-rw-r--r--.gitmodules4
-rw-r--r--puppet/manifests/site.pp8
m---------puppet/modules/apache0
l---------puppet/modules/site-apache1
-rw-r--r--puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf10
-rw-r--r--puppet/modules/site_apt/files/unstable.list1
-rwxr-xr-xpuppet/modules/site_couchdb/files/couchdb160
-rw-r--r--puppet/modules/site_couchdb/files/local.ini84
-rw-r--r--puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp35
-rw-r--r--puppet/modules/site_couchdb/manifests/configure.pp32
-rw-r--r--puppet/modules/site_couchdb/manifests/init.pp63
-rw-r--r--puppet/modules/site_couchdb/manifests/package.pp13
-rw-r--r--puppet/modules/site_shorewall/manifests/eip.pp30
13 files changed, 431 insertions, 10 deletions
diff --git a/.gitmodules b/.gitmodules
index e3e8d6db..c2d42cc5 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -37,3 +37,7 @@
[submodule "puppet/modules/interfaces"]
path = puppet/modules/interfaces
url = git://github.com/x-way/puppet-interfaces.git
+[submodule "puppet/modules/apache"]
+ path = puppet/modules/apache
+ url = git://code.leap.se/puppet_apache
+
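Review bot: The new submodule entry `url = git://code.leap.se/puppet_apache` uses the unauthenticated, unencrypted git:// transport, so nothing about the clone itself is verified in transit; the commit pin recorded for the submodule elsewhere in this commit fixes which content is accepted, so a substituted mirror fails the checkout rather than being silently used, but availability and privacy of the fetch are not protected. The existing entries in this file use git:// as well, so this follows local convention. If the host also serves HTTPS, `url = https://code.leap.se/puppet_apache` adds transport authentication without changing the pin.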
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index ef5c3a8a..6abf9b48 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -4,7 +4,7 @@ node 'default' {
include concat::setup
# include some basic classes
- #include site_config
+ include site_config
# parse services for host
$services=hiera_array('services')
@@ -15,9 +15,7 @@ node 'default' {
include site_config::eip
}
- if 'couchdb' in $services {
- class { 'couchdb':
- #bind => '0.0.0.0'
- }
+ if 'couchdb' in $services {
+ include site_couchdb
}
}
diff --git a/puppet/modules/apache b/puppet/modules/apache
new file mode 160000
+Subproject 104b2e09399e02a8aa9687df0de795644e4b83e
diff --git a/puppet/modules/site-apache b/puppet/modules/site-apache
new file mode 120000
index 00000000..f0517fa5
--- /dev/null
+++ b/puppet/modules/site-apache
@@ -0,0 +1 @@
+site_apache \ No newline at end of file
diff --git a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf
new file mode 100644
index 00000000..79ad931d
--- /dev/null
+++ b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf
@@ -0,0 +1,10 @@
+Listen 0.0.0.0:6984
+
+<VirtualHost *:6984>
+ SSLEngine On
+ SSLProxyEngine On
+ SSLCertificateKeyFile /etc/couchdb/server_key.pem
+ SSLCertificateFile /etc/couchdb/server_cert.pem
+ ProxyPass / http://127.0.0.1:5984/
+ ProxyPassReverse / http://127.0.0.1:5984/
+</VirtualHost>
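Review bot: `ProxyPass / http://127.0.0.1:5984/` forwards the entire CouchDB HTTP API, including the admin-only `/_config` paths, to anything that can reach port 6984 on every interface (`Listen 0.0.0.0:6984`); the only access control left is CouchDB's own authentication, and the local.ini added in this same commit leaves `require_valid_user` and `config_whitelist` commented out. The vhost also sets no `SSLProtocol` or `SSLCipherSuite`, so whatever the Apache build defaults to is what clients get. `SSLProxyEngine On` is not needed here because the backend is plain http. A short header comment stating the intent would help, e.g. `# TLS terminator for CouchDB; all API paths are exposed, auth is enforced by CouchDB itself`.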
diff --git a/puppet/modules/site_apt/files/unstable.list b/puppet/modules/site_apt/files/unstable.list
new file mode 100644
index 00000000..0e289136
--- /dev/null
+++ b/puppet/modules/site_apt/files/unstable.list
@@ -0,0 +1 @@
+deb http://http.debian.net/debian unstable main
diff --git a/puppet/modules/site_couchdb/files/couchdb b/puppet/modules/site_couchdb/files/couchdb
new file mode 100755
index 00000000..ccdfe716
--- /dev/null
+++ b/puppet/modules/site_couchdb/files/couchdb
@@ -0,0 +1,160 @@
+#!/bin/sh -e
+
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+### BEGIN INIT INFO
+# Provides: couchdb
+# Required-Start: $local_fs $remote_fs
+# Required-Stop: $local_fs $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Apache CouchDB init script
+# Description: Apache CouchDB init script for the database server.
+### END INIT INFO
+
+SCRIPT_OK=0
+SCRIPT_ERROR=1
+
+DESCRIPTION="database server"
+NAME=couchdb
+SCRIPT_NAME=`basename $0`
+COUCHDB=/usr/bin/couchdb
+CONFIGURATION_FILE=/etc/default/couchdb
+RUN_DIR=/var/run/couchdb
+LSB_LIBRARY=/lib/lsb/init-functions
+
+if test ! -x $COUCHDB; then
+ exit $SCRIPT_ERROR
+fi
+
+if test -r $CONFIGURATION_FILE; then
+ . $CONFIGURATION_FILE
+fi
+
+log_daemon_msg () {
+ # Dummy function to be replaced by LSB library.
+
+ echo $@
+}
+
+log_end_msg () {
+ # Dummy function to be replaced by LSB library.
+
+ if test "$1" != "0"; then
+ echo "Error with $DESCRIPTION: $NAME"
+ fi
+ return $1
+}
+
+if test -r $LSB_LIBRARY; then
+ . $LSB_LIBRARY
+fi
+
+run_command () {
+ command="$1"
+ if test -n "$COUCHDB_OPTIONS"; then
+ command="$command $COUCHDB_OPTIONS"
+ fi
+ if test -n "$COUCHDB_USER"; then
+ if su $COUCHDB_USER -c "$command"; then
+ return $SCRIPT_OK
+ else
+ return $SCRIPT_ERROR
+ fi
+ else
+ if $command; then
+ return $SCRIPT_OK
+ else
+ return $SCRIPT_ERROR
+ fi
+ fi
+}
+
+start_couchdb () {
+ # Start Apache CouchDB as a background process.
+
+ mkdir -p "$RUN_DIR"
+ chown -R "$COUCHDB_USER" "$RUN_DIR"
+ command="$COUCHDB -b"
+ if test -n "$COUCHDB_STDOUT_FILE"; then
+ command="$command -o $COUCHDB_STDOUT_FILE"
+ fi
+ if test -n "$COUCHDB_STDERR_FILE"; then
+ command="$command -e $COUCHDB_STDERR_FILE"
+ fi
+ if test -n "$COUCHDB_RESPAWN_TIMEOUT"; then
+ command="$command -r $COUCHDB_RESPAWN_TIMEOUT"
+ fi
+ run_command "$command" > /dev/null
+}
+
+stop_couchdb () {
+ # Stop the running Apache CouchDB process.
+
+ run_command "$COUCHDB -d" > /dev/null
+ pkill -u couchdb
+ # always return true even if no remaining couchdb procs got killed
+ /bin/true
+}
+
+display_status () {
+ # Display the status of the running Apache CouchDB process.
+
+ run_command "$COUCHDB -s"
+}
+
+parse_script_option_list () {
+ # Parse arguments passed to the script and take appropriate action.
+
+ case "$1" in
+ start)
+ log_daemon_msg "Starting $DESCRIPTION" $NAME
+ if start_couchdb; then
+ log_end_msg $SCRIPT_OK
+ else
+ log_end_msg $SCRIPT_ERROR
+ fi
+ ;;
+ stop)
+ log_daemon_msg "Stopping $DESCRIPTION" $NAME
+ if stop_couchdb; then
+ log_end_msg $SCRIPT_OK
+ else
+ log_end_msg $SCRIPT_ERROR
+ fi
+ ;;
+ restart|force-reload)
+ log_daemon_msg "Restarting $DESCRIPTION" $NAME
+ if stop_couchdb; then
+ if start_couchdb; then
+ log_end_msg $SCRIPT_OK
+ else
+ log_end_msg $SCRIPT_ERROR
+ fi
+ else
+ log_end_msg $SCRIPT_ERROR
+ fi
+ ;;
+ status)
+ display_status
+ ;;
+ *)
+ cat << EOF >&2
+Usage: $SCRIPT_NAME {start|stop|restart|force-reload|status}
+EOF
+ exit $SCRIPT_ERROR
+ ;;
+ esac
+}
+
+parse_script_option_list $@
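Review bot: `pkill -u couchdb` in stop_couchdb hardcodes the account name instead of `$COUCHDB_USER`, which the rest of the script reads from /etc/default/couchdb (run_command, start_couchdb), and it kills every process owned by that account rather than only the server; because the function then ends with `/bin/true`, `stop` always reports success even when `$COUCHDB -d` failed. If the kill is meant as a last-resort fallback, `pkill -u "${COUCHDB_USER:-couchdb}" || true` keeps the always-succeed intent while honouring the configured user, and a comment saying it is a fallback after the graceful `-d` stop would make that explicit. Separately, `echo $@` in log_daemon_msg and the final `parse_script_option_list $@` should be `"$@"` so arguments are not re-split on whitespace.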
diff --git a/puppet/modules/site_couchdb/files/local.ini b/puppet/modules/site_couchdb/files/local.ini
new file mode 100644
index 00000000..485c9a29
--- /dev/null
+++ b/puppet/modules/site_couchdb/files/local.ini
@@ -0,0 +1,84 @@
+; CouchDB Configuration Settings
+
+; Custom settings should be made in this file. They will override settings
+; in default.ini, but unlike changes made to default.ini, this file won't be
+; overwritten on server upgrade.
+
+[couchdb]
+;max_document_size = 4294967296 ; bytes
+
+[httpd]
+;port = 5984
+;bind_address = 127.0.0.1
+; Options for the MochiWeb HTTP server.
+;server_options = [{backlog, 128}, {acceptor_pool_size, 16}]
+; For more socket options, consult Erlang's module 'inet' man page.
+;socket_options = [{recbuf, 262144}, {sndbuf, 262144}, {nodelay, true}]
+
+; Uncomment next line to trigger basic-auth popup on unauthorized requests.
+;WWW-Authenticate = Basic realm="administrator"
+
+; Uncomment next line to set the configuration modification whitelist. Only
+; whitelisted values may be changed via the /_config URLs. To allow the admin
+; to change this value over HTTP, remember to include {httpd,config_whitelist}
+; itself. Excluding it from the list would require editing this file to update
+; the whitelist.
+;config_whitelist = [{httpd,config_whitelist}, {log,level}, {etc,etc}]
+
+[httpd_global_handlers]
+;_google = {couch_httpd_proxy, handle_proxy_req, <<"http://www.google.com">>}
+
+[couch_httpd_auth]
+; If you set this to true, you should also uncomment the WWW-Authenticate line
+; above. If you don't configure a WWW-Authenticate header, CouchDB will send
+; Basic realm="server" in order to prevent you getting logged out.
+; require_valid_user = false
+
+[log]
+;level = debug
+
+[os_daemons]
+; For any commands listed here, CouchDB will attempt to ensure that
+; the process remains alive while CouchDB runs as well as shut them
+; down when CouchDB exits.
+;foo = /path/to/command -with args
+
+[daemons]
+; enable SSL support by uncommenting the following line and supply the PEM's below.
+; the default ssl port CouchDB listens on is 6984
+;httpsd = {couch_httpd, start_link, [https]}
+
+[ssl]
+;cert_file = /etc/couchdb/server_cert.pem
+;key_file = /etc/couchdb/server_key.pem
+;password = somepassword
+; set to true to validate peer certificates
+;verify_ssl_certificates = false
+; Path to file containing PEM encoded CA certificates (trusted
+; certificates used for verifying a peer certificate). May be omitted if
+; you do not want to verify the peer.
+;cacert_file = /full/path/to/cacertf
+; The verification fun (optionnal) if not specidied, the default
+; verification fun will be used.
+;verify_fun = {Module, VerifyFun}
+;ssl_certificate_max_depth = 1
+; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to
+; the Virual Host will be redirected to the path. In the example below all requests
+; to http://example.com/ are redirected to /database.
+; If you run CouchDB on a specific port, include the port number in the vhost:
+; example.com:5984 = /database
+
+[vhosts]
+;example.com = /database/
+
+[update_notification]
+;unique notifier name=/full/path/to/exe -with "cmd line arg"
+
+; To create an admin account uncomment the '[admins]' section below and add a
+; line in the format 'username = password'. When you next start CouchDB, it
+; will change the password to a hash (so that your passwords don't linger
+; around in plain-text files). You can add more admin accounts with more
+; 'username = password' lines. Don't forget to restart CouchDB after
+; changing this.
+;[admins]
+;admin = mysecretpassword
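Review bot: Every directive in this file is commented out, so as shipped it changes no CouchDB setting; it appears to be the stock upstream local.ini, and its only effect in this commit is that the restart exec in configure.pp subscribes to it. Because the Apache vhost added here forwards the whole API, the two settings this file leaves disabled, `require_valid_user` and `config_whitelist`, are the ones that would bound what an unauthenticated client can read or change, so the choice to keep defaults deserves to be explicit. A header comment such as `; managed by puppet (site_couchdb); intentionally identical to upstream defaults` would record that this is deliberate.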
diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
new file mode 100644
index 00000000..87b21e62
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
@@ -0,0 +1,35 @@
+define site_couchdb::apache_ssl_proxy ($key, $cert) {
+
+ include apache::ssl
+ apache::module {
+ 'rewrite': ensure => present;
+ 'proxy': ensure => present;
+ 'proxy_http': ensure => present;
+ }
+ apache::vhost::file { 'couchdb_proxy': }
+ # prevent 0-default.conf and 0-default_ssl.conf from apache module
+ # from starting on port 80 / 443
+ file { '/etc/apache2/ports.conf':
+ content => '',
+ mode => '0644',
+ owner => 'root',
+ group => 'root',
+ }
+
+ file { '/etc/couchdb/server_cert.pem':
+ mode => '0644',
+ owner => 'couchdb',
+ group => 'couchdb',
+ content => $cert,
+ notify => Service[apache],
+ }
+
+ file { '/etc/couchdb/server_key.pem':
+ mode => '0600',
+ owner => 'couchdb',
+ group => 'couchdb',
+ content => $key,
+ notify => Service[apache],
+ }
+
+}
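Review bot: `site_couchdb::apache_ssl_proxy` is a `define` that never uses `$name`, yet it declares singleton resources (`include apache::ssl`, `file { '/etc/apache2/ports.conf': ... }`, `apache::vhost::file { 'couchdb_proxy': }`), so declaring it a second time fails with a duplicate declaration; a parameterised class expresses the one-per-host intent directly. The key file is written with `owner => 'couchdb'` and `mode => '0600'` but is read by Apache, which works only because httpd opens it as root at startup; a comment noting that Apache and CouchDB deliberately share this key pair would save the next reader from "fixing" the ownership. `content => $key` also puts the private key into the catalog and into any diff Puppet logs when the file changes; on Puppet versions that support it, `show_diff => false` on that resource keeps the key material out of reports.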
diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp
new file mode 100644
index 00000000..25ea7a0b
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/configure.pp
@@ -0,0 +1,32 @@
+class site_couchdb::configure {
+ Class[site_couchdb::package] -> Class[couchdb]
+
+ class { 'couchdb':
+ require => Class['site_couchdb::package'], }
+
+
+ file { '/etc/init.d/couchdb':
+ source => 'puppet:///modules/site_couchdb/couchdb',
+ mode => '0755',
+ owner => 'root',
+ group => 'root',
+ }
+
+ file { '/etc/couchdb/local.d/admin.ini':
+ content => "[admins]
+admin = $site_couchdb::couchdb_admin_pw
+",
+ mode => '0600',
+ owner => 'couchdb',
+ group => 'couchdb',
+ notify => Service[couchdb]
+ }
+
+
+ exec { '/etc/init.d/couchdb restart; sleep 6':
+ path => ['/bin', '/usr/bin',],
+ subscribe => File['/etc/couchdb/local.d/admin.ini',
+ '/etc/couchdb/local.ini'],
+ refreshonly => true
+ }
+}
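Review bot: The admin entry in `/etc/couchdb/local.d/admin.ini` hardcodes the user name, `admin = $site_couchdb::couchdb_admin_pw`, while init.pp reads `$couchdb_admin_user` from hiera and passes it to `couchdb::query::setup`; if the configured name is anything other than `admin`, every query authenticates against an account that does not exist. The line should be `$site_couchdb::couchdb_admin_user = $site_couchdb::couchdb_admin_pw`. Also, the comment at the end of local.ini in this same commit says CouchDB rewrites a plaintext `[admins]` entry to a hash on start; if that also applies to this managed file, every Puppet run will see a content mismatch, rewrite the plaintext, and fire both `notify => Service[couchdb]` and the subscribed restart exec, restarting CouchDB twice per run and echoing the password in the file diff (`show_diff => false` on the resource avoids the latter). Whether the hashed rewrite touches files under local.d is not visible here and is worth confirming before merge.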
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
new file mode 100644
index 00000000..30ce7f54
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -0,0 +1,63 @@
+class site_couchdb {
+
+ $x509 = hiera('x509')
+ $key = $x509['key']
+ $cert = $x509['cert']
+ $couchdb_config = hiera('couch')
+ $couchdb_users = $couchdb_config['users']
+ $couchdb_admin = $couchdb_users['admin']
+ $couchdb_admin_user = $couchdb_admin['username']
+ $couchdb_admin_pw = $couchdb_admin['password']
+ $couchdb_webapp = $couchdb_users['webapp']
+ $couchdb_webapp_user = $couchdb_webapp['username']
+ $couchdb_webapp_pw = $couchdb_webapp['password']
+ $couchdb_ca_daemon = $couchdb_users['ca_daemon']
+ $couchdb_ca_daemon_user = $couchdb_ca_daemon['username']
+ $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password']
+
+ Class['site_couchdb::package']
+ -> Package ['couchdb']
+ -> File['/etc/init.d/couchdb']
+ -> File['/etc/couchdb/local.ini']
+ -> File['/etc/couchdb/local.d/admin.ini']
+ -> File['/etc/couchdb/couchdb.netrc']
+ -> Couchdb::Create_db[leap_web]
+ -> Couchdb::Create_db[leap_ca]
+ -> Couchdb::Add_user[$couchdb_webapp_user]
+ -> Couchdb::Add_user[$couchdb_ca_daemon_user]
+ -> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy']
+
+ # Setup couchdb
+ include site_couchdb::package
+ include site_couchdb::configure
+ include couchdb::deploy_config
+
+ site_couchdb::apache_ssl_proxy { 'apache_ssl_proxy':
+ key => $key,
+ cert => $cert
+ }
+
+ couchdb::query::setup { 'localhost':
+ user => $couchdb_admin_user,
+ pw => $couchdb_admin_pw
+ }
+
+ # Populate couchdb
+ couchdb::add_user { $couchdb_webapp_user:
+ roles => '["certs"]',
+ pw => $couchdb_webapp_pw
+ }
+
+ couchdb::add_user { $couchdb_ca_daemon_user:
+ roles => '["certs"]',
+ pw => $couchdb_ca_daemon_pw
+ }
+
+ couchdb::create_db { 'leap_web':
+ readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }"
+ }
+
+ couchdb::create_db { 'leap_ca':
+ readers => "{ \"names\": [], \"roles\": [\"certs\"] }"
+ }
+}
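Review bot: Both `couchdb::add_user` resources grant `roles => '["certs"]'`, so the `leap_ca` readers rule `"roles": ["certs"]` admits the webapp user as well as the ca_daemon user; if the web application is not meant to read the CA database, give the daemon a distinct role and name it in that readers list. The `readers` value for `leap_web` is built by interpolating `$couchdb_webapp_user` into a JSON string without escaping, so a username containing a quote or backslash yields an invalid document; a comment noting the assumption, e.g. `# assumes usernames contain no JSON metacharacters`, or a validation of the hiera value would make that explicit. The ordering chain also references `File['/etc/couchdb/couchdb.netrc']`, which no manifest in this commit declares — presumably `couchdb::query::setup` in the couchdb module creates it; worth confirming, since a missing resource fails catalog compilation.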
diff --git a/puppet/modules/site_couchdb/manifests/package.pp b/puppet/modules/site_couchdb/manifests/package.pp
new file mode 100644
index 00000000..c091316a
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/package.pp
@@ -0,0 +1,13 @@
+class site_couchdb::package {
+
+ # for now, we need to install couchdb from unstable,
+ # because of this bug while installing:
+ # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681549
+ # can be removed when couchdb/1.2.0-2 is integrated into testing
+ apt::sources_list { 'unstable.list':
+ source => [ 'puppet:///modules/site_apt/unstable.list'],
+ }
+ apt::preferences_snippet{
+ 'couchdb': release => 'unstable', priority => 999;
+ }
+}
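Review bot: The preferences snippet pins only the `couchdb` package to unstable at priority 999; nothing in this commit lowers the priority of the rest of the unstable archive that `unstable.list` adds, so unless the apt module applies a default pin for unstable (not visible here), any package with a higher version in unstable becomes the upgrade candidate on this host. A second preferences entry giving unstable a priority below 500 for all other packages, or a comment recording that the apt module already does this, would close that gap. The removal condition in the comment (couchdb/1.2.0-2 reaching testing) is useful; adding a date makes it likelier to be revisited.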
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 7a86db21..7dee6b7a 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -11,11 +11,9 @@ class site_shorewall::eip {
$openvpn_config = hiera('openvpn')
$openvpn_ports = $openvpn_config['ports']
$openvpn_gateway_address = $site_config::eip::openvpn_gateway_address
+ $interface = hiera('interface')
- notify {"openvpn: $openvpn":}
- notify {"openvpn_ports: $openvpn_ports":}
-
- # define macro, allowing incoming openvpn and ssh
+ # define macro for incoming services
file { '/etc/shorewall/macro.leap_eip':
content => "PARAM - - tcp 1194,$ssh_port
PARAM - - udp 1194
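Review bot: `$interface = hiera('interface')` is assigned but not referenced in any visible hunk of this file; if it is used later in the class body (which continues outside the hunks) that is fine, otherwise it is an unused lookup that aborts the catalog whenever the hiera key is absent. Either drop it or add a comment on the line naming what consumes it. The enclosing class `site_shorewall::eip` starts above this hunk.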
@@ -57,6 +55,11 @@ PARAM - - udp 1194
destinationzone => 'all',
policy => 'ACCEPT',
order => 100;
+ 'fw-to-all':
+ sourcezone => '$FW',
+ destinationzone => 'all',
+ policy => 'ACCEPT',
+ order => 100;
'all-to-all':
sourcezone => 'all',
destinationzone => 'all',
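Review bot: The new `'fw-to-all'` policy with `policy => 'ACCEPT'` lets the firewall host itself reach every zone unrestricted, which makes the specific outbound rules later in the file (`fw2all-http`, the Git rule) redundant and removes egress restriction from the server; if only a CouchDB-related flow is needed, a rule for that service preserves least privilege. The entry cut off at the top of this hunk already carries `policy => 'ACCEPT'` toward `'all'`, so it is also worth checking whether this policy changes behaviour at all. The enclosing policy resource block starts and ends outside the hunk.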
@@ -65,19 +68,30 @@ PARAM - - udp 1194
}
shorewall::rule {
+ # ping party
'all2all-ping':
source => 'all',
destination => 'all',
action => 'Ping(ACCEPT)',
order => 200;
+<<<<<<< HEAD
'net2fw-openvpn_ssh':
+=======
+ # outside to server
+ 'net2fw-ssh':
+ source => 'net',
+ destination => '$FW',
+ action => 'SSH(ACCEPT)',
+ order => 200;
+ 'net2fw-openvpn':
+>>>>>>> feature/couchdb
source => 'net',
destination => '$FW',
action => 'leap_eip(ACCEPT)',
order => 200;
- # eip gw itself to outside
+ # server to outside
'fw2all-http':
source => '$FW',
destination => 'all',
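Review bot: Unresolved merge conflict markers are committed in this hunk (`<<<<<<< HEAD` before `'net2fw-openvpn_ssh'`, `=======`, `>>>>>>> feature/couchdb`) and again in the next hunk around the commented `'eip2fw-https'` rule; Puppet cannot parse the manifest, so the whole `site_shorewall::eip` class is broken until one side is chosen. From the feature/couchdb side, the intended result appears to be splitting the old `net2fw-openvpn_ssh` rule into `net2fw-ssh` (`SSH(ACCEPT)`) and `net2fw-openvpn` (`leap_eip(ACCEPT)`); note that the `leap_eip` macro defined above already admits tcp `$ssh_port`, so after the split the dedicated SSH rule duplicates that permission and one of the two should go. Resolve both conflicts before merge. The enclosing `shorewall::rule` block starts above this hunk and ends outside it.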
@@ -94,8 +108,14 @@ PARAM - - udp 1194
action => 'Git(ACCEPT)',
order => 200;
+<<<<<<< HEAD
#'eip2fw-https':
# source => 'eip',
+=======
+ # Webfrontend is running on another server
+ #'eip2fw-https':
+ # source => 'eip',
+>>>>>>> feature/couchdb
# destination => '$FW',
# action => 'HTTPS(ACCEPT)',
# order => 200;