summaryrefslogtreecommitdiff
path: root/puppet
diff options
context:
space:
mode:
authorelijah <elijah@riseup.net>2014-06-20 01:58:39 -0700
committerelijah <elijah@riseup.net>2014-06-20 01:58:39 -0700
commit80809853298f16ce7f27c5202f81b516cfa11d56 (patch)
tree0ee30e29c706f0c530e3cee8102872a6b02d3b2a /puppet
parent878d23127dd089e7ffc8a1cd30aeaac0d5a9391b (diff)
new generic system for stunnel: just `include site_stunnel` and stunnel + needed shorewall will be automatically set up. requires new leap_cli
Diffstat (limited to 'puppet')
-rw-r--r--puppet/modules/site_couchdb/manifests/bigcouch/stunnel.pp89
-rw-r--r--puppet/modules/site_couchdb/manifests/stunnel.pp43
-rw-r--r--puppet/modules/site_shorewall/manifests/couchdb.pp24
-rw-r--r--puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp51
-rw-r--r--puppet/modules/site_shorewall/manifests/couchdb/dnat.pp21
-rw-r--r--puppet/modules/site_shorewall/manifests/stunnel/client.pp40
-rw-r--r--puppet/modules/site_shorewall/manifests/stunnel/server.pp22
-rw-r--r--puppet/modules/site_stunnel/manifests/client.pp52
-rw-r--r--puppet/modules/site_stunnel/manifests/clients.pp55
-rw-r--r--puppet/modules/site_stunnel/manifests/init.pp15
-rw-r--r--puppet/modules/site_stunnel/manifests/servers.pp53
11 files changed, 206 insertions, 259 deletions
diff --git a/puppet/modules/site_couchdb/manifests/bigcouch/stunnel.pp b/puppet/modules/site_couchdb/manifests/bigcouch/stunnel.pp
deleted file mode 100644
index 5166ba93..00000000
--- a/puppet/modules/site_couchdb/manifests/bigcouch/stunnel.pp
+++ /dev/null
@@ -1,89 +0,0 @@
-class site_couchdb::bigcouch::stunnel {
-
- $stunnel = hiera('stunnel')
-
- include site_config::x509::cert
- include site_config::x509::key
- include site_config::x509::ca
-
- include x509::variables
- $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"
- $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
- $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key"
-
-
- # Erlang Port Mapper Daemon (epmd) stunnel server/clients
- $epmd_server = $stunnel['epmd_server']
- $epmd_server_accept = $epmd_server['accept']
- $epmd_server_connect = $epmd_server['connect']
- $epmd_clients = $stunnel['epmd_clients']
-
- # Erlang Distributed Node Protocol (ednp) stunnel server/clients
- $ednp_server = $stunnel['ednp_server']
- $ednp_server_accept = $ednp_server['accept']
- $ednp_server_connect = $ednp_server['connect']
- $ednp_clients = $stunnel['ednp_clients']
-
-
- # setup stunnel server for Erlang Port Mapper Daemon (epmd), necessary for
- # bigcouch clustering between each bigcouchdb node
- stunnel::service { 'epmd_server':
- accept => $epmd_server_accept,
- connect => $epmd_server_connect,
- client => false,
- cafile => $ca_path,
- key => $key_path,
- cert => $cert_path,
- verify => '2',
- pid => '/var/run/stunnel4/epmd_server.pid',
- rndfile => '/var/lib/stunnel4/.rnd',
- debuglevel => '4',
- require => [
- Class['Site_config::X509::Key'],
- Class['Site_config::X509::Cert'],
- Class['Site_config::X509::Ca'] ];
- }
-
- # setup stunnel clients for Erlang Port Mapper Daemon (epmd) to connect
- # to the above epmd stunnel server.
- $epmd_client_defaults = {
- 'client' => true,
- 'cafile' => $ca_path,
- 'key' => $key_path,
- 'cert' => $cert_path,
- }
-
- create_resources(site_stunnel::clients, $epmd_clients, $epmd_client_defaults)
-
- # setup stunnel server for Erlang Distributed Node Protocol (ednp), necessary
- # for bigcouch clustering between each bigcouchdb node
- stunnel::service { 'ednp_server':
- accept => $ednp_server_accept,
- connect => $ednp_server_connect,
- client => false,
- cafile => $ca_path,
- key => $key_path,
- cert => $cert_path,
- verify => '2',
- pid => '/var/run/stunnel4/ednp_server.pid',
- rndfile => '/var/lib/stunnel4/.rnd',
- debuglevel => '4',
- require => [
- Class['Site_config::X509::Key'],
- Class['Site_config::X509::Cert'],
- Class['Site_config::X509::Ca'] ];
- }
-
- # setup stunnel clients for Erlang Distributed Node Protocol (ednp) to connect
- # to the above ednp stunnel server.
