-rw-r--r--.gitmodules5
-rw-r--r--provider_base/services/ca.json3
m---------puppet/modules/apt0
m---------puppet/modules/augeas0
m---------puppet/modules/shorewall0
-rw-r--r--puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf4
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/api.conf.erb4
-rw-r--r--puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb4
-rw-r--r--puppet/modules/site_apt/files/unstable.list1
-rw-r--r--puppet/modules/site_apt/manifests/init.pp (renamed from puppet/modules/site_config/manifests/apt.pp)3
-rw-r--r--puppet/modules/site_ca_daemon/manifests/couchdb.pp4
-rw-r--r--puppet/modules/site_ca_daemon/manifests/init.pp39
-rw-r--r--puppet/modules/site_ca_daemon/templates/couchdb.yml.erb7
-rw-r--r--puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb31
-rw-r--r--puppet/modules/site_config/files/bind98
-rw-r--r--puppet/modules/site_config/files/named.conf.options6
-rw-r--r--puppet/modules/site_config/manifests/hosts.pp20
-rw-r--r--puppet/modules/site_config/manifests/init.pp11
-rw-r--r--puppet/modules/site_config/manifests/resolvconf.pp21
-rw-r--r--puppet/modules/site_config/templates/hosts13
-rw-r--r--puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp20
-rw-r--r--puppet/modules/site_openvpn/manifests/keys.pp26
-rw-r--r--puppet/modules/site_openvpn/manifests/server_config.pp6
-rw-r--r--puppet/modules/site_shorewall/manifests/defaults.pp9
-rw-r--r--puppet/modules/site_webapp/templates/couchdb.yml.erb3
25 files changed, 199 insertions, 49 deletions
diff --git a/.gitmodules b/.gitmodules
index 417457e8..6597612b 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -24,7 +24,7 @@
url = git://labs.riseup.net/shared-common
[submodule "puppet/modules/shorewall"]
path = puppet/modules/shorewall
- url = git://labs.riseup.net/shared-shorewall
+ url = git://code.leap.se/puppet_shorewall
[submodule "puppet/modules/resolvconf"]
path = puppet/modules/resolvconf
url = git://git.puppet.immerda.ch/module-resolvconf.git
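Review bot: The new shorewall URL on the `+ url = git://code.leap.se/puppet_shorewall` line, and the augeas submodule added in the next hunk, are fetched over the unauthenticated `git://` transport, so the transfer itself has no server authentication. What protects the content is the commit pointer pinned in the superproject, which only holds as long as nobody bumps that pointer from an unverified fetch. If code.leap.se serves it, `https://` for both URLs would authenticate the server as well; the existing entries use `git://` too, so this may be a deliberate convention.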
@@ -52,3 +52,6 @@
[submodule "puppet/modules/passenger"]
path = puppet/modules/passenger
url = git://code.leap.se/puppet_passenger
+[submodule "puppet/modules/augeas"]
+ path = puppet/modules/augeas
+ url = git://code.leap.se/puppet_augeas
diff --git a/provider_base/services/ca.json b/provider_base/services/ca.json
index a4ded72b..3fb8bf6c 100644
--- a/provider_base/services/ca.json
+++ b/provider_base/services/ca.json
@@ -5,6 +5,7 @@
},
"service_type": "internal_service",
"x509": {
- "use": true
+ "use": true,
+ "ca_key": "= file(:ca_key, :missing => 'CA key. Run `leap cert ca` to create the Certificate Authority.')"
}
}
diff --git a/puppet/modules/apt b/puppet/modules/apt
-Subproject 02bd3269948f1a3c5a586e581a7fec22da69a2c
+Subproject 0d5311b1a9fa82e4e423a9e7ce7f5eb919bab40
diff --git a/puppet/modules/augeas b/puppet/modules/augeas
new file mode 160000
+Subproject 44e84a988b859622e7b3583ac27331cf816017e
diff --git a/puppet/modules/shorewall b/puppet/modules/shorewall
-Subproject 911cc18e594bb5a3ab642ebb24615a0447050c3
+Subproject e511291a111db7a7d88a8820c5423aa5b92304e
diff --git a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf
index 79ad931d..0dff2cd6 100644
--- a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf
+++ b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf
@@ -3,8 +3,8 @@ Listen 0.0.0.0:6984
<VirtualHost *:6984>
SSLEngine On
SSLProxyEngine On
- SSLCertificateKeyFile /etc/couchdb/server_key.pem
- SSLCertificateFile /etc/couchdb/server_cert.pem
+ SSLCertificateKeyFile /etc/x509/keys/leap_couchdb.key
+ SSLCertificateFile /etc/x509/certs/leap_couchdb.crt
ProxyPass / http://127.0.0.1:5984/
ProxyPassReverse / http://127.0.0.1:5984/
</VirtualHost>
diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
index 37c4a727..05d5f69d 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -19,8 +19,8 @@
RequestHeader set X_FORWARDED_PROTO 'https'
- DocumentRoot /srv/leap_webapp/public
- Alias /1 /srv/leap_webapp/public
+ DocumentRoot /srv/leap-webapp/public
+ Alias /1 /srv/leap-webapp/public
# Check for maintenance file and redirect all requests
RewriteEngine On
diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb
index 85e7289b..8c820788 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb
@@ -21,8 +21,8 @@
RequestHeader set X_FORWARDED_PROTO 'https'
- DocumentRoot /srv/leap_webapp/public
- Alias /1 /srv/leap_webapp/public
+ DocumentRoot /srv/leap-webapp/public
+ Alias /1 /srv/leap-webapp/public
RewriteEngine On
# Check for maintenance file and redirect all requests
diff --git a/puppet/modules/site_apt/files/unstable.list b/puppet/modules/site_apt/files/unstable.list
deleted file mode 100644
index 0e289136..00000000
--- a/puppet/modules/site_apt/files/unstable.list
+++ /dev/null
@@ -1 +0,0 @@
-deb http://http.debian.net/debian unstable main
diff --git a/puppet/modules/site_config/manifests/apt.pp b/puppet/modules/site_apt/manifests/init.pp
index f7ba9ac9..631f5742 100644
--- a/puppet/modules/site_config/manifests/apt.pp
+++ b/puppet/modules/site_apt/manifests/init.pp
@@ -1,4 +1,4 @@
-class site_config::apt {
+class site_apt {
include ::apt
include site_apt::dist_upgrade
@@ -7,4 +7,5 @@ class site_config::apt {
content => 'Acquire::PDiffs "false";';
}
+ include ::apt::unattended_upgrades
}
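Review bot: `include ::apt::unattended_upgrades` on the new line enables automatic package upgrades with whatever origins and policy the `apt` module ships, none of which is visible here, so the manifest does not record which archives the host will now self-update from. A comment above it, `# automatic upgrades: origins and policy come from the apt module's unattended_upgrades defaults`, would make the intent explicit. The `class site_apt` opening is in the previous hunk; this hunk's `}` closes it.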
diff --git a/puppet/modules/site_ca_daemon/manifests/couchdb.pp b/puppet/modules/site_ca_daemon/manifests/couchdb.pp
index b5a1d2d4..f446a05b 100644
--- a/puppet/modules/site_ca_daemon/manifests/couchdb.pp
+++ b/puppet/modules/site_ca_daemon/manifests/couchdb.pp
@@ -6,8 +6,8 @@ class site_ca_daemon::couchdb {
$couchdb_password = $ca['couchdb_user']['password']
file {
- '/srv/leap_ca_daemon/config/couchdb.yml':
- content => template('site_ca_daemon/couchdb.yml.erb'),
+ '/etc/leap/leap_ca.yaml':
+ content => template('site_ca_daemon/leap_ca.yaml.erb'),
owner => leap_ca_daemon,
group => leap_ca_daemon,
mode => '0600';
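Review bot: The renamed target `/etc/leap/leap_ca.yaml` requires `/etc/leap` to exist, and a Puppet `file` resource does not create parent directories; nothing in this hunk declares that directory, so unless another class manages it the first apply will fail on this resource. Declaring `file { '/etc/leap': ensure => directory, owner => root, group => root, mode => '0755' }` (or requiring the class that owns it) closes the gap. The class `site_ca_daemon::couchdb` continues outside the hunk on both sides.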
diff --git a/puppet/modules/site_ca_daemon/manifests/init.pp b/puppet/modules/site_ca_daemon/manifests/init.pp
index c749da12..29a70df8 100644
--- a/puppet/modules/site_ca_daemon/manifests/init.pp
+++ b/puppet/modules/site_ca_daemon/manifests/init.pp
@@ -3,6 +3,7 @@ class site_ca_daemon {
#$definition_files = hiera('definition_files')
#$provider = $definition_files['provider']
#$eip_service = $definition_files['eip_service']
+ $x509 = hiera('x509')
Class[Ruby] -> Class[rubygems] -> Class[bundler::install]
@@ -27,6 +28,38 @@ class site_ca_daemon {
require => [ Group['leap_ca_daemon'] ];
}
+
+ x509::key {
+ 'leap_ca_daemon':
+ content => $x509['ca_key'];
+ #notify => Service['leap_ca_daemon']; <== no service yet for leap_ca_daemon
+ }
+
+ x509::cert {
+ 'leap_ca_daemon':
+ content => $x509['ca_cert'];
+ #notify => Service['leap_ca_daemon']; <== no service yet for leap_ca_daemon
+ }
+
+ #
+ # Does CA need a server key/cert? I think not now.
+ #
+ # x509::key {
+ # 'server':
+ # content => $x509['key'];
+ # }
+ #
+ # x509::cert {
+ # 'server':
+ # content => $x509['cert'];
+ # }
+
+ # x509::ca {
+ # 'leap_ca_daemon':
+ # content => $x509['ca_cert'];
+ # }
+
+
file { '/srv/leap_ca_daemon':
ensure => directory,
owner => 'leap_ca_daemon',
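Review bot: The commented-out block from `# Does CA need a server key/cert?` through the `# x509::ca {` stub is dead code that reads as an unfinished design note rather than configuration; the open question belongs in a tracker or a one-line `# TODO`, and the stubs should be dropped until they are needed. The two live resources install the CA private key and certificate under the name `leap_ca_daemon`, and the daemon's `leap_ca.yaml.erb` template hard-codes `/etc/x509/keys/leap_ca_daemon.key` to find it, so a comment such as `# resource name must match ca_key_path/ca_cert_path in leap_ca.yaml.erb` would tie the two files together. The `#notify` placeholders are fine as markers while no service exists.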
@@ -36,7 +69,7 @@ class site_ca_daemon {
vcsrepo { '/srv/leap_ca_daemon':
ensure => present,
- revision => 'origin/deploy',
+ revision => 'origin/master',
provider => git,
source => 'git://code.leap.se/leap_ca',
owner => 'leap_ca_daemon',
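Review bot: `revision => 'origin/master'` tracks a moving branch, so each Puppet run may check out whatever `master` currently is at `git://code.leap.se/leap_ca`, fetched over an unauthenticated transport; the CA daemon's code is therefore not pinned to a reviewed version. Pinning to a tag or commit, `revision => '<release tag or commit>'`, and bumping it deliberately gives a reproducible deploy. The vcsrepo resource and the enclosing class continue outside the hunk.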
@@ -52,4 +85,8 @@ class site_ca_daemon {
require => [ Class['bundler::install'], Vcsrepo['/srv/leap_ca_daemon'] ];
}
+ file { '/usr/local/bin/leap_ca_daemon':
+ ensure => link,
+ target => '/srv/leap_ca_daemon/bin/leap_ca',
+ }
}
diff --git a/puppet/modules/site_ca_daemon/templates/couchdb.yml.erb b/puppet/modules/site_ca_daemon/templates/couchdb.yml.erb
deleted file mode 100644
index f5132599..00000000
--- a/puppet/modules/site_ca_daemon/templates/couchdb.yml.erb
+++ /dev/null
@@ -1,7 +0,0 @@
-production:
- protocol: 'https'
- host: <%= couchdb_host %>
- port: 443
- username: <%= couchdb_user %>
- password: <%= couchdb_password %>
-
diff --git a/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb b/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb
new file mode 100644
index 00000000..e0b95278
--- /dev/null
+++ b/puppet/modules/site_ca_daemon/templates/leap_ca.yaml.erb
@@ -0,0 +1,31 @@
+#
+# Default configuration options for LEAP Certificate Authority Daemon
+#
+
+#
+# Certificate Authority
+#
+ca_key_path: "/etc/x509/keys/leap_ca_daemon.key"
+ca_key_password: nil
+ca_cert_path: "/etc/x509/certs/leap_ca_daemon.crt"
+
+#
+# Certificate pool
+#
+max_pool_size: 100
+client_cert_lifespan: 2
+client_cert_bit_size: 2024
+client_cert_hash: "SHA256"
+
+#
+# Database
+#
+db_name: "client_certificates"
+couch_connection:
+ protocol: "https"
+ host: <%= couchdb_host %>
+ port: 6984
+ username: <%= couchdb_user %>
+ password: <%= couchdb_password %>
+ prefix: ""
+ suffix: ""
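Review bot: `ca_key_password: nil` is not a YAML null — an unquoted `nil` loads as the string `"nil"` in Ruby's YAML, so if the daemon passes the value through as a passphrase it will attempt to decrypt the key with that literal text; use `ca_key_password: ~` (or `null`) for an unencrypted key. `client_cert_bit_size: 2024` is not a conventional RSA modulus size and looks like a typo for 2048. `client_cert_lifespan: 2` carries no unit; a trailing comment such as `# unit per leap_ca (days?) — confirm` would stop readers guessing.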
diff --git a/puppet/modules/site_config/files/bind9 b/puppet/modules/site_config/files/bind9
new file mode 100644
index 00000000..50d8ed14
--- /dev/null
+++ b/puppet/modules/site_config/files/bind9
@@ -0,0 +1,8 @@
+# managed by puppet
+
+# run resolvconf?
+RESOLVCONF=no
+
+# startup options for the server
+OPTIONS="-u bind -4"
+
diff --git a/puppet/modules/site_config/files/named.conf.options b/puppet/modules/site_config/files/named.conf.options
new file mode 100644
index 00000000..47df6c5d
--- /dev/null
+++ b/puppet/modules/site_config/files/named.conf.options
@@ -0,0 +1,6 @@
+options {
+ allow-query { 127.0.0.1; };
+ allow-transfer { none; };
+ listen-on { 127.0.0.1; };
+};
+
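Review bot: The new `options { ... }` block does not set `listen-on-v6`, so whether named opens an IPv6 socket depends on the BIND default; the sibling `bind9` defaults file passes `-4`, but this file should not rely on that, and an explicit `listen-on-v6 { none; };` next to `listen-on { 127.0.0.1; };` makes the loopback-only intent self-contained. The sibling file also carries a `# managed by puppet` header while this one has none; `// managed by puppet` at the top would keep the two consistent.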
diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp
new file mode 100644
index 00000000..06cd5c01
--- /dev/null
+++ b/puppet/modules/site_config/manifests/hosts.pp
@@ -0,0 +1,20 @@
+class site_config::hosts() {
+
+ $hosts = hiera('hosts','')
+ $hostname = hiera('name')
+
+ file { "/etc/hostname":
+ ensure => present,
+ content => $hostname
+ }
+
+ exec { "/bin/hostname $hostname":
+ subscribe => [ File['/etc/hostname'], File['/etc/hosts'] ],
+ refreshonly => true;
+ }
+
+ file { '/etc/hosts':
+ content => template('site_config/hosts'),
+ mode => '0644', owner => root, group => root;
+ }
+}
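Review bot: `exec { "/bin/hostname $hostname": ... }` interpolates a hiera value straight into a command string, and `/etc/hostname` receives the same value unvalidated; a `name` containing whitespace or shell metacharacters would at best produce a broken command and, depending on how the exec provider runs it, could be interpreted by a shell. A guard before the resources, `if $hostname !~ /^[A-Za-z0-9.-]+$/ { fail("invalid hostname: ${hostname}") }`, rejects bad data at catalog compile time. `/etc/hostname` is also written without a trailing newline; `content => "${hostname}\n"` matches what the system tools write.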
diff --git a/puppet/modules/site_config/manifests/init.pp b/puppet/modules/site_config/manifests/init.pp
index 7f67ad4e..ef4ffbd3 100644
--- a/puppet/modules/site_config/manifests/init.pp
+++ b/puppet/modules/site_config/manifests/init.pp
@@ -4,11 +4,20 @@ class site_config {
include lsb, git
# configure apt
- include site_config::apt
+ include site_apt
# configure ssh and include ssh-keys
include site_config::sshd
# configure /etc/resolv.conf
include site_config::resolvconf
+
+ # configure /etc/hosts
+ stage { 'initial':
+ before => Stage['main'],
+ }
+
+ class { 'site_config::hosts':
+ stage => initial,
+ }
}
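Review bot: The new `stage { 'initial': before => Stage['main'] }` is declared inside `class site_config`, and the only comment above it is `# configure /etc/hosts`, so a reader cannot tell why hosts must run before everything else. A comment such as `# hosts runs in its own earlier stage so hostname and /etc/hosts are in place before any class in Stage['main'] is evaluated` would capture the intent; if only specific resources need that ordering, a `before`/`require` on them is simpler than a stage and avoids cross-stage dependency cycles. The reason for the ordering is inferred, not visible in the hunk.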
diff --git a/puppet/modules/site_config/manifests/resolvconf.pp b/puppet/modules/site_config/manifests/resolvconf.pp
index bd0539b9..78f83a62 100644
--- a/puppet/modules/site_config/manifests/resolvconf.pp
+++ b/puppet/modules/site_config/manifests/resolvconf.pp
@@ -1,8 +1,29 @@
class site_config::resolvconf {
+
+ # bind9
package { 'bind9':
ensure => installed,
}
+ service { 'bind9':
+ ensure => running,
+ require => Package['bind9'],
+ }
+
+ file { '/etc/default/bind9':
+ source => 'puppet:///modules/site_config/bind9',
+ require => Package['bind9'],
+ notify => Service['bind9'],
+ }
+
+ file { '/etc/bind/named.conf.options':
+ source => 'puppet:///modules/site_config/named.conf.options',
+ require => Package['bind9'],
+ notify => Service['bind9'],
+ }
+
+
+
$domain_hash = hiera('domain')
$domain_public = $domain_hash['public']
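Review bot: `service { 'bind9': ensure => running, ... }` does not set `enable => true`, so the manifest keeps the daemon running during a run but leaves boot-time enablement to whatever the package did; adding `enable => true,` makes the intent explicit. The three blank lines after the `named.conf.options` file resource are stray. The class continues outside the hunk; the hiera lookups that follow are unchanged.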
diff --git a/puppet/modules/site_config/templates/hosts b/puppet/modules/site_config/templates/hosts
new file mode 100644
index 00000000..c516eaf8
--- /dev/null
+++ b/puppet/modules/site_config/templates/hosts
@@ -0,0 +1,13 @@
+# This file is managed by puppet, any changes will be overwritten!
+
+127.0.0.1 localhost
+<%- if hosts.to_s != '' then -%>
+<%= hosts %>
+<% end -%>
+
+# The following lines are desirable for IPv6 capable hosts
+::1 ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
index fb3477db..02aae0c3 100644
--- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
+++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
@@ -10,20 +10,16 @@ define site_couchdb::apache_ssl_proxy ($key, $cert) {
}
apache::vhost::file { 'couchdb_proxy': }
- file { '/etc/couchdb/server_cert.pem':
- mode => '0644',
- owner => 'couchdb',
- group => 'couchdb',
- content => $cert,
- notify => Service[apache],
+ x509::key {
+ 'leap_couchdb':
+ content => $x509['key'],
+ notify => Service[apache];
}
- file { '/etc/couchdb/server_key.pem':
- mode => '0600',
- owner => 'couchdb',
- group => 'couchdb',
- content => $key,
- notify => Service[apache],
+ x509::cert {
+ 'leap_couchdb':
+ content => $x509['cert'],
+ notify => Service[apache];
}
}
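Review bot: The define still takes `($key, $cert)` but the new resources read `$x509['key']` and `$x509['cert']`, a variable the define neither declares nor receives, so the two parameters are now dead and `$x509` must be found in an outer scope — if it is not, the content is undef and an empty key file would be written. Either pass the parameters through, `content => $key,` / `content => $cert,`, or change the signature to take `$x509` so the dependency is explicit. The previous `file` resources also pinned the key to `mode '0600'`; whatever mode `x509::key` applies is not visible here. The first line of the define's body is outside the hunk.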
diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp
index 12c1bd8f..4c43ec05 100644
--- a/puppet/modules/site_openvpn/manifests/keys.pp
+++ b/puppet/modules/site_openvpn/manifests/keys.pp
@@ -1,22 +1,26 @@
class site_openvpn::keys {
- file { '/etc/openvpn/keys/ca.crt':
- content => $site_openvpn::x509_config['ca_cert'],
- mode => '0644',
+ x509::key {
+ 'leap_openvpn':
+ content => $site_openvpn::x509_config['key'],
+ notify => Service[openvpn];
}
- file { '/etc/openvpn/keys/dh.pem':
- content => $site_openvpn::x509_config['dh'],
- mode => '0644',
+ x509::cert {
+ 'leap_openvpn':
+ content => $site_openvpn::x509_config['cert'],
+ notify => Service[openvpn];
}
- file { '/etc/openvpn/keys/server.key':
- content => $site_openvpn::x509_config['key'],
- mode => '0600',
+ x509::ca {
+ 'leap_openvpn':
+ content => $site_openvpn::x509_config['ca_cert'],
+ notify => Service[openvpn];
}
- file { '/etc/openvpn/keys/server.crt':
- content => $site_openvpn::x509_config['cert'],
+ file { '/etc/openvpn/keys/dh.pem':
+ content => $site_openvpn::x509_config['dh'],
mode => '0644',
}
+
}
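Review bot: The replaced `file` resources for `server.key` pinned `mode => '0600'`, whereas the new `x509::key { 'leap_openvpn': ... }` leaves the key's owner and mode to the x509 module, which is not visible here; worth confirming it writes the key unreadable to other users and that OpenVPN (which reads the key before dropping privileges, per its own config outside this hunk) can still open it. A comment above the three x509 resources, `# paths are fixed by the x509 module and referenced in server_config.pp`, would explain why no path appears in this file. The `dh.pem` resource is unchanged apart from its position.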
diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp
index 6fc3a3c2..c4f64225 100644
--- a/puppet/modules/site_openvpn/manifests/server_config.pp
+++ b/puppet/modules/site_openvpn/manifests/server_config.pp
@@ -69,15 +69,15 @@ define site_openvpn::server_config ($port, $proto, $local, $server, $push, $mana
openvpn::option {
"ca $openvpn_configname":
key => 'ca',
- value => '/etc/openvpn/keys/ca.crt',
+ value => '/usr/local/share/ca-certificates/leap_openvpn.crt',
server => $openvpn_configname;
"cert $openvpn_configname":
key => 'cert',
- value => '/etc/openvpn/keys/server.crt',
+ value => '/etc/x509/certs/leap_openvpn.crt',
server => $openvpn_configname;
"key $openvpn_configname":
key => 'key',
- value => '/etc/openvpn/keys/server.key',
+ value => '/etc/x509/keys/leap_openvpn.key',
server => $openvpn_configname;
"dh $openvpn_configname":
key => 'dh',
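Review bot: `value => '/usr/local/share/ca-certificates/leap_openvpn.crt'` points OpenVPN's `ca` option at the directory consumed by `update-ca-certificates`, which suggests the VPN CA is also being installed into the system-wide trust store; if so, every TLS client on the host would trust certificates issued by the OpenVPN CA, which is far more than OpenVPN needs. Pointing `ca` at a copy under `/etc/x509/certs/` or `/etc/openvpn/` would avoid widening system trust. This is inferred from the path; the `x509::ca` define that writes the file is not visible here, and the `openvpn::option` block continues outside the hunk.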
diff --git a/puppet/modules/site_shorewall/manifests/defaults.pp b/puppet/modules/site_shorewall/manifests/defaults.pp
index 88981e5f..d348bf00 100644
--- a/puppet/modules/site_shorewall/manifests/defaults.pp
+++ b/puppet/modules/site_shorewall/manifests/defaults.pp
@@ -8,6 +8,13 @@ class site_shorewall::defaults {
shorewall::zone {'net': type => 'ipv4'; }
- shorewall::rule_section { 'NEW': order => 10; }
+ include augeas
+
+ augeas { 'enable_ip_forwarding':
+ changes => 'set /files/etc/shorewall/shorewall.conf/IP_FORWARDING Yes',
+ lens => 'Shellvars.lns',
+ incl => '/etc/shorewall/shorewall.conf',
+ notify => Service[shorewall];
+ }
}
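Review bot: Setting `IP_FORWARDING` to `Yes` turns the host into a router, so the forwarding policy between zones now decides what traffic crosses it; nothing in this hunk adds a policy, and the removed `shorewall::rule_section { 'NEW': order => 10; }` may still be referenced by rules elsewhere that name that section. Worth confirming that a DROP/REJECT default policy for forwarded traffic is declared in the sibling manifests and that no rule depends on the `NEW` section. A comment on the augeas resource, `# forwarding is required by <consumer> — confirm`, would record which class needs it.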
diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb
index f5132599..e5678680 100644
--- a/puppet/modules/site_webapp/templates/couchdb.yml.erb
+++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb
@@ -1,7 +1,8 @@
production:
+ prefix: ""
protocol: 'https'
host: <%= couchdb_host %>
- port: 443
+ port: 6984
username: <%= couchdb_user %>
password: <%= couchdb_password %>