdb::bigcouch::stunnel
-  }
-
-  include x509::variables
-  $ca_path   = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"
-  $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
-  $key_path  = "${x509::variables::keys}/${site_config::params::cert_name}.key"
-
-  # setup a stunnel server for the webapp to connect to couchdb
-  stunnel::service { 'couch_server':
-    accept     => $couch_server_accept,
-    connect    => $couch_server_connect,
-    client     => false,
-    cafile     => $ca_path,
-    key        => $key_path,
-    cert       => $cert_path,
-    verify     => '2',
-    pid        => '/var/run/stunnel4/couchserver.pid',
-    rndfile    => '/var/lib/stunnel4/.rnd',
-    debuglevel => '4',
-    require    => [
-      Class['Site_config::X509::Key'],
-      Class['Site_config::X509::Cert'],
-      Class['Site_config::X509::Ca'] ];
-  }
-
-  include site_check_mk::agent::stunnel
-}
diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp
deleted file mode 100644
index 73bed62b..00000000
--- a/puppet/modules/site_shorewall/manifests/couchdb.pp
+++ /dev/null
@@ -1,24 +0,0 @@
-class site_shorewall::couchdb {
-
-  include site_shorewall::defaults
-
-  $stunnel = hiera('stunnel')
-  $couch_server = $stunnel['couch_server']
-  $couch_stunnel_port = $couch_server['accept']
-
-  # define macro for incoming services
-  file { '/etc/shorewall/macro.leap_couchdb':
-    content => "PARAM   -       -       tcp    ${couch_stunnel_port}",
-    notify  => Service['shorewall'],
-    require => Package['shorewall']
-  }
-
-  shorewall::rule {
-      'net2fw-couchdb':
-        source      => 'net',
-        destination => '$FW',
-        action      => 'leap_couchdb(ACCEPT)',
-        order       => 200;
-  }
-
-}
diff --git a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp
deleted file mode 100644
index 20740650..00000000
--- a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp
+++ /dev/null
@@ -1,51 +0,0 @@
-class site_shorewall::couchdb::bigcouch {
-
-  include site_shorewall::defaults
-
-  $stunnel = hiera('stunnel')
-
-  # Erlang Port Mapper Daemon (epmd) stunnel server/clients
-  $epmd_clients         = $stunnel['epmd_clients']
-  $epmd_server          = $stunnel['epmd_server']
-  $epmd_server_port     = $epmd_server['accept']
-  $epmd_server_connect  = $epmd_server['connect']
-
-  # Erlang Distributed Node Protocol (ednp) stunnel server/clients
-  $ednp_clients         = $stunnel['ednp_clients']
-  $ednp_server          = $stunnel['ednp_server']
-  $ednp_server_port     = $ednp_server['accept']
-  $ednp_server_connect  = $ednp_server['connect']
-
-  # define macro for incoming services
-  file { '/etc/shorewall/macro.leap_bigcouch':
-    content => "PARAM   -       -       tcp    ${epmd_server_port},${ednp_server_port}",
-    notify  => Service['shorewall'],
-    require => Package['shorewall']
-  }
-
-  shorewall::rule {
-      'net2fw-bigcouch':
-        source      => 'net',
-        destination => '$FW',
-        action      => 'leap_bigcouch(ACCEPT)',
-        order       => 300;
-  }
-
-  # setup DNAT rules for each epmd
-  $epmd_shorewall_dnat_defaults = {
-    'source'          => '$FW',
-    'proto'           => 'tcp',
-    'destinationport' => regsubst($epmd_server_connect, '^([0-9.]+:)([0-9]+)$', '\2')
-  }
-  create_resources(site_shorewall::couchdb::dnat, $epmd_clients, $epmd_shorewall_dnat_defaults)
-
-  # setup DNAT rules for each ednp
-  $ednp_shorewall_dnat_defaults = {
-    'source'          => '$FW',
-    'proto'           => 'tcp',
-    'destinationport' => regsubst($ednp_server_connect, '^([0-9.]+:)([0-9]+)$', '\2')
-  }
-  create_resources(site_shorewall::couchdb::dnat, $ednp_clients, $ednp_shorewall_dnat_defaults)
-
-}
-
diff --git a/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp b/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp
deleted file mode 100644
index f1bc9acf..00000000
--- a/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp
+++ /dev/null
@@ -1,21 +0,0 @@
-define site_shorewall::couchdb::dnat (
-  $source,
-  $connect,
-  $connect_port,
-  $accept_port,
-  $proto,
-  $destinationport )
-{
-
-
-  shorewall::rule {
-    "dnat_${name}_${destinationport}":
-      action          => 'DNAT',
-      source          => $source,
-      destination     => "\$FW:127.0.0.1:${accept_port}",
-      proto           => $proto,
-      destinationport => $destinationport,
-      originaldest    => $connect,
-      order           => 200
-  }
-}
diff --git a/puppet/modules/site_shorewall/manifests/stunnel/client.pp b/puppet/modules/site_shorewall/manifests/stunnel/client.pp
new file mode 100644
index 00000000..9a89a244
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/stunnel/client.pp
@@ -0,0 +1,40 @@
+#
+# Adds some firewall magic to the stunnel.
