25 files changed, 199 insertions, 49 deletions
diff --git a/.gitmodules b/.gitmodules index 417457e8..6597612b 100644 --- a/.gitmodules +++ b/.gitmodules @@ -24,7 +24,7 @@ url = git://labs.riseup.net/shared-common [submodule "puppet/modules/shorewall"] path = puppet/modules/shorewall - url = git://labs.riseup.net/shared-shorewall + url = git://code.leap.se/puppet_shorewall [submodule "puppet/modules/resolvconf"] path = puppet/modules/resolvconf url = git://git.puppet.immerda.ch/module-resolvconf.git @@ -52,3 +52,6 @@ [submodule "puppet/modules/passenger"] path = puppet/modules/passenger url = git://code.leap.se/puppet_passenger +[submodule "puppet/modules/augeas"] + path = puppet/modules/augeas + url = git://code.leap.se/puppet_augeas diff --git a/provider_base/services/ca.json b/provider_base/services/ca.json index a4ded72b..3fb8bf6c 100644 --- a/provider_base/services/ca.json +++ b/provider_base/services/ca.json @@ -5,6 +5,7 @@ }, "service_type": "internal_service", "x509": { - "use": true + "use": true, + "ca_key": "= file(:ca_key, :missing => 'CA key. Run `leap cert ca` to create the Certificate Authority.')" } } diff --git a/puppet/modules/apt b/puppet/modules/apt -Subproject 02bd3269948f1a3c5a586e581a7fec22da69a2c +Subproject 0d5311b1a9fa82e4e423a9e7ce7f5eb919bab40 diff --git a/puppet/modules/augeas b/puppet/modules/augeas new file mode 160000 +Subproject 44e84a988b859622e7b3583ac27331cf816017e diff --git a/puppet/modules/shorewall b/puppet/modules/shorewall -Subproject 911cc18e594bb5a3ab642ebb24615a0447050c3 +Subproject e511291a111db7a7d88a8820c5423aa5b92304e diff --git a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf index 79ad931d..0dff2cd6 100644 --- a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf +++ b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf 
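Review bot: The re-pointed `puppet/modules/shorewall` entry and the new `puppet/modules/augeas` entry both fetch over the unauthenticated `git://` transport, so the only integrity check on the module code that lands in the superproject is the commit id pinned by the submodule pointer. That matches the rest of the file, but if code.leap.se also serves the repositories over https, `url = https://code.leap.se/puppet_shorewall` and `url = https://code.leap.se/puppet_augeas` would remove the plaintext hop without changing anything else. The pin still has to be reviewed on each bump, since these Subproject lines are the actual code being deployed.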
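Review bot: `SSLCertificateKeyFile /etc/x509/keys/leap_couchdb.key` and `SSLCertificateFile /etc/x509/certs/leap_couchdb.crt` are hard-coded in this static vhost file, while the files themselves are now produced by the `x509::key`/`x509::cert` resources titled `leap_couchdb` in site_couchdb::apache_ssl_proxy; nothing ties the two sides together, so a later rename of either breaks only at Apache restart. A comment above the two directives, `# paths must match x509::key/x509::cert 'leap_couchdb' in site_couchdb::apache_ssl_proxy`, makes the coupling visible. The removed file resource set the key to mode 0600; confirm the x509::key define (not in this diff) applies an equally restrictive mode, since this hunk no longer controls it.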
@@ -3,8 +3,8 @@ Listen 0.0.0.0:6984 <VirtualHost *:6984> SSLEngine On SSLProxyEngine On - SSLCertificateKeyFile /etc/couchdb/server_key.pem - SSLCertificateFile /etc/couchdb/server_cert.pem + SSLCertificateKeyFile /etc/x509/keys/leap_couchdb.key + SSLCertificateFile /etc/x509/certs/leap_couchdb.crt ProxyPass / http://127.0.0.1:5984/ ProxyPassReverse / http://127.0.0.1:5984/ </VirtualHost> diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 37c4a727..05d5f69d 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -19,8 +19,8 @@ RequestHeader set X_FORWARDED_PROTO 'https' - DocumentRoot /srv/leap_webapp/public - Alias /1 /srv/leap_webapp/public + DocumentRoot /srv/leap-webapp/public + Alias /1 /srv/leap-webapp/public # Check for maintenance file and redirect all requests RewriteEngine On diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb index 85e7289b..8c820788 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb @@ -21,8 +21,8 @@ RequestHeader set X_FORWARDED_PROTO 'https' - DocumentRoot /srv/leap_webapp/public - Alias /1 /srv/leap_webapp/public + DocumentRoot /srv/leap-webapp/public + Alias /1 /srv/leap-webapp/public RewriteEngine On # Check for maintenance file and redirect all requests diff --git a/puppet/modules/site_apt/files/unstable.list b/puppet/modules/site_apt/files/unstable.list deleted file mode 100644 index 0e289136..00000000 --- a/puppet/modules/site_apt/files/unstable.list +++ /dev/null @@ -1 +0,0 @@ -deb http://http.debian.net/debian unstable main diff --git a/puppet/modules/site_config/manifests/apt.pp b/puppet/modules/site_apt/manifests/init.pp index f7ba9ac9..631f5742 100644 
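Review bot: `DocumentRoot /srv/leap-webapp/public` and the matching `Alias /1 /srv/leap-webapp/public` rename the checkout path, but no other file in this diff moves the webapp away from `/srv/leap_webapp`; unless the site_webapp vcsrepo was renamed separately, Apache will serve a non-existent DocumentRoot after deploy. The same rename appears in leap_webapp.conf.erb in the next hunk, so whatever resolves it applies to both. Worth confirming the checkout path before merging.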
--- a/puppet/modules/site_config/manifests/apt.pp +++ b/puppet/modules/site_apt/manifests/init.pp @@ -1,4 +1,4 @@ -class site_config::apt { +class site_apt { include ::apt include site_apt::dist_upgrade @@ -7,4 +7,5 @@ class site_config::apt { content => 'Acquire::PDiffs "false";'; } + include ::apt::unattended_upgrades } diff --git a/puppet/modules/site_ca_daemon/manifests/couchdb.pp b/puppet/modules/site_ca_daemon/manifests/couchdb.pp index b5a1d2d4..f446a05b 100644 --- a/puppet/modules/site_ca_daemon/manifests/couchdb.pp +++ b/puppet/modules/site_ca_daemon/manifests/couchdb.pp @@ -6,8 +6,8 @@ class site_ca_daemon::couchdb { $couchdb_password = $ca['couchdb_user']['password'] file { - '/srv/leap_ca_daemon/config/couchdb.yml': - content => template('site_ca_daemon/couchdb.yml.erb'), + '/etc/leap/leap_ca.yaml': + content => template('site_ca_daemon/leap_ca.yaml.erb'), owner => leap_ca_daemon, group => leap_ca_daemon, mode => '0600'; diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp index c749da12..29a70df8 100644 --- a/puppet/modules/site_ca_daemon/manifests/init.pp +++ b/puppet/modules/site_ca_daemon/manifests/init.pp @@ -3,6 +3,7 @@ class site_ca_daemon { #$definition_files = hiera('definition_files') #$provider = $definition_files['provider'] #$eip_service = $definition_files['eip_service'] + $x509 = hiera('x509') Class[Ruby] -> Class[rubygems] -> Class[bundler::install] 
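Review bot: `include ::apt::unattended_upgrades` is appended after the file resource at the end of the class, while the class's other includes (`include ::apt`, `include site_apt::dist_upgrade`) sit at the top; grouping it with them keeps the class's dependencies visible in one place. Since this commit also removes the unstable.list source, it is worth confirming that the unattended-upgrades configuration (not in this hunk) pulls only from the intended stable/security origins.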
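Review bot: The file resource now writes `/etc/leap/leap_ca.yaml`, which carries the CouchDB password, but nothing in the hunk ensures the `/etc/leap` directory exists, so the first run on a fresh host fails unless another class creates it. If it is not managed elsewhere, add `file { '/etc/leap': ensure => directory, mode => '0755' }` and make the yaml file `require` it. The 0600 mode and leap_ca_daemon ownership on the secret-bearing file are the right choice.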
@@ -27,6 +28,38 @@ class site_ca_daemon { require => [ Group['leap_ca_daemon'] ]; } + + x509::key { + 'leap_ca_daemon': + content => $x509['ca_key']; + #notify => Service['leap_ca_daemon']; <== no service yet for leap_ca_daemon + } + + x509::cert { + 'leap_ca_daemon': + content => $x509['ca_cert']; + #notify => Service['leap_ca_daemon']; <== no service yet for leap_ca_daemon + } + + # + # Does CA need a server key/cert? I think not now. + # + # x509::key { + # 'server': + # content => $x509['key']; + # } + # + # x509::cert { + # 'server': + # content => $x509['cert']; + # } + + # x509::ca { + # 'leap_ca_daemon': + # content => $x509['ca_cert']; + # } + + file { '/srv/leap_ca_daemon': ensure => directory, owner => 'leap_ca_daemon', @@ -36,7 +69,7 @@ class site_ca_daemon { vcsrepo { '/srv/leap_ca_daemon': ensure => present, - revision => 'origin/deploy', + revision => 'origin/master', provider => git, source => 'git://code.leap.se/leap_ca', owner => 'leap_ca_daemon', @@ -52,4 +85,8 @@ class site_ca_daemon { require => [ Class['bundler::install'], Vcsrepo['/srv/leap_ca_daemon'] ]; } + file { '/usr/local/bin/leap_ca_daemon': + ensure => link, + target => '/srv/leap_ca_daemon/bin/leap_ca', + } } diff --git a/puppet/modules/site_ca_daemon/templates/couchdb.yml.erb b/puppet/modules/site_ca_daemon/templates/couchdb.yml.erb deleted file mode 100644 index f5132599..00000000 --- a/puppet/modules/site_ca_daemon/templates/couchdb.yml.erb +++ /dev/null @@ -1,7 +0,0 @@ -production: - protocol: 'https' - host: <%= couchdb_host %> - port: 443 - username: <%= couchdb_user %> - password: <%= couchdb_password %> - diff --git a/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb b/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb new file mode 100644 index 00000000..e0b95278 --- /dev/null +++ b/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb 
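Review bot: `x509::key { 'leap_ca_daemon': content => $x509['ca_key'] }` installs the CA private key, which the daemon running as `leap_ca_daemon` (the owner set on `/srv/leap_ca_daemon` below) must be able to read; the x509::key define is not in this diff, so confirm the owner and mode it applies let that user read `/etc/x509/keys/leap_ca_daemon.key` without making the file readable to anyone else. The commented-out `x509::key 'server'`, `x509::cert 'server'` and `x509::ca` blocks should be dropped rather than committed; the one-line question `# Does CA need a server key/cert? I think not now.` is enough to record the decision. The class continues outside the hunk.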
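Review bot: `revision => 'origin/master'` makes the CA daemon checkout track a moving branch fetched over `git://code.leap.se/leap_ca` (context line), so each Puppet run can pull whatever is newest into the host that holds the CA private key, with no pin or signature to compare against. Pinning to a tag or commit id, e.g. `revision => '<release tag or commit id>'`, keeps deployments reproducible and lets an unexpected upstream change be noticed in review. The previous `origin/deploy` had the same property; this change only moves it to the main development branch.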
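Review bot: The symlink `/usr/local/bin/leap_ca_daemon -> /srv/leap_ca_daemon/bin/leap_ca` puts a file from a checkout owned by the unprivileged `leap_ca_daemon` user on the system PATH for every user, including root; anything that runs it as root executes code writable by the service account. If only the service user is meant to invoke it, a comment saying so, `# run as the leap_ca_daemon user only; the checkout is writable by that user`, records the assumption, and `require => Vcsrepo['/srv/leap_ca_daemon'],` orders the link after the checkout it points into.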
@@ -0,0 +1,31 @@ +# +# Default configuration options for LEAP Certificate Authority Daemon +# + +# +# Certificate Authority +# +ca_key_path: "/etc/x509/keys/leap_ca_daemon.key" +ca_key_password: nil +ca_cert_path: "/etc/x509/certs/leap_ca_daemon.crt" + +# +# Certificate pool +# +max_pool_size: 100 +client_cert_lifespan: 2 +client_cert_bit_size: 2024 +client_cert_hash: "SHA256" + +# +# Database +# +db_name: "client_certificates" +couch_connection: + protocol: "https" + host: <%= couchdb_host %> + port: 6984 + username: <%= couchdb_user %> + password: <%= couchdb_password %> + prefix: "" + suffix: "" diff --git a/puppet/modules/site_config/files/bind9 b/puppet/modules/site_config/files/bind9 new file mode 100644 index 00000000..50d8ed14 --- /dev/null +++ b/puppet/modules/site_config/files/bind9 @@ -0,0 +1,8 @@ +# managed by puppet + +# run resolvconf? +RESOLVCONF=no + +# startup options for the server +OPTIONS="-u bind -4" + diff --git a/puppet/modules/site_config/files/named.conf.options b/puppet/modules/site_config/files/named.conf.options new file mode 100644 index 00000000..47df6c5d --- /dev/null +++ b/puppet/modules/site_config/files/named.conf.options @@ -0,0 +1,6 @@ +options { + allow-query { 127.0.0.1; }; + allow-transfer { none; }; + listen-on { 127.0.0.1; }; +}; + diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp new file mode 100644 index 00000000..06cd5c01 --- /dev/null +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -0,0 +1,20 @@ +class site_config::hosts() { + + $hosts = hiera('hosts','') + $hostname = hiera('name') + + file { "/etc/hostname": + ensure => present, + content => $hostname + } + + exec { "/bin/hostname $hostname": + subscribe => [ File['/etc/hostname'], File['/etc/hosts'] ], + refreshonly => true; + } + + file { '/etc/hosts': + content => template('site_config/hosts'), + mode => '0644', owner => root, group => root; + } +} 
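Review bot: `client_cert_bit_size: 2024` is almost certainly a typo for `2048`; 2024 is not a conventional RSA modulus size and, depending on the library, may be rejected or produce slightly weaker keys than intended, so `client_cert_bit_size: 2048` is the safe correction. `ca_key_password: nil` is not YAML null — Ruby loads it as the string "nil" — so use `ca_key_password: ~` (or leave the value empty) if no passphrase is intended. `client_cert_lifespan: 2` has no unit; a trailing comment such as `# days` (whatever the daemon actually expects) would prevent a wrong guess.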
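Review bot: The options block limits queries, transfers and listening to 127.0.0.1, a good baseline for a local resolver, but it leaves DNSSEC validation to BIND's compiled default, which varies by version. Adding `dnssec-validation auto;` inside `options` makes the local resolver validate answers explicitly, which matters if the host's own lookups are pointed at it (as the resolvconf class appears to do). Recursion is not named either; `allow-recursion { 127.0.0.1; };` states the intent instead of relying on the allow-query fallback.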
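Review bot: `exec { "/bin/hostname $hostname": ... }` interpolates the hiera value `name` straight into the command with no check that it is a valid hostname. The exec uses the default provider (no shell), which limits what an odd value can do, but a name containing whitespace would be split into extra arguments and a malformed one would be set silently; a regex check on `$hostname` before it is used (for example via stdlib's `validate_re`, if the project carries stdlib) fails the run with a clear message instead. `$hosts = hiera('hosts','')` is passed to the template unvalidated as well; see the template's hunk for the shape it expects.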
diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp index 7f67ad4e..ef4ffbd3 100644 --- a/puppet/modules/site_config/manifests/init.pp +++ b/puppet/modules/site_config/manifests/init.pp @@ -4,11 +4,20 @@ class site_config { include lsb, git # configure apt - include site_config::apt + include site_apt # configure ssh and include ssh-keys include site_config::sshd # configure /etc/resolv.conf include site_config::resolvconf + + # configure /etc/hosts + stage { 'initial': + before => Stage['main'], + } + + class { 'site_config::hosts': + stage => initial, + } } diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp index bd0539b9..78f83a62 100644 --- a/puppet/modules/site_config/manifests/resolvconf.pp +++ b/puppet/modules/site_config/manifests/resolvconf.pp @@ -1,8 +1,29 @@ class site_config::resolvconf { + + # bind9 package { 'bind9': ensure => installed, } + service { 'bind9': + ensure => running, + require => Package['bind9'], + } + + file { '/etc/default/bind9': + source => 'puppet:///modules/site_config/bind9', + require => Package['bind9'], + notify => Service['bind9'], + } + + file { '/etc/bind/named.conf.options': + source => 'puppet:///modules/site_config/named.conf.options', + require => Package['bind9'], + notify => Service['bind9'], + } + + + $domain_hash = hiera('domain') $domain_public = $domain_hash['public'] diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts new file mode 100644 index 00000000..c516eaf8 --- /dev/null +++ b/puppet/modules/site_config/templates/hosts 
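Review bot: `class { 'site_config::hosts': stage => initial, }` uses a run stage, which means any other manifest that does `include site_config::hosts` will raise a duplicate-declaration error, and resources in stage `initial` cannot depend on anything in `main`. That is fine while hosts.pp stays self-contained, but a comment recording the constraint, `# stays in stage initial so /etc/hosts exists before name resolution is needed; do not include this class elsewhere`, prevents the next person from tripping over it.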
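Review bot: `service { 'bind9': ensure => running, require => Package['bind9'], }` does not set `enable => true`, so whether bind9 comes back after a reboot depends on the package's own init registration rather than on Puppet; if it does not, the host's resolv.conf (managed further down in this class, outside the hunk) would point at a dead local resolver. Add `enable => true,` to the service. The two blank lines after the second file resource are stray whitespace.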
@@ -0,0 +1,13 @@ +# This file is managed by puppet, any changes will be overwritten! + +127.0.0.1 localhost +<%- if hosts.to_s != '' then -%> +<%= hosts %> +<% end -%> + +# The following lines are desirable for IPv6 capable hosts +::1 ip6-localhost ip6-loopback +fe00::0 ip6-localnet +ff00::0 ip6-mcastprefix +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp index fb3477db..02aae0c3 100644 --- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp +++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp @@ -10,20 +10,16 @@ define site_couchdb::apache_ssl_proxy ($key, $cert) { } apache::vhost::file { 'couchdb_proxy': } - file { '/etc/couchdb/server_cert.pem': - mode => '0644', - owner => 'couchdb', - group => 'couchdb', - content => $cert, - notify => Service[apache], + x509::key { + 'leap_couchdb': + content => $x509['key'], + notify => Service[apache]; } - file { '/etc/couchdb/server_key.pem': - mode => '0600', - owner => 'couchdb', - group => 'couchdb', - content => $key, - notify => Service[apache], + x509::cert { + 'leap_couchdb': + content => $x509['cert'], + notify => Service[apache]; } } diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp index 12c1bd8f..4c43ec05 100644 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ b/puppet/modules/site_openvpn/manifests/keys.pp 
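Review bot: `<%= hosts %>` writes the hiera value straight into /etc/hosts, and the guard `hosts.to_s != ''` only covers the empty case; if `hosts` is ever an array or hash rather than a pre-formatted string, `to_s` renders Ruby's inspect form (depending on the Ruby version) into the file. A comment at the top stating the expected shape, `# hiera 'hosts' must be a string of pre-formatted "<ip> <name>" lines`, or a branch that joins an array with newlines, makes the contract explicit. As written, whatever is placed under that hiera key lands verbatim in a root-owned 0644 file, so the key should be treated as trusted input.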
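Review bot: The new `x509::key` and `x509::cert` resources read `$x509['key']` and `$x509['cert']`, but `$x509` is not a parameter of this define (its signature, `define site_couchdb::apache_ssl_proxy ($key, $cert)`, is the hunk's context) and is not set anywhere in the hunk, while the `$key` and `$cert` parameters that fed the removed file resources are now unused; unless a top-scope `$x509` happens to exist the catalog fails, and if one does exist the proxy silently gets whatever that variable holds. Use the define's own parameters: `content => $key,` and `content => $cert,`. The define body continues outside the hunk; check that nothing else still references the removed /etc/couchdb paths.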
@@ -1,22 +1,26 @@ class site_openvpn::keys { - file { '/etc/openvpn/keys/ca.crt': - content => $site_openvpn::x509_config['ca_cert'], - mode => '0644', + x509::key { + 'leap_openvpn': + content => $site_openvpn::x509_config['key'], + notify => Service[openvpn]; } - file { '/etc/openvpn/keys/dh.pem': - content => $site_openvpn::x509_config['dh'], - mode => '0644', + x509::cert { + 'leap_openvpn': + content => $site_openvpn::x509_config['cert'], + notify => Service[openvpn]; } - file { '/etc/openvpn/keys/server.key': - content => $site_openvpn::x509_config['key'], - mode => '0600', + x509::ca { + 'leap_openvpn': + content => $site_openvpn::x509_config['ca_cert'], + notify => Service[openvpn]; } - file { '/etc/openvpn/keys/server.crt': - content => $site_openvpn::x509_config['cert'], + file { '/etc/openvpn/keys/dh.pem': + content => $site_openvpn::x509_config['dh'], mode => '0644', } + } diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 6fc3a3c2..c4f64225 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -69,15 +69,15 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana openvpn::option { "ca $openvpn_configname": key => 'ca', - value => '/etc/openvpn/keys/ca.crt', + value => '/usr/local/share/ca-certificates/leap_openvpn.crt', server => $openvpn_configname; "cert $openvpn_configname": key => 'cert', - value => '/etc/openvpn/keys/server.crt', + value => '/etc/x509/certs/leap_openvpn.crt', server => $openvpn_configname; "key $openvpn_configname": key => 'key', - value => '/etc/openvpn/keys/server.key', + value => '/etc/x509/keys/leap_openvpn.key', server => $openvpn_configname; "dh $openvpn_configname": key => 'dh', diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp index 88981e5f..d348bf00 100644 
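Review bot: The retained `file { '/etc/openvpn/keys/dh.pem': ... }` is the only one of the four resources in this class without `notify => Service[openvpn]`, so a changed DH parameter file would not restart OpenVPN while a changed key, cert or CA would; add `notify => Service[openvpn],` to it for consistency. The blank line before the closing brace is stray whitespace. Also confirm the x509::key define installs `/etc/x509/keys/leap_openvpn.key` with a mode at least as tight as the 0600 the removed file resource set.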
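Review bot: `value => '/usr/local/share/ca-certificates/leap_openvpn.crt'` suggests the x509::ca define (not in this diff) places the provider's client CA in the directory that `update-ca-certificates` merges into the system trust store; if so, every TLS client on the VPN gateway will trust certificates issued by that CA, which is broader than what OpenVPN's `ca` option needs. If system-wide trust is unintended, keep the CA under `/etc/x509/` alongside the key and cert, or in a dedicated OpenVPN directory, and point this option there; if it is intended, a comment beside the option, `# CA is installed into the system trust store by x509::ca`, records the decision. The define continues outside the hunk.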
--- a/puppet/modules/site_shorewall/manifests/defaults.pp +++ b/puppet/modules/site_shorewall/manifests/defaults.pp @@ -8,6 +8,13 @@ class site_shorewall::defaults { shorewall::zone {'net': type => 'ipv4'; } - shorewall::rule_section { 'NEW': order => 10; } + include augeas + + augeas { 'enable_ip_forwarding': + changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes', + lens => 'Shellvars.lns', + incl => '/etc/shorewall/shorewall.conf', + notify => Service[shorewall]; + } } diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb index f5132599..e5678680 100644 --- a/puppet/modules/site_webapp/templates/couchdb.yml.erb +++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb @@ -1,7 +1,8 @@ production: + prefix: "" protocol: 'https' host: <%= couchdb_host %> - port: 443 + port: 6984 username: <%= couchdb_user %> password: <%= couchdb_password %> |
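Review bot: The `augeas { 'enable_ip_forwarding': ... }` resource sets `IP_FORWARDING Yes` inside `site_shorewall::defaults`, so every host that includes the defaults — not only the VPN gateway — will route packets between its interfaces once shorewall reloads. Unless all nodes are meant to forward, move the resource to the class that configures the gateway, or guard it behind a parameter. The removed `shorewall::rule_section { 'NEW': order => 10; }` is not replaced; if any rule elsewhere still relies on that section, its ordering is now undefined.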