| author | Micah Anderson <micah@riseup.net> | 2013-07-09 16:43:39 +0100 | 
|---|---|---|
| committer | Micah Anderson <micah@riseup.net> | 2013-07-09 16:43:39 +0100 | 
| commit | b4077083b971377636754b2988668a6ddd384da5 (patch) | |
| tree | b8e358b5f0f6dfa882d31d7446266111bc0d201b /puppet | |
| parent | 625aaa11138bba365958391664299692402f8da4 (diff) | |
| parent | 672154a8322901b86c9882854234eae53221a38e (diff) | |
Merge remote-tracking branch 'origin/develop'0.2.2
Conflicts:
	provider_base/services/webapp.json
Diffstat (limited to 'puppet')
81 files changed, 1579 insertions, 714 deletions
| diff --git a/puppet/manifests/setup.pp b/puppet/manifests/setup.pp new file mode 100644 index 00000000..80e7ffc2 --- /dev/null +++ b/puppet/manifests/setup.pp @@ -0,0 +1,16 @@ +# +# this is applied before each run of site.pp +# +$services = '' + +Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } + +include site_config::hosts + +include site_apt + +package { 'facter': +  ensure  => latest, +  require => Exec['refresh_apt'] +} + diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 1ec806d9..08cbbb9e 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -1,39 +1,39 @@  # set a default exec path  Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } -stage { 'initial': -  before => Stage['main'], -} +# parse services for host +$services=join(hiera_array('services'), ' ') +notice("Services for ${fqdn}: ${services}") + +# make sure apt is updated before any packages are installed +include apt::update +Package { require => Exec['apt_updated'] } + +include stdlib  import 'common'  include site_config::default  include site_config::slow -# parse services for host -$services=hiera_array('services') -notice("Services for ${fqdn}: ${services}")  # configure eip -if 'openvpn' in $services { +if $services =~ /\bopenvpn\b/ {    include site_openvpn  } -if 'couchdb' in $services { +if $services =~ /\bcouchdb\b/ {    include site_couchdb  } -if 'webapp' in $services { +if $services =~ /\bwebapp\b/ {    include site_webapp +  include site_nickserver  } -if 'ca' in $services { -  include site_ca_daemon -} - -if 'monitor' in $services { +if $services =~ /\bmonitor\b/ {    include site_nagios  } -if 'tor' in $services { +if $services =~ /\btor\b/ {    include site_tor  } diff --git a/puppet/modules/apache b/puppet/modules/apache -Subproject 077d4d1508b9ff3355f73ff8597991043b3ba5d +Subproject c3e92a9b3cb02f1546b6b1570f10a968d380005 
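Review bot: The new resource default `Package { require => Exec['apt_updated'] }` in site.pp names a different exec than every other new reference to the apt refresh in this diff — setup.pp's `require => Exec['refresh_apt']`, and `Exec['refresh_apt']` in site_apt::init and site_apt::leap_repo. Whichever of the two names the bumped apt submodule does not define will fail at catalog compile, and if both exist, packages end up ordered against two different update execs; pick one name and use it in all four places, or drop the site.pp default in favour of the chain site_apt already declares. Separately, setup.pp hard-codes `$services = ''` while site.pp derives it from hiera, and site_apt reads `$::services`, so the couchdb branch in site_apt can never fire during the setup run; if that is intended, say so in setup.pp, e.g. `# $services is deliberately empty here; service-specific apt config is only applied from site.pp`.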
diff --git a/puppet/modules/apt b/puppet/modules/apt -Subproject f16a0727dce187d07389388da8b816f7b520205 +Subproject 1a72a99693c1d77bfe891546408f88264fca98e diff --git a/puppet/modules/couchdb b/puppet/modules/couchdb -Subproject b915a67c6e7e3b1b75400dbbd4a9ac961c8eb03 +Subproject 20deb0652ccfe105eddec6ba2ad32b8d633705f diff --git a/puppet/modules/haproxy b/puppet/modules/haproxy new file mode 160000 +Subproject b398f3cb0a67d1170d0564a3f03977f9a08c2b6 diff --git a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf deleted file mode 100644 index 0dff2cd6..00000000 --- a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf +++ /dev/null @@ -1,10 +0,0 @@ -Listen 0.0.0.0:6984 - -<VirtualHost *:6984> -    SSLEngine On -    SSLProxyEngine On -    SSLCertificateKeyFile /etc/x509/keys/leap_couchdb.key -    SSLCertificateFile    /etc/x509/certs/leap_couchdb.crt -    ProxyPass / http://127.0.0.1:5984/ -    ProxyPassReverse / http://127.0.0.1:5984/ -</VirtualHost> diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index cdfcbd68..ae894cd4 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -21,8 +21,7 @@ Listen 0.0.0.0:<%= api_port %>    RequestHeader set X_FORWARDED_PROTO 'https' -  DocumentRoot /srv/leap-webapp/public -  Alias /1 /srv/leap-webapp/public +  DocumentRoot /srv/leap/webapp/public    # Check for maintenance file and redirect all requests    RewriteEngine On diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 4928cdd6..4b051699 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb 
@@ -21,8 +21,7 @@    RequestHeader set X_FORWARDED_PROTO 'https' -  DocumentRoot /srv/leap-webapp/public -  Alias /1 /srv/leap-webapp/public +  DocumentRoot /srv/leap/webapp/public    RewriteEngine On    # Check for maintenance file and redirect all requests @@ -37,10 +36,10 @@    PassengerFriendlyErrorPages off    SetEnv TMPDIR /var/tmp - <% if (defined? @services) and (services.is_a? Array) and (@services.include? 'monitor') -%> + <% if (defined? @services) and (@services.include? 'monitor') -%>   <DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3|/etc/nagios3/stylesheets)>      PassengerEnabled off -    AllowOverride all  +    AllowOverride all    </DirectoryMatch>   <% end -%>  </VirtualHost> diff --git a/puppet/modules/site_apt/files/keys/cloudant-key.asc b/puppet/modules/site_apt/files/keys/cloudant-key.asc new file mode 100644 index 00000000..99716a3c --- /dev/null +++ b/puppet/modules/site_apt/files/keys/cloudant-key.asc 
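Review bot: Dropping the `services.is_a? Array` guard leaves `@services.include? 'monitor'` running on whatever type `$services` now has; with site.pp turning it into a space-joined string, `String#include?` is a substring test, so a service name that merely contains `monitor` would also enable the nagios DirectoryMatch block, unlike the `\bmonitor\b` word-boundary match site.pp uses. A form that is exact for both the string and the old array shape keeps the checks consistent: `<% if (defined? @services) and Array(@services).join(' ').split.include?('monitor') -%>`. This second hunk is the tail of the VirtualHost block, whose opening is outside the hunk.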
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.11 (GNU/Linux) + +mQINBFE7fhIBEACrDREcODnhdugNozMeBawOm2irpNCP54yMljST/DOXx1uo3gQw +HnVcQ4lL7lXhbfL6Tp0WhrNYTWbbWHO0DaQbW0GQMHa2BGG0Xm0HPrjr3j55tAcM +NPr0ArDuplq4Py2pwviZiEtQkkn+biH9oV+N3jNO+8+zVHLVU7pHaX6Yd7HAxFM8 +XX+7SeVtplZ7nvSxUREiMNxQb9o0kYNRPS+b0UjiIXHrFO9afl7lTdg/I8AhKWa0 +3jJoY/IRvVopJblISQNGFipR11Lpu5sOHghgz4V8mk/in7JLMmoqSl5DP5VhRII8 +OyADBjaUJD2mkv5cGaevqpB4AId78X9+Y62gFJrGkIHY9uBxIUkRe+leYI4Zz4Bm +D9qBIbEY/kKkblTlC1G7u3qbGQcsbCRVIOnhruCih7vifcP40YwGUk5NmDA5AE78 +OovCGYGp4zMepDTSJxGT3sJOTEbzN09so6C7fQWBeQiiG5Uepp1q+VnaGpT1L4rc +Y6yRbu9dOFj6WzY4W5HtnbalzTIEYy+SIGZqRkJt6jREYLiFfyrpSFIgGoJAs0yx +9M0McXfeOod69TPufB1PeppnBwFcTmYNYxakusQxAebRDPEBZqoEgl0gMmxWbAdI +nxGMWWnSsN/Dj0dXRf1MG/5akOhX2zQcUzBOE2m/Xr5kjDPYFtFxVJDGzQARAQAB +tDNDbG91ZGFudCBQYWNrYWdlIFNpZ25pbmcgS2V5IDxzdXBwb3J0QGNsb3VkYW50 +LmNvbT6JAj4EEwECACgFAlE7fhICGwMFCQHhM4AGCwkIBwMCBhUIAgkKCwQWAgMB +Ah4BAheAAAoJEFngH70Vvo4mciIP/AlqHA/LDtSYfrFwdXifY2ImCMyzYvH40Ko2 +DHCw2qDjvK5UXn1iWuzXidT7DrxOfYoZpzySRP7VGyHxa3VPhOtzLDZSvTpk9ELo +2x2IczUwLC17M0Iis4CpqlxSFIBYGX78pMzvsEyC4TFqUDfXRlye3apjD0iwK0hE +kdP1+TPdJjhWImJm+3TLu45zTw3Ph5dnf5pLQPNhKfBSdku+vRrd35N5hHso9S1y +Z3NrxcQlWnXuqkLIA14gM7qbBFD+el9Y+tZ7ERGYg3s5uNDQRTb0QC8zg/um2+zW +4hHmuRcWY3n8IgHcYUruC1VyrrsFIWWMyLv7SZkAAoSY+jKyESDfYpJQ8jtZ4EF9 +2/gYm4FgZR8j4gWkzHSLGVt/4EIykJZb0yIg/QEovmmHqpy8xYri3goMSl4h7tfF +TOCZLTzTyQ7xONdyEsrvQPhmdtXEgvSo5S7ZU9kkx32OjCoshLLjhtqAipBgEXqb +hElFo1oSyOVoGc7UNh7KNBjWfeP8dNdCbIbIYPMeM0/CVjD60kW5ZEVDuYglT+Rz +enJJvS4Hs+fq8cFNxMB+l64qE7iS+I6RP2bPeQM2aBa2UZNWxUIbXF7bb3zLrCGn +GT8GF1AFRoW3GiDzB7QnLVp8BhIaqFUzbDim+5mFFG8wguxHTiz4snDdQXq2Es6V +UETFsNsluQINBFE7fhIBEADIyLHyBh8AKJKQHksFAPHOyA48ocxgQDpQnqYlQcAK +D8eUbRXciIz4ePBmvjaQmz8wJgWULc04u4i9jK8Jd/Ks+VhEz3AjRBfjvkBaVMog +FMPKaoDn9LVMBSZJ3fcC1DVck1oO8LnFIdktt0zhvzG+pV5b/UTRsVZmwNh1p2dM +4cJswxlksJXYnI9tFA74qiomDCPYM0zpv7TEjX23PZTLqTSHP5aWctx+MIEtdoqp 
+EsEDL6npvYBRz/tuL41cUWs7CItH131Hyuizo4vGrxgWPnoXIxLmLOOZCMk/kbx0 +XCSvengqYwNgAOlIjewtTw+WJm1gtNQQeKmaXBX7njf2Wz7LI/0KVxttEpKT5/5y +embOGn7My9i7zOc1frMCDivIOTQDBZTzR9o7/6wUJ69DIoFLMlO8UcCK3R7o5VUI +ezx+XYsOAD7D2vKoiD8Se65Vnax2rfFlLP7OQqdem5l2lkHpJzP3lA8qmA2MfJ7V +jsk7eDSyJQjG5c6KBoaFlYGhp/E2kR82cAKVaFIbW3euMM4XK6Mgzy3+DVKfk8mu +AEuHub7plfxM+65yjLNAK6l6IKtY1HfM7F4GFyNSd3mNNcWN7ceIHh8Ur4DeD2Tp +7r3XcWd6/czLYNsw2BAHeVUxnMTCeGN99UZTtHgVq9IJMOCDOPwMSzHFfZ6sNaYL +qQARAQABiQIlBBgBAgAPBQJRO34SAhsMBQkB4TOAAAoJEFngH70Vvo4mpokP/jJJ +2mXdhMVqZCtZhwphJfdxg8nBERzrd6ebXxKbTq1MmSN/fDwLknPabFHUpzk1ADCf +6mh2o0HB+67yMzo1UVtyfPOaHgCE/pWer5ultJM8gOdpBfSWL8jRwU8ZQ4fDu3z8 +AC6zTNq7znOVLEzZPy8U7q5Rt5/6QdQYoTLe6DwlLmkflzWP5VWi/mTGvtu/t5OV +tGZkzBYQ5QAXRXXkKswqkJpQFuW6d1vlYm9+x/+Q1+2kGT+CKbRAkqkf77qVcyJR +1M2JQSs4ko+rLMZzr01sYA+EBD17nxqV8vUdYebNc9Qnk8Aphid1zarUbySgAdnJ +5SLAjLe/6N6IEE9F3uKsPEs87gJrnwrYHRrmu0wAPwA0cMmtgD4Bz7Iiz4CLYPFW +rHpQCA313K+rS/LLfLBL66wIRKcPuYIFR9N03jX9eGR6qtk0b5Zb3YjWOo4V9Q1r +o+g6IB0Us5vH6ISuokq7Bv+8cXhEMVoctL9A8xWN1KDkweZ+7dNWCGV8lUWKy3Hw +ig6hENH6H7J57U8H2v2aZTeUo6e7VDP9gddNKPSEEeoBKfVnWYGoG8mVPQ2PzTgZ +ZO2vwp4c3Ix/kIV3xe+/Opcq1lxYhD7HSre1MB7HOeFmis6tBBjMJPaatZVfzj1v +6Uhz5oUCwcPol8rsp69DvGVUPSHfDwBxurDX71oG +=lEm7 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/puppet/modules/site_apt/files/keys/leap_key.asc b/puppet/modules/site_apt/files/keys/leap_key.asc new file mode 100644 index 00000000..b69251f0 --- /dev/null +++ b/puppet/modules/site_apt/files/keys/leap_key.asc 
@@ -0,0 +1,63 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.11 (GNU/Linux) + +mQINBFESwt0BEAC2CR+XgW04DVwT427v2T4+qz+O/xGOwQcalVaSOUuguYgf29en +Apb6mUqROOTuJWN1nw1lvXiA6iFxg6DjDUhsp6j54X7GAAAjZ9QuavPgcsractsJ +LRz9WSWqDjOAYsb4B5pwmSPAKYtmRAxLVzdxUsuHs2HxRO4VWnaNJQEBj7j7zuGs +gvSJBSq9Vici6cGI9c1fsWyKsnp7R6M54mmQRbsCg2+G/N0hqOz0HE6ZlJKVKaZq +uTrPxGWFuU3mAUpzFLa6Wj8DSUYiWZ/xrqiFdbB4t1HM3vlKB9LEg93DEuG/8Q0T +g2KS0lEWxequBXyE6+jklDNqJeyHmfgkuAfFlkNYa5870XT87MzGE/hS40lbmhQV +HHlwxMkAiERMc0Ys+OfgUJMbIDQBNRFg3Q/bjajFoVBgBoKFp7C22zgoJkUNT+7H +Yv/t6zeDlIzNhgYms5d0gEiAeLauwju36BmwUsbQHwejWKP8pADRZL1bTj0E+rRU +M4FFNh9D2XTFFKaaNubub8tUmo+ZUIEEKfPhNHK9wS/bsFyPv9y3HLe2b3NYGFK5 ++Hznqg8N0H+29I7zLx7VpOh3iRN3Lbxv9dMmukVJtw8Rq/Udprd3Z5p8oCisFo+k +nY+J+IgNjC0eniN8rkkl/4rIN5fvvOR8YCts50hL1fAy3dd/MKExz+QTXQARAQAB +tClMRUFQIGFyY2hpdmUgc2lnbmluZyBrZXkgPHN5c2RldkBsZWFwLnNlPokCHAQQ +AQoABgUCURPzwAAKCRBIWxL6IY6B65FzEACn1Q+9dcLig6yCRPGF8d5qdnWYquts +fLc/W8P9uFCo4bLFhy+BlalZVhOSPt2KMBCApoW0fAc5aXOWjxEmtFOvziPtJ0N7 +uJj7y8XLk1//v7QXDJNYotiO82b9XTmF2G9URhxe/YU7mgx1cRW9X2h6LOG4VCIw +Bd00wM9vV984f50hpftdyjCcWTO9WoSus7dOL457DhcX7uX89AGUJLC9RTiaDtIL +/G/VEM8pIx5zW6Q2TwUXndVsNqyG5s0J0908KNyp5IPI66M07rR939JVAL8HXMxY +KdA9pxkKzPSThx8yWZknJoINsUhrd5ijfiA6kM7HJlJF1SnwyHSSs3KydKHj5zN2 +n3oGGT0bjZiXZHShsWa5mjEvCJ7oqwtcCdo8thW128LY2/0h3JkSsYdgdsJjGJbG +76nYjCIZYa6the4+QI8HM2WG5nrZL4B/EnYHK2lDdeVy/ynu96YhC4mdk566Vcqs +RrWJgRxImkSbxp3f6SAOsLwOdmrs52wCoEpAYPMbu79jb2G7JbR4uDB0i/pXCp+c +aleyKb4ve2EjHAY/VPF5BXKaQh3JIvGKVEZIv5ospoosr78UHBk60RMMzDSlOFso +BcB6Plpqoq4lI/4Zh8M1+eDjAOnOKwQanS4Hv7O2PqldGBUAXS3m6OI2Kvv3VqnM +X0GOB2sX4Ox8UYkCPQQTAQoAJwUCURLC3QIbAwUJAeEzgAULCQgHAwUVCgkICwUW +AgMBAAIeAQIXgAAKCRAeNKGCjiB5AZBiD/wJwUVZjfNeWdpKrYy9HtZExtTcU/94 +3lgRUNinUuLPFU4i2s+hR3h5fzXR15nUD+IBJlXlzLV2G/IjXYPTp4a0gqHpWULa +b5Stu7AzFiO42/RWUAzWD1Fyh6SuZ3FDERvheid8s4SXoe6y4cJ5ErfSlJS6qqku +8ss8mS8lM1Mp+lc9wYTWQ+8hmSUivAZb9WLEljFxhvEnvAKPwD18o7+S9GABFwYs 
+xflQvKZHguaOVqBEksry+vu8okWNrg3Ll3dDQEeahr7nrLrHe8gqONJgOE9jjxRv +bJmGtIUTyGqgWZZzBfQXL/6uXL23bWkYZDkQNhfsm+colAV8gpj+/E3q/uMXwqz1 +bv06K/LsK3NHzBNE57kJHEhg9K3Uw2Wx5qwFMU1GDxsB3P9p+TyqAboEZAB2irTR +y9k8peFB7wwf0sW3Eg78XFsfy4gyV619VnBR+PbfOpKqFFXAodF1mFiIrPeefaVp +F9fiQ5Owt0sJjDaJnYT83ksAO2Aj+VsY3UjnDrGFaiV8Neit9y/8W8DqmZ3EZEF/ +M3iS0yDjqqt9ACFD+jkGlKYsyHv7gbpTq0yi6u/kRXHUTIvVwFL9M6Z6AUcG8gzo +qbKhXGfWKEq0lN5HAjJ//V9ro3DekFd0A+NQOlFV6XtspZwphVdtW1WS078HmVlw +F5dbD8pcfT/RjbkCDQRREsLdARAA3Frw+j6H9McEIi/gjiGwvxnIdGc8McWchnFp +OWvdhTW9056v+y22DoKbULjT8k+8GzuRQ0xp4VwCC1rX3UExwceczzGs+tSKuIGm +g1ELygsaOZHdQBNLGPvn+TZNGlaYXPlQo7m8YhXGHwgQrdKyjcFD5xnOHxe981LT +q+IQ6jVYhho7/Qik9rVE1XHxoOfYvnNZJD0cFdf9OcX47YoqmM4sZYPMoOmKoVQT +sAAQ527wz742Bd6SpuhqBpdEw6YiCYxEoo5kBY3IhP3L5OTS4tzhOkdf1xlhWSnC +FE7NkPcK6o+r6qCcUqRGV9jRwI97JlPKegEHYWvLD4Sk31pWi8NZ0toU/nqRvxbh +htHxuNf3jeAAzxQBhGVi0C/IBr4vqyFqmEHr9JxIa3DTV8w/a0Y4hX2bczL9Y1cB +6n8qOA68aAn+xerJcSOroTIJh83D/7OguexGGYoZBDvX6dWguf8udFPeYpJvkT6T +SYF9U0JpVTtlCNutjScUO2uaV9+uDqACngwqbzBTjL8UucAleVcFfOi48yepnOd1 +1YFYxbw+/BcqLNhi1eP2AaGxIgXbR88tF9OC0SXaCH+1Z1bbalOmQNYstOv9BbsH +vW7mPgX2xhyoDkVRWaNAQoDLbnJr4gi9cD8/kQMzdlGOzt2ist/+xueblXJs5TOO +80Rw+AEAEQEAAYkCJQQYAQoADwUCURLC3QIbDAUJAeEzgAAKCRAeNKGCjiB5AdMq +D/9SXulJq6Q4U7aN6o7TLMU2MgqeWqtBqwTNIisBoSJjXq9Od4iN2S5Akwo/ZQO0 +1nRNPPc9yjwidgb7wCUFDNglUDuGS2nXaQ0XAO83qHMOsORN2S93dO6xVRX2Chhz +l9bUr1WIQcM+lIs/LZCX2rvKlsFYmZQHX/ibhQs7T01RXajwJqwxyXyVPL+kPNeo +wva4ZUf6rzdqKZLfFgyJyGdHI18bF6lahgHdN2OOawEeU2K+MlluR3ZahoyN4u1M +qijf6snmfd0++EIqDHwYPn70F4JPdMhyuVpYBVyVtsgHy9W5fS+zSj+vX+qj6MBX +dFBs+a9nr8GZJO4BUP2mtyNgmEfUVQefSHnq+0OlGPZG4raxTEqJfp2KTRCGB4hI +zYWO1g1cOBeXxFfXJdkX8LoKbP5s2Kzn9sAK6BxmazOvSNpuimCDNvKjR00iKNS4 +Dxix2FBXQU/4pVpGHjXTQP6RqeTrAedXvpgCHWP1UIlswIQecGmQcJ/hRZjd+0vl +cjfCYhZHr7N96Da6Cy8v2fZiZHaSAt7T2oIZ9X3gEh/kOlLDcuIdvMHUfojn0MrP +Ce1AqOHyQQqhkVylvZpS0PdE0VW3PmJ98uKfX2FVAOTUD4Rw3n9Ew7bfM249HuP4 +JOXi/Skp4sBB/xgrtV1u+E+BW0SS/BOiwfrI4xUy+MrWuw== +=4STg +-----END PGP PUBLIC KEY 
BLOCK----- diff --git a/puppet/modules/site_apt/manifests/dist_upgrade.pp b/puppet/modules/site_apt/manifests/dist_upgrade.pp index f129dd73..08de31bb 100644 --- a/puppet/modules/site_apt/manifests/dist_upgrade.pp +++ b/puppet/modules/site_apt/manifests/dist_upgrade.pp @@ -1,15 +1,17 @@  class site_apt::dist_upgrade { -  if $::apt_running == 'true' {  +  if $::apt_running == 'true' {      fail ('apt-get is running in background - Please wait until it finishes. Exiting.')    } else {      exec{'initial_apt_update': -      command     => '/usr/bin/apt-get update && /usr/bin/apt-get  autoclean', +      command     => '/usr/bin/apt-get update',        refreshonly => false, +      timeout     => 360,      }      exec{'initial_apt_dist_upgrade':        command     => "/usr/bin/apt-get -q -y -o 'DPkg::Options::=--force-confold'  dist-upgrade",        refreshonly => false, +      timeout     => 1200,      }    }  } diff --git a/puppet/modules/site_apt/manifests/init.pp b/puppet/modules/site_apt/manifests/init.pp index 80c6fbde..8821c110 100644 --- a/puppet/modules/site_apt/manifests/init.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -1,6 +1,20 @@ -class site_apt { +class site_apt  { -  include ::apt +  # on couchdb we need to include squeeze in apt preferences, +  # so the cloudant package can pull some packages from squeeze +  # template() must be unquoted ! +  if 'couchdb' in $::services { +    $custom_preferences = template("site_apt/preferences.include_squeeze") +  } else { +    $custom_preferences = '' +  } +  class { 'apt': +    custom_preferences => $custom_preferences, +    custom_key_dir     => 'puppet:///modules/site_apt/keys' +  } + +  # enable http://deb.leap.se debian package repository +  include site_apt::leap_repo    apt::apt_conf { '90disable-pdiffs':      content => 'Acquire::PDiffs "false";'; 
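Review bot: `custom_key_dir => 'puppet:///modules/site_apt/keys'` installs both new keys (cloudant-key.asc and leap_key.asc) as trusted apt signing keys on every node, while the squeeze preferences that actually need the Cloudant repository are only applied when `'couchdb' in $::services`; presumably the apt module trusts every key in that directory, in which case non-couchdb hosts end up trusting a third-party vendor key for any repository they later configure. Consider shipping the Cloudant key only on couchdb hosts, or at least record the trade-off, e.g. `# cloudant-key.asc is installed on all hosts because custom_key_dir takes a whole directory`. `'couchdb' in $::services` is also a substring match against the space-joined string site.pp builds, whereas site.pp itself uses `/\bcouchdb\b/`; using the same regex here keeps the two tests consistent. Neither key file records its fingerprint anywhere in the commit, so a one-line comment with the expected fingerprint next to each key would let a later reviewer verify provenance. The class body continues in the next hunk.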
@@ -8,8 +22,21 @@ class site_apt {    include ::apt::unattended_upgrades -  apt::sources_list { 'fallback.list.disabled': -    content => template('site_apt/fallback.list'); +  apt::sources_list { 'secondary.list.disabled': +    content => template('site_apt/secondary.list');    } +  apt::preferences_snippet { 'facter': +    release  => "${::lsbdistcodename}-backports", +    priority => 999 +  } + +  # All packages should be installed _after_ refresh_apt is called, +  # which does an apt-get update. +  # There is one exception: +  # The creation of sources.list depends on the lsb package + +  File['/etc/apt/preferences'] -> +    Exec['refresh_apt'] +    Package <| ( title != 'lsb' ) |>  } diff --git a/puppet/modules/site_apt/manifests/leap_repo.pp b/puppet/modules/site_apt/manifests/leap_repo.pp new file mode 100644 index 00000000..6b3d9919 --- /dev/null +++ b/puppet/modules/site_apt/manifests/leap_repo.pp @@ -0,0 +1,14 @@ +class site_apt::leap_repo { +  apt::sources_list { 'leap.list': +    content => 'deb http://deb.leap.se/debian stable main', +    before  => Exec[refresh_apt] +  } + +  package { 'leap-keyring': +    ensure => latest +  } + +  # We wont be able to install the leap-keyring package unless the leap apt +  # source has been added and apt has been refreshed +  Exec['refresh_apt'] -> Package['leap-keyring'] +} diff --git a/puppet/modules/site_apt/templates/preferences.include_squeeze b/puppet/modules/site_apt/templates/preferences.include_squeeze new file mode 100644 index 00000000..d6d36b60 --- /dev/null +++ b/puppet/modules/site_apt/templates/preferences.include_squeeze 
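Review bot: The relationship chain at the end of the class is missing the arrow between `Exec['refresh_apt']` and the `Package <| ( title != 'lsb' ) |>` collector, so the ordering the comment above it promises — every package installed after refresh_apt — is not what gets declared; depending on the parser version this is either a syntax error or two unrelated statements. It should read `File['/etc/apt/preferences'] -> Exec['refresh_apt'] -> Package <| ( title != 'lsb' ) |>`. The `priority => 999` backports pin for facter has no comment on why the backports build is needed; a short note there would save the next reader a trip through the history.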
@@ -0,0 +1,25 @@ +Explanation: Debian wheezy +Package: * +Pin: release o=Debian,n=wheezy +Pin-Priority: 990 + +Explanation: Debian wheezy-updates +Package: * +Pin: release o=Debian,n=wheezy-updates +Pin-Priority: 990 + +Explanation: Debian sid +Package: * +Pin: release o=Debian,n=sid +Pin-Priority: 1 + +Explanation: Debian squeeze +Package: * +Pin: release o=Debian,n=squeeze +Pin-Priority: 980 + +Explanation: Debian fallback +Package: * +Pin: release o=Debian +Pin-Priority: -10 + diff --git a/puppet/modules/site_apt/templates/fallback.list b/puppet/modules/site_apt/templates/secondary.list index 41334b0b..41334b0b 100644 --- a/puppet/modules/site_apt/templates/fallback.list +++ b/puppet/modules/site_apt/templates/secondary.list diff --git a/puppet/modules/site_ca_daemon/manifests/apache.pp b/puppet/modules/site_ca_daemon/manifests/apache.pp deleted file mode 100644 index ab6b08fd..00000000 --- a/puppet/modules/site_ca_daemon/manifests/apache.pp +++ /dev/null 
@@ -1,62 +0,0 @@ -class site_ca_daemon::apache { - -  $api_domain       = hiera('api_domain') -  $x509             = hiera('x509') -  $commercial_key   = $x509['commercial_key'] -  $commercial_cert  = $x509['commercial_cert'] -  $commercial_root  = $x509['commercial_ca_cert'] -  $api_key          = $x509['key'] -  $api_cert         = $x509['cert'] -  $api_root         = $x509['ca_cert'] - -  $apache_no_default_site = true -  include apache::ssl - -  apache::module { -    'alias':   ensure => present; -    'rewrite': ensure => present; -    'headers': ensure => present; -  } - -  class { 'passenger': use_munin => false } - -  apache::vhost::file { -    'leap_ca_daemon': -      content => template('site_apache/vhosts.d/leap_ca_daemon.conf.erb') -  } - -  apache::vhost::file { -    'api': -      content => template('site_apache/vhosts.d/api.conf.erb') -  } - -  x509::key { -    'leap_ca_daemon': -      content => $commercial_key, -      notify  => Service[apache]; - -    'leap_api': -      content => $api_key, -      notify  => Service[apache]; -  } - -  x509::cert { -    'leap_ca_daemon': -      content => $commercial_cert, -      notify  => Service[apache]; - -    'leap_api': -      content => $api_cert, -      notify  => Service[apache]; -  } - -  x509::ca { -    'leap_ca_daemon': -      content => $commercial_root, -      notify  => Service[apache]; - -    'leap_api': -      content => $api_root, -      notify  => Service[apache]; -  } -} diff --git a/puppet/modules/site_ca_daemon/manifests/couchdb.pp b/puppet/modules/site_ca_daemon/manifests/couchdb.pp deleted file mode 100644 index f446a05b..00000000 --- a/puppet/modules/site_ca_daemon/manifests/couchdb.pp +++ /dev/null 
@@ -1,16 +0,0 @@ -class site_ca_daemon::couchdb { - -  $ca               = hiera('ca_daemon') -  $couchdb_host     = $ca['couchdb_hosts'] -  $couchdb_user     = $ca['couchdb_user']['username'] -  $couchdb_password = $ca['couchdb_user']['password'] - -  file { -    '/etc/leap/leap_ca.yaml': -      content => template('site_ca_daemon/leap_ca.yaml.erb'), -      owner   => leap_ca_daemon, -      group   => leap_ca_daemon, -      mode    => '0600'; -  } - -} diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp deleted file mode 100644 index 8ba9c506..00000000 --- a/puppet/modules/site_ca_daemon/manifests/init.pp +++ /dev/null 
@@ -1,103 +0,0 @@ -class site_ca_daemon { -  tag 'leap_service' -  #$definition_files = hiera('definition_files') -  #$provider         = $definition_files['provider'] -  #$eip_service      = $definition_files['eip_service'] -  $x509             = hiera('x509') - -  Class[Ruby] -> Class[rubygems] -> Class[bundler::install] - -  class { 'ruby': ruby_version => '1.9.3' } - -  class { 'bundler::install': install_method => 'package' } - -  include rubygems -  #include site_ca_daemon::apache -  include site_ca_daemon::couchdb - -  group { 'leap_ca_daemon': -    ensure    => present, -    allowdupe => false; -  } - -  user { 'leap_ca_daemon': -    ensure    => present, -    allowdupe => false, -    gid       => 'leap_ca_daemon', -    home      => '/srv/leap_ca_daemon', -    require   => [ Group['leap_ca_daemon'] ]; -  } - - -  x509::key { -    'leap_ca_daemon': -      content => $x509['ca_key']; -      #notify  => Service['leap_ca_daemon']; <== no service yet for leap_ca_daemon -  } - -  x509::cert { -    'leap_ca_daemon': -      content => $x509['ca_cert']; -      #notify  => Service['leap_ca_daemon'];  <== no service yet for leap_ca_daemon -  } - -  # -  # Does CA need a server key/cert? I think not now. 
-  # -  # x509::key { -  #   'server': -  #     content => $x509['key']; -  # } -  # -  # x509::cert { -  #   'server': -  #     content => $x509['cert']; -  # } - -  # x509::ca { -  #   'leap_ca_daemon': -  #     content => $x509['ca_cert']; -  # } - - -  file { '/srv/leap_ca_daemon': -    ensure  => directory, -    owner   => 'leap_ca_daemon', -    group   => 'leap_ca_daemon', -    require => User['leap_ca_daemon']; -  } - -  vcsrepo { '/srv/leap_ca_daemon': -    ensure   => present, -    revision => 'origin/master', -    provider => git, -    source   => 'git://code.leap.se/leap_ca', -    owner    => 'leap_ca_daemon', -    group    => 'leap_ca_daemon', -    require  => [ User['leap_ca_daemon'], Group['leap_ca_daemon'] ], -    notify   => Exec['bundler_update'] -  } - -  exec { 'bundler_update': -    cwd     => '/srv/leap_ca_daemon', -    command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install"', -    unless  => '/usr/bin/bundle check', -    timeout => 600, -    require => [ Class['bundler::install'], Vcsrepo['/srv/leap_ca_daemon'] ]; -  } - -  file { '/usr/local/bin/leap_ca_daemon': -    ensure => link, -    target => '/srv/leap_ca_daemon/bin/leap_ca_daemon', -  } - -  file { '/etc/cron.hourly/leap_ca': -    ensure  => present, -    content => "#/bin/sh\n/srv/leap_ca_daemon/bin/leap_ca_daemon --run-once > /dev/null", -    owner   => 'root', -    group   => 0, -    mode    => '0755', -  } - - -} diff --git a/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb b/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb deleted file mode 100644 index e0b95278..00000000 --- a/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb +++ /dev/null 
@@ -1,31 +0,0 @@ -# -# Default configuration options for LEAP Certificate Authority Daemon -# - -# -# Certificate Authority -# -ca_key_path: "/etc/x509/keys/leap_ca_daemon.key" -ca_key_password: nil -ca_cert_path: "/etc/x509/certs/leap_ca_daemon.crt" - -# -# Certificate pool -# -max_pool_size: 100 -client_cert_lifespan: 2 -client_cert_bit_size: 2024 -client_cert_hash: "SHA256" - -# -# Database -# -db_name: "client_certificates" -couch_connection: -  protocol: "https" -  host: <%= couchdb_host %> -  port: 6984  -  username: <%= couchdb_user %> -  password: <%= couchdb_password %> -  prefix: "" -  suffix: "" diff --git a/puppet/modules/site_config/files/xterm-title.sh b/puppet/modules/site_config/files/xterm-title.sh new file mode 100644 index 00000000..3cff0e3a --- /dev/null +++ b/puppet/modules/site_config/files/xterm-title.sh @@ -0,0 +1,8 @@ +# If this is an xterm set the title to user@host:dir +case "$TERM" in +xterm*|rxvt*) +    PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD}\007"' +    ;; +*) +    ;; +esac diff --git a/puppet/modules/site_config/manifests/base_packages.pp b/puppet/modules/site_config/manifests/base_packages.pp new file mode 100644 index 00000000..3d40f7a2 --- /dev/null +++ b/puppet/modules/site_config/manifests/base_packages.pp 
@@ -0,0 +1,28 @@ +class site_config::base_packages { + +  # base set of packages that we want to have installed everywhere +  package { [ 'etckeeper', 'screen', 'less' ]: +    ensure => installed, +  } + +  # base set of packages that we want to remove everywhere +  package { [ 'acpi', 'acpid', 'acpi-support-base',  'eject', 'ftp', +              'laptop-detect', 'lpr', 'nfs-common', 'nfs-kernel-server', +              'portmap', 'pppconfig', 'pppoe', 'pump', 'qstat', 'rpcbind', +              'samba-common', 'samba-common-bin', 'smbclient', 'tcl8.5', +              'tk8.5', 'os-prober', 'unzip', 'xauth', 'x11-common', +              'x11-utils', 'xterm' ]: +    ensure => absent; +  } + +  if $::virtual == 'virtualbox' { +    $virtualbox_ensure = present +  } else { +    $virtualbox_ensure = absent +  } + +  package { [ 'build-essential', 'fontconfig-config', 'g++', 'g++-4.7', 'gcc', +              'gcc-4.6', 'gcc-4.7', 'cpp', 'cpp-4.6', 'cpp-4.7', 'libc6-dev' ]: +                ensure => $virtualbox_ensure +  } +} diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 2191e9a1..00eee9d0 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -12,10 +12,14 @@ class site_config::default {    # configure apt    include site_apt -    # configure ssh and include ssh-keys    include site_config::sshd +  # fix dhclient from changing resolver information +  if $::ec2_instance_id { +    include site_config::dhclient +  } +    # configure /etc/resolv.conf    include site_config::resolvconf 
@@ -24,13 +28,17 @@ class site_config::default {    # configure /etc/hosts    class { 'site_config::hosts': -    stage => initial, +    stage => setup,    } -  package { [ 'etckeeper' ]: -    ensure => installed, -  } +  # install/remove base packages +  include site_config::base_packages    # include basic shorewall config    include site_shorewall::defaults + +  Class['git'] -> Vcsrepo<||> + +  # include basic shell config +  include site_config::shell  } diff --git a/puppet/modules/site_config/manifests/dhclient.pp b/puppet/modules/site_config/manifests/dhclient.pp new file mode 100644 index 00000000..7ac0caf3 --- /dev/null +++ b/puppet/modules/site_config/manifests/dhclient.pp @@ -0,0 +1,30 @@ +class site_config::dhclient { + +  # Unfortunately, there does not seem to be a way to reload the dhclient.conf +  # config file, or a convenient way to disable the modifications to +  # /etc/resolv.conf. So the following makes the functions involved noops and +  # ships a script to kill and restart dhclient. See the debian bugs: +  # #681698, #712796 + +  include site_config::params + +  file { '/usr/local/sbin/reload_dhclient': +    owner   => 0, +    group   => 0, +    mode    => '0755', +    content => template('site_config/reload_dhclient.erb'); +  } + +  exec { 'reload_dhclient': +    refreshonly => true, +    command     => '/usr/local/sbin/reload_dhclient'; +  } + +  file { '/etc/dhcp/dhclient-enter-hooks.d/disable_resolvconf': +    content => 'make_resolv_conf() { : ; } ; set_hostname() { : ; }', +    mode    => '0644', +    owner   => 'root', +    group   => 'root', +    notify  => Exec['reload_dhclient']; +  } +} diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index 6c00f3b6..ccedf036 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp 
@@ -1,22 +1,34 @@  class site_config::hosts() { +  $hosts         = hiera('hosts','') +  $hostname      = hiera('name') +  $domain_hash   = hiera('domain') +  $domain_public = $domain_hash['full_suffix'] -  $hosts = hiera('hosts','') -  $hostname = hiera('name') - -  $domain_public = $site_config::default::domain_hash['full_suffix'] - -  file { "/etc/hostname": -    ensure => present, +  file { '/etc/hostname': +    ensure  => present,      content => $hostname    } -  exec { "/bin/hostname $hostname": +  exec { "/bin/hostname ${hostname}":      subscribe   => [ File['/etc/hostname'], File['/etc/hosts'] ],      refreshonly => true;    } +  # we depend on reliable hostnames from /etc/hosts for the stunnel services +  # so restart stunnel service when /etc/hosts is modified +  # because this is done in an early stage, the stunnel module may not +  # have been deployed and will not be available for overriding, so +  # this is handled in an unorthodox manner +  exec { '/etc/init.d/stunnel4 restart': +    subscribe   => File['/etc/hosts'], +    refreshonly => true, +    onlyif      => 'test -f /etc/init.d/stunnel4'; +  } +    file { '/etc/hosts':      content => template('site_config/hosts'), -    mode    => '0644', owner => root, group => root; +    mode    => '0644', +    owner   => root, +    group   => root;    }  } diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp new file mode 100644 index 00000000..237ee454 --- /dev/null +++ b/puppet/modules/site_config/manifests/params.pp 
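Review bot: `$hostname = hiera('name')` introduces a class-local variable with the same name as the `hostname` fact, so inside this class and in the hosts template `@hostname` is the hiera value while params.pp (in this same diff) uses `$::hostname` for the fact; the two can differ and the shadowing is easy to misread. Renaming the local (and the template's `@hostname`) or adding `# hiera 'name', not the facter hostname fact` would remove the ambiguity. The value is also interpolated unquoted into the exec title `"/bin/hostname ${hostname}"`, which is run through a shell; it comes from operator-controlled hiera data, so this is acceptable, but `validate_re($hostname, '^[A-Za-z0-9.-]+$')` (stdlib is included by site.pp in this diff) would reject a malformed entry before it is executed.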
@@ -0,0 +1,25 @@ +class site_config::params { + +  $ip_address               = hiera('ip_address') +  $ip_address_interface     = getvar("interface_${ip_address}") +  $ec2_local_ipv4_interface = getvar("interface_${::ec2_local_ipv4}") + +  if $::virtual == 'virtualbox' { +    $interface = [ 'eth0', 'eth1' ] +  } +  elsif hiera('interface','') != '' { +    $interface = hiera('interface') +  } +  elsif $ip_address_interface != '' { +    $interface = $ip_address_interface +  } +  elsif $ec2_local_ipv4_interface != '' { +    $interface = $ec2_local_ipv4_interface +  } +  elsif $::interfaces =~ /eth0/ { +    $interface = eth0 +  } +  else { +    fail("unable to determine a valid interface, please set a valid interface for this node in nodes/${::hostname}.json") +  } +} diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index d73f0b78..271c5043 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -1,16 +1,5 @@  class site_config::resolvconf { -  # bind9 purging can be taken out after some time -  package { 'bind9': -    ensure => absent, -  } -  file { '/etc/default/bind9': -    ensure    => absent; -  } -  file { '/etc/bind/named.conf.options': -    ensure => absent; -  } -    $domain_public = $site_config::default::domain_hash['full_suffix']    # 127.0.0.1:      caching-only local bind diff --git a/puppet/modules/site_config/manifests/ruby.pp b/puppet/modules/site_config/manifests/ruby.pp new file mode 100644 index 00000000..2a720114 --- /dev/null +++ b/puppet/modules/site_config/manifests/ruby.pp 
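Review bot: `$interface` does not have one type across the branches: the virtualbox branch assigns the array `[ 'eth0', 'eth1' ]` while every other branch assigns a string, and reload_dhclient.erb (later in this diff) interpolates `site_config::params::interface` into a single pid-file path, which yields a nonsense filename for the array case. The dhclient class is only included on ec2 instances, so the combination may not occur today, but the variable's contract should be stated, e.g. `# $interface is a string, except on virtualbox where it lists both guest NICs`. The `!= ''` tests also rely on an undefined `getvar()` result comparing equal to the empty string, which is parser-version dependent; a comment recording that assumption would help whoever upgrades Puppet.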
@@ -0,0 +1,14 @@ +class site_config::ruby { +  Class[Ruby] -> Class[rubygems] -> Class[bundler::install] +  class { '::ruby': ruby_version => '1.9.3' } +  class { 'bundler::install': install_method => 'package' } +  include rubygems +} + + +# +# Ruby settings common to all servers +# +# Why this way? So that other classes can do 'include site_ruby' without creating redeclaration errors. +# See https://puppetlabs.com/blog/modeling-class-composition-with-parameterized-classes/ +# diff --git a/puppet/modules/site_config/manifests/shell.pp b/puppet/modules/site_config/manifests/shell.pp new file mode 100644 index 00000000..5b8c025d --- /dev/null +++ b/puppet/modules/site_config/manifests/shell.pp @@ -0,0 +1,22 @@ +class site_config::shell { + +  file { +    '/etc/profile.d/leap_path.sh': +      content => 'PATH=$PATH:/srv/leap/bin', +      mode    => '0644', +      owner   => root, +      group   => root; +  } + +  ## +  ## XTERM TITLE +  ## + +  file { '/etc/profile.d/xterm-title.sh': +    source => 'puppet:///modules/site_config/xterm-title.sh', +    owner  => root, +    group  => 0, +    mode   => '0644'; +  } + +} diff --git a/puppet/modules/site_config/manifests/slow.pp b/puppet/modules/site_config/manifests/slow.pp index 18b22a9c..94bac88d 100644 --- a/puppet/modules/site_config/manifests/slow.pp +++ b/puppet/modules/site_config/manifests/slow.pp @@ -1,6 +1,6 @@  class site_config::slow {    tag 'leap_slow'    class { 'site_apt::dist_upgrade': -    stage => initial, +    stage => setup,    }  } diff --git a/puppet/modules/site_config/manifests/sshd.pp b/puppet/modules/site_config/manifests/sshd.pp index 944dbce2..8ff337a0 100644 --- a/puppet/modules/site_config/manifests/sshd.pp +++ b/puppet/modules/site_config/manifests/sshd.pp 
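Review bot: The explanatory comment block sits after the closing brace of `site_config::ruby` and still calls the class `site_ruby`, so a reader sees an undocumented class followed by a trailing comment that names something else. Move the block above `class site_config::ruby {` and fix the name: `# Why this way? So that other classes can do 'include site_config::ruby' without redeclaration errors.`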
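Review bot: `/etc/profile.d/leap_path.sh` appends `/srv/leap/bin` to PATH for every login shell, root included, but nothing in this hunk manages the ownership or mode of that directory; a PATH entry is only safe when the directory and its contents cannot be written by less-privileged accounts. Declaring `file { '/srv/leap/bin': ensure => directory, owner => root, group => root, mode => '0755' }` here, or a comment pointing at where that is guaranteed, would close the gap. The two file resources also differ in style (`group => root` versus `group => 0`); pick one form.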
@@ -2,7 +2,7 @@ class site_config::sshd {    # configure sshd    include sshd    include site_sshd -  # no need for configuring authorized_keys as leap_cli cares for that  +  # no need for configuring authorized_keys as leap_cli cares for that    #$ssh_pubkeys=hiera_hash('ssh_pubkeys')    #notice($ssh_pubkeys)    #create_resources('site_sshd::ssh_key', $ssh_pubkeys) diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts index 00cc6a79..2c784b05 100644 --- a/puppet/modules/site_config/templates/hosts +++ b/puppet/modules/site_config/templates/hosts @@ -1,10 +1,12 @@  # This file is managed by puppet, any changes will be overwritten!  127.0.0.1    localhost -127.0.1.1    <%= hostname %>.<%= @domain_public %> <%= hostname %> +127.0.1.1    <%= @hostname %>.<%= @domain_public %> <%= @hostname %> -<%- if hosts.to_s != '' then -%> -<%= hosts %> +<%- if @hosts then -%> +<%   @hosts.each do |name, props| -%> +<%=     props["ip_address"] %> <%= props["domain_full"] %> <%= props["domain_internal"] %> <%= name %> +<%   end -%>  <% end -%>  # The following lines are desirable for IPv6 capable hosts diff --git a/puppet/modules/site_config/templates/reload_dhclient.erb b/puppet/modules/site_config/templates/reload_dhclient.erb new file mode 100644 index 00000000..075828b7 --- /dev/null +++ b/puppet/modules/site_config/templates/reload_dhclient.erb @@ -0,0 +1,13 @@ +#!/bin/sh + +# Get the PID +PIDFILE='/var/run/dhclient.<%= scope.lookupvar('site_config::params::interface') %>.pid' + +# Capture how dhclient is currently running so we can relaunch it +dhclient=`/bin/ps --no-headers --pid $(cat $PIDFILE) -f | /usr/bin/awk '{for(i=8;i<=NF;++i) printf("%s ",  $i) }'` + +# Kill the current dhclient +/usr/bin/pkill -F $PIDFILE + +# Restart dhclient with the arguments it had previously +$dhclient diff --git a/puppet/modules/site_couchdb/files/couchdb b/puppet/modules/site_couchdb/files/couchdb deleted file mode 100755 index ccdfe716..00000000 
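Review bot: reload_dhclient.erb re-executes whatever command line `ps` reports for the pid in `$PIDFILE` without checking that the pidfile exists or that the pid still belongs to dhclient: if the file is missing, `cat` fails, `ps --pid` receives an empty argument, `$dhclient` ends up empty and the script exits 0 having killed and restarted nothing; if the pid has been recycled by another process, that process's command line is run as root. Guard on the pidfile, verify the captured command, and quote the path expansions; `ps -o args=` also replaces the awk field-8 extraction, which depends on the `-f` column layout. The final `$dhclient` stays unquoted on purpose, since word splitting is what re-supplies dhclient's arguments.
```shell
PIDFILE="/var/run/dhclient.<%= scope.lookupvar('site_config::params::interface') %>.pid"
[ -r "$PIDFILE" ] || { echo "$0: $PIDFILE not found" >&2; exit 1; }

# Capture how dhclient is currently running so we can relaunch it
dhclient=$(/bin/ps --no-headers --pid "$(cat "$PIDFILE")" -o args=)

# Refuse to relaunch anything that is not dhclient (pid may have been recycled)
case "$dhclient" in
    dhclient*|/sbin/dhclient*|/usr/sbin/dhclient*) ;;
    *) echo "$0: pid in $PIDFILE is not dhclient" >&2; exit 1 ;;
esac

# Kill the current dhclient
/usr/bin/pkill -F "$PIDFILE"

# … unchanged: relaunch via $dhclient …
```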
--- a/puppet/modules/site_couchdb/files/couchdb
+++ /dev/null
@@ -1,160 +0,0 @@ -#!/bin/sh -e - -# Licensed under the Apache License, Version 2.0 (the "License"); you may not -# use this file except in compliance with the License. You may obtain a copy of -# the License at -# -#   http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations under -# the License. - -### BEGIN INIT INFO -# Provides:          couchdb -# Required-Start:    $local_fs $remote_fs -# Required-Stop:     $local_fs $remote_fs -# Default-Start:     2 3 4 5 -# Default-Stop:      0 1 6 -# Short-Description: Apache CouchDB init script -# Description:       Apache CouchDB init script for the database server. -### END INIT INFO - -SCRIPT_OK=0 -SCRIPT_ERROR=1 - -DESCRIPTION="database server" -NAME=couchdb -SCRIPT_NAME=`basename $0` -COUCHDB=/usr/bin/couchdb -CONFIGURATION_FILE=/etc/default/couchdb -RUN_DIR=/var/run/couchdb -LSB_LIBRARY=/lib/lsb/init-functions - -if test ! -x $COUCHDB; then -    exit $SCRIPT_ERROR -fi - -if test -r $CONFIGURATION_FILE; then -    . $CONFIGURATION_FILE -fi - -log_daemon_msg () { -    # Dummy function to be replaced by LSB library. - -    echo $@ -} - -log_end_msg () { -    # Dummy function to be replaced by LSB library. - -    if test "$1" != "0"; then -      echo "Error with $DESCRIPTION: $NAME" -    fi -    return $1 -} - -if test -r $LSB_LIBRARY; then -    . 
$LSB_LIBRARY -fi - -run_command () { -    command="$1" -    if test -n "$COUCHDB_OPTIONS"; then -        command="$command $COUCHDB_OPTIONS" -    fi -    if test -n "$COUCHDB_USER"; then -        if su $COUCHDB_USER -c "$command"; then -            return $SCRIPT_OK -        else -            return $SCRIPT_ERROR -        fi -    else -        if $command; then -            return $SCRIPT_OK -        else -            return $SCRIPT_ERROR -        fi -    fi -} - -start_couchdb () { -    # Start Apache CouchDB as a background process. - -    mkdir -p "$RUN_DIR" -    chown -R "$COUCHDB_USER" "$RUN_DIR" -    command="$COUCHDB -b" -    if test -n "$COUCHDB_STDOUT_FILE"; then -        command="$command -o $COUCHDB_STDOUT_FILE" -    fi -    if test -n "$COUCHDB_STDERR_FILE"; then -        command="$command -e $COUCHDB_STDERR_FILE" -    fi -    if test -n "$COUCHDB_RESPAWN_TIMEOUT"; then -        command="$command -r $COUCHDB_RESPAWN_TIMEOUT" -    fi -    run_command "$command" > /dev/null -} - -stop_couchdb () { -    # Stop the running Apache CouchDB process. - -    run_command "$COUCHDB -d" > /dev/null -    pkill -u couchdb -    # always return true even if no remaining couchdb procs got killed -    /bin/true -} - -display_status () { -    # Display the status of the running Apache CouchDB process. - -    run_command "$COUCHDB -s" -} - -parse_script_option_list () { -    # Parse arguments passed to the script and take appropriate action. 
- -    case "$1" in -        start) -            log_daemon_msg "Starting $DESCRIPTION" $NAME -            if start_couchdb; then -                log_end_msg $SCRIPT_OK -            else -                log_end_msg $SCRIPT_ERROR -            fi -            ;; -        stop) -            log_daemon_msg "Stopping $DESCRIPTION" $NAME -            if stop_couchdb; then -                log_end_msg $SCRIPT_OK -            else -                log_end_msg $SCRIPT_ERROR -            fi -            ;; -        restart|force-reload) -            log_daemon_msg "Restarting $DESCRIPTION" $NAME -            if stop_couchdb; then -                if start_couchdb; then -                    log_end_msg $SCRIPT_OK -                else -                    log_end_msg $SCRIPT_ERROR -                fi -            else -                log_end_msg $SCRIPT_ERROR -            fi -            ;; -        status) -            display_status -            ;; -        *) -            cat << EOF >&2 -Usage: $SCRIPT_NAME {start|stop|restart|force-reload|status} -EOF -            exit $SCRIPT_ERROR -            ;; -    esac -} - -parse_script_option_list $@ diff --git a/puppet/modules/site_couchdb/files/local.ini b/puppet/modules/site_couchdb/files/local.ini index b3376cbb..22aa0177 100644 --- a/puppet/modules/site_couchdb/files/local.ini +++ b/puppet/modules/site_couchdb/files/local.ini @@ -28,8 +28,10 @@  [httpd_global_handlers]  ;_google = {couch_httpd_proxy, handle_proxy_req, <<"http://www.google.com">>} +# futon is enabled by default on bigcouch in default.ini +# we need to find another way to disable futon, it won't work disabling it here  # enable futon -_utils = {couch_httpd_misc_handlers, handle_utils_dir_req, "/usr/share/couchdb/www"} +#_utils = {couch_httpd_misc_handlers, handle_utils_dir_req, "/usr/share/couchdb/www"}  # disable futon  #_utils =  {couch_httpd_misc_handlers, handle_welcome_req, <<"Welcome, Futon is disabled!">>} 
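Review bot: The new comment in local.ini records that Futon stays enabled because bigcouch's default.ini re-adds `_utils`, but it leaves no pointer to what limits access to the admin UI instead; a line such as `# Futon therefore remains reachable to anyone who can reach the couchdb port; access control has to happen in front of couchdb` would tell the next reader where the boundary is rather than leaving the commented-out `_utils` line as the only trace. The file mixes `;` and `#` comment markers in the same section; sticking to one makes the intent of the commented-out handler lines easier to scan.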
diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
deleted file mode 100644
index 7739473e..00000000
--- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
+++ /dev/null
@@ -1,25 +0,0 @@
-define site_couchdb::apache_ssl_proxy ($key, $cert) {
-
-  $apache_no_default_site = true
-  include apache
-  apache::module {
-    'proxy':        ensure => present;
-    'proxy_http':   ensure => present;
-    'rewrite':      ensure => present;
-    'ssl':          ensure => present;
-  }
-  apache::vhost::file { 'couchdb_proxy': }
-
-  x509::key {
-    'leap_couchdb':
-      content => $key,
-      notify  => Service[apache];
-  }
-
-  x509::cert {
-    'leap_couchdb':
-      content => $cert,
-      notify  => Service[apache];
-  }
-
-}
diff --git a/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp b/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp
new file mode 100644
index 00000000..241a4914
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp
@@ -0,0 +1,5 @@
+class site_couchdb::bigcouch::add_nodes {
+  # loop through neighbors array and add nodes
+  $nodes = $::site_couchdb::bigcouch_config['neighbors']
+  couchdb::bigcouch::add_node { $nodes: }
+}
diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp
deleted file mode 100644
index 333511b5..00000000
--- a/puppet/modules/site_couchdb/manifests/configure.pp
+++ /dev/null
@@ -1,27 +0,0 @@ -class site_couchdb::configure { - -  file { '/etc/init.d/couchdb': -    source => 'puppet:///modules/site_couchdb/couchdb', -    mode   => '0755', -    owner  => 'root', -    group  => 'root', -  } - -  file { '/etc/couchdb/local.d/admin.ini': -    content => "[admins] -admin = $site_couchdb::couchdb_admin_pw -", -    mode    => '0600', -    owner   => 'couchdb', -    group   => 'couchdb', -    notify  => Service[couchdb] -  } - - -  exec { '/etc/init.d/couchdb restart; sleep 6': -    path        => ['/bin', '/usr/bin',], -    subscribe   => File['/etc/couchdb/local.d/admin.ini', -      '/etc/couchdb/local.ini'], -    refreshonly => true -  } -} diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 9ecde5e6..802f3224 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp 
@@ -1,64 +1,83 @@  class site_couchdb {    tag 'leap_service' -  include couchdb    $x509                   = hiera('x509')    $key                    = $x509['key']    $cert                   = $x509['cert'] +  $ca                     = $x509['ca_cert'] +    $couchdb_config         = hiera('couch')    $couchdb_users          = $couchdb_config['users']    $couchdb_admin          = $couchdb_users['admin']    $couchdb_admin_user     = $couchdb_admin['username']    $couchdb_admin_pw       = $couchdb_admin['password'] +  $couchdb_admin_salt     = $couchdb_admin['salt']    $couchdb_webapp         = $couchdb_users['webapp']    $couchdb_webapp_user    = $couchdb_webapp['username']    $couchdb_webapp_pw      = $couchdb_webapp['password'] -  $couchdb_ca_daemon      = $couchdb_users['ca_daemon'] -  $couchdb_ca_daemon_user = $couchdb_ca_daemon['username'] -  $couchdb_ca_daemon_pw   = $couchdb_ca_daemon['password'] +  $couchdb_webapp_salt    = $couchdb_webapp['salt'] +  $couchdb_soledad        = $couchdb_users['soledad'] +  $couchdb_soledad_user   = $couchdb_soledad['username'] +  $couchdb_soledad_pw     = $couchdb_soledad['password'] +  $couchdb_soledad_salt   = $couchdb_soledad['salt'] + +  $bigcouch_config        = $couchdb_config['bigcouch'] +  $bigcouch_cookie        = $bigcouch_config['cookie'] + +  $ednp_port              = $bigcouch_config['ednp_port'] + +  class { 'couchdb': +    bigcouch        => true, +    admin_pw        => $couchdb_admin_pw, +    admin_salt      => $couchdb_admin_salt, +    bigcouch_cookie => $bigcouch_cookie, +    ednp_port       => $ednp_port +  } + +  class { 'couchdb::bigcouch::package::cloudant': } -  Package ['couchdb'] -    -> File['/etc/init.d/couchdb'] -    -> File['/etc/couchdb/local.ini'] -    -> File['/etc/couchdb/local.d/admin.ini'] -    -> File['/etc/couchdb/couchdb.netrc'] +  Class ['couchdb::bigcouch::package::cloudant'] +    -> Service ['couchdb'] +    -> Class ['site_couchdb::bigcouch::add_nodes']      -> 
Couchdb::Create_db['users'] -    -> Couchdb::Create_db['client_certificates'] +    -> Couchdb::Create_db['tokens']      -> Couchdb::Add_user[$couchdb_webapp_user] -    -> Couchdb::Add_user[$couchdb_ca_daemon_user] -    -> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy'] +    -> Couchdb::Add_user[$couchdb_soledad_user] -  include site_couchdb::configure -  include couchdb::deploy_config - -  site_couchdb::apache_ssl_proxy { 'apache_ssl_proxy': -    key   => $key, -    cert  => $cert +  class { 'site_couchdb::stunnel': +    key  => $key, +    cert => $cert, +    ca   => $ca    } +  class { 'site_couchdb::bigcouch::add_nodes': } +    couchdb::query::setup { 'localhost':      user  => $couchdb_admin_user, -    pw    => $couchdb_admin_pw +    pw    => $couchdb_admin_pw,    }    # Populate couchdb    couchdb::add_user { $couchdb_webapp_user: -    roles => '["certs"]', -    pw    => $couchdb_webapp_pw +    roles => '["auth"]', +    pw    => $couchdb_webapp_pw, +    salt  => $couchdb_webapp_salt    } -  couchdb::add_user { $couchdb_ca_daemon_user: -    roles => '["certs"]', -    pw    => $couchdb_ca_daemon_pw +  couchdb::add_user { $couchdb_soledad_user: +    roles => '["auth"]', +    pw    => $couchdb_soledad_pw, +    salt  => $couchdb_soledad_salt    }    couchdb::create_db { 'users':      readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }"    } -  couchdb::create_db { 'client_certificates': -    readers => "{ \"names\": [], \"roles\": [\"certs\"] }" +  couchdb::create_db { 'tokens': +    readers => "{ \"names\": [], \"roles\": [\"auth\"] }"    }    include site_shorewall::couchdb +  include site_shorewall::couchdb::bigcouch  } diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp new file mode 100644 index 00000000..d982013e --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp 
@@ -0,0 +1,104 @@ +class site_couchdb::stunnel ($key, $cert, $ca) { + +  $stunnel              = hiera('stunnel') + +  $couch_server         = $stunnel['couch_server'] +  $couch_server_accept  = $couch_server['accept'] +  $couch_server_connect = $couch_server['connect'] + +  # Erlang Port Mapper Daemon (epmd) stunnel server/clients +  $epmd_server          = $stunnel['epmd_server'] +  $epmd_server_accept   = $epmd_server['accept'] +  $epmd_server_connect  = $epmd_server['connect'] +  $epmd_clients         = $stunnel['epmd_clients'] + +  # Erlang Distributed Node Protocol (ednp) stunnel server/clients +  $ednp_server          = $stunnel['ednp_server'] +  $ednp_server_accept   = $ednp_server['accept'] +  $ednp_server_connect  = $ednp_server['connect'] +  $ednp_clients         = $stunnel['ednp_clients'] + +  include x509::variables +  $cert_name = 'leap_couchdb' +  $ca_name   = 'leap_ca' +  $ca_path   = "${x509::variables::local_CAs}/${ca_name}.crt" +  $cert_path = "${x509::variables::certs}/${cert_name}.crt" +  $key_path  = "${x509::variables::keys}/${cert_name}.key" + +  # basic setup: ensure cert, key, ca files are in place, and some generic +  # stunnel things are done +  class { 'site_stunnel::setup': +    cert_name => $cert_name, +    key       => $key, +    cert      => $cert, +    ca_name   => $ca_name, +    ca        => $ca +  } + +  # setup a stunnel server for the webapp to connect to couchdb +  stunnel::service { 'couch_server': +    accept     => $couch_server_accept, +    connect    => $couch_server_connect, +    client     => false, +    cafile     => $ca_path, +    key        => $key_path, +    cert       => $cert_path, +    verify     => '2', +    pid        => '/var/run/stunnel4/couchserver.pid', +    rndfile    => '/var/lib/stunnel4/.rnd', +    debuglevel => '4' +  } + + +  # setup stunnel server for Erlang Port Mapper Daemon (epmd), necessary for +  # bigcouch clustering between each bigcouchdb node +  stunnel::service { 'epmd_server': +    accept  
   => $epmd_server_accept, +    connect    => $epmd_server_connect, +    client     => false, +    cafile     => $ca_path, +    key        => $key_path, +    cert       => $cert_path, +    verify     => '2', +    pid        => '/var/run/stunnel4/epmd_server.pid', +    rndfile    => '/var/lib/stunnel4/.rnd', +    debuglevel => '4' +  } + +  # setup stunnel clients for Erlang Port Mapper Daemon (epmd) to connect +  # to the above epmd stunnel server. +  $epmd_client_defaults = { +    'client'       => true, +    'cafile'       => $ca_path, +    'key'          => $key_path, +    'cert'         => $cert_path, +  } + +  create_resources(site_stunnel::clients, $epmd_clients, $epmd_client_defaults) + +  # setup stunnel server for Erlang Distributed Node Protocol (ednp), necessary +  # for bigcouch clustering between each bigcouchdb node +  stunnel::service { 'ednp_server': +    accept     => $ednp_server_accept, +    connect    => $ednp_server_connect, +    client     => false, +    cafile     => $ca_path, +    key        => $key_path, +    cert       => $cert_path, +    verify     => '2', +    pid        => '/var/run/stunnel4/ednp_server.pid', +    rndfile    => '/var/lib/stunnel4/.rnd', +    debuglevel => '4' +  } + +  # setup stunnel clients for Erlang Distributed Node Protocol (ednp) to connect +  # to the above ednp stunnel server. +  $ednp_client_defaults = { +    'client'       => true, +    'cafile'       => $ca_path, +    'key'          => $key_path, +    'cert'         => $cert_path, +  } + +  create_resources(site_stunnel::clients, $ednp_clients, $ednp_client_defaults) +} diff --git a/puppet/modules/site_haproxy/manifests/init.pp b/puppet/modules/site_haproxy/manifests/init.pp new file mode 100644 index 00000000..ace88a7b --- /dev/null +++ b/puppet/modules/site_haproxy/manifests/init.pp 
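Review bot: `$epmd_client_defaults` and `$ednp_client_defaults` in stunnel.pp are the same four-key hash declared twice; declare a single `$client_defaults` once and pass it to both `create_resources(site_stunnel::clients, ...)` calls. All four `stunnel::service` resources use `verify => '2'`, which accepts any peer certificate that chains to `$ca_path` without checking the peer's identity; whether `leap_ca` also issues certificates to anything other than bigcouch nodes is not visible here, so a comment on the first service, e.g. `# verify 2: any certificate issued by leap_ca is accepted, so that CA must only sign node certs`, would record the trust assumption next to the setting. `debuglevel => '4'` is repeated four times as well and could live in the shared defaults.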
@@ -0,0 +1,26 @@ +class site_haproxy { + +    class { 'haproxy': +    enable           => true, +    version          => '1.4.23-0.1~leap60+1', +    manage_service   => true, +    global_options   => { +      'log'     => '127.0.0.1 local0', +      'maxconn' => '4096', +      'stats'   => 'socket /var/run/haproxy.sock user haproxy group haproxy', +      'chroot'  => '/usr/share/haproxy', +      'user'    => 'haproxy', +      'group'   => 'haproxy', +      'daemon'  => '' +    }, +    defaults_options => { +      'log'             => 'global', +      'retries'         => '3', +      'option'          => 'redispatch', +      'timeout connect' => '4000', +      'timeout client'  => '20000', +      'timeout server'  => '20000' +    } +  } + +} diff --git a/puppet/modules/site_nagios/manifests/server.pp b/puppet/modules/site_nagios/manifests/server.pp index c98a8a1f..c114a39a 100644 --- a/puppet/modules/site_nagios/manifests/server.pp +++ b/puppet/modules/site_nagios/manifests/server.pp @@ -2,7 +2,7 @@ class site_nagios::server inherits nagios::base {    # First, purge old nagios config (see #1467)    class { 'site_nagios::server::purge': -    stage => initial +    stage => setup    }    $nagios_hiera=hiera('nagios') diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp new file mode 100644 index 00000000..7dfa2603 --- /dev/null +++ b/puppet/modules/site_nickserver/manifests/init.pp 
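Review bot: The `stats` entry in `global_options` creates `/var/run/haproxy.sock` without a `mode`, so the socket's permissions depend on the daemon's umask rather than on the `user haproxy group haproxy` ownership, and anyone who can open it can issue runtime commands such as disabling backends; `'stats' => 'socket /var/run/haproxy.sock user haproxy group haproxy mode 600 level operator'` limits it to the haproxy user and records the intended command level. `    class { 'haproxy':` is indented four spaces while its attributes and the closing `  }` use two; realign the declaration to two.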
@@ -0,0 +1,162 @@ +# +# TODO: currently, this is dependent on some things that are set up in site_webapp +# +# (1) HAProxy -> couchdb +# (2) Apache +# +# It would be good in the future to make nickserver installable independently of site_webapp. +# + +class site_nickserver { +  tag 'leap_service' +  include site_config::ruby + +  # +  # VARIABLES +  # + +  $nickserver        = hiera('nickserver') +  $nickserver_port   = $nickserver['port']  # the port that public connects to (should be 6425) +  $nickserver_local_port = '64250'          # the port that nickserver is actually running on +  $nickserver_domain = $nickserver['domain'] + +  $couchdb_user      = $nickserver['couchdb_user']['username'] +  $couchdb_password  = $nickserver['couchdb_user']['password'] +  $couchdb_host      = 'localhost'    # couchdb is available on localhost via haproxy, which is bound to 4096. +  $couchdb_port      = '4096'         # See site_webapp/templates/haproxy_couchdb.cfg.erg + +  # temporarily for now: +  $domain          = hiera('domain') +  $address_domain  = $domain['full_suffix'] +  $x509            = hiera('x509') +  $x509_key        = $x509['key'] +  $x509_cert       = $x509['cert'] +  $x509_ca         = $x509['ca_cert'] + +  # +  # USER AND GROUP +  # + +  group { 'nickserver': +    ensure    => present, +    allowdupe => false; +  } +  user { 'nickserver': +    ensure    => present, +    allowdupe => false, +    gid       => 'nickserver', +    home      => '/srv/leap/nickserver', +    require   => Group['nickserver']; +  } + +  # +  # NICKSERVER CODE +  # NOTE: in order to support TLS, libssl-dev must be installed before EventMachine gem +  # is built/installed. 
+  # + +  package { +    'libssl-dev': ensure => installed; +  } +  vcsrepo { '/srv/leap/nickserver': +    ensure   => present, +    revision => 'origin/master', +    provider => git, +    source   => 'git://code.leap.se/nickserver', +    owner    => 'nickserver', +    group    => 'nickserver', +    require  => [ User['nickserver'], Group['nickserver'] ], +    notify   => Exec['nickserver_bundler_update']; +  } +  exec { 'nickserver_bundler_update': +    cwd     => '/srv/leap/nickserver', +    command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle"', +    unless  => '/usr/bin/bundle check', +    user    => 'nickserver', +    timeout => 600, +    require => [ Class['bundler::install'], Vcsrepo['/srv/leap/nickserver'], Package['libssl-dev'] ], +    notify  => Service['nickserver']; +  } + +  # +  # NICKSERVER CONFIG +  # + +  file { '/etc/leap/nickserver.yml': +    content => template('site_nickserver/nickserver.yml.erb'), +    owner   => nickserver, +    group   => nickserver, +    mode    => '0600', +    notify  => Service['nickserver']; +  } + +  # +  # NICKSERVER DAEMON +  # + +  file { +    '/usr/bin/nickserver': +      ensure  => link, +      target  => '/srv/leap/nickserver/bin/nickserver', +      require => Vcsrepo['/srv/leap/nickserver']; +    '/etc/init.d/nickserver': +      owner   => root, group => 0, mode => '0755', +      source  => '/srv/leap/nickserver/dist/debian-init-script', +      require => Vcsrepo['/srv/leap/nickserver']; +  } + +  service { 'nickserver': +    ensure     => running, +    enable     => true, +    hasrestart => true, +    hasstatus  => true, +    require    => File['/etc/init.d/nickserver']; +  } + +  # +  # FIREWALL +  # poke a hole in the firewall to allow nickserver requests +  # + +  file { '/etc/shorewall/macro.nickserver': +    content => "PARAM   -       -       tcp    $nickserver_port", +    notify  => Service['shorewall'], +    require => Package['shorewall']; +  } + +  
shorewall::rule { 'net2fw-nickserver': +    source      => 'net', +    destination => '$FW', +    action      => 'nickserver(ACCEPT)', +    order       => 200; +  } + +  # +  # APACHE REVERSE PROXY +  # nickserver doesn't speak TLS natively, let Apache handle that. +  # + +  apache::module { +    'proxy': ensure => present; +    'proxy_http': ensure => present +  } + +  apache::vhost::file { +    'nickserver': content => template('site_nickserver/nickserver-proxy.conf.erb') +  } + +  x509::key { 'nickserver': +    content => $x509_key, +    notify  => Service[apache]; +  } + +  x509::cert { 'nickserver': +    content => $x509_cert, +    notify  => Service[apache]; +  } + +  x509::ca { 'nickserver': +    content => $x509_ca, +    notify  => Service[apache]; +  } +}
\ No newline at end of file
diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb
new file mode 100644
index 00000000..67896cd3
--- /dev/null
+++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb
@@ -0,0 +1,23 @@
+#
+# Apache reverse proxy configuration for the Nickserver
+#
+
+Listen 0.0.0.0:<%= @nickserver_port -%>
+
+<VirtualHost *:<%= @nickserver_port -%>>
+  ServerName <%= @nickserver_domain %>
+  ServerAlias <%= @address_domain %>
+
+  SSLEngine on
+  SSLProtocol -all +SSLv3 +TLSv1
+  SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+  SSLHonorCipherOrder on
+
+  SSLCACertificatePath /etc/ssl/certs
+  SSLCertificateChainFile /etc/ssl/certs/nickserver.pem
+  SSLCertificateKeyFile /etc/x509/keys/nickserver.key
+  SSLCertificateFile /etc/x509/certs/nickserver.crt
+
+  ProxyPass / http://localhost:<%= @nickserver_local_port %>/
+  ProxyPreserveHost On  # preserve Host header in HTTP request
+</VirtualHost>
diff --git a/puppet/modules/site_nickserver/templates/nickserver.yml.erb b/puppet/modules/site_nickserver/templates/nickserver.yml.erb
new file mode 100644
index 00000000..7aab5605
--- /dev/null
+++ b/puppet/modules/site_nickserver/templates/nickserver.yml.erb
@@ -0,0 +1,19 @@
+#
+# configuration for nickserver.
+#
+
+domain: "<%= @address_domain %>"
+
+couch_host: "<%= @couchdb_host %>"
+couch_port: <%= @couchdb_port %>
+couch_database: "users"
+couch_user: "<%= @couchdb_user %>"
+couch_password: "<%= @couchdb_password %>"
+
+hkp_url: "https://hkps.pool.sks-keyservers.net:/pks/lookup"
+
+user: "nickserver"
+port: <%= @nickserver_local_port %>
+pid_file: "/var/run/nickserver"
+log_file: "/var/log/nickserver.log"
+
diff --git a/puppet/modules/site_openvpn/README b/puppet/modules/site_openvpn/README
new file mode 100644
index 00000000..cef5be23
--- /dev/null
+++ b/puppet/modules/site_openvpn/README
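Review bot: The `vcsrepo` for `/srv/leap/nickserver` tracks `revision => 'origin/master'` over the unauthenticated `git://` transport, so each puppet run can pull new, unverified code and `nickserver_bundler_update` then installs whatever gems that code declares; pin `revision` to a tag or commit id (`revision => '[tag-or-commit placeholder]'`) and fetch over `https://` or a verified mirror so the deployment is reproducible. The same checkout supplies `/etc/init.d/nickserver` (`source => '/srv/leap/nickserver/dist/debian-init-script'`, root-owned, mode 0755, run as root at boot), so the pin protects that file too. `nickserver_bundler_update` repeats `bundle check ||` inside `command` although `unless => '/usr/bin/bundle check'` already skips the exec; the command can be reduced to `/usr/bin/bundle install --path vendor/bundle`. The class's closing `}` is the last line of the hunk and the file has no trailing newline.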
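Review bot: `ProxyPreserveHost On  # preserve Host header in HTTP request` in nickserver-proxy.conf.erb does not parse: httpd only treats `#` as a comment at the start of a line, so the directive receives extra arguments and the server refuses the config; move the comment onto its own line above the directive. `SSLProtocol -all +SSLv3 +TLSv1` deliberately re-enables SSLv3 and `SSLCipherSuite HIGH:MEDIUM:...` admits the MEDIUM-strength suites on what is a public TLS endpoint; `SSLProtocol all -SSLv2 -SSLv3` and `SSLCipherSuite HIGH:!aNULL:!MD5` keep the proxy on TLS with strong ciphers, and the existing `SSLHonorCipherOrder on` makes that order stick.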
@@ -0,0 +1,20 @@
+Place to look when debugging problems
+========================================
+
+Log files:
+
+    openvpn: /var/log/syslog
+    shorewall: /var/log/syslog
+    shorewall startup: /var/log/shorewall-init.log
+
+Check NAT masq:
+
+    iptables -t nat --list-rules
+
+Check interfaces:
+
+   ip addr ls
+
+Scripts:
+
+   /usr/local/bin/add_gateway_ips.sh
\ No newline at end of file
diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp
index e3d2a9af..4f900623 100644
--- a/puppet/modules/site_openvpn/manifests/init.pp
+++ b/puppet/modules/site_openvpn/manifests/init.pp
@@ -1,55 +1,141 @@ +# +# An openvpn gateway can support three modes: +# +#   (1) limited and unlimited +#   (2) unlimited only +#   (3) limited only +# +# The difference is that 'unlimited' gateways only allow client certs that match the 'unlimited_prefix', +# and 'limited' gateways only allow certs that match the 'limited_prefix'. +# +# We potentially create four openvpn config files (thus four daemons): +# +#   (1) unlimited + tcp => tcp_config.conf +#   (2) unlimited + udp => udp_config.conf +#   (3) limited + tcp => limited_tcp_config.conf +#   (4) limited + udp => limited_udp_config.conf +# +  class site_openvpn {    tag 'leap_service' -  # parse hiera config -  $ip_address                 = hiera('ip_address') -  $interface                  = getvar("interface_${ip_address}") -  #$gateway_address           = hiera('gateway_address') -  $openvpn_config             = hiera('openvpn') -  $openvpn_gateway_address    = $openvpn_config['gateway_address'] -  $openvpn_tcp_network_prefix = '10.1.0' -  $openvpn_tcp_netmask        = '255.255.248.0' -  $openvpn_tcp_cidr           = '21' -  $openvpn_udp_network_prefix = '10.2.0' -  $openvpn_udp_netmask        = '255.255.248.0' -  $openvpn_udp_cidr           = '21' -  $x509_config                = hiera('x509') + +  $openvpn_config   = hiera('openvpn') +  $x509_config      = hiera('x509') +  $openvpn_ports    = $openvpn_config['ports'] + +  if $::ec2_instance_id { +    $openvpn_gateway_address = $::ipaddress +  } else { +    $openvpn_gateway_address         = $openvpn_config['gateway_address'] +    if $openvpn_config['second_gateway_address'] { +      $openvpn_second_gateway_address = $openvpn_config['second_gateway_address'] +    } else { +      $openvpn_second_gateway_address = undef +    } +  } + +  $openvpn_allow_unlimited              = $openvpn_config['allow_unlimited'] +  $openvpn_unlimited_prefix             = $openvpn_config['unlimited_prefix'] +  $openvpn_unlimited_tcp_network_prefix = '10.41.0' +  
$openvpn_unlimited_tcp_netmask        = '255.255.248.0' +  $openvpn_unlimited_tcp_cidr           = '21' +  $openvpn_unlimited_udp_network_prefix = '10.42.0' +  $openvpn_unlimited_udp_netmask        = '255.255.248.0' +  $openvpn_unlimited_udp_cidr           = '21' + +  if !$::ec2_instance_id { +    $openvpn_allow_limited                = $openvpn_config['allow_limited'] +    $openvpn_limited_prefix               = $openvpn_config['limited_prefix'] +    $openvpn_rate_limit                   = $openvpn_config['rate_limit'] +    $openvpn_limited_tcp_network_prefix   = '10.43.0' +    $openvpn_limited_tcp_netmask          = '255.255.248.0' +    $openvpn_limited_tcp_cidr             = '21' +    $openvpn_limited_udp_network_prefix   = '10.44.0' +    $openvpn_limited_udp_netmask          = '255.255.248.0' +    $openvpn_limited_udp_cidr             = '21' +  }    # deploy ca + server keys    include site_openvpn::keys -  # create 2 openvpn config files, one for tcp, one for udp -  site_openvpn::server_config { 'tcp_config': -    port        => '1194', -    proto       => 'tcp', -    local       => $openvpn_gateway_address, -    server      => "${openvpn_tcp_network_prefix}.0 ${openvpn_tcp_netmask}", -    push        => "\"dhcp-option DNS ${openvpn_tcp_network_prefix}.1\"", -    management  => '127.0.0.1 1000' +  if $openvpn_allow_unlimited and $openvpn_allow_limited { +    $unlimited_gateway_address = $openvpn_gateway_address +    $limited_gateway_address = $openvpn_second_gateway_address +  } elsif $openvpn_allow_unlimited { +    $unlimited_gateway_address = $openvpn_gateway_address +    $limited_gateway_address = undef +  } elsif $openvpn_allow_limited { +    $unlimited_gateway_address = undef +    $limited_gateway_address = $openvpn_gateway_address    } -  site_openvpn::server_config { 'udp_config': -    port        => '1194', -    proto       => 'udp', -    server      => "${openvpn_udp_network_prefix}.0 ${openvpn_udp_netmask}", -    push        => "\"dhcp-option DNS 
${openvpn_udp_network_prefix}.1\"", -    local       => $openvpn_gateway_address, -    management  => '127.0.0.1 1001' + +  if $openvpn_allow_unlimited { +    site_openvpn::server_config { 'tcp_config': +      port        => '1194', +      proto       => 'tcp', +      local       => $unlimited_gateway_address, +      tls_remote  => "\"${openvpn_unlimited_prefix}\"", +      server      => "${openvpn_unlimited_tcp_network_prefix}.0 ${openvpn_unlimited_tcp_netmask}", +      push        => "\"dhcp-option DNS ${openvpn_unlimited_tcp_network_prefix}.1\"", +      management  => '127.0.0.1 1000' +    } +    site_openvpn::server_config { 'udp_config': +      port        => '1194', +      proto       => 'udp', +      local       => $unlimited_gateway_address, +      tls_remote  => "\"${openvpn_unlimited_prefix}\"", +      server      => "${openvpn_unlimited_udp_network_prefix}.0 ${openvpn_unlimited_udp_netmask}", +      push        => "\"dhcp-option DNS ${openvpn_unlimited_udp_network_prefix}.1\"", +      management  => '127.0.0.1 1001' +    } +  } else { +    tidy { "/etc/openvpn/tcp_config.conf": } +    tidy { "/etc/openvpn/udp_config.conf": } +  } + +  if $openvpn_allow_limited { +    site_openvpn::server_config { 'limited_tcp_config': +      port        => '1194', +      proto       => 'tcp', +      local       => $limited_gateway_address, +      tls_remote  => "\"${openvpn_limited_prefix}\"", +      server      => "${openvpn_limited_tcp_network_prefix}.0 ${openvpn_limited_tcp_netmask}", +      push        => "\"dhcp-option DNS ${openvpn_limited_tcp_network_prefix}.1\"", +      management  => '127.0.0.1 1002' +    } +    site_openvpn::server_config { 'limited_udp_config': +      port        => '1194', +      proto       => 'udp', +      local       => $limited_gateway_address, +      tls_remote  => "\"${openvpn_limited_prefix}\"", +      server      => "${openvpn_limited_udp_network_prefix}.0 ${openvpn_limited_udp_netmask}", +      push        => "\"dhcp-option DNS 
${openvpn_limited_udp_network_prefix}.1\"", +      management  => '127.0.0.1 1003' +    } +  } else { +    tidy { "/etc/openvpn/limited_tcp_config.conf": } +    tidy { "/etc/openvpn/limited_udp_config.conf": }    } -  # add second IP on given interface -  file { '/usr/local/bin/leap_add_second_ip.sh': -    content => "#!/bin/sh -ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr add ${openvpn_gateway_address}/24 dev $interface -/bin/echo 1 > /proc/sys/net/ipv4/ip_forward -", -    mode    => '0755', +  file { +    '/usr/local/bin/add_gateway_ips.sh': +      content => template('site_openvpn/add_gateway_ips.sh.erb'), +      mode    => '0755';    } -  exec { '/usr/local/bin/leap_add_second_ip.sh': -    subscribe   => File['/usr/local/bin/leap_add_second_ip.sh'], +  exec { '/usr/local/bin/add_gateway_ips.sh': +    subscribe   => File['/usr/local/bin/add_gateway_ips.sh'],    } -  cron { 'leap_add_second_ip.sh': -    command => "/usr/local/bin/leap_add_second_ip.sh", +  exec { 'restart_openvpn': +    command     => '/etc/init.d/openvpn restart', +    refreshonly => true, +    subscribe   => File['/etc/openvpn'], +    require     => [ Package['openvpn'], File['/etc/openvpn'] ]; +  } + +  cron { 'add_gateway_ips.sh': +    command => '/usr/local/bin/add_gateway_ips.sh',      user    => 'root',      special => 'reboot',    } @@ -63,6 +149,7 @@ ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr a      'openvpn':        ensure => installed;    } +    service {      'openvpn':        ensure     => running, @@ -74,6 +161,7 @@ ip addr show dev $interface | grep -q ${openvpn_gateway_address}/24 || ip addr a    file {      '/etc/openvpn':        ensure  => directory, +      notify  => Exec['restart_openvpn'],        require => Package['openvpn'];    } diff --git a/puppet/modules/site_openvpn/manifests/resolver.pp b/puppet/modules/site_openvpn/manifests/resolver.pp index d3963c95..dc31767c 100644 
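Review bot: The `tls_remote => "\"${openvpn_unlimited_prefix}\""` and `tls_remote => "\"${openvpn_limited_prefix}\""` lines rely on OpenVPN's `tls-remote`, which matches the client certificate name by prefix, so the header comment's claim that a limited gateway only admits certs matching `limited_prefix` holds only if neither prefix is a prefix of the other; a comment next to the first `tls_remote`, e.g. `# tls-remote is a prefix match: limited_prefix and unlimited_prefix must not be prefixes of one another`, records that constraint (and that `tls-remote` is deprecated in newer OpenVPN releases in favour of `verify-x509-name`). On EC2 the `if !$::ec2_instance_id` block skips every `$openvpn_limited_*` assignment, so `$openvpn_allow_limited` is undef and the `else` branches tidy the limited configs; a one-line comment stating that limited gateways are intentionally unsupported on EC2 would save the next reader from hunting for the missing assignment. The `tidy` titles use double quotes with nothing to interpolate, e.g. `tidy { "/etc/openvpn/tcp_config.conf": }`; single quotes match the rest of the file. Whether a file removed by `tidy` triggers `restart_openvpn`, which subscribes to `File['/etc/openvpn']`, depends on that resource being recursive, which is outside this hunk.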
--- a/puppet/modules/site_openvpn/manifests/resolver.pp
+++ b/puppet/modules/site_openvpn/manifests/resolver.pp
@@ -1,5 +1,53 @@  class site_openvpn::resolver { +  if $site_openvpn::openvpn_allow_unlimited { +    $ensure_unlimited = 'present' +    file { +      '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': +        content => "interface: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr} allow\n", +        owner   => root, +        group   => root, +        mode    => '0644', +        require => Service['openvpn'], +        notify  => Service['unbound']; +      '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': +        content => "interface: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr} allow\n", +        owner   => root, +        group   => root, +        mode    => '0644', +        require => Service['openvpn'], +        notify  => Service['unbound']; +    } +  } else { +    $ensure_unlimited = 'absent' +    tidy { '/etc/unbound/conf.d/vpn_unlimited_udp_resolver': } +    tidy { '/etc/unbound/conf.d/vpn_unlimited_tcp_resolver': } +  } + +  if $site_openvpn::openvpn_allow_limited { +    $ensure_limited = 'present' +    file { +      '/etc/unbound/conf.d/vpn_limited_udp_resolver': +        content => "interface: ${site_openvpn::openvpn_limited_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr} allow\n", +        owner   => root, +        group   => root, +        mode    => '0644', +        require => Service['openvpn'], +        notify  => Service['unbound']; +      '/etc/unbound/conf.d/vpn_limited_tcp_resolver': +        content => "interface: ${site_openvpn::openvpn_limited_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr} allow\n", +        owner   => root, 
+        group   => root, +        mode    => '0644', +        require => Service['openvpn'], +        notify  => Service['unbound']; +    } +  } else { +    $ensure_limited = 'absent' +    tidy { '/etc/unbound/conf.d/vpn_limited_udp_resolver': } +    tidy { '/etc/unbound/conf.d/vpn_limited_tcp_resolver': } +  } +    # this is an unfortunate way to get around the fact that the version of    # unbound we are working with does not accept a wildcard include directive    # (/etc/unbound/conf.d/*), when it does, these line definitions should 
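Review bot: The `tidy { ... }` resources in both `else` branches carry no `age`, `size` or `matches` criteria and do not notify Service['unbound'], so on the disable path the conf file is removed without a restart, and a reader has to know tidy's no-criteria behaviour to see that it deletes the file at all. The `$ensure_unlimited`/`$ensure_limited` values assigned in the same branches already express the intent: hoist the four file resources out of the `if`, give each `ensure  => $ensure_unlimited` (resp. `$ensure_limited`), keep `notify  => Service['unbound']`, and the `else` branches shrink to the variable assignments. The four file bodies differ only in the limited/unlimited and tcp/udp variables, so a small define taking the network prefix and cidr would remove the repetition.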
@@ -7,30 +55,30 @@ class site_openvpn::resolver {    # include: /etc/unbound/conf.d/*    line { -    'add_tcp_resolver': -      ensure => present, -      file   => '/etc/unbound/unbound.conf', -      line   => 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver', -      notify => Service['unbound']; - -    'add_udp_resolver': -      ensure => present, -      file   => '/etc/unbound/unbound.conf', -      line   => 'server: include: /etc/unbound/conf.d/vpn_udp_resolver', -      notify => Service['unbound']; +    'add_unlimited_tcp_resolver': +      ensure  => $ensure_unlimited, +      file    => '/etc/unbound/unbound.conf', +      line    => 'server: include: /etc/unbound/conf.d/vpn_unlimited_tcp_resolver', +      notify  => Service['unbound'], +      require => Package['unbound']; +    'add_unlimited_udp_resolver': +      ensure  => $ensure_unlimited, +      file    => '/etc/unbound/unbound.conf', +      line    => 'server: include: /etc/unbound/conf.d/vpn_unlimited_udp_resolver', +      notify  => Service['unbound'], +      require => Package['unbound']; +    'add_limited_tcp_resolver': +      ensure  => $ensure_limited, +      file    => '/etc/unbound/unbound.conf', +      line    => 'server: include: /etc/unbound/conf.d/vpn_limited_tcp_resolver', +      notify  => Service['unbound'], +      require => Package['unbound']; +    'add_limited_udp_resolver': +      ensure  => $ensure_limited, +      file    => '/etc/unbound/unbound.conf', +      line    => 'server: include: /etc/unbound/conf.d/vpn_limited_udp_resolver', +      notify  => Service['unbound'], +      require => Package['unbound']    } -  file { -    '/etc/unbound/conf.d/vpn_udp_resolver': -      content => "interface: ${site_openvpn::openvpn_udp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr} allow\n", -      owner   => root, group => root, mode => '0644', -      require => Service['openvpn'], -      notify  => Service['unbound']; - -  
  '/etc/unbound/conf.d/vpn_tcp_resolver': -      content => "interface: ${site_openvpn::openvpn_tcp_network_prefix}.1\naccess-control: ${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr} allow\n", -      owner   => root, group => root, mode => '0644', -      require => Service['openvpn'], -      notify  => Service['unbound']; -  }  } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index de273b46..6106cfbb 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -52,18 +52,29 @@  #   note: the default is BF-CBC (blowfish)  # -define site_openvpn::server_config ($port, $proto, $local, $server, $push, $management ) { +define site_openvpn::server_config( +  $port, $proto, $local, $server, $push, +  $management, $tls_remote = undef) {    $openvpn_configname = $name    concat { -    "/etc/openvpn/$openvpn_configname.conf": +    "/etc/openvpn/${openvpn_configname}.conf":          owner   => root,          group   => root,          mode    => 644,          warn    => true,          require => File['/etc/openvpn'], -        notify  => Service['openvpn']; +        notify  => Exec['restart_openvpn']; +  } + +  if $tls_remote != undef { +    openvpn::option { +      "tls-remote $openvpn_configname": +         key     => 'tls-remote', +         value   => $tls_remote, +         server  => $openvpn_configname; +    }    }    openvpn::option { diff --git a/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb new file mode 100644 index 00000000..05f3d16b --- /dev/null +++ b/puppet/modules/site_openvpn/templates/add_gateway_ips.sh.erb 
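Review bot: The old `add_tcp_resolver`/`add_udp_resolver` include lines and the old `/etc/unbound/conf.d/vpn_tcp_resolver`/`vpn_udp_resolver` files are dropped from the manifest, but nothing removes them from hosts deployed with the previous version, so an upgraded node most likely keeps `server: include: /etc/unbound/conf.d/vpn_tcp_resolver` in unbound.conf pointing at the old prefixes, and unbound would refuse to start once that stale file is deleted by hand. Re-add the two old `line` resources with `ensure  => absent` (for example `'add_tcp_resolver': ensure => absent, file => '/etc/unbound/unbound.conf', line => 'server: include: /etc/unbound/conf.d/vpn_tcp_resolver', notify => Service['unbound'];`) plus `file { '/etc/unbound/conf.d/vpn_tcp_resolver': ensure => absent }` for each old conf file, ordered so the include line disappears before the file. The last `line` body omits the trailing `;` the other three have; harmless, but inconsistent.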
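Review bot: `tls-remote` matches the peer's X.509 name by prefix (a certificate whose name merely starts with `$tls_remote` passes) and is deprecated since OpenVPN 2.3 and removed in 2.4 in favour of the exact-match `verify-x509-name`; at minimum document that limitation next to the new option, and consider emitting `verify-x509-name ${tls_remote} name` where the installed OpenVPN supports it. The guard `if $tls_remote != undef {` is more idiomatically `if $tls_remote {`, and the title `"tls-remote $openvpn_configname"` should interpolate as `${openvpn_configname}` like the concat title above it. The define's remaining openvpn::option declarations continue past the end of the hunk.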
@@ -0,0 +1,11 @@ +#!/bin/sh + +ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_gateway_address %>/24 || +  ip addr add <%= @openvpn_gateway_address %>/24 dev <%= scope.lookupvar('site_config::params::interface') %> + +<% if @openvpn_second_gateway_address %> +ip addr show dev <%= scope.lookupvar('site_config::params::interface') %> | grep -q <%= @openvpn_second_gateway_address %>/24 || +  ip addr add <%= @openvpn_second_gateway_address %>/24 dev <%= scope.lookupvar('site_config::params::interface') %> +<% end %> + +/bin/echo 1 > /proc/sys/net/ipv4/ip_forward diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp index 9fa59569..73bed62b 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb.pp @@ -2,16 +2,17 @@ class site_shorewall::couchdb {    include site_shorewall::defaults -  $couchdb_port = '6984' +  $stunnel = hiera('stunnel') +  $couch_server = $stunnel['couch_server'] +  $couch_stunnel_port = $couch_server['accept']    # define macro for incoming services    file { '/etc/shorewall/macro.leap_couchdb': -    content => "PARAM   -       -       tcp    $couchdb_port", +    content => "PARAM   -       -       tcp    ${couch_stunnel_port}",      notify  => Service['shorewall'],      require => Package['shorewall']    } -    shorewall::rule {        'net2fw-couchdb':          source      => 'net', diff --git a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp new file mode 100644 index 00000000..20740650 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp 
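Review bot: `grep -q <%= @openvpn_gateway_address %>/24` is a regular-expression substring match rather than an exact address test (each dot matches any character), so `grep -qF` is the right tool for checking whether the prefix is already configured. `scope.lookupvar('site_config::params::interface')` is evaluated four times; bind it once at the top with `<% iface = scope.lookupvar('site_config::params::interface') -%>` and use `<%= iface %>` below. Writing `1` to `/proc/sys/net/ipv4/ip_forward` here duplicates what site_shorewall::ip_forward (included by site_shorewall::eip in this same diff) manages; one owner of that setting avoids the two disagreeing later.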
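Review bot: The macro now opens whatever `$stunnel['couch_server']['accept']` holds, with nothing saying that this is the stunnel listener rather than couchdb's own port (the removed hard-coded 6984); a comment above the file resource such as `# couchdb is reached through stunnel; expose only the stunnel accept port` would keep that clear. If `accept` can ever carry a `host:port` form like the `connect` values that bigcouch.pp strips with regsubst, the generated macro line would be malformed; confirm the hiera shape.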
@@ -0,0 +1,51 @@ +class site_shorewall::couchdb::bigcouch { + +  include site_shorewall::defaults + +  $stunnel = hiera('stunnel') + +  # Erlang Port Mapper Daemon (epmd) stunnel server/clients +  $epmd_clients         = $stunnel['epmd_clients'] +  $epmd_server          = $stunnel['epmd_server'] +  $epmd_server_port     = $epmd_server['accept'] +  $epmd_server_connect  = $epmd_server['connect'] + +  # Erlang Distributed Node Protocol (ednp) stunnel server/clients +  $ednp_clients         = $stunnel['ednp_clients'] +  $ednp_server          = $stunnel['ednp_server'] +  $ednp_server_port     = $ednp_server['accept'] +  $ednp_server_connect  = $ednp_server['connect'] + +  # define macro for incoming services +  file { '/etc/shorewall/macro.leap_bigcouch': +    content => "PARAM   -       -       tcp    ${epmd_server_port},${ednp_server_port}", +    notify  => Service['shorewall'], +    require => Package['shorewall'] +  } + +  shorewall::rule { +      'net2fw-bigcouch': +        source      => 'net', +        destination => '$FW', +        action      => 'leap_bigcouch(ACCEPT)', +        order       => 300; +  } + +  # setup DNAT rules for each epmd +  $epmd_shorewall_dnat_defaults = { +    'source'          => '$FW', +    'proto'           => 'tcp', +    'destinationport' => regsubst($epmd_server_connect, '^([0-9.]+:)([0-9]+)$', '\2') +  } +  create_resources(site_shorewall::couchdb::dnat, $epmd_clients, $epmd_shorewall_dnat_defaults) + +  # setup DNAT rules for each ednp +  $ednp_shorewall_dnat_defaults = { +    'source'          => '$FW', +    'proto'           => 'tcp', +    'destinationport' => regsubst($ednp_server_connect, '^([0-9.]+:)([0-9]+)$', '\2') +  } +  create_resources(site_shorewall::couchdb::dnat, $ednp_clients, $ednp_shorewall_dnat_defaults) + +} + diff --git a/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp b/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp new file mode 100644 index 00000000..f1bc9acf --- /dev/null 
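Review bot: `regsubst($epmd_server_connect, '^([0-9.]+:)([0-9]+)$', '\2')` only strips a dotted-IP prefix; if `connect` ever holds `hostname:port` or a bare port the pattern does not match and the whole string is passed through as `destinationport`, which shorewall will reject. `'^(?:.*:)?([0-9]+)$', '\1'` covers all three shapes, and the epmd and ednp blocks are identical apart from the prefix, so computing the port once in a small wrapper define keyed on the service name would halve the duplication. A comment explaining why DNAT is applied with `source => '$FW'` (local Erlang nodes are redirected into the local stunnel client) would help the next reader of the rules.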
+++ b/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp @@ -0,0 +1,21 @@ +define site_shorewall::couchdb::dnat ( +  $source, +  $connect, +  $connect_port, +  $accept_port, +  $proto, +  $destinationport ) +{ + + +  shorewall::rule { +    "dnat_${name}_${destinationport}": +      action          => 'DNAT', +      source          => $source, +      destination     => "\$FW:127.0.0.1:${accept_port}", +      proto           => $proto, +      destinationport => $destinationport, +      originaldest    => $connect, +      order           => 200 +  } +} diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index d5639a90..c62c9307 100644 --- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -1,17 +1,10 @@  class site_shorewall::defaults {    include shorewall +  include site_config::params    # be safe for development    #if ( $::virtual == 'virtualbox') { $shorewall_startup='0' } -  $ip_address     = hiera('ip_address') -  # a special case for vagrant interfaces -  $interface      = $::virtual ? { -    virtualbox => [ 'eth0', 'eth1' ], -    default    => getvar("interface_${ip_address}") -  } - -    # If you want logging:    shorewall::params {      'LOG': value => 'debug'; @@ -19,14 +12,13 @@ class site_shorewall::defaults {    shorewall::zone {'net': type => 'ipv4'; } -    # define interfaces -  shorewall::interface { $interface: +  shorewall::interface { $site_config::params::interface:      zone      => 'net',      options   => 'tcpflags,blacklist,nosmurfs';    } -  shorewall::routestopped { $interface: } +  shorewall::routestopped { $site_config::params::interface: }    shorewall::policy {      'fw-to-all': diff --git a/puppet/modules/site_shorewall/manifests/dnat.pp b/puppet/modules/site_shorewall/manifests/dnat.pp new file mode 100644 index 00000000..a73294cc --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/dnat.pp 
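Review bot: `$connect_port` is a required parameter of site_shorewall::couchdb::dnat but is never used in its body, so every entry of the `epmd_clients`/`ednp_clients` hashes must carry a value that has no effect here; presumably it is accepted because the same hiera entries also feed site_stunnel::clients, in which case a comment saying so (or `$connect_port = undef`) makes that explicit. The define is otherwise site_shorewall::dnat (the next file in this diff) with `destination` fixed to `"\$FW:127.0.0.1:${accept_port}"` and `originaldest` renamed to `connect`; declaring a `site_shorewall::dnat` from here instead of a second copy of the shorewall::rule keeps the two from drifting. The double blank line after the parameter list is a stray.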
@@ -0,0 +1,19 @@ +define site_shorewall::dnat ( +  $source, +  $destination, +  $proto, +  $destinationport, +  $originaldest ) { + + +  shorewall::rule { +    "dnat_${name}_${destinationport}": +      action          => 'DNAT', +      source          => $source, +      destination     => $destination, +      proto           => $proto, +      destinationport => $destinationport, +      originaldest    => $originaldest, +      order           => 200 +  } +} diff --git a/puppet/modules/site_shorewall/manifests/dnat_rule.pp b/puppet/modules/site_shorewall/manifests/dnat_rule.pp index 68f480d8..aa298408 100644 --- a/puppet/modules/site_shorewall/manifests/dnat_rule.pp +++ b/puppet/modules/site_shorewall/manifests/dnat_rule.pp 
@@ -2,24 +2,45 @@ define site_shorewall::dnat_rule {    $port = $name    if $port != 1194 { -    shorewall::rule { -        "dnat_tcp_port_$port": -          action          => 'DNAT', -          source          => 'net', -          destination     => "\$FW:${site_openvpn::openvpn_gateway_address}:1194", -          proto           => 'tcp', -          destinationport => $port, -          order           => 100; +    if $site_openvpn::openvpn_allow_unlimited { +      shorewall::rule { +          "dnat_tcp_port_$port": +            action          => 'DNAT', +            source          => 'net', +            destination     => "\$FW:${site_openvpn::unlimited_gateway_address}:1194", +            proto           => 'tcp', +            destinationport => $port, +            order           => 100; +      } +      shorewall::rule { +          "dnat_udp_port_$port": +            action          => 'DNAT', +            source          => 'net', +            destination     => "\$FW:${site_openvpn::unlimited_gateway_address}:1194", +            proto           => 'udp', +            destinationport => $port, +            order           => 100; +      }      } - -    shorewall::rule { -        "dnat_udp_port_$port": -          action          => 'DNAT', -          source          => 'net', -          destination     => "\$FW:${site_openvpn::openvpn_gateway_address}:1194", -          proto           => 'udp', -          destinationport => $port, -          order           => 100; +    if $site_openvpn::openvpn_allow_limited { +      shorewall::rule { +          "dnat_free_tcp_port_$port": +            action          => 'DNAT', +            source          => 'net', +            destination     => "\$FW:${site_openvpn::limited_gateway_address}:1194", +            proto           => 'tcp', +            destinationport => $port, +            order           => 100; +      } +      shorewall::rule { +          "dnat_free_udp_port_$port": +            action          => 'DNAT', 
+            source          => 'net', +            destination     => "\$FW:${site_openvpn::limited_gateway_address}:1194", +            proto           => 'udp', +            destinationport => $port, +            order           => 100; +      }      }    }  } diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp index 4e5a5d48..7109b770 100644 --- a/puppet/modules/site_shorewall/manifests/eip.pp +++ b/puppet/modules/site_shorewall/manifests/eip.pp 
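Review bot: The titles in the limited branch are `dnat_free_tcp_port_$port`/`dnat_free_udp_port_$port` while the condition, the gateway variable and the rest of this commit call the feature `limited`; renaming them `dnat_limited_*` keeps rule names searchable, and `$port` inside the double-quoted titles should be `${port}`. `$site_openvpn::unlimited_gateway_address` and `$site_openvpn::limited_gateway_address` are referenced here but not declared anywhere visible in this diff (the site_openvpn variables seen elsewhere carry an `openvpn_` prefix); confirm they exist, since an undefined variable would interpolate to an empty DNAT destination. The four near-identical shorewall::rule bodies differ only in proto and destination, so a nested define taking those two would remove the repetition.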
@@ -1,54 +1,56 @@  class site_shorewall::eip {    include site_shorewall::defaults +  include site_config::params    include site_shorewall::ip_forward -  $openvpn_config = hiera('openvpn') -  $openvpn_ports  = $openvpn_config['ports'] -  $openvpn_gateway_address = $site_openvpn::openvpn_gateway_address -    # define macro for incoming services    file { '/etc/shorewall/macro.leap_eip':      content => "PARAM   -       -       tcp     1194 -PARAM   -       -       udp     1194 -", -    notify  => Service['shorewall'] +    PARAM   -       -       udp     1194 +    ", +    notify  => Service['shorewall'], +    require => Package['shorewall']    } -    shorewall::interface {      'tun0':        zone    => 'eip',        options => 'tcpflags,blacklist,nosmurfs';      'tun1':        zone    => 'eip', -      options => 'tcpflags,blacklist,nosmurfs' +      options => 'tcpflags,blacklist,nosmurfs'; +    'tun2': +      zone    => 'eip', +      options => 'tcpflags,blacklist,nosmurfs'; +    'tun3': +      zone    => 'eip', +      options => 'tcpflags,blacklist,nosmurfs';    } +  shorewall::zone { +    'eip': +      type => 'ipv4'; +  } -  shorewall::zone {'eip': -    type => 'ipv4'; } +  $interface = $site_config::params::interface -  case $::virtual { -    'virtualbox': { -      shorewall::masq { -        'eth0_tcp': -          interface => 'eth0', -          source    => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}"; -        'eth0_udp': -          interface => 'eth0', -          source    => "${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; } -    } -    default: { -      $interface = $site_shorewall::defaults::interface -      shorewall::masq { -        "${interface}_tcp": -          interface => $interface, -          source    => "${site_openvpn::openvpn_tcp_network_prefix}.0/${site_openvpn::openvpn_tcp_cidr}"; - -        "${interface}_udp": -          interface => $interface, -          source    => 
"${site_openvpn::openvpn_udp_network_prefix}.0/${site_openvpn::openvpn_udp_cidr}"; } +  shorewall::masq { +    "${interface}_unlimited_tcp": +      interface => $interface, +      source    => "${site_openvpn::openvpn_unlimited_tcp_network_prefix}.0/${site_openvpn::openvpn_unlimited_tcp_cidr}"; +    "${interface}_unlimited_udp": +      interface => $interface, +      source    => "${site_openvpn::openvpn_unlimited_udp_network_prefix}.0/${site_openvpn::openvpn_unlimited_udp_cidr}"; +  } +  if ! $::ec2_instance_id { +    shorewall::masq { +      "${interface}_limited_tcp": +        interface => $interface, +        source    => "${site_openvpn::openvpn_limited_tcp_network_prefix}.0/${site_openvpn::openvpn_limited_tcp_cidr}"; +      "${interface}_limited_udp": +        interface => $interface, +        source    => "${site_openvpn::openvpn_limited_udp_network_prefix}.0/${site_openvpn::openvpn_limited_udp_cidr}";      }    } @@ -61,15 +63,14 @@ PARAM   -       -       udp     1194    }    shorewall::rule { -      'net2fw-openvpn': -        source      => 'net', -        destination => '$FW', -        action      => 'leap_eip(ACCEPT)', -        order       => 200; +    'net2fw-openvpn': +      source      => 'net', +      destination => '$FW', +      action      => 'leap_eip(ACCEPT)', +      order       => 200;    }    # create dnat rule for each port -  #create_resources('site_shorewall::dnat_rule', $openvpn_ports) -  site_shorewall::dnat_rule { $openvpn_ports: } +  site_shorewall::dnat_rule { $site_openvpn::openvpn_ports: }  } diff --git a/puppet/modules/site_shorewall/manifests/webapp.pp b/puppet/modules/site_shorewall/manifests/webapp.pp index d12bbc8f..a8d2aa5b 100644 --- a/puppet/modules/site_shorewall/manifests/webapp.pp +++ b/puppet/modules/site_shorewall/manifests/webapp.pp 
@@ -2,5 +2,6 @@ class site_shorewall::webapp {    include site_shorewall::defaults    include site_shorewall::service::https +  include site_shorewall::service::http    include site_shorewall::service::webapp_api  } diff --git a/puppet/modules/site_sshd/manifests/authorized_keys.pp b/puppet/modules/site_sshd/manifests/authorized_keys.pp new file mode 100644 index 00000000..c18f691c --- /dev/null +++ b/puppet/modules/site_sshd/manifests/authorized_keys.pp @@ -0,0 +1,19 @@ +define site_sshd::authorized_keys ($keys, $ensure = 'present', $home = '') { +  # This line allows default homedir based on $title variable. +  # If $home is empty, the default is used. +  $homedir = $home ? {'' => "/home/${title}", default => $home} +  file { +    "${homedir}/.ssh": +      ensure  => 'directory', +      owner   => $title, +      group   => $title, +      mode    => '0700'; +    "${homedir}/.ssh/authorized_keys": +      ensure  => $ensure, +      owner   => $ensure ? {'present' => $title, default => undef }, +      group   => $ensure ? {'present' => $title, default => undef }, +      mode    => '0600', +      require => File["${homedir}/.ssh"], +      content => template('site_sshd/authorized_keys.erb'); +  } +} diff --git a/puppet/modules/site_sshd/manifests/deploy_authorized_keys.pp b/puppet/modules/site_sshd/manifests/deploy_authorized_keys.pp new file mode 100644 index 00000000..97ca058f --- /dev/null +++ b/puppet/modules/site_sshd/manifests/deploy_authorized_keys.pp @@ -0,0 +1,9 @@ +class site_sshd::deploy_authorized_keys ( $keys ) { +  tag 'leap_authorized_keys' + +  site_sshd::authorized_keys {'root': +    keys => $keys, +    home => '/root' +  } + +} diff --git a/puppet/modules/site_sshd/manifests/init.pp b/puppet/modules/site_sshd/manifests/init.pp index 630e9bdf..90dd2d0e 100644 --- a/puppet/modules/site_sshd/manifests/init.pp +++ b/puppet/modules/site_sshd/manifests/init.pp 
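Review bot: Opening plain HTTP via `include site_shorewall::service::http` widens the exposed surface of the webapp node, and nothing in this diff shows what answers on port 80 (site_webapp::apache only turns on ssl); a comment on the include such as `# port 80 is exposed for the http -> https redirect` — or whatever the actual reason is — records the intent for whoever audits the rules later.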
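Review bot: In site_sshd::authorized_keys the `${homedir}/.ssh` directory is always enforced as present and owned by `$title`, even when `$ensure` is `'absent'`, so revoking a user's keys still creates or re-owns the directory; if that is intended (only the key file is governed by `$ensure`) a comment like `# ensure applies to authorized_keys only; .ssh itself is always kept` says so, otherwise the directory's ensure should follow `$ensure` too. The two identical `$ensure ? {'present' => $title, default => undef }` selectors for owner and group could be a single `$file_owner` variable.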
@@ -1 +1,31 @@ -class site_sshd {} +class site_sshd { +  $ssh = hiera_hash('ssh') + +  ## +  ## SETUP AUTHORIZED KEYS +  ## + +  $authorized_keys = $ssh['authorized_keys'] + +  class { 'site_sshd::deploy_authorized_keys': +    keys => $authorized_keys +  } + +  ## +  ## OPTIONAL MOSH SUPPORT +  ## + +  $mosh = $ssh['mosh'] + +  if $mosh['enabled'] { +    class { 'site_sshd::mosh': +      ensure => present, +      ports  => $mosh['ports'] +    } +  } +  else { +    class { 'site_sshd::mosh': +      ensure => absent +    } +  } +} diff --git a/puppet/modules/site_sshd/manifests/mosh.pp b/puppet/modules/site_sshd/manifests/mosh.pp new file mode 100644 index 00000000..49f56ca0 --- /dev/null +++ b/puppet/modules/site_sshd/manifests/mosh.pp @@ -0,0 +1,21 @@ +class site_sshd::mosh ( $ensure = present, $ports = '60000-61000' ) { + +  package { 'mosh': +    ensure => $ensure +  } + +  file { '/etc/shorewall/macro.mosh': +    ensure  => $ensure, +    content => "PARAM   -       -       udp    ${ports}", +    notify  => Service['shorewall'], +    require => Package['shorewall']; +  } + +  shorewall::rule { 'net2fw-mosh': +    ensure      => $ensure, +    source      => 'net', +    destination => '$FW', +    action      => 'mosh(ACCEPT)', +    order       => 200; +  } +} diff --git a/puppet/modules/site_sshd/manifests/ssh_key.pp b/puppet/modules/site_sshd/manifests/ssh_key.pp deleted file mode 100644 index b47b2ebd..00000000 --- a/puppet/modules/site_sshd/manifests/ssh_key.pp +++ /dev/null @@ -1,3 +0,0 @@ -define site_sshd::ssh_key($key) { -  # ... todo: deploy ssh_key -} diff --git a/puppet/modules/site_sshd/templates/authorized_keys.erb b/puppet/modules/site_sshd/templates/authorized_keys.erb new file mode 100644 index 00000000..3c65e8ab --- /dev/null +++ b/puppet/modules/site_sshd/templates/authorized_keys.erb 
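Review bot: `$mosh['enabled']` indexes `$ssh['mosh']` without checking that the key exists; if the `ssh` hash in hiera carries no `mosh` entry the lookup yields undef and the catalog most likely fails to compile instead of falling through to the `absent` branch. stdlib is available (site.pp includes it), so `if is_hash($mosh) and $mosh['enabled'] {` makes the optional feature actually optional. `$ssh['authorized_keys']` is likewise passed unchecked to site_sshd::deploy_authorized_keys, whose `$keys` parameter is required.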
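Review bot: The default `$ports = '60000-61000'` is written with a hyphen, but shorewall expresses port ranges as `low:high` in the DEST PORT(S) column, so the generated `/etc/shorewall/macro.mosh` line `PARAM   -       -       udp    60000-61000` will most likely be rejected on reload; `'60000:61000'` is the form it expects, and a comment on the parameter stating that syntax keeps hiera `ports` values consistent. When `$ensure` is `absent` the macro file and the rule are both removed; a note that the rule is dropped before the macro it references (or an explicit ordering) would make that safe by construction rather than by luck.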
@@ -0,0 +1,6 @@ +# NOTICE: This file is autogenerated by Puppet +# all manually added keys will be overridden + +<% keys.sort.each do |user, hash| -%> +<%=hash['type']-%> <%=hash['key']%> <%=user%>  +<% end -%>  diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp new file mode 100644 index 00000000..ed766e1a --- /dev/null +++ b/puppet/modules/site_stunnel/manifests/clients.pp @@ -0,0 +1,26 @@ +define site_stunnel::clients ( +  $accept_port, +  $connect_port, +  $connect, +  $cafile, +  $key, +  $cert, +  $client     = true, +  $verify     = '2', +  $pid        = $name, +  $rndfile    = '/var/lib/stunnel4/.rnd', +  $debuglevel = '4' ) { + +  stunnel::service { $name: +    accept     => "127.0.0.1:${accept_port}", +    connect    => "${connect}:${connect_port}", +    client     => $client, +    cafile     => $cafile, +    key        => $key, +    cert       => $cert, +    verify     => $verify, +    pid        => "/var/run/stunnel4/${pid}.pid", +    rndfile    => $rndfile, +    debuglevel => $debuglevel +  } +} diff --git a/puppet/modules/site_stunnel/manifests/init.pp b/puppet/modules/site_stunnel/manifests/init.pp new file mode 100644 index 00000000..c7d6acc6 --- /dev/null +++ b/puppet/modules/site_stunnel/manifests/init.pp @@ -0,0 +1,17 @@ +class site_stunnel { + +  # include the generic stunnel module +  # increase the number of open files to allow for 800 connections +  class { 'stunnel': default_extra => 'ulimit -n 4096' } + +  # The stunnel.conf provided by the Debian package is broken by default +  # so we get rid of it and just define our own. See #549384 +  if !defined(File['/etc/stunnel/stunnel.conf']) { +    file { +      # this file is a broken config installed by the package +      '/etc/stunnel/stunnel.conf': +        ensure => absent; +    } +  } +} + 
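Review bot: The template reads the define's parameter as bare `keys`; in Puppet 3 templates unqualified variable access is deprecated in favour of the instance-variable form, so `<% @keys.sort.each do |user, hash| -%>` is the spelling that keeps working. Each emitted line ends with two trailing spaces (`<%=user%>  `), harmless to sshd but noise in every diff of the generated file. Because this file replaces root's authorized_keys wholesale (the header says so), the manifest that feeds `keys` is the one place to validate that each `key` value is a single line.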
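Review bot: `$verify = '2'` means stunnel only checks that the peer certificate chains to `cafile`; every certificate issued by that CA is accepted, so the effective trust boundary is "anything the CA in cafile has signed", which deserves a comment on the parameter. Where per-peer pinning is wanted, stunnel's verify level 3 checks the peer against a locally installed certificate. `$client = true` is a settable parameter on a define named `clients`; if no caller is expected to set it false, hard-coding `client => true` documents that.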
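Review bot: The `!defined(File['/etc/stunnel/stunnel.conf'])` guard is evaluated in parse order, so whether the package's broken stunnel.conf is removed depends on which class happens to be evaluated first; if another class declares that file the outcome varies between runs, and if none does the guard is dead weight. If the intent is that the generic stunnel module may also manage the file, say so in the comment; otherwise declare `file { '/etc/stunnel/stunnel.conf': ensure => absent }` unconditionally. The `ulimit -n 4096` comment should relate the number to the "800 connections" it mentions rather than leave the reader to guess the multiplier.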
diff --git a/puppet/modules/site_stunnel/manifests/setup.pp b/puppet/modules/site_stunnel/manifests/setup.pp new file mode 100644 index 00000000..92eeb425 --- /dev/null +++ b/puppet/modules/site_stunnel/manifests/setup.pp @@ -0,0 +1,24 @@ +class site_stunnel::setup ($cert_name, $key, $cert, $ca_name, $ca) { + +  include site_stunnel + +  x509::key { +    $cert_name: +      content => $key, +      notify  => Service['stunnel']; +  } + +  x509::cert { +    $cert_name: +      content => $cert, +      notify  => Service['stunnel']; +  } + +  x509::ca { +    $ca_name: +      content => $ca, +      notify  => Service['stunnel']; +  } + +} + diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index ceb6fb13..50ab636b 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -15,6 +15,7 @@ class site_tor {      address          => $address,      contact_info     => $contact_email,      bandwidth_rate   => $bandwidth_rate, +    my_family        => '$2A431444756B0E7228A7918C85A8DACFF7E3B050',    }    tor::daemon::directory { $::hostname: port => 80 } diff --git a/puppet/modules/site_webapp/files/migrate_design_documents b/puppet/modules/site_webapp/files/migrate_design_documents new file mode 100644 index 00000000..6e24aa5b --- /dev/null +++ b/puppet/modules/site_webapp/files/migrate_design_documents @@ -0,0 +1,16 @@ +#!/bin/sh + +cd /srv/leap/webapp + +# use admin credentials +cp config/couchdb.yml.admin config/couchdb.yml +chown leap-webapp:leap-webapp config/couchdb.yml + +# needs to be run twice  +RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate +RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate + +# use user credentials and remove admin credentials +cp config/couchdb.yml.webapp config/couchdb.yml +chown leap-webapp:leap-webapp config/couchdb.yml + 
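Review bot: `my_family` is hard-coded to a single relay fingerprint inside the shared module, so every provider deploying this manifest declares family membership with that one relay regardless of who operates it; MyFamily is per-provider data and belongs in hiera next to `address` and `contact_email` (under a key such as `family` — name to be chosen), with the module passing it through and omitting the option when the value is empty. The enclosing resource declaration starts before this hunk.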
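Review bot: The script swaps the admin credentials into `config/couchdb.yml` and only restores the webapp credentials at the very end, with no `set -e` and no trap, so if `cd` or either `rake couchrest:migrate` fails the admin credentials stay in the file the web application reads. Restoring the webapp credentials from an EXIT trap and failing early bounds the window in which admin credentials are live. The exec that runs this (site_webapp::couchdb) has no `user`, so bundle runs as root; if that is intended, a comment on why the chown is still needed would help.
```sh
#!/bin/sh
set -e

cd /srv/leap/webapp

restore_webapp_credentials() {
  cp config/couchdb.yml.webapp config/couchdb.yml
  chown leap-webapp:leap-webapp config/couchdb.yml
}
# whatever happens below, never leave the admin credentials in place
trap restore_webapp_credentials EXIT

# use admin credentials
cp config/couchdb.yml.admin config/couchdb.yml
chown leap-webapp:leap-webapp config/couchdb.yml

# … unchanged: the two rake couchrest:migrate invocations …
```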
diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index 554b9147..8b340160 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -12,8 +12,7 @@ class site_webapp::apache {    $api_cert         = $x509['cert']    $api_root         = $x509['ca_cert'] -  $apache_no_default_site = true -  include apache::ssl +  class { '::apache': no_default_site => true, ssl => true }    apache::module {      'alias':   ensure => present; diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 6cac666f..b4ef0980 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp 
@@ -1,16 +1,79 @@  class site_webapp::couchdb { -  $webapp           = hiera('webapp') -  $couchdb_host     = $webapp['couchdb_hosts'] -  $couchdb_user     = $webapp['couchdb_user']['username'] -  $couchdb_password = $webapp['couchdb_user']['password'] +  $webapp                  = hiera('webapp') +  # haproxy listener on port localhost:4096, see site_webapp::haproxy +  $couchdb_host            = 'localhost' +  $couchdb_port            = '4096' +  $couchdb_admin_user      = $webapp['couchdb_admin_user']['username'] +  $couchdb_admin_password  = $webapp['couchdb_admin_user']['password'] +  $couchdb_webapp_user     = $webapp['couchdb_webapp_user']['username'] +  $couchdb_webapp_password = $webapp['couchdb_webapp_user']['password'] + +  $stunnel                 = hiera('stunnel') +  $couch_client            = $stunnel['couch_client'] +  $couch_client_connect    = $couch_client['connect'] + +  include x509::variables +  $x509                    = hiera('x509') +  $key                     = $x509['key'] +  $cert                    = $x509['cert'] +  $ca                      = $x509['ca_cert'] +  $cert_name               = 'leap_couchdb' +  $ca_name                 = 'leap_ca' +  $ca_path                 = "${x509::variables::local_CAs}/${ca_name}.crt" +  $cert_path               = "${x509::variables::certs}/${cert_name}.crt" +  $key_path                = "${x509::variables::keys}/${cert_name}.key"    file { -    '/srv/leap-webapp/config/couchdb.yml': +    '/srv/leap/webapp/config/couchdb.yml.admin': +      content => template('site_webapp/couchdb.yml.admin.erb'), +      owner   => leap-webapp, +      group   => leap-webapp, +      mode    => '0600', +      require => Vcsrepo['/srv/leap/webapp']; + +    '/srv/leap/webapp/config/couchdb.yml.webapp':        content => template('site_webapp/couchdb.yml.erb'),        owner   => leap-webapp,        group   => leap-webapp, -      mode    => '0600'; +      mode    => '0600', +      require => Vcsrepo['/srv/leap/webapp']; + +    
'/srv/leap/webapp/logs/production.log': +      owner   => leap-webapp, +      group   => leap-webapp, +      mode    => '0666', +      require => Vcsrepo['/srv/leap/webapp']; + +    '/usr/local/sbin/migrate_design_documents': +      source => 'puppet:///modules/site_webapp/migrate_design_documents', +      owner  => root, +      group  => root, +      mode   => '0744'; +  } + +  class { 'site_stunnel::setup': +    cert_name => $cert_name, +    key       => $key, +    cert      => $cert, +    ca_name   => $ca_name, +    ca        => $ca +  } + +  exec { 'migrate_design_documents': +    cwd      => '/srv/leap/webapp', +    command  => '/usr/local/sbin/migrate_design_documents', +    require  => Exec['bundler_update'], +    notify   => Service['apache']; +  } + +  $couchdb_stunnel_client_defaults = { +    'connect_port' => $couch_client_connect, +    'client'     => true, +    'cafile'     => $ca_path, +    'key'        => $key_path, +    'cert'       => $cert_path,    } +  create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults)  } diff --git a/puppet/modules/site_webapp/manifests/haproxy.pp b/puppet/modules/site_webapp/manifests/haproxy.pp new file mode 100644 index 00000000..4a7e3c25 --- /dev/null +++ b/puppet/modules/site_webapp/manifests/haproxy.pp @@ -0,0 +1,14 @@ +class site_webapp::haproxy { + +  include site_haproxy + +  $haproxy     = hiera('haproxy') +  $local_ports = $haproxy['local_ports'] + +  # Template uses $global_options, $defaults_options +  concat::fragment { 'leap_haproxy_webapp_couchdb': +    target  => '/etc/haproxy/haproxy.cfg', +    order   => '20', +    content => template('site_webapp/haproxy_couchdb.cfg.erb'), +  } +} diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index e8134521..e743dc07 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp 
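Review bot: `exec { 'migrate_design_documents': }` has neither `refreshonly`, `creates` nor `unless`, so the migration script runs on every agent run and, through `notify   => Service['apache']`, restarts apache every run as well; `refreshonly => true` with `subscribe => [ Vcsrepo['/srv/leap/webapp'], File['/srv/leap/webapp/config/couchdb.yml.admin'] ]` (plus whatever else should trigger it) limits it to real changes. `/srv/leap/webapp/logs/production.log` is created with `mode    => '0666'`, writable by every local account, which lets any user truncate or write into the production log; `0640` owned by leap-webapp is sufficient if the application runs as that user. `couchdb.yml.admin` is owned by leap-webapp, so the web process can read the couchdb admin credentials at any time, which undoes the point of a separate webapp user; since the migration exec runs as root, `owner => root, mode => '0600'` is enough for the admin file. `$couch_client` is read both as a record (`$couch_client['connect']`) and as the resource hash handed to create_resources; depending on the hiera shape one of the two reads is wrong, and the `'connect_port'` key is misaligned with its neighbours.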
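Review bot: The comment `# Template uses $global_options, $defaults_options` names two variables this class never defines, while `$local_ports`, which it does define, goes unmentioned; presumably the template reads `@local_ports` and the global/defaults sections come from site_haproxy, so the comment should say that: `# haproxy_couchdb.cfg.erb reads $local_ports; global/defaults sections come from site_haproxy`. If `$local_ports` is in fact unused by the template, drop it.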
@@ -3,20 +3,19 @@ class site_webapp {    $definition_files = hiera('definition_files')    $provider         = $definition_files['provider']    $eip_service      = $definition_files['eip_service'] +  $soledad_service  = $definition_files['soledad_service'] +  $smtp_service     = $definition_files['smtp_service']    $node_domain      = hiera('domain')    $provider_domain  = $node_domain['full_suffix']    $webapp           = hiera('webapp') +  $api_version      = $webapp['api_version'] +  $secret_token     = $webapp['secret_token'] -  Class[Ruby] -> Class[rubygems] -> Class[bundler::install] - -  class { 'ruby': ruby_version => '1.9.3' } - -  class { 'bundler::install': install_method => 'package' } - -  include rubygems +  include site_config::ruby    include site_webapp::apache    include site_webapp::couchdb    include site_webapp::client_ca +  include site_webapp::haproxy    group { 'leap-webapp':      ensure    => present, @@ -28,19 +27,20 @@ class site_webapp {      allowdupe => false,      gid       => 'leap-webapp',      groups    => 'ssl-cert', -    home      => '/srv/leap-webapp', +    home      => '/srv/leap/webapp',      require   => [ Group['leap-webapp'] ];    } -  file { '/srv/leap-webapp': +  file { '/srv/leap/webapp':      ensure  => directory,      owner   => 'leap-webapp',      group   => 'leap-webapp',      require => User['leap-webapp'];    } -  vcsrepo { '/srv/leap-webapp': +  vcsrepo { '/srv/leap/webapp':      ensure   => present, +    force    => true,      revision => 'origin/master',      provider => git,      source   => 'git://code.leap.se/leap_web', 
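Review bot: `force    => true` on the vcsrepo makes every agent run overwrite local modifications in `/srv/leap/webapp` with whatever `origin/master` currently holds, and combined with the unauthenticated `git://` transport on the context line below it and a moving branch, the deployed application is whatever the remote, or anyone on the path, serves at that moment. Pinning `revision` to a tag or commit and fetching over an authenticated transport limits that, and a comment on `force` should name which local changes it is meant to discard (the favicon and stylesheet links are dropped in a later hunk of this file). `$secret_token` is read from hiera in the first hunk but is not used anywhere visible in this diff; if a template consumes it, a comment saying which one would save the search.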
@@ -51,17 +51,17 @@ class site_webapp {
   }
   exec { 'bundler_update':
-    cwd     => '/srv/leap-webapp',
-    command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle"',
+    cwd     => '/srv/leap/webapp',
+    command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle --without test development"',
     unless  => '/usr/bin/bundle check',
     user    => 'leap-webapp',
     timeout => 600,
-    require => [ Class['bundler::install'], Vcsrepo['/srv/leap-webapp'] ],
+    require => [ Class['bundler::install'], Vcsrepo['/srv/leap/webapp'] ],
     notify  => Service['apache'];
   }
   exec { 'compile_assets':
-    cwd     => '/srv/leap-webapp',
+    cwd     => '/srv/leap/webapp',
     command => '/bin/bash -c "/usr/bin/bundle exec rake assets:precompile"',
     user    => 'leap-webapp',
     require => Exec['bundler_update'],
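Review bot: `require => [ Class['bundler::install'], Vcsrepo['/srv/leap/webapp'] ]` keeps a reference to `Class['bundler::install']` although the `@@ -3,20 +3,19 @@` hunk of this file removed the `class { 'bundler::install': ... }` declaration in favour of `include site_config::ruby`. The catalog now compiles only if site_config::ruby declares that class, which this diff does not show; requiring the class that is actually declared in this manifest, `require => [ Class['site_config::ruby'], Vcsrepo['/srv/leap/webapp'] ],`, keeps the dependency local and survives a later change inside site_config::ruby. The enclosing `exec { 'bundler_update': ... }` is fully visible, but the class body continues outside the hunk.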
@@ -69,47 +69,72 @@ class site_webapp {
   }
   file {
-    '/srv/leap-webapp/public/provider.json':
+    '/srv/leap/webapp/public/provider.json':
       content => $provider,
+      require => Vcsrepo['/srv/leap/webapp'],
       owner   => leap-webapp, group => leap-webapp, mode => '0644';
-    '/srv/leap-webapp/public/ca.crt':
+    '/srv/leap/webapp/public/ca.crt':
       ensure  => link,
+      require => Vcsrepo['/srv/leap/webapp'],
       target  => '/usr/local/share/ca-certificates/leap_api.crt';
-    '/srv/leap-webapp/public/config':
+    "/srv/leap/webapp/public/${api_version}":
       ensure => directory,
+      require => Vcsrepo['/srv/leap/webapp'],
       owner  => leap-webapp, group => leap-webapp, mode => '0755';
-    '/srv/leap-webapp/public/config/eip-service.json':
+    "/srv/leap/webapp/public/${api_version}/config/":
+      ensure => directory,
+      require => Vcsrepo['/srv/leap/webapp'],
+      owner  => leap-webapp, group => leap-webapp, mode => '0755';
+
+    "/srv/leap/webapp/public/${api_version}/config/eip-service.json":
       content => $eip_service,
+      require => Vcsrepo['/srv/leap/webapp'],
       owner   => leap-webapp, group => leap-webapp, mode => '0644';
-  }
-  try::file {
-    '/srv/leap-webapp/public/favicon.ico':
-      ensure => 'link',
-      target => $webapp['favicon'];
-
-    '/srv/leap-webapp/app/assets/stylesheets/tail.scss':
-      ensure => 'link',
-      target => $webapp['tail_scss'];
+    "/srv/leap/webapp/public/${api_version}/config/soledad-service.json":
+      content => $soledad_service,
+      require => Vcsrepo['/srv/leap/webapp'],
+      owner   => leap-webapp, group => leap-webapp, mode => '0644';
-    '/srv/leap-webapp/app/assets/stylesheets/head.scss':
-      ensure => 'link',
-      target => $webapp['head_scss'];
+    "/srv/leap/webapp/public/${api_version}/config/smtp-service.json":
+      content => $smtp_service,
+      require => Vcsrepo['/srv/leap/webapp'],
+      owner   => leap-webapp, group => leap-webapp, mode => '0644';
+  }
-    '/srv/leap-webapp/public/img':
-      ensure => 'link',
-      target => $webapp['img_dir'];
+  try::file {
+    '/srv/leap/webapp/public/favicon.ico':
+      ensure  => 'link',
+      require => Vcsrepo['/srv/leap/webapp'],
+      target  => $webapp['favicon'];
+
+    '/srv/leap/webapp/app/assets/stylesheets/tail.scss':
+      ensure  => 'link',
+      require => Vcsrepo['/srv/leap/webapp'],
+      target  => $webapp['tail_scss'];
+
+    '/srv/leap/webapp/app/assets/stylesheets/head.scss':
+      ensure  => 'link',
+      require => Vcsrepo['/srv/leap/webapp'],
+      target  => $webapp['head_scss'];
+
+    '/srv/leap/webapp/public/img':
+      ensure  => 'link',
+      require => Vcsrepo['/srv/leap/webapp'],
+      target  => $webapp['img_dir'];
   }
   file {
-    '/srv/leap-webapp/config/config.yml':
+    '/srv/leap/webapp/config/config.yml':
       content => template('site_webapp/config.yml.erb'),
       owner   => leap-webapp,
       group   => leap-webapp,
-      mode    => '0600';
+      mode    => '0600',
+      require => Vcsrepo['/srv/leap/webapp'],
+      notify  => Service['apache'];
   }
   include site_shorewall::webapp
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb
index 9cf85f0c..df562cd9 100644
--- a/puppet/modules/site_webapp/templates/config.yml.erb
+++ b/puppet/modules/site_webapp/templates/config.yml.erb
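Review bot: In the first `file { ... }` block the new `require => Vcsrepo['/srv/leap/webapp'],` lines sit between a short attribute and the `owner => leap-webapp, group => leap-webapp, mode => '0644';` one-liners, leaving arrows unaligned (`ensure => directory,` directly above `require => Vcsrepo`) in five resources, while the `config.yml` resource at the bottom of the same hunk uses one attribute per line with aligned arrows. Writing each of the five in that form, `ensure  => directory,` / `require => Vcsrepo['/srv/leap/webapp'],` / `owner   => leap-webapp,` / `group   => leap-webapp,` / `mode    => '0755';`, makes the block consistent and keeps future additions from being wedged into a one-liner. The title `"/srv/leap/webapp/public/${api_version}/config/"` is also the only one with a trailing slash; dropping it matches the other titles and the spelling of the same directory in the three `.json` titles below it.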
@@ -1,5 +1,15 @@
+<%- cert_options = @webapp['client_certificates'] -%>
 production:
   admins: [admin]
   domain: <%= @provider_domain %>
   client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %>
   client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %>
+  secret_token: "<%= @secret_token %>"
+  client_cert_lifespan: <%= cert_options['life_span'].to_i %>
+  client_cert_bit_size: <%= cert_options['bit_size'].to_i %>
+  client_cert_hash: <%= cert_options['digest'] %>
+  allow_limited_certs: <%= @webapp['allow_limited_certs'].inspect %>
+  allow_unlimited_certs: <%= @webapp['allow_unlimited_certs'].inspect %>
+  allow_anonymous_certs: <%= @webapp['allow_anonymous_certs'].inspect %>
+  limited_cert_prefix: "<%= cert_options['limited_prefix'] %>"
+  unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>"
diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb b/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb
new file mode 100644
index 00000000..a0921add
--- /dev/null
+++ b/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb
@@ -0,0 +1,9 @@
+production:
+  prefix: ""
+  protocol: 'http'
+  host: <%= @couchdb_host %>
+  port: <%= @couchdb_port %>
+  auto_update_design_doc: false
+  username: <%= @couchdb_admin_user %>
+  password: <%= @couchdb_admin_password %>
+
diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb
index ee521713..2bef0af5 100644
--- a/puppet/modules/site_webapp/templates/couchdb.yml.erb
+++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb
@@ -1,8 +1,9 @@
 production:
   prefix: ""
-  protocol: 'https'
+  protocol: 'http'
   host: <%= @couchdb_host %>
-  port: 6984
-  username: <%= @couchdb_user %>
-  password: <%= @couchdb_password %>
+  port: <%= @couchdb_port %>
+  auto_update_design_doc: false
+  username: <%= @couchdb_webapp_user %>
+  password: <%= @couchdb_webapp_password %>
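Review bot: `secret_token: "<%= @secret_token %>"` drops the token into a double-quoted YAML scalar without escaping, so a token containing `"` or `\` either breaks the file or silently truncates the secret the application signs its sessions with; `limited_cert_prefix` and `unlimited_cert_prefix` have the same problem. Use the Ruby escaping this template already relies on for the booleans, `secret_token: <%= @secret_token.to_s.inspect %>`, which also renders an undef token as `""` instead of an empty unquoted value. `cert_options['life_span'].to_i` and `['bit_size'].to_i` turn a missing hiera key into `0` without complaint, so a zero lifespan or bit size is written into the config instead of the catalog failing; `cert_options.fetch('life_span').to_i` fails at compile time. `client_cert_hash: <%= cert_options['digest'] %>` is unquoted and should get the same `.inspect` treatment.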
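Review bot: `password: <%= @couchdb_admin_password %>` and `username:` in couchdb.yml.admin.erb are emitted as bare YAML scalars; a generated credential that starts with a YAML indicator (`#`, `*`, `&`, `[`, `{`, `!`, `%`, `@`) or consists only of digits is parsed as a comment, anchor, collection or number rather than the intended string. Quote them as the `prefix: ""` line already does, `password: <%= @couchdb_admin_password.inspect %>`; the same lines in couchdb.yml.erb in the next hunk (`@couchdb_webapp_user`, `@couchdb_webapp_password`) need the same change. Both templates now use `protocol: 'http'`, so the credentials travel in clear; the stunnel clients and the localhost-bound haproxy elsewhere in this diff suggest `@couchdb_host` is meant to be a loopback endpoint, and the template should record that assumption, `# plain http on purpose: host must be the local haproxy/stunnel endpoint, never a remote couchdb`.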
diff --git a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb
new file mode 100644
index 00000000..f08161ee
--- /dev/null
+++ b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb
@@ -0,0 +1,16 @@
+
+listen bigcouch-in
+  mode http
+  balance  roundrobin
+  option httplog
+  option dontlognull
+  option httpchk GET /
+  option http-server-close
+  
+  bind localhost:4096
+<% for port in @local_ports -%>
+  server couchdb_<%=port%> localhost:<%=port%> check inter 3000 fastinter 1000 downinter 1000 rise 2 fall 1
+<% end -%>
+
+
+
diff --git a/puppet/modules/stdlib b/puppet/modules/stdlib
-Subproject 2df66c041109ecca1099bf3977657572cc32ad2
+Subproject 66e0fa8f1bc5062e9d753598ad17602c378a299
diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel
new file mode 160000
+Subproject fc1589a5f09d80f58d730d4e1f6a8058483f61f
diff --git a/puppet/modules/try/manifests/file.pp b/puppet/modules/try/manifests/file.pp
index 406c0b7a..47a8c269 100644
--- a/puppet/modules/try/manifests/file.pp
+++ b/puppet/modules/try/manifests/file.pp
@@ -18,7 +18,10 @@ define try::file (
     file { "$name":
       ensure => $ensure,
       target => $target,
-      require => Exec["check_${name}"],
+      require => $require ? {
+        undef   => Exec["check_${name}"],
+        default => [ $require, Exec["check_${name}"] ]
+      },
       loglevel => info;
     }
   }
@@ -37,6 +40,10 @@ define try::file (
       exec { "restore_${name}":
         command => $command,
         cwd => $file_dirname,
+        require => $require ? {
+          undef   => undef,
+          default => [ $require ]
+        },
         loglevel => info;
       }
     } else {
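Review bot: `server couchdb_<%=port%> localhost:<%=port%> ...` interpolates each element of `@local_ports` straight into the haproxy configuration, so a non-numeric element (a typo in hiera, or a string containing a space) becomes extra haproxy directives instead of a failed catalog. `<% for port in @local_ports.map { |p| Integer(p) } -%>` makes the template fail at compile time on anything that is not a port number. The file also has no header; a comment such as `# generated from site_webapp/haproxy_couchdb.cfg.erb: round-robins the webapp's couchdb traffic over the local ports listed in hiera haproxy.local_ports` (haproxy's `#` comment syntax) tells an operator editing haproxy.cfg where the fragment comes from. The whitespace-only line after `option http-server-close` and the three blank lines at the end can be dropped.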
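Review bot: `default => [ $require, Exec["check_${name}"] ]` nests whatever the caller passed as `require` inside a new array; if a caller passes an array of resources the result is an array containing an array, and whether the relationship metaparameter flattens that is not something this hunk establishes. stdlib's `flatten()` removes the doubt: `default => flatten([ $require, Exec["check_${name}"] ])`. The selector also depends on `$require` being the metaparameter handed to this `try::file` instance, which only holds inside a defined type; the define's parameter list is outside the hunk, and a comment above the selector, `# $require is the metaparam passed to this instance; chain it in front of the existence check`, would record that for the next reader.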
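Review bot: `default => [ $require ]` in the `restore_${name}` exec wraps the caller's value in a one-element array for no effect that `default => $require` would not have, and when `$require` is already an array it produces the same nested array the first hunk of this file risks; the identical construct is repeated in the hunk at `@@ -44,6 +51,10 @@`. Since the `undef` branch yields `undef`, both selectors collapse to `require => $require,` if, as I believe holds for this Puppet generation, an attribute set to undef is treated as not set; that is worth confirming against the Puppet version the project pins. If the array form is deliberate, a comment saying why belongs next to it.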
@@ -44,6 +51,10 @@ define try::file (
         unless => "/usr/bin/test -e '${target}'",
         command => $command,
         cwd => $file_dirname,
+        require => $require ? {
+          undef   => undef,
+          default => [ $require ]
+        },
         loglevel => info;
       }
     }
diff --git a/puppet/modules/vcsrepo b/puppet/modules/vcsrepo
-Subproject 04851c28b12973c679fc9f234fd0f5a193df9d7
+Subproject 4db1120c78763f5244dc6c9d2e0d064a6ef363e
|
