-rw-r--r-- | .gitmodules | 19 | ||||
-rw-r--r-- | puppet/manifests/site.pp | 4 | ||||
m--------- | puppet/modules/bundler | 0 | ||||
m--------- | puppet/modules/passenger | 0 | ||||
m--------- | puppet/modules/ruby | 0 | ||||
m--------- | puppet/modules/rubygems | 0 | ||||
-rw-r--r-- | puppet/modules/site_apache/templates/vhosts.d/api.conf.erb | 37 | ||||
-rw-r--r-- | puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb | 40 | ||||
-rw-r--r-- | puppet/modules/site_webapp/manifests/apache.pp | 62 | ||||
-rw-r--r-- | puppet/modules/site_webapp/manifests/couchdb.pp | 16 | ||||
-rw-r--r-- | puppet/modules/site_webapp/manifests/init.pp | 73 | ||||
-rw-r--r-- | puppet/modules/site_webapp/templates/couchdb.yml.erb | 7 | ||||
m--------- | puppet/modules/vcsrepo | 8 | ||||
m--------- | puppet/modules/x509 | 0 |
14 files changed, 265 insertions, 1 deletions
diff --git a/.gitmodules b/.gitmodules
index 09f185f8..417457e8 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -34,4 +34,21 @@
 [submodule "puppet/modules/apache"]
 path = puppet/modules/apache
 url = git://code.leap.se/puppet_apache
-
+[submodule "puppet/modules/bundler"]
+ path = puppet/modules/bundler
+ url = git://code.leap.se/puppet_bundler
+[submodule "puppet/modules/vcsrepo"]
+ path = puppet/modules/vcsrepo
+ url = git://github.com/puppetlabs/puppetlabs-vcsrepo.git
+[submodule "puppet/modules/rubygems"]
+ path = puppet/modules/rubygems
+ url = git://code.leap.se/puppet_rubygems
+[submodule "puppet/modules/ruby"]
+ path = puppet/modules/ruby
+ url = git://code.leap.se/puppet_ruby
+[submodule "puppet/modules/x509"]
+ path = puppet/modules/x509
+ url = git://code.leap.se/puppet_x509
+[submodule "puppet/modules/passenger"]
+ path = puppet/modules/passenger
+ url = git://code.leap.se/puppet_passenger
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index 0ae86f8e..9da2174c 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -18,4 +18,8 @@ node 'default' {
 if 'couchdb' in $services {
 include site_couchdb
 }
+
+ if 'webapp' in $services {
+ include site_webapp
+ }
 }
diff --git a/puppet/modules/bundler b/puppet/modules/bundler
new file mode 160000
+Subproject b91d6abfa931b8ef63594092d841701d3ee2328
diff --git a/puppet/modules/passenger b/puppet/modules/passenger
new file mode 160000
+Subproject d1b46de84acf4d9e3582b64e019935fb1125f9b
diff --git a/puppet/modules/ruby b/puppet/modules/ruby
new file mode 160000
+Subproject e4de25d78eefc7df70a35dee22a3e0dc1b7e1d0
diff --git a/puppet/modules/rubygems b/puppet/modules/rubygems
new file mode 160000
+Subproject 1e5ed3dbef9381bb9d5e2a7b4957bb3f5288d6a
diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
new file mode 100644
index 00000000..37c4a727
--- /dev/null
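Review bot: Every submodule url in this hunk, the six new ones and the existing apache one, uses the `git://` transport, which authenticates neither the server nor the bytes received, so a network-position attacker can serve a substituted module on the first `git submodule update`. The superproject's recorded submodule commits bound what can be substituted only as long as those pins are honoured and nobody updates with `--remote`; an authenticated transport removes that dependence, e.g. `url = https://code.leap.se/puppet_bundler` and `url = https://github.com/puppetlabs/puppetlabs-vcsrepo.git`. Whether code.leap.se serves HTTPS is not visible from this commit.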
+++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb
@@ -0,0 +1,37 @@
+<VirtualHost *:80>
+ ServerName <%= api_domain %>
+ RewriteEngine On
+ RewriteRule ^.*$ https://<%= api_domain -%>%{REQUEST_URI} [R=permanent,L]
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName <%= api_domain %>
+
+ SSLEngine on
+ SSLProtocol -all +SSLv3 +TLSv1
+ SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+ SSLHonorCipherOrder on
+
+ SSLCACertificatePath /etc/ssl/certs
+ SSLCertificateChainFile /etc/ssl/certs/leap_api.pem
+ SSLCertificateKeyFile /etc/x509/keys/leap_api.key
+ SSLCertificateFile /etc/x509/certs/leap_api.crt
+
+ RequestHeader set X_FORWARDED_PROTO 'https'
+
+ DocumentRoot /srv/leap_webapp/public
+ Alias /1 /srv/leap_webapp/public
+
+ # Check for maintenance file and redirect all requests
+ RewriteEngine On
+ RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
+ RewriteCond %{SCRIPT_FILENAME} !maintenance.html
+ RewriteCond %{REQUEST_URI} !/images/maintenance.jpg
+ RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L]
+
+ # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt
+ AllowEncodedSlashes on
+ PassengerAllowEncodedSlashes on
+ PassengerFriendlyErrorPages off
+ SetEnv TMPDIR /var/tmp
+</VirtualHost>
diff --git a/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb
new file mode 100644
index 00000000..85e7289b
--- /dev/null
+++ b/puppet/modules/site_apache/templates/vhosts.d/leap_webapp.conf.erb
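Review bot: `SSLProtocol -all +SSLv3 +TLSv1` keeps SSLv3 enabled on the API vhost and `SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH` admits the MEDIUM-strength suites such as RC4, so a downgrade-capable attacker can force a session onto the weakest of those; tighten to at least `SSLProtocol -all +TLSv1` and `SSLCipherSuite HIGH:!aNULL:!MD5:@STRENGTH` (the `!SSLv2` token is redundant once `-all` is in force), adding `+TLSv1.1 +TLSv1.2` if the target Apache accepts them, which is not visible here. Since the port-80 vhost already redirects permanently and site_webapp::apache loads mod_headers, `Header always set Strict-Transport-Security "max-age=31536000"` in the 443 block would also pin returning clients to TLS. The same protocol and cipher lines appear in leap_webapp.conf.erb and should be changed together.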
@@ -0,0 +1,40 @@
+<VirtualHost *:80>
+ ServerName <%= domain %>
+ ServerAlias www.<%= domain %>
+ RewriteEngine On
+ RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L]
+</VirtualHost>
+
+<VirtualHost *:443>
+ ServerName <%= domain %>
+ ServerAlias www.<%= domain %>
+
+ SSLEngine on
+ SSLProtocol -all +SSLv3 +TLSv1
+ SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+ SSLHonorCipherOrder on
+
+ SSLCACertificatePath /etc/ssl/certs
+ SSLCertificateChainFile /etc/ssl/certs/leap_webapp.pem
+ SSLCertificateKeyFile /etc/x509/keys/leap_webapp.key
+ SSLCertificateFile /etc/x509/certs/leap_webapp.crt
+
+ RequestHeader set X_FORWARDED_PROTO 'https'
+
+ DocumentRoot /srv/leap_webapp/public
+ Alias /1 /srv/leap_webapp/public
+
+ RewriteEngine On
+ # Check for maintenance file and redirect all requests
+ RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
+ RewriteCond %{SCRIPT_FILENAME} !maintenance.html
+ RewriteCond %{REQUEST_URI} !/images/maintenance.jpg
+ RewriteRule ^.*$ %{DOCUMENT_ROOT}/system/maintenance.html [L]
+
+ # http://www.modrails.com/documentation/Users%20guide%20Apache.html#_passengerallowencodedslashes_lt_on_off_gt
+ AllowEncodedSlashes on
+ PassengerAllowEncodedSlashes on
+ PassengerFriendlyErrorPages off
+ SetEnv TMPDIR /var/tmp
+</VirtualHost>
+
diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp
new file mode 100644
index 00000000..8532cc38
--- /dev/null
+++ b/puppet/modules/site_webapp/manifests/apache.pp
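Review bot: `DocumentRoot /srv/leap_webapp/public` and `Alias /1 /srv/leap_webapp/public` spell the application path with an underscore, while site_webapp's init.pp in this same commit checks the application out to `/srv/leap-webapp` (hyphen) and writes provider.json, ca.crt and config/ under `/srv/leap-webapp/public`; unless something outside this commit creates the underscore path, Apache serves a nonexistent DocumentRoot and Passenger never finds the app. Change both lines to `/srv/leap-webapp/public` (api.conf.erb has the same pair), or better, hand the path into the templates from the manifest so it is spelled once. The SSLv3 and MEDIUM-cipher settings in the 443 block have the same weakness as the API template.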
@@ -0,0 +1,62 @@
+class site_webapp::apache {
+
+ $api_domain = hiera('api_domain')
+ $x509 = hiera('x509')
+ $commercial_key = $x509['commercial_key']
+ $commercial_cert = $x509['commercial_cert']
+ $commercial_root = $x509['commercial_ca_cert']
+ $api_key = $x509['key']
+ $api_cert = $x509['cert']
+ $api_root = $x509['ca_cert']
+
+ $apache_no_default_site = true
+ include apache::ssl
+
+ apache::module {
+ 'alias': ensure => present;
+ 'rewrite': ensure => present;
+ 'headers': ensure => present;
+ }
+
+ class { 'passenger': use_munin => false }
+
+ apache::vhost::file {
+ 'leap_webapp':
+ content => template('site_apache/vhosts.d/leap_webapp.conf.erb')
+ }
+
+ apache::vhost::file {
+ 'api':
+ content => template('site_apache/vhosts.d/api.conf.erb')
+ }
+
+ x509::key {
+ 'leap_webapp':
+ content => $commercial_key,
+ notify => Service[apache];
+
+ 'leap_api':
+ content => $api_key,
+ notify => Service[apache];
+ }
+
+ x509::cert {
+ 'leap_webapp':
+ content => $commercial_cert,
+ notify => Service[apache];
+
+ 'leap_api':
+ content => $api_cert,
+ notify => Service[apache];
+ }
+
+ x509::ca {
+ 'leap_webapp':
+ content => $commercial_root,
+ notify => Service[apache];
+
+ 'leap_api':
+ content => $api_root,
+ notify => Service[apache];
+ }
+}
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
new file mode 100644
index 00000000..6cac666f
--- /dev/null
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -0,0 +1,16 @@
+class site_webapp::couchdb {
+
+ $webapp = hiera('webapp')
+ $couchdb_host = $webapp['couchdb_hosts']
+ $couchdb_user = $webapp['couchdb_user']['username']
+ $couchdb_password = $webapp['couchdb_user']['password']
+
+ file {
+ '/srv/leap-webapp/config/couchdb.yml':
+ content => template('site_webapp/couchdb.yml.erb'),
+ owner => leap-webapp,
+ group => leap-webapp,
+ mode => '0600';
+ }
+
+}
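Review bot: `$apache_no_default_site = true` is a plain class-local variable, so the vendored apache module can only observe it through dynamic scoping, which Puppet 2.7 deprecates and Puppet 3 removes; if that is how the module consumes it, the default site silently stays enabled on newer Puppet and answers every Host header these two vhosts do not match. Confirm how the module reads the flag and set it through its supported interface (a class parameter or hiera key), or at minimum mark the intent with `# read by the apache module via dynamic scope -- TODO confirm`. The two templates name `/etc/ssl/certs/leap_api.pem` and `/etc/ssl/certs/leap_webapp.pem` as chain files while the chains are declared here as `x509::ca` resources whose output path is not visible in this commit, so verify those paths agree.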
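Review bot: The file `/srv/leap-webapp/config/couchdb.yml` is written inside the application checkout, but nothing orders it after the `vcsrepo { '/srv/leap-webapp': ... }` declared in site_webapp, and `config/` is not a managed File resource Puppet could autorequire, so on a fresh host this resource can run before the clone exists and fail; add `require => Vcsrepo['/srv/leap-webapp']` to it. `$couchdb_host = $webapp['couchdb_hosts']` reads a plural hiera key into the variable the template renders as the single `host:` scalar; if that key holds a list the YAML will carry Ruby's array rendering, so confirm the key's shape or select one element explicitly. Owning the credentials file by leap-webapp at mode `0600` is the right choice.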
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
new file mode 100644
index 00000000..c5f33b5a
--- /dev/null
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -0,0 +1,73 @@
+class site_webapp {
+
+ $definition_files = hiera('definition_files')
+ $provider = $definition_files['provider']
+ $eip_service = $definition_files['eip_service']
+
+ Class[Ruby] -> Class[rubygems] -> Class[bundler::install]
+
+ class { 'ruby': ruby_version => '1.9.3' }
+
+ class { 'bundler::install': install_method => '' }
+
+ include rubygems
+ include site_webapp::apache
+ include site_webapp::couchdb
+
+ group { 'leap-webapp':
+ ensure => present,
+ allowdupe => false;
+ }
+
+ user { 'leap-webapp':
+ ensure => present,
+ allowdupe => false,
+ gid => 'leap-webapp',
+ home => '/srv/leap-webapp',
+ require => [ Group['leap-webapp'] ];
+ }
+
+ file { '/srv/leap-webapp':
+ ensure => present,
+ owner => 'leap-webapp',
+ group => 'leap-webapp',
+ require => User['leap-webapp'];
+ }
+
+ vcsrepo { '/srv/leap-webapp':
+ ensure => present,
+ revision => 'origin/develop',
+ provider => git,
+ source => 'git://code.leap.se/leap_web',
+ owner => 'leap-webapp',
+ group => 'leap-webapp',
+ require => [ User['leap-webapp'], Group['leap-webapp'] ],
+ notify => Exec['bundler_update']
+ }
+
+ exec { 'bundler_update':
+ cwd => '/srv/leap-webapp',
+ command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install"',
+ unless => '/usr/bin/bundle check',
+ require => [ Class['bundler::install'], Vcsrepo['/srv/leap-webapp'] ];
+ }
+
+ file {
+ '/srv/leap-webapp/public/provider.json':
+ content => $provider,
+ owner => leap-webapp, group => leap-webapp, mode => '0644';
+
+ '/srv/leap-webapp/public/ca.crt':
+ content => $cert_root,
+ owner => leap-webapp, group => leap-webapp, mode => '0644';
+
+ '/srv/leap-webapp/public/config':
+ ensure => directory,
+ owner => leap-webapp, group => leap-webapp, mode => '0755';
+
+ '/srv/leap-webapp/public/config/eip-service.json':
+ content => $eip_service,
+ owner => leap-webapp, group => leap-webapp, mode => '0644';
+ }
+
+}
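Review bot: `content => $cert_root` on `/srv/leap-webapp/public/ca.crt` references a variable this class never assigns (the CA value is read as `$api_root` inside site_webapp::apache, a different scope), so the CA certificate the app publishes will be empty or, depending on how the deployed Puppet treats undefined variables, fail the catalog; read it here with `$x509 = hiera('x509')` and `$cert_root = $x509['ca_cert']`. The vcsrepo then clones the unpinned `origin/develop` of `git://code.leap.se/leap_web`, a transport with no server or content authentication, and notifies an exec that runs `bundle install` on whatever arrived, so a network-position attacker gets code execution on the node; pin a tag or commit in `revision` and use https or ssh in `source`. `file { '/srv/leap-webapp': ensure => present }` creates a regular file rather than a directory when the path does not yet exist, which would make the clone into it fail on a fresh host, so `ensure => directory` looks intended.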
diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb
new file mode 100644
index 00000000..f5132599
--- /dev/null
+++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb
@@ -0,0 +1,7 @@
+production:
+ protocol: 'https'
+ host: <%= couchdb_host %>
+ port: 443
+ username: <%= couchdb_user %>
+ password: <%= couchdb_password %>
+
diff --git a/puppet/modules/vcsrepo b/puppet/modules/vcsrepo
new file mode 160000
+Subproject 04851c28b12973c679fc9f234fd0f5a193df9d7
diff --git a/puppet/modules/x509 b/puppet/modules/x509
new file mode 160000
+Subproject d7a252b77db843e800ed9fc92a56d5214f43202 |
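Review bot: `password: <%= couchdb_password %>` and `username: <%= couchdb_user %>` are emitted as bare YAML scalars, so a password that starts with a YAML indicator (`*`, `&`, `!`, `[`, `{`, `#`, `'`, `"`) or contains `: ` or ` #` will fail to parse or be silently altered, and a digits-only one is loaded as an Integer rather than a String; quote and escape both, e.g. `password: '<%= couchdb_password.gsub("'", "''") %>'`. `host: <%= couchdb_host %>` is fed from the plural `couchdb_hosts` hiera key in site_webapp::couchdb, and if that key is a list the rendered value is Ruby's array form, which the consuming app may not expect; confirm the key's shape. Nothing here disables certificate verification, which is good, but whether the app verifies the CouchDB certificate against a CA is decided elsewhere and is worth checking.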