- $ednp_client_defaults = {
- 'client' => true,
- 'cafile' => $ca_path,
- 'key' => $key_path,
- 'cert' => $cert_path,
- }
-
- create_resources(site_stunnel::clients, $ednp_clients, $ednp_client_defaults)
-
- include site_check_mk::agent::stunnel
-}
diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp
deleted file mode 100644
index 484a0c00..00000000
--- a/puppet/modules/site_couchdb/manifests/stunnel.pp
+++ /dev/null
@@ -1,43 +0,0 @@
-class site_couchdb::stunnel {
-
- $stunnel = hiera('stunnel')
- $couchdb_config = hiera('couch')
- $couchdb_bigcouch = $couchdb_config['mode'] == "multimaster"
-
- $couch_server = $stunnel['couch_server']
- $couch_server_accept = $couch_server['accept']
- $couch_server_connect = $couch_server['connect']
-
- include site_config::x509::cert
- include site_config::x509::key
- include site_config::x509::ca
-
- if $couchdb_bigcouch {
- include site_couchdb::bigcouch::stunnel
- }
-
- include x509::variables
- $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"
- $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
- $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key"
-
- # setup a stunnel server for the webapp to connect to couchdb
- stunnel::service { 'couch_server':
- accept => $couch_server_accept,
- connect => $couch_server_connect,
- client => false,
- cafile => $ca_path,
- key => $key_path,
- cert => $cert_path,
- verify => '2',
- pid => '/var/run/stunnel4/couchserver.pid',
- rndfile => '/var/lib/stunnel4/.rnd',
- debuglevel => '4',
- require => [
- Class['Site_config::X509::Key'],
- Class['Site_config::X509::Cert'],
- Class['Site_config::X509::Ca'] ];
- }
-
- include site_check_mk::agent::stunnel
-}
diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp
deleted file mode 100644
index 73bed62b..00000000
--- a/puppet/modules/site_shorewall/manifests/couchdb.pp
+++ /dev/null
@@ -1,24 +0,0 @@
-class site_shorewall::couchdb {
-
- include site_shorewall::defaults
-
- $stunnel = hiera('stunnel')
- $couch_server = $stunnel['couch_server']
- $couch_stunnel_port = $couch_server['accept']
-
- # define macro for incoming services
- file { '/etc/shorewall/macro.leap_couchdb':
- content => "PARAM - - tcp ${couch_stunnel_port}",
- notify => Service['shorewall'],
- require => Package['shorewall']
- }
-
- shorewall::rule {
- 'net2fw-couchdb':
- source => 'net',
- destination => '$FW',
- action => 'leap_couchdb(ACCEPT)',
- order => 200;
- }
-
-}
diff --git a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp
deleted file mode 100644
index 20740650..00000000
--- a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp
+++ /dev/null
@@ -1,51 +0,0 @@
-class site_shorewall::couchdb::bigcouch {
-
- include site_shorewall::defaults
-
- $stunnel = hiera('stunnel')
-
- # Erlang Port Mapper Daemon (epmd) stunnel server/clients
- $epmd_clients = $stunnel['epmd_clients']
- $epmd_server = $stunnel['epmd_server']
- $epmd_server_port = $epmd_server['accept']
- $epmd_server_connect = $epmd_server['connect']
-
- # Erlang Distributed Node Protocol (ednp) stunnel server/clients
- $ednp_clients = $stunnel['ednp_clients']
- $ednp_server = $stunnel['ednp_server']
- $ednp_server_port = $ednp_server['accept']
- $ednp_server_connect = $ednp_server['connect']
-
- # define macro for incoming services
- file { '/etc/shorewall/macro.leap_bigcouch':
- content => "PARAM - - tcp ${epmd_server_port},${ednp_server_port}",
- notify => Service['shorewall'],
- require => Package['shorewall']
- }
-
- shorewall::rule {
- 'net2fw-bigcouch':
- source => 'net',
- destination => '$FW',
- action => 'leap_bigcouch(ACCEPT)',
- order => 300;
- }
-
- # setup DNAT rules for each epmd
- $epmd_shorewall_dnat_defaults = {
- 'source' => '$FW',
- 'proto' => 'tcp',
- 'destinationport' => regsubst($epmd_server_connect, '^([0-9.]+:)([0-9]+)$', '\2')
- }
- create_resources(site_shorewall::couchdb::dnat, $epmd_clients, $epmd_shorewall_dnat_defaults)
-
- # setup DNAT rules for each ednp
- $ednp_shorewall_dnat_defaults = {
- 'source' => '$FW',
- 'proto' => 'tcp',
- 'destinationport' => regsubst($ednp_server_connect, '^([0-9.]+:)([0-9]+)$', '\2')
- }
- create_resources(site_shorewall::couchdb::dnat, $ednp_clients, $ednp_shorewall_dnat_defaults)
-
-}
-
diff --git a/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp b/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp
deleted file mode 100644
index f1bc9acf..00000000
--- a/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp
+++ /dev/null
@@ -1,21 +0,0 @@
-define site_shorewall::couchdb::dnat (
- $source,
- $connect,
- $connect_port,
- $accept_port,
- $proto,
- $destinationport )
-{
-
-
- shorewall::rule {
- "dnat_${name}_${destinationport}":
- action => 'DNAT',
- source => $source,
- destination => "\$FW:127.0.0.1:${accept_port}",
- proto => $proto,
- destinationport => $destinationport,
- originaldest => $connect,
- order => 200
- }
-}
diff --git a/puppet/modules/site_shorewall/manifests/stunnel/client.pp b/puppet/modules/site_shorewall/manifests/stunnel/client.pp
new file mode 100644
index 00000000..9a89a244
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/stunnel/client.pp
@@ -0,0 +1,40 @@
+#
+# Adds some firewall magic to the stunnel.
