| -rw-r--r-- | puppet/modules/site_config/manifests/remove_files.pp | 1 | ||||
| -rw-r--r-- | puppet/modules/site_couchdb/manifests/setup.pp | 35 | ||||
| -rw-r--r-- | puppet/modules/soledad/manifests/init.pp | 17 | ||||
| -rw-r--r-- | puppet/modules/soledad/manifests/server.pp | 21 | ||||
| -rw-r--r-- | puppet/modules/soledad/templates/soledad-server.conf.erb | 5 | 
5 files changed, 56 insertions, 23 deletions
diff --git a/puppet/modules/site_config/manifests/remove_files.pp b/puppet/modules/site_config/manifests/remove_files.pp
index 8b2f9541..07487d6a 100644
--- a/puppet/modules/site_config/manifests/remove_files.pp
+++ b/puppet/modules/site_config/manifests/remove_files.pp
@@ -41,6 +41,7 @@ class site_config::remove_files {
     '/srv/leap/couchdb/designs/tmp_users':
       recurse => true,
       rmdirs => true;
+    '/etc/leap/soledad-server.conf':;
   }
 
   if member($::services, 'webapp') {
diff --git a/puppet/modules/site_couchdb/manifests/setup.pp b/puppet/modules/site_couchdb/manifests/setup.pp
index 69bd1c6a..fef48505 100644
--- a/puppet/modules/site_couchdb/manifests/setup.pp
+++ b/puppet/modules/site_couchdb/manifests/setup.pp
@@ -12,27 +12,40 @@ class site_couchdb::setup {
 
   $user = $site_couchdb::couchdb_admin_user
 
-  # /etc/couchdb/couchdb-admin.netrc is deployed by couchdb::query::setup
-  # we symlink to couchdb.netrc for puppet commands.
-  # we symlink this to /root/.netrc for couchdb_scripts (eg. backup)
-  # and makes life easier for the admin (i.e. using curl/wget without
-  # passing credentials)
+  # setup /etc/couchdb/couchdb-admin.netrc for couchdb admin access
+  couchdb::query::setup { 'localhost':
+    user => $user,
+    pw   => $site_couchdb::couchdb_admin_pw
+  }
+
+  # We symlink /etc/couchdb/couchdb-admin.netrc to /etc/couchdb/couchdb.netrc
+  # for puppet commands, and to to /root/.netrc for couchdb_scripts
+  # (eg. backup) and to makes life easier for the admin on the command line
+  # (i.e. using curl/wget without passing credentials)
   file {
     '/etc/couchdb/couchdb.netrc':
       ensure  => link,
       target  => "/etc/couchdb/couchdb-${user}.netrc";
-
     '/root/.netrc':
       ensure  => link,
       target  => '/etc/couchdb/couchdb.netrc';
+  }
 
-    '/srv/leap/couchdb':
-      ensure => directory
+  # setup /etc/couchdb/couchdb-soledad-admin.netrc file for couchdb admin
+  # access, accessible only for the soledad-admin user to create soledad
+  # userdbs
+  file { '/etc/couchdb/couchdb-soledad-admin.netrc':
+    content => "machine localhost login ${user} password ${site_couchdb::couchdb_admin_pw}",
+    mode    => '0400',
+    owner   => 'soledad-admin',
+    group   => 'root',
+    require => [ Package['couchdb'], User['soledad-admin'] ];
   }
 
-  couchdb::query::setup { 'localhost':
-    user  => $user,
-    pw    => $site_couchdb::couchdb_admin_pw,
+  # Checkout couchdb_scripts repo
+  file {
+    '/srv/leap/couchdb':
+      ensure => directory
   }
 
   vcsrepo { '/srv/leap/couchdb/scripts':
diff --git a/puppet/modules/soledad/manifests/init.pp b/puppet/modules/soledad/manifests/init.pp
index 7cf0b729..6a2c328e 100644
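Review bot: The new `/etc/couchdb/couchdb-soledad-admin.netrc` resource writes the full CouchDB admin password (`${site_couchdb::couchdb_admin_pw}`) into a file owned by `soledad-admin`, so that account ends up with unrestricted admin rights on CouchDB rather than only the ability to create user databases that the comment describes; if CouchDB offers a less privileged account for that job it would be the better credential to hand out here. Puppet also prints the `content` of a file resource in its diff output and reports whenever it changes, so adding `show_diff => false,` to this resource keeps the password out of agent logs. `User['soledad-admin']` is declared in the soledad module (init.pp), so this class now compiles only when that class is in the catalog on every couchdb node — presumably the case, but it is an implicit cross-module dependency worth a comment. The added comment also has typos, `and to to /root/.netrc` and `and to makes life easier`. The enclosing class continues past this hunk.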
--- a/puppet/modules/soledad/manifests/init.pp
+++ b/puppet/modules/soledad/manifests/init.pp
@@ -1,18 +1,29 @@
+# set up users, group and directories for soledad-server
+# although the soledad users are already created by the
+# soledad-server package
 class soledad {
 
   group { 'soledad':
-    ensure    => present,
-    allowdupe => false;
+    ensure => present,
+    system => true,
   }
 
   user { 'soledad':
     ensure    => present,
-    allowdupe => false,
+    system    => true,
     gid       => 'soledad',
     home      => '/srv/leap/soledad',
     require   => Group['soledad'];
   }
 
+  user { 'soledad-admin':
+    ensure  => present,
+    system  => true,
+    gid     => 'soledad',
+    home    => '/srv/leap/soledad',
+    require => Group['soledad'];
+  }
+
   file {
     '/srv/leap/soledad':
       ensure  => directory,
diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp
index b71fab69..e437c8f2 100644
--- a/puppet/modules/soledad/manifests/server.pp
+++ b/puppet/modules/soledad/manifests/server.pp
@@ -1,3 +1,4 @@
+# setup soledad-server
 class soledad::server {
   tag 'leap_service'
   include soledad
@@ -22,13 +23,19 @@ class soledad::server {
   # SOLEDAD CONFIG
   #
 
-  file { '/etc/leap/soledad-server.conf':
-    content => template('soledad/soledad-server.conf.erb'),
-    owner   => 'soledad',
-    group   => 'soledad',
-    mode    => '0600',
-    notify  => Service['soledad-server'],
-    require => Class['soledad'];
+  file {
+    '/etc/soledad':
+      ensure => directory,
+      owner  => 'root',
+      group  => 'root',
+      mode   => '0755';
+    '/etc/soledad/soledad-server.conf':
+      content => template('soledad/soledad-server.conf.erb'),
+      owner   => 'soledad',
+      group   => 'soledad',
+      mode    => '0640',
+      notify  => Service['soledad-server'],
+      require => Class['soledad'];
   }
 
   package { $sources['soledad']['package']:
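Review bot: The new `soledad-admin` user is given `gid => 'soledad'` and the same `home => '/srv/leap/soledad'` as the `soledad` user but no `shell`, so it receives the distribution's default login shell although its only role is to be the target of `sudo -u` from the server; `shell => '/usr/sbin/nologin',` (or the platform equivalent) would narrow the account to that role. Sharing the home directory means whichever account the `file` resource further down chowns it to owns it for both, which is probably intended but deserves a comment. The new header says the users are already created by the soledad-server package; if the package and Puppet disagree on uid/gid or on `system`, the two will keep correcting each other, so stating which side owns the accounts would help the next reader. The class body continues past this hunk.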
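Review bot: The mode of `soledad-server.conf` is widened from `0600` to `0640` with `group => 'soledad'`, and init.pp in this same commit puts `soledad-admin` in that group, so the CouchDB credentials embedded in `couch_url` become readable by `soledad-admin` as well. If that is deliberate — the template's `create_cmd` runs `create-user-db` as `soledad-admin`, which presumably has to read `admin_netrc` from this config — record the reason next to the mode, e.g. `# 0640: soledad-admin (group soledad) reads this to run create-user-db`; otherwise keep `0600` and pass the netrc path to the helper another way. The `0755` on `/etc/soledad` is fine since the file itself carries the restriction. The enclosing class continues past this hunk.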
diff --git a/puppet/modules/soledad/templates/soledad-server.conf.erb b/puppet/modules/soledad/templates/soledad-server.conf.erb
index 47d1f6e4..42cf44d8 100644
--- a/puppet/modules/soledad/templates/soledad-server.conf.erb
+++ b/puppet/modules/soledad/templates/soledad-server.conf.erb
@@ -1,3 +1,4 @@
 [soledad-server]
-couch_url = http://<%= @couchdb_user %>:<%= @couchdb_password %>@<%= @couchdb_host %>:<%= @couchdb_port %>
-
+couch_url   = http://<%= @couchdb_user %>:<%= @couchdb_password %>@<%= @couchdb_host %>:<%= @couchdb_port %>
+create_cmd  = sudo -u soledad-admin /usr/bin/create-user-db
+admin_netrc = /etc/couchdb/couchdb-soledad-admin.netrc
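Review bot: `create_cmd = sudo -u soledad-admin /usr/bin/create-user-db` only works if a sudoers rule lets the `soledad` service user run exactly that command as `soledad-admin` without a password, and no such rule is part of this commit, so either it already exists elsewhere or user-db creation will fail at runtime — worth confirming and pointing to in a template comment, with the rule limited to that single command path. `admin_netrc` must stay in sync with the file declared in site_couchdb::setup; a comment naming that resource would make the coupling visible. `couch_url` still carries the CouchDB password in cleartext, which is why the permissions on the rendered config matter.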
