-rw-r--r-- | .gitmodules | 4 | ||||
-rw-r--r-- | puppet/manifests/site.pp | 8 | ||||
m--------- | puppet/modules/apache | 0 | ||||
l--------- | puppet/modules/site-apache | 1 | ||||
-rw-r--r-- | puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf | 10 | ||||
-rw-r--r-- | puppet/modules/site_apt/files/unstable.list | 1 | ||||
-rwxr-xr-x | puppet/modules/site_couchdb/files/couchdb | 160 | ||||
-rw-r--r-- | puppet/modules/site_couchdb/files/local.ini | 84 | ||||
-rw-r--r-- | puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp | 35 | ||||
-rw-r--r-- | puppet/modules/site_couchdb/manifests/configure.pp | 32 | ||||
-rw-r--r-- | puppet/modules/site_couchdb/manifests/init.pp | 63 | ||||
-rw-r--r-- | puppet/modules/site_couchdb/manifests/package.pp | 13 | ||||
-rw-r--r-- | puppet/modules/site_shorewall/manifests/eip.pp | 30 |
13 files changed, 431 insertions, 10 deletions
diff --git a/.gitmodules b/.gitmodules
index e3e8d6db..c2d42cc5 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -37,3 +37,7 @@
 [submodule "puppet/modules/interfaces"]
 path = puppet/modules/interfaces
 url = git://github.com/x-way/puppet-interfaces.git
+[submodule "puppet/modules/apache"]
+ path = puppet/modules/apache
+ url = git://code.leap.se/puppet_apache
+
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index ef5c3a8a..6abf9b48 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -4,7 +4,7 @@ node 'default' {
 include concat::setup
 # include some basic classes
- #include site_config
+ include site_config
 # parse services for host
 $services=hiera_array('services')
@@ -15,9 +15,7 @@ node 'default' {
 include site_config::eip
 }
- if 'couchdb' in $services {
- class { 'couchdb':
- #bind => '0.0.0.0'
- }
+ if 'couchdb' in $services {
+ include site_couchdb
 }
 }
diff --git a/puppet/modules/apache b/puppet/modules/apache
new file mode 160000
+Subproject 104b2e09399e02a8aa9687df0de795644e4b83e
diff --git a/puppet/modules/site-apache b/puppet/modules/site-apache
new file mode 120000
index 00000000..f0517fa5
--- /dev/null
+++ b/puppet/modules/site-apache
@@ -0,0 +1 @@
+site_apache
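Review bot: The new submodule is fetched over `git://`, which is unauthenticated and unencrypted; the pinned gitlink commit protects a checkout of this exact revision, but any later `git submodule update --remote` or re-pin trusts whatever the transport delivers. If code.leap.se serves HTTPS, `url = https://code.leap.se/puppet_apache` keeps the pin and removes the plaintext fetch. The existing github entry in the context lines has the same property, though this commit does not touch it.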
\ No newline at end of file
diff --git a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf
new file mode 100644
index 00000000..79ad931d
--- /dev/null
+++ b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf
@@ -0,0 +1,10 @@
+Listen 0.0.0.0:6984
+
+<VirtualHost *:6984>
+ SSLEngine On
+ SSLProxyEngine On
+ SSLCertificateKeyFile /etc/couchdb/server_key.pem
+ SSLCertificateFile /etc/couchdb/server_cert.pem
+ ProxyPass / http://127.0.0.1:5984/
+ ProxyPassReverse / http://127.0.0.1:5984/
+</VirtualHost>
diff --git a/puppet/modules/site_apt/files/unstable.list b/puppet/modules/site_apt/files/unstable.list
new file mode 100644
index 00000000..0e289136
--- /dev/null
+++ b/puppet/modules/site_apt/files/unstable.list
@@ -0,0 +1 @@
+deb http://http.debian.net/debian unstable main
diff --git a/puppet/modules/site_couchdb/files/couchdb b/puppet/modules/site_couchdb/files/couchdb
new file mode 100755
index 00000000..ccdfe716
--- /dev/null
+++ b/puppet/modules/site_couchdb/files/couchdb
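Review bot: The vhost listens on `0.0.0.0:6984` and forwards the entire URL space with `ProxyPass / http://127.0.0.1:5984/`, so every CouchDB endpoint, `/_config` and `/_utils` included, becomes reachable from any interface with CouchDB's own authentication as the only gate; the shipped local.ini leaves `require_valid_user` commented out, so unauthenticated reads of databases without a security object are presumably still possible. Either restrict at the proxy, for example a `<Location /_config>` block with `Order deny,allow` / `Deny from all`, or bind to the internal address rather than `0.0.0.0` if only the web front end and CA daemon need access. `SSLProxyEngine On` is unnecessary since the backend is plain `http://`, and with no `SSLProtocol`/`SSLCipherSuite` set the TLS policy is whatever the apache module's defaults provide.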
@@ -0,0 +1,160 @@
+#!/bin/sh -e
+
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+### BEGIN INIT INFO
+# Provides: couchdb
+# Required-Start: $local_fs $remote_fs
+# Required-Stop: $local_fs $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Apache CouchDB init script
+# Description: Apache CouchDB init script for the database server.
+### END INIT INFO
+
+SCRIPT_OK=0
+SCRIPT_ERROR=1
+
+DESCRIPTION="database server"
+NAME=couchdb
+SCRIPT_NAME=`basename $0`
+COUCHDB=/usr/bin/couchdb
+CONFIGURATION_FILE=/etc/default/couchdb
+RUN_DIR=/var/run/couchdb
+LSB_LIBRARY=/lib/lsb/init-functions
+
+if test ! -x $COUCHDB; then
+ exit $SCRIPT_ERROR
+fi
+
+if test -r $CONFIGURATION_FILE; then
+ . $CONFIGURATION_FILE
+fi
+
+log_daemon_msg () {
+ # Dummy function to be replaced by LSB library.
+
+ echo $@
+}
+
+log_end_msg () {
+ # Dummy function to be replaced by LSB library.
+
+ if test "$1" != "0"; then
+ echo "Error with $DESCRIPTION: $NAME"
+ fi
+ return $1
+}
+
+if test -r $LSB_LIBRARY; then
+ . $LSB_LIBRARY
+fi
+
+run_command () {
+ command="$1"
+ if test -n "$COUCHDB_OPTIONS"; then
+ command="$command $COUCHDB_OPTIONS"
+ fi
+ if test -n "$COUCHDB_USER"; then
+ if su $COUCHDB_USER -c "$command"; then
+ return $SCRIPT_OK
+ else
+ return $SCRIPT_ERROR
+ fi
+ else
+ if $command; then
+ return $SCRIPT_OK
+ else
+ return $SCRIPT_ERROR
+ fi
+ fi
+}
+
+start_couchdb () {
+ # Start Apache CouchDB as a background process.
+
+ mkdir -p "$RUN_DIR"
+ chown -R "$COUCHDB_USER" "$RUN_DIR"
+ command="$COUCHDB -b"
+ if test -n "$COUCHDB_STDOUT_FILE"; then
+ command="$command -o $COUCHDB_STDOUT_FILE"
+ fi
+ if test -n "$COUCHDB_STDERR_FILE"; then
+ command="$command -e $COUCHDB_STDERR_FILE"
+ fi
+ if test -n "$COUCHDB_RESPAWN_TIMEOUT"; then
+ command="$command -r $COUCHDB_RESPAWN_TIMEOUT"
+ fi
+ run_command "$command" > /dev/null
+}
+
+stop_couchdb () {
+ # Stop the running Apache CouchDB process.
+
+ run_command "$COUCHDB -d" > /dev/null
+ pkill -u couchdb
+ # always return true even if no remaining couchdb procs got killed
+ /bin/true
+}
+
+display_status () {
+ # Display the status of the running Apache CouchDB process.
+
+ run_command "$COUCHDB -s"
+}
+
+parse_script_option_list () {
+ # Parse arguments passed to the script and take appropriate action.
+
+ case "$1" in
+ start)
+ log_daemon_msg "Starting $DESCRIPTION" $NAME
+ if start_couchdb; then
+ log_end_msg $SCRIPT_OK
+ else
+ log_end_msg $SCRIPT_ERROR
+ fi
+ ;;
+ stop)
+ log_daemon_msg "Stopping $DESCRIPTION" $NAME
+ if stop_couchdb; then
+ log_end_msg $SCRIPT_OK
+ else
+ log_end_msg $SCRIPT_ERROR
+ fi
+ ;;
+ restart|force-reload)
+ log_daemon_msg "Restarting $DESCRIPTION" $NAME
+ if stop_couchdb; then
+ if start_couchdb; then
+ log_end_msg $SCRIPT_OK
+ else
+ log_end_msg $SCRIPT_ERROR
+ fi
+ else
+ log_end_msg $SCRIPT_ERROR
+ fi
+ ;;
+ status)
+ display_status
+ ;;
+ *)
+ cat << EOF >&2
+Usage: $SCRIPT_NAME {start|stop|restart|force-reload|status}
+EOF
+ exit $SCRIPT_ERROR
+ ;;
+ esac
+}
+
+parse_script_option_list $@
diff --git a/puppet/modules/site_couchdb/files/local.ini b/puppet/modules/site_couchdb/files/local.ini
new file mode 100644
index 00000000..485c9a29
--- /dev/null
+++ b/puppet/modules/site_couchdb/files/local.ini
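Review bot: `stop_couchdb` hard-codes `pkill -u couchdb` while every other step derives the account from `$COUCHDB_USER` sourced from `/etc/default/couchdb`; if the two disagree the kill misses the daemon, and when they agree it terminates every process of that user, not only CouchDB. The unconditional `/bin/true` then reports success, so `restart` proceeds into `start_couchdb` even when the stop failed. Suggest `test -n "$COUCHDB_USER" && pkill -u "$COUCHDB_USER"` and returning the result of `run_command "$COUCHDB -d"` rather than always succeeding. Separately, `parse_script_option_list $@` and `su $COUCHDB_USER -c "$command"` are unquoted expansions under `sh -e`; `"$@"` and `"$COUCHDB_USER"` are the safe forms.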
@@ -0,0 +1,84 @@
+; CouchDB Configuration Settings
+
+; Custom settings should be made in this file. They will override settings
+; in default.ini, but unlike changes made to default.ini, this file won't be
+; overwritten on server upgrade.
+
+[couchdb]
+;max_document_size = 4294967296 ; bytes
+
+[httpd]
+;port = 5984
+;bind_address = 127.0.0.1
+; Options for the MochiWeb HTTP server.
+;server_options = [{backlog, 128}, {acceptor_pool_size, 16}]
+; For more socket options, consult Erlang's module 'inet' man page.
+;socket_options = [{recbuf, 262144}, {sndbuf, 262144}, {nodelay, true}]
+
+; Uncomment next line to trigger basic-auth popup on unauthorized requests.
+;WWW-Authenticate = Basic realm="administrator"
+
+; Uncomment next line to set the configuration modification whitelist. Only
+; whitelisted values may be changed via the /_config URLs. To allow the admin
+; to change this value over HTTP, remember to include {httpd,config_whitelist}
+; itself. Excluding it from the list would require editing this file to update
+; the whitelist.
+;config_whitelist = [{httpd,config_whitelist}, {log,level}, {etc,etc}]
+
+[httpd_global_handlers]
+;_google = {couch_httpd_proxy, handle_proxy_req, <<"http://www.google.com">>}
+
+[couch_httpd_auth]
+; If you set this to true, you should also uncomment the WWW-Authenticate line
+; above. If you don't configure a WWW-Authenticate header, CouchDB will send
+; Basic realm="server" in order to prevent you getting logged out.
+; require_valid_user = false
+
+[log]
+;level = debug
+
+[os_daemons]
+; For any commands listed here, CouchDB will attempt to ensure that
+; the process remains alive while CouchDB runs as well as shut them
+; down when CouchDB exits.
+;foo = /path/to/command -with args
+
+[daemons]
+; enable SSL support by uncommenting the following line and supply the PEM's below.
+; the default ssl port CouchDB listens on is 6984
+;httpsd = {couch_httpd, start_link, [https]}
+
+[ssl]
+;cert_file = /etc/couchdb/server_cert.pem
+;key_file = /etc/couchdb/server_key.pem
+;password = somepassword
+; set to true to validate peer certificates
+;verify_ssl_certificates = false
+; Path to file containing PEM encoded CA certificates (trusted
+; certificates used for verifying a peer certificate). May be omitted if
+; you do not want to verify the peer.
+;cacert_file = /full/path/to/cacertf
+; The verification fun (optionnal) if not specidied, the default
+; verification fun will be used.
+;verify_fun = {Module, VerifyFun}
+;ssl_certificate_max_depth = 1
+; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to
+; the Virual Host will be redirected to the path. In the example below all requests
+; to http://example.com/ are redirected to /database.
+; If you run CouchDB on a specific port, include the port number in the vhost:
+; example.com:5984 = /database
+
+[vhosts]
+;example.com = /database/
+
+[update_notification]
+;unique notifier name=/full/path/to/exe -with "cmd line arg"
+
+; To create an admin account uncomment the '[admins]' section below and add a
+; line in the format 'username = password'. When you next start CouchDB, it
+; will change the password to a hash (so that your passwords don't linger
+; around in plain-text files). You can add more admin accounts with more
+; 'username = password' lines. Don't forget to restart CouchDB after
+; changing this.
+;[admins]
+;admin = mysecretpassword
diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
new file mode 100644
index 00000000..87b21e62
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
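Review bot: The file ships as the stock CouchDB template with every setting commented out, including `; require_valid_user = false` under `[couch_httpd_auth]`, yet the accompanying Apache vhost publishes the HTTP API on all interfaces. With an admin created through `admin.ini`, database creation is admin-only, but anonymous reads of any database that has no `_security` object remain possible (exact behaviour depends on the CouchDB version pulled from unstable), so the per-database `readers` lists written from init.pp are the only protection. Consider setting `require_valid_user = true` here, or in a `local.d` snippet next to the generated `admin.ini`, and uncommenting the `WWW-Authenticate` line as the file's own guidance suggests; the `[ssl]` and `httpsd` entries can stay commented since TLS is terminated by Apache.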
@@ -0,0 +1,35 @@
+define site_couchdb::apache_ssl_proxy ($key, $cert) {
+
+ include apache::ssl
+ apache::module {
+ 'rewrite': ensure => present;
+ 'proxy': ensure => present;
+ 'proxy_http': ensure => present;
+ }
+ apache::vhost::file { 'couchdb_proxy': }
+ # prevent 0-default.conf and 0-default_ssl.conf from apache module
+ # from starting on port 80 / 443
+ file { '/etc/apache2/ports.conf':
+ content => '',
+ mode => '0644',
+ owner => 'root',
+ group => 'root',
+ }
+
+ file { '/etc/couchdb/server_cert.pem':
+ mode => '0644',
+ owner => 'couchdb',
+ group => 'couchdb',
+ content => $cert,
+ notify => Service[apache],
+ }
+
+ file { '/etc/couchdb/server_key.pem':
+ mode => '0600',
+ owner => 'couchdb',
+ group => 'couchdb',
+ content => $key,
+ notify => Service[apache],
+ }
+
+}
diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp
new file mode 100644
index 00000000..25ea7a0b
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/configure.pp
@@ -0,0 +1,32 @@
+class site_couchdb::configure {
+ Class[site_couchdb::package] -> Class[couchdb]
+
+ class { 'couchdb':
+ require => Class['site_couchdb::package'], }
+
+
+ file { '/etc/init.d/couchdb':
+ source => 'puppet:///modules/site_couchdb/couchdb',
+ mode => '0755',
+ owner => 'root',
+ group => 'root',
+ }
+
+ file { '/etc/couchdb/local.d/admin.ini':
+ content => "[admins]
+admin = $site_couchdb::couchdb_admin_pw
+",
+ mode => '0600',
+ owner => 'couchdb',
+ group => 'couchdb',
+ notify => Service[couchdb]
+ }
+
+
+ exec { '/etc/init.d/couchdb restart; sleep 6':
+ path => ['/bin', '/usr/bin',],
+ subscribe => File['/etc/couchdb/local.d/admin.ini',
+ '/etc/couchdb/local.ini'],
+ refreshonly => true
+ }
+}
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
new file mode 100644
index 00000000..30ce7f54
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/init.pp
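Review bot: `admin.ini` in configure.pp hard-codes the administrator name as `admin` (`admin = $site_couchdb::couchdb_admin_pw`), while init.pp hands `$site_couchdb::couchdb_admin_user` from hiera to `couchdb::query::setup`; if the hiera username is anything but `admin`, every later `couchdb::add_user` and `couchdb::create_db` authenticates against an account that was never created. Use the same variable on both sides, `$site_couchdb::couchdb_admin_user = $site_couchdb::couchdb_admin_pw`. The plaintext password is also embedded in the catalog and would appear in any file diff in Puppet reports; the resource is `0600` on disk, and `show_diff => false` on the `file` keeps the content out of reports if the Puppet version in use supports it.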
@@ -0,0 +1,63 @@
+class site_couchdb {
+
+ $x509 = hiera('x509')
+ $key = $x509['key']
+ $cert = $x509['cert']
+ $couchdb_config = hiera('couch')
+ $couchdb_users = $couchdb_config['users']
+ $couchdb_admin = $couchdb_users['admin']
+ $couchdb_admin_user = $couchdb_admin['username']
+ $couchdb_admin_pw = $couchdb_admin['password']
+ $couchdb_webapp = $couchdb_users['webapp']
+ $couchdb_webapp_user = $couchdb_webapp['username']
+ $couchdb_webapp_pw = $couchdb_webapp['password']
+ $couchdb_ca_daemon = $couchdb_users['ca_daemon']
+ $couchdb_ca_daemon_user = $couchdb_ca_daemon['username']
+ $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password']
+
+ Class['site_couchdb::package']
+ -> Package ['couchdb']
+ -> File['/etc/init.d/couchdb']
+ -> File['/etc/couchdb/local.ini']
+ -> File['/etc/couchdb/local.d/admin.ini']
+ -> File['/etc/couchdb/couchdb.netrc']
+ -> Couchdb::Create_db[leap_web]
+ -> Couchdb::Create_db[leap_ca]
+ -> Couchdb::Add_user[$couchdb_webapp_user]
+ -> Couchdb::Add_user[$couchdb_ca_daemon_user]
+ -> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy']
+
+ # Setup couchdb
+ include site_couchdb::package
+ include site_couchdb::configure
+ include couchdb::deploy_config
+
+ site_couchdb::apache_ssl_proxy { 'apache_ssl_proxy':
+ key => $key,
+ cert => $cert
+ }
+
+ couchdb::query::setup { 'localhost':
+ user => $couchdb_admin_user,
+ pw => $couchdb_admin_pw
+ }
+
+ # Populate couchdb
+ couchdb::add_user { $couchdb_webapp_user:
+ roles => '["certs"]',
+ pw => $couchdb_webapp_pw
+ }
+
+ couchdb::add_user { $couchdb_ca_daemon_user:
+ roles => '["certs"]',
+ pw => $couchdb_ca_daemon_pw
+ }
+
+ couchdb::create_db { 'leap_web':
+ readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }"
+ }
+
+ couchdb::create_db { 'leap_ca':
+ readers => "{ \"names\": [], \"roles\": [\"certs\"] }"
+ }
+}
diff --git a/puppet/modules/site_couchdb/manifests/package.pp b/puppet/modules/site_couchdb/manifests/package.pp
new file mode 100644
index 00000000..c091316a
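Review bot: The `readers` security object for `leap_web` is assembled by interpolating a hiera value straight into a JSON string, `readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }"`, so a username containing `"` or `\` produces invalid JSON, or a different object than intended, at `create_db` time. Either constrain the value before use, for example `validate_re($couchdb_webapp_user, '^[A-Za-z0-9_.-]+$')` if puppetlabs-stdlib is available to this module, or let `couchdb::create_db` serialise the structure itself. Placing `Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy']` last in the ordering chain is good, since it is the step that exposes the API beyond localhost.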
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/package.pp
@@ -0,0 +1,13 @@
+class site_couchdb::package {
+
+ # for now, we need to install couchdb from unstable,
+ # because of this bug while installing:
+ # http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681549
+ # can be removed when couchdb/1.2.0-2 is integrated into testing
+ apt::sources_list { 'unstable.list':
+ source => [ 'puppet:///modules/site_apt/unstable.list'],
+ }
+ apt::preferences_snippet{
+ 'couchdb': release => 'unstable', priority => 999;
+ }
+}
diff --git a/puppet/modules/site_shorewall/manifests/eip.pp b/puppet/modules/site_shorewall/manifests/eip.pp
index 7a86db21..7dee6b7a 100644
--- a/puppet/modules/site_shorewall/manifests/eip.pp
+++ b/puppet/modules/site_shorewall/manifests/eip.pp
@@ -11,11 +11,9 @@ class site_shorewall::eip {
 $openvpn_config = hiera('openvpn')
 $openvpn_ports = $openvpn_config['ports']
 $openvpn_gateway_address = $site_config::eip::openvpn_gateway_address
+ $interface = hiera('interface')
- notify {"openvpn: $openvpn":}
- notify {"openvpn_ports: $openvpn_ports":}
-
- # define macro, allowing incoming openvpn and ssh
+ # define macro for incoming services
 file { '/etc/shorewall/macro.leap_eip':
 content => "PARAM - - tcp 1194,$ssh_port
 PARAM - - udp 1194
@@ -57,6 +55,11 @@ PARAM - - udp 1194
 destinationzone => 'all',
 policy => 'ACCEPT',
 order => 100;
+ 'fw-to-all':
+ sourcezone => '$FW',
+ destinationzone => 'all',
+ policy => 'ACCEPT',
+ order => 100;
 'all-to-all':
 sourcezone => 'all',
 destinationzone => 'all',
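Review bot: The preferences snippet pins only `couchdb` to priority 999, but `unstable.list` makes every package in unstable a candidate as well; unless the apt module (not visible here) sets a default release or a blanket negative pin, all suites sit at apt's default priority of 500 and the highest version wins, so the whole host can drift to unstable on its next upgrade. Add a catch-all alongside, for example `'*': release => 'unstable', priority => 1;` (assuming the define writes its title into the `Package:` field), or confirm that `site_apt` already configures `APT::Default-Release` for the node. The comment recording the removal condition (couchdb/1.2.0-2 reaching testing) is a good practice and should stay next to the pin.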
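Review bot: `'fw-to-all'` in the `@@ -57,6 +55,11 @@` hunk declares an ACCEPT policy from `$FW` to every zone, which makes the per-service `fw2all-*` rules in the following hunk meaningless: Shorewall consults rules before policies, so once the policy accepts everything from the firewall those rules no longer restrict any outbound connection. If unrestricted egress is intended, drop the `fw2all` rules so the configuration does not suggest filtering that is not happening; if egress filtering is intended, keep the rules and use `policy => 'REJECT'` here. `$interface = hiera('interface')` is added in the first hunk but not referenced anywhere in the visible hunks, so it is either dead or used outside this diff.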
@@ -65,19 +68,30 @@ PARAM - - udp 1194
 }
 shorewall::rule {
+ # ping party
 'all2all-ping':
 source => 'all',
 destination => 'all',
 action => 'Ping(ACCEPT)',
 order => 200;
+<<<<<<< HEAD
 'net2fw-openvpn_ssh':
+=======
+ # outside to server
+ 'net2fw-ssh':
+ source => 'net',
+ destination => '$FW',
+ action => 'SSH(ACCEPT)',
+ order => 200;
+ 'net2fw-openvpn':
+>>>>>>> feature/couchdb
 source => 'net',
 destination => '$FW',
 action => 'leap_eip(ACCEPT)',
 order => 200;
- # eip gw itself to outside
+ # server to outside
 'fw2all-http':
 source => '$FW',
 destination => 'all',
@@ -94,8 +108,14 @@ PARAM - - udp 1194
 action => 'Git(ACCEPT)',
 order => 200;
+<<<<<<< HEAD
 #'eip2fw-https':
 # source => 'eip',
+=======
+ # Webfrontend is running on another server
+ #'eip2fw-https':
+ # source => 'eip',
+>>>>>>> feature/couchdb
 # destination => '$FW',
 # action => 'HTTPS(ACCEPT)',
 # order => 200; |
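Review bot: Both hunks here commit unresolved merge-conflict markers into eip.pp: `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> feature/couchdb` land inside the `shorewall::rule { ... }` block at `@@ -65,19 +68,30 @@` and again around the commented `eip2fw-https` entry at `@@ -94,8 +108,14 @@`. The manifest cannot parse, so catalog compilation fails for every node that includes `site_shorewall::eip` and the firewall on those hosts stops being managed until this is fixed. Resolve by keeping one side (presumably the `feature/couchdb` side, `net2fw-ssh` plus `net2fw-openvpn`, dropping the HEAD `net2fw-openvpn_ssh` title) and deleting all three marker lines in each block; `git diff --check` before committing would have reported them. Note that `net2fw-openvpn` still uses the `leap_eip` macro, whose first hunk shows it also allows `tcp 1194,$ssh_port`, so SSH would be permitted by both rules once resolved.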