+#
+# Using DNAT, this firewall rule allow a locally running program
+# to try to connect to the normal remote IP and remote port of the
+# service on another machine, but have this connection magically
+# routed through the locally running stunnel client.
+#
+# The network looks like this:
+#
+# From the client's perspective:
+#
+# |------- stunnel client --------------| |---------- stunnel server -----------------------|
+# consumer app -> localhost:accept_port -> connect:connect_port -> localhost:original_port
+#
+# From the server's perspective:
+#
+# |------- stunnel client --------------| |---------- stunnel server -----------------------|
+# ?? -> *:accept_port -> localhost:connect_port -> service
+#
+
+define site_shorewall::stunnel::client(
+ $accept_port,
+ $connect,
+ $connect_port,
+ $original_port) {
+
+ include site_shorewall::defaults
+
+ shorewall::rule {
+ "stunnel_dnat_${name}":
+ action => 'DNAT',
+ source => '$FW',
+ destination => "\$FW:127.0.0.1:${accept_port}",
+ proto => 'tcp',
+ destinationport => $original_port,
+ originaldest => $connect,
+ order => 200
+ }
+}
diff --git a/puppet/modules/site_shorewall/manifests/stunnel/server.pp b/puppet/modules/site_shorewall/manifests/stunnel/server.pp
new file mode 100644
index 00000000..db3ecd3e
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/stunnel/server.pp
@@ -0,0 +1,22 @@
+#
+# Allow all incoming connections to stunnel server port
+#
+
+define site_shorewall::stunnel::server($port) {
+
+ include site_shorewall::defaults
+
+ file { "/etc/shorewall/macro.stunnel_server_${name}":
+ content => "PARAM - - tcp ${port}",
+ notify => Service['shorewall'],
+ require => Package['shorewall']
+ }
+ shorewall::rule {
+ 'net2fw-couchdb':
+ source => 'net',
+ destination => '$FW',
+ action => "stunnel_server_${name}(ACCEPT)",
+ order => 200;
+ }
+
+} \ No newline at end of file
diff --git a/puppet/modules/site_stunnel/manifests/client.pp b/puppet/modules/site_stunnel/manifests/client.pp
new file mode 100644
index 00000000..12d664b4
--- /dev/null
+++ b/puppet/modules/site_stunnel/manifests/client.pp
@@ -0,0 +1,52 @@
+#
+# Sets up stunnel and firewall configuration for
+# a single stunnel client
+#
+# As a client, we accept connections on localhost,
+# and connect to a remote $connect:$connect_port
+#
+
+define site_stunnel::client (
+ $accept_port,
+ $connect_port,
+ $connect,
+ $original_port,
+ $verify = '2',
+ $pid = $name,
+ $rndfile = '/var/lib/stunnel4/.rnd',
+ $debuglevel = '4' ) {
+
+ include site_config::x509::cert
+ include site_config::x509::key
+ include site_config::x509::ca
+ include x509::variables
+ $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"
+ $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
+ $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key"
+
+ stunnel::service { $name:
+ accept => "127.0.0.1:${accept_port}",
+ connect => "${connect}:${connect_port}",
+ client => true,
+ cafile => $ca_path,
+ key => $key_path,
+ cert => $cert_path,
+ verify => $verify,
+ pid => "/var/run/stunnel4/${pid}.pid",
+ rndfile => $rndfile,
+ debuglevel => $debuglevel,
+ subscribe => [
+ Class['Site_config::X509::Key'],
+ Class['Site_config::X509::Cert'],
+ Class['Site_config::X509::Ca'] ];
+ }
+
+ site_shorewall::stunnel::client { $name:
+ accept_port => $accept_port,
+ connect => $connect,
+ connect_port => $connect_port,
+ original_port => $original_port
+ }
+
+ include site_check_mk::agent::stunnel
+}
diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp
index b75c9ac3..44b31aaa 100644
--- a/puppet/modules/site_stunnel/manifests/clients.pp
