| -rw-r--r-- | provider_base/files/service-definitions/provider.json.erb | 8 | ||||
| -rw-r--r-- | provider_base/services/webapp.json | 9 | ||||
| -rw-r--r-- | puppet/manifests/site.pp | 1 | ||||
| m--------- | puppet/modules/apache | 0 | ||||
| -rw-r--r-- | puppet/modules/site_config/manifests/ruby.pp | 14 | ||||
| -rw-r--r-- | puppet/modules/site_nickserver/manifests/init.pp | 162 | ||||
| -rw-r--r-- | puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb | 23 | ||||
| -rw-r--r-- | puppet/modules/site_nickserver/templates/nickserver.yml.erb | 19 | ||||
| -rw-r--r-- | puppet/modules/site_webapp/manifests/couchdb.pp | 9 | ||||
| -rw-r--r-- | puppet/modules/site_webapp/manifests/init.pp | 28 | 
10 files changed, 252 insertions, 21 deletions
diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb index bc93fac5..5552c423 100644 --- a/provider_base/files/service-definitions/provider.json.erb +++ b/provider_base/files/service-definitions/provider.json.erb @@ -9,11