diff options
-rw-r--r-- | provider_base/services/couchdb.json | 5 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/hosts.pp | 2 | ||||
-rw-r--r-- | puppet/modules/site_couchdb/manifests/init.pp | 1 | ||||
-rw-r--r-- | puppet/modules/site_couchdb/manifests/stunnel.pp | 67 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/couchdb.pp | 10 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp | 36 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/couchdb/dnat.pp | 21 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/dnat.pp | 19 | ||||
-rw-r--r-- | puppet/modules/site_stunnel/manifests/clients.pp | 26 | ||||
-rw-r--r-- | puppet/modules/site_stunnel/manifests/setup.pp | 24 | ||||
-rw-r--r-- | puppet/modules/site_webapp/manifests/couchdb.pp | 38 | ||||
-rw-r--r-- | puppet/modules/site_webapp/manifests/couchdb_stunnel.pp | 43 | ||||
-rw-r--r-- | puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp | 17 |
13 files changed, 216 insertions, 93 deletions
diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json index e60f4e0f..ce46e3bb 100644 --- a/provider_base/services/couchdb.json +++ b/provider_base/services/couchdb.json @@ -4,11 +4,14 @@ "use": true }, "stunnel": { - "couch_server": "= stunnel_server(couch.port)" + "couch_server": "= stunnel_server(couch.port)", + "bigcouch_replication_server": "= stunnel_server(couch.bigcouch.port)", + "bigcouch_replication_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.port)" }, "couch": { "port": 5984, "bigcouch": { + "port": 4369, "cookie": "= secret :bigcouch_cookie" }, "users": { diff --git a/puppet/modules/site_config/manifests/hosts.pp b/puppet/modules/site_config/manifests/hosts.pp index 81795f7d..1e1590f5 100644 --- a/puppet/modules/site_config/manifests/hosts.pp +++ b/puppet/modules/site_config/manifests/hosts.pp @@ -9,7 +9,7 @@ class site_config::hosts() { content => $hostname } - exec { "/bin/hostname $hostname": + exec { "/bin/hostname ${hostname}": subscribe => [ File['/etc/hostname'], File['/etc/hosts'] ], refreshonly => true; } diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index d317de65..e0f379cd 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -67,4 +67,5 @@ class site_couchdb ( $bigcouch = false ) { } include site_shorewall::couchdb + include site_shorewall::couchdb::bigcouch } diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 1afe25a4..1eb79293 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -1,43 +1,70 @@ class site_couchdb::stunnel ($key, $cert, $ca) { - include x509::variables - include site_stunnel + $stunnel = hiera('stunnel') + + $couch_server = $stunnel['couch_server'] + $couch_server_accept = $couch_server['accept'] + $couch_server_connect = $couch_server['connect'] + + $bigcouch_replication_server = $stunnel['bigcouch_replication_server'] + $bigcouch_replication_server_accept = $bigcouch_replication_server['accept'] + $bigcouch_replication_server_connect = $bigcouch_replication_server['connect'] + $bigcouch_replication_clients = $stunnel['bigcouch_replication_clients'] + + include x509::variables $cert_name = 'leap_couchdb' $ca_name = 'leap_ca' $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" $cert_path = "${x509::variables::certs}/${cert_name}.crt" $key_path = "${x509::variables::keys}/${cert_name}.key" - x509::key { - $cert_name: - content => $key, - notify => Service['stunnel']; + # basic setup: ensure cert, key, ca files are in place, and some generic + # stunnel things are done + class { 'site_stunnel::setup': + cert_name => $cert_name, + key => $key, + cert => $cert, + ca => $ca } - x509::cert { - $cert_name: - content => $cert, - notify => Service['stunnel']; + # setup a stunnel server for the webapp to connect to couchdb + stunnel::service { 'couch_server': + accept => $couch_server_accept, + connect => $couch_server_connect, + client => false, + cafile => $ca_path, + key => $key_path, + cert => $cert_path, + verify => '2', + pid => '/var/run/stunnel4/couchserver.pid', + rndfile => '/var/lib/stunnel4/.rnd', + debuglevel => '4' } - x509::ca { - $ca_name: - content => $ca, - notify => Service['stunnel']; - } - stunnel::service { 'couchdb': - accept => '6984', - connect => '127.0.0.1:5984', + # setup stunnels for bigcouch clustering between each bigcouchdb node + # server + stunnel::service { 'bigcouch_replication_server': + accept => $bigcouch_replication_server_accept, + connect => $bigcouch_replication_server_connect, client => false, cafile => $ca_path, key => $key_path, cert => $cert_path, verify => '2', - pid => '/var/run/stunnel4/couchdb.pid', + pid => '/var/run/stunnel4/bigcouchreplication_server.pid', rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } -} + # clients + $bigcouch_replication_client_defaults = { + 'client' => true, + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, + } + + create_resources(site_stunnel::clients, $bigcouch_replication_clients, $bigcouch_replication_client_defaults) +} diff --git a/puppet/modules/site_shorewall/manifests/couchdb.pp b/puppet/modules/site_shorewall/manifests/couchdb.pp index 9fa59569..1ef91bb0 100644 --- a/puppet/modules/site_shorewall/manifests/couchdb.pp +++ b/puppet/modules/site_shorewall/manifests/couchdb.pp @@ -2,16 +2,20 @@ class site_shorewall::couchdb { include site_shorewall::defaults - $couchdb_port = '6984' + $stunnel = hiera('stunnel') + $couch_server = $stunnel['couch_server'] + $couch_stunnel_port = $couch_server['accept'] + + # see http://stackoverflow.com/questions/8459949/bigcouch-cluster-connection-issue#comment10467603_8463814 + $erlang_vm_port = '9001' # define macro for incoming services file { '/etc/shorewall/macro.leap_couchdb': - content => "PARAM - - tcp $couchdb_port", + content => "PARAM - - tcp ${couch_stunnel_port},${erlang_vm_port}", notify => Service['shorewall'], require => Package['shorewall'] } - shorewall::rule { 'net2fw-couchdb': source => 'net', diff --git a/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp new file mode 100644 index 00000000..85272657 --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/couchdb/bigcouch.pp @@ -0,0 +1,36 @@ +class site_shorewall::couchdb::bigcouch { + + include site_shorewall::defaults + + $stunnel = hiera('stunnel') + $bigcouch_replication_clients = $stunnel['bigcouch_replication_clients'] + + $bigcouch_replication_server = $stunnel['bigcouch_replication_server'] + $bigcouch_replication_server_port = $bigcouch_replication_server['accept'] + $bigcouch_replication_connect = $bigcouch_replication_server['connect'] + + # define macro for incoming services + file { '/etc/shorewall/macro.leap_bigcouch': + content => "PARAM - - tcp ${bigcouch_replication_server_port}", + notify => Service['shorewall'], + require => Package['shorewall'] + } + + shorewall::rule { + 'net2fw-bigcouch': + source => 'net', + destination => '$FW', + action => 'leap_bigcouch(ACCEPT)', + order => 300; + } + + $bigcouch_shorewall_dnat_defaults = { + 'source' => '$FW', + 'proto' => 'tcp', + 'destinationport' => regsubst($bigcouch_replication_connect, '^([0-9.]+:)([0-9]+)$', '\2') + } + + create_resources(site_shorewall::couchdb::dnat, $bigcouch_replication_clients, $bigcouch_shorewall_dnat_defaults) + +} + diff --git a/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp b/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp new file mode 100644 index 00000000..f1bc9acf --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/couchdb/dnat.pp @@ -0,0 +1,21 @@ +define site_shorewall::couchdb::dnat ( + $source, + $connect, + $connect_port, + $accept_port, + $proto, + $destinationport ) +{ + + + shorewall::rule { + "dnat_${name}_${destinationport}": + action => 'DNAT', + source => $source, + destination => "\$FW:127.0.0.1:${accept_port}", + proto => $proto, + destinationport => $destinationport, + originaldest => $connect, + order => 200 + } +} diff --git a/puppet/modules/site_shorewall/manifests/dnat.pp b/puppet/modules/site_shorewall/manifests/dnat.pp new file mode 100644 index 00000000..a73294cc --- /dev/null +++ b/puppet/modules/site_shorewall/manifests/dnat.pp @@ -0,0 +1,19 @@ +define site_shorewall::dnat ( + $source, + $destination, + $proto, + $destinationport, + $originaldest ) { + + + shorewall::rule { + "dnat_${name}_${destinationport}": + action => 'DNAT', + source => $source, + destination => $destination, + proto => $proto, + destinationport => $destinationport, + originaldest => $originaldest, + order => 200 + } +} diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp new file mode 100644 index 00000000..ed766e1a --- /dev/null +++ b/puppet/modules/site_stunnel/manifests/clients.pp @@ -0,0 +1,26 @@ +define site_stunnel::clients ( + $accept_port, + $connect_port, + $connect, + $cafile, + $key, + $cert, + $client = true, + $verify = '2', + $pid = $name, + $rndfile = '/var/lib/stunnel4/.rnd', + $debuglevel = '4' ) { + + stunnel::service { $name: + accept => "127.0.0.1:${accept_port}", + connect => "${connect}:${connect_port}", + client => $client, + cafile => $cafile, + key => $key, + cert => $cert, + verify => $verify, + pid => "/var/run/stunnel4/${pid}.pid", + rndfile => $rndfile, + debuglevel => $debuglevel + } +} diff --git a/puppet/modules/site_stunnel/manifests/setup.pp b/puppet/modules/site_stunnel/manifests/setup.pp new file mode 100644 index 00000000..7ec2378f --- /dev/null +++ b/puppet/modules/site_stunnel/manifests/setup.pp @@ -0,0 +1,24 @@ +class site_stunnel::setup ($cert_name, $key, $cert, $ca) { + + include site_stunnel + + x509::key { + $cert_name: + content => $key, + notify => Service['stunnel']; + } + + x509::cert { + $cert_name: + content => $cert, + notify => Service['stunnel']; + } + + x509::ca { + $ca_name: + content => $ca, + notify => Service['stunnel']; + } + +} + diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index ef61aeb6..e956fd54 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -1,9 +1,5 @@ class site_webapp::couchdb { - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - $ca = $x509['ca_cert'] $webapp = hiera('webapp') # haproxy listener on port localhost:4096, see site_webapp::haproxy $couchdb_host = 'localhost' @@ -13,6 +9,21 @@ class site_webapp::couchdb { $couchdb_webapp_user = $webapp['couchdb_webapp_user']['username'] $couchdb_webapp_password = $webapp['couchdb_webapp_user']['password'] + $stunnel = hiera('stunnel') + $couch_client = $stunnel['couch_client'] + $couch_client_connect = $couch_client['connect'] + + include x509::variable + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + $ca = $x509['ca_cert'] + $cert_name = 'leap_couchdb' + $ca_name = 'leap_ca' + $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" + $cert_path = "${x509::variables::certs}/${cert_name}.crt" + $key_path = "${x509::variables::keys}/${cert_name}.key" + file { '/srv/leap-webapp/config/couchdb.yml.admin': content => template('site_webapp/couchdb.yml.admin.erb'), @@ -33,10 +44,11 @@ class site_webapp::couchdb { mode => '0744'; } - class { 'site_webapp::couchdb_stunnel': - key => $key, - cert => $cert, - ca => $ca + class { 'site_stunnel::setup': + cert_name => $cert_name, + key => $key, + cert => $cert, + ca => $ca } exec { 'migrate_design_documents': @@ -45,4 +57,14 @@ class site_webapp::couchdb { require => Exec['bundler_update'], notify => Service['apache']; } + + $couchdb_stunnel_client_defaults = { + 'connect_port' => $couch_client_connect, + 'client' => true, + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, + } + + create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults) } diff --git a/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp b/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp deleted file mode 100644 index 325b18ee..00000000 --- a/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp +++ /dev/null @@ -1,43 +0,0 @@ -class site_webapp::couchdb_stunnel ($key, $cert, $ca) { - - include x509::variables - include site_stunnel - - $cert_name = 'leap_couchdb' - $ca_name = 'leap_ca' - $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" - $cert_path = "${x509::variables::certs}/${cert_name}.crt" - $key_path = "${x509::variables::keys}/${cert_name}.key" - - x509::key { - $cert_name: - content => $key, - notify => Service['stunnel']; - } - - x509::cert { - $cert_name: - content => $cert, - notify => Service['stunnel']; - } - - x509::ca { - $ca_name: - content => $ca, - notify => Service['stunnel']; - } - - $couchdb_stunnel_client_defaults = { - 'client' => true, - 'cafile' => $ca_path, - 'key' => $key_path, - 'cert' => $cert_path, - 'verify' => '2', - 'rndfile' => '/var/lib/stunnel4/.rnd', - 'debuglevel' => '4' - } - - create_resources(site_webapp::couchdb_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) - -} - diff --git a/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp b/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp deleted file mode 100644 index eac43b08..00000000 --- a/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp +++ /dev/null @@ -1,17 +0,0 @@ -define site_webapp::couchdb_stunnel::clients - ( $accept_port, $connect, $client, $cafile, $key, $cert, - $verify, $pid = $name, $rndfile, $debuglevel ) { - - stunnel::service { $name: - accept => "127.0.0.1:${accept_port}", - connect => "${connect}:6984", - client => $client, - cafile => $cafile, - key => $key, - cert => $cert, - verify => $verify, - pid => "/var/run/stunnel4/${pid}.pid", - rndfile => $rndfile, - debuglevel => $debuglevel - } - } |