+#
+# Using DNAT, this firewall rule allow a locally running program
+# to try to connect to the normal remote IP and remote port of the
+# service on another machine, but have this connection magically
+# routed through the locally running stunnel client.
+#
+# The network looks like this:
+#
+#   From the client's perspective:
+#
+#   |------- stunnel client --------------|    |---------- stunnel server -----------------------|
+#    consumer app -> localhost:accept_port  ->  connect:connect_port -> localhost:original_port
+#
+#   From the server's perspective:
+#
+#   |------- stunnel client --------------|    |---------- stunnel server -----------------------|
+#                                       ??  ->  *:accept_port -> localhost:connect_port -> service
+#
+
+define site_shorewall::stunnel::client(
+  $accept_port,
+  $connect,
+  $connect_port,
+  $original_port) {
+
+  include site_shorewall::defaults
+
+  shorewall::rule {
+    "stunnel_dnat_${name}":
+      action          => 'DNAT',
+      source          => '$FW',
+      destination     => "\$FW:127.0.0.1:${accept_port}",
+      proto           => 'tcp',
+      destinationport => $original_port,
+      originaldest    => $connect,
+      order           => 200
+  }
+}
diff --git a/puppet/modules/site_shorewall/manifests/stunnel/server.pp b/puppet/modules/site_shorewall/manifests/stunnel/server.pp
new file mode 100644
index 00000000..db3ecd3e
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/stunnel/server.pp
@@ -0,0 +1,22 @@
+#
+# Allow all incoming connections to stunnel server port
+#
+
+define site_shorewall::stunnel::server($port) {
+
+  include site_shorewall::defaults
+
+  file { "/etc/shorewall/macro.stunnel_server_${name}":
+    content => "PARAM   -       -       tcp    ${port}",
+    notify  => Service['shorewall'],
+    require => Package['shorewall']
+  }
+  shorewall::rule {
+    'net2fw-couchdb':
+      source      => 'net',
+      destination => '$FW',
+      action      => "stunnel_server_${name}(ACCEPT)",
+      order       => 200;
+  }
+
+}
+\ No newline at end of file
diff --git a/puppet/modules/site_stunnel/manifests/client.pp b/puppet/modules/site_stunnel/manifests/client.pp
new file mode 100644
index 00000000..12d664b4
--- /dev/null
+++ b/puppet/modules/site_stunnel/manifests/client.pp
@@ -0,0 +1,52 @@
+#
+# Sets up stunnel and firewall configuration for
+# a single stunnel client
+#
+# As a client, we accept connections on localhost,
+# and connect to a remote $connect:$connect_port
+#
+
+define site_stunnel::client (
+  $accept_port,
+  $connect_port,
+  $connect,
+  $original_port,
+  $verify     = '2',
+  $pid        = $name,
+  $rndfile    = '/var/lib/stunnel4/.rnd',
+  $debuglevel = '4' ) {
+
+  include site_config::x509::cert
+  include site_config::x509::key
+  include site_config::x509::ca
+  include x509::variables
+  $ca_path   = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"
+  $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
+  $key_path  = "${x509::variables::keys}/${site_config::params::cert_name}.key"
+
+  stunnel::service { $name:
+    accept     => "127.0.0.1:${accept_port}",
+    connect    => "${connect}:${connect_port}",
+    client     => true,
+    cafile     => $ca_path,
+    key        => $key_path,
+    cert       => $cert_path,
+    verify     => $verify,
+    pid        => "/var/run/stunnel4/${pid}.pid",
+    rndfile    => $rndfile,
+    debuglevel => $debuglevel,
+    subscribe  => [
+      Class['Site_config::X509::Key'],
+      Class['Site_config::X509::Cert'],
+      Class['Site_config::X509::Ca'] ];
+  }
+
+  site_shorewall::stunnel::client { $name:
+    accept_port   => $accept_port,
+    connect       => $connect,
+    connect_port  => $connect_port,
+    original_port => $original_port
+  }
+
+  include site_check_mk::agent::stunnel
+}
diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp
index b75c9ac3..44b31aaa 100644
--- a/puppet/modules/site_stunnel/manifests/clients.pp
+++ b/puppet/modules/site_stunnel/manifests/clients.pp
@@ -1,33 +1,26 @@
-define site_stunnel::clients (
-  $accept_port,
-  $connect_port,
-  $connect,
-  $cafile,
-  $key,
-  $cert,