+++ b/puppet/modules/site_stunnel/manifests/clients.pp
@@ -1,33 +1,26 @@
-define site_stunnel::clients (
- $accept_port,
- $connect_port,
- $connect,
- $cafile,
- $key,
- $cert,
- $client = true,
- $verify = '2',
- $pid = $name,
- $rndfile = '/var/lib/stunnel4/.rnd',
- $debuglevel = '4' ) {
+#
+# usage:
+# create_resource(site_stunnel::clients, hiera('stunnel')['clients'])
+#
+# example hiera yaml:
+#
+# stunnel:
+# clients:
+# ednp_clients:
+# thrips_9002:
+# accept_port: 4001
+# connect: thrips.demo.bitmask.i
+# connect_port: 19002
+# epmd_clients:
+# thrips_4369:
+# accept_port: 4000
+# connect: thrips.demo.bitmask.i
+# connect_port: 14369
+#
+# In the above example, this resource definition is called twice, with $name
+# 'ednp_clients' and 'epmd_clients'
+#
- stunnel::service { $name:
- accept => "127.0.0.1:${accept_port}",
- connect => "${connect}:${connect_port}",
- client => $client,
- cafile => $cafile,
- key => $key,
- cert => $cert,
- verify => $verify,
- pid => "/var/run/stunnel4/${pid}.pid",
- rndfile => $rndfile,
- debuglevel => $debuglevel,
- subscribe => [
- Class['Site_config::X509::Key'],
- Class['Site_config::X509::Cert'],
- Class['Site_config::X509::Ca'] ];
-
- }
-
- include site_check_mk::agent::stunnel
+define site_stunnel::clients {
+ create_resources(site_stunnel::client, $site_stunnel::clients[$name])
}
diff --git a/puppet/modules/site_stunnel/manifests/init.pp b/puppet/modules/site_stunnel/manifests/init.pp
index c7d6acc6..b292f1cd 100644
--- a/puppet/modules/site_stunnel/manifests/init.pp
+++ b/puppet/modules/site_stunnel/manifests/init.pp
@@ -1,3 +1,8 @@
+#
+# If you need something to happen after stunnel is started,
+# you can depend on Service['stunnel'] or Class['site_stunnel']
+#
+
class site_stunnel {
# include the generic stunnel module
@@ -13,5 +18,15 @@ class site_stunnel {
ensure => absent;
}
}
+
+ $stunnel = hiera('stunnel')
+
+ # add server stunnels
+ create_resources(site_stunnel::servers, $stunnel['servers'])
+
+ # add client stunnels
+ $clients = $stunnel['clients']
+ $client_sections = keys($clients)
+ site_stunnel::clients { $client_sections: }
}
diff --git a/puppet/modules/site_stunnel/manifests/servers.pp b/puppet/modules/site_stunnel/manifests/servers.pp
new file mode 100644
index 00000000..4419923f
--- /dev/null
+++ b/puppet/modules/site_stunnel/manifests/servers.pp
@@ -0,0 +1,53 @@
+#
+# usage:
+# create_resource(site_stunnel::servers, hiera('stunnel')['servers'])
+#
+# example hiera yaml:
+#
+# stunnel:
+# servers:
+# couch_server:
+# accept_port: 15984
+# connect_port: 5984
+#
+
+define site_stunnel::servers (
+ $accept_port,
+ $connect_port,
+ $verify = '2',
+ $pid = $name,
+ $rndfile = '/var/lib/stunnel4/.rnd',
+ $debuglevel = '4' ) {
+
+ include site_config::x509::cert
+ include site_config::x509::key
+ include site_config::x509::ca
+ include x509::variables
+ $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"
+ $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt"
+ $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key"
+
+ stunnel::service { $name:
+ accept => $accept_port,
+ connect => "127.0.0.1:${connect_port}",
+ client => false,
+ cafile => $ca_path,
+ key => $key_path,
+ cert => $cert_path,
+ verify => $verify,
+ pid => "/var/run/stunnel4/${pid}.pid",
+ rndfile => '/var/lib/stunnel4/.rnd',
+ debuglevel => $debuglevel,
+ require => [
+ Class['Site_config::X509::Key'],
+ Class['Site_config::X509::Cert'],
+ Class['Site_config::X509::Ca'] ];
+ }
+
+ # allow incoming connections on $accept_port
+ site_shorewall::stunnel::server { $name:
+ port => $accept_port
+ }
+
+ include site_check_mk::agent::stunnel
+}