-  $client     = true,
-  $verify     = '2',
-  $pid        = $name,
-  $rndfile    = '/var/lib/stunnel4/.rnd',
-  $debuglevel = '4' ) {
+#
+# usage:
+#   create_resource(site_stunnel::clients, hiera('stunnel')['clients'])
+#
+# example hiera yaml:
+#
+#   stunnel:
+#     clients:
+#       ednp_clients:
+#         thrips_9002:
+#           accept_port: 4001
+#           connect: thrips.demo.bitmask.i
+#           connect_port: 19002
+#       epmd_clients:
+#         thrips_4369:
+#           accept_port: 4000
+#           connect: thrips.demo.bitmask.i
+#           connect_port: 14369
+#
+# In the above example, this resource definition is called twice, with $name
+# 'ednp_clients' and 'epmd_clients'
+#
 
-  stunnel::service { $name:
-    accept     => "127.0.0.1:${accept_port}",
-    connect    => "${connect}:${connect_port}",
-    client     => $client,
-    cafile     => $cafile,
-    key        => $key,
-    cert       => $cert,
-    verify     => $verify,
-    pid        => "/var/run/stunnel4/${pid}.pid",
-    rndfile    => $rndfile,
-    debuglevel => $debuglevel,
-    subscribe  => [
-      Class['Site_config::X509::Key'],
-      Class['Site_config::X509::Cert'],
-      Class['Site_config::X509::Ca'] ];
-
-  }
-
-  include site_check_mk::agent::stunnel
+define site_stunnel::clients {
+  create_resources(site_stunnel::client, $site_stunnel::clients[$name])
 }
diff --git a/puppet/modules/site_stunnel/manifests/init.pp b/puppet/modules/site_stunnel/manifests/init.pp
index c7d6acc6..b292f1cd 100644
--- a/puppet/modules/site_stunnel/manifests/init.pp
+++ b/puppet/modules/site_stunnel/manifests/init.pp
@@ -1,3 +1,8 @@
+#
+# If you need something to happen after stunnel is started,
+# you can depend on Service['stunnel'] or Class['site_stunnel']
+#
+
 class site_stunnel {
 
   # include the generic stunnel module
@@ -13,5 +18,15 @@ class site_stunnel {
         ensure => absent;
     }
   }
+
+  $stunnel = hiera('stunnel')
+
+  # add server stunnels
+  create_resources(site_stunnel::servers, $stunnel['servers'])
+
+  # add client stunnels
+  $clients = $stunnel['clients']
+  $client_sections = keys($clients)
+  site_stunnel::clients { $client_sections: }
 }
 
diff --git a/puppet/modules/site_stunnel/manifests/servers.pp b/puppet/modules/site_stunnel/manifests/servers.pp
new file mode 100644
index 00000000..4419923f
--- /dev/null
+++ b/puppet/modules/site_stunnel/manifests/servers.pp
@@ -0,0 +1,53 @@
+#
+# usage:
+#   create_resource(site_stunnel::servers, hiera('stunnel')['servers'])
+#
+# example hiera yaml:
+#
+#   stunnel:
+#     servers:
+#       couch_server:
+#         accept_port: 15984
+#         connect_port: 5984
+#
+
+define site_stunnel::servers (
+  $accept_port,
+  $connect_port,
+  $verify     = '2',
+  $pid        = $name,
+  $rndfile    = '/var/lib/stunnel4/.rnd',
+  $debuglevel = '4' ) {
+
+  include site_config::x509::cert
+  include site_config::x509::key
+  include site_config::x509::ca
+  include x509::variables
+  $ca_path   = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"
+  $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
+  $key_path  = "${x509::variables::keys}/${site_config::params::cert_name}.key"
+
+  stunnel::service { $name:
+    accept     => $accept_port,
+    connect    => "127.0.0.1:${connect_port}",
+    client     => false,
+    cafile     => $ca_path,
+    key        => $key_path,
+    cert       => $cert_path,
+    verify     => $verify,
+    pid        => "/var/run/stunnel4/${pid}.pid",
+    rndfile    => '/var/lib/stunnel4/.rnd',
+    debuglevel => $debuglevel,
+    require    => [
+      Class['Site_config::X509::Key'],
+      Class['Site_config::X509::Cert'],
+      Class['Site_config::X509::Ca'] ];
+  }
+
+  # allow incoming connections on $accept_port
+  site_shorewall::stunnel::server { $name:
+    port  => $accept_port
+  }
+
+  include site_check_mk::agent::stunnel
+}
author	elijah <elijah@riseup.net>	2014-06-20 01:58:39 -0700
committer	elijah <elijah@riseup.net>	2014-06-25 18:17:22 -0700
commit	49f0c54a05f6b542367f8ef4538316ba2eaac6cd (patch)
tree	c4d26dee9c7fb9f0056da062371ca30d292ce082 /puppet/modules
parent	6df59b9f579134a9521aafb71727a98fdc92e19a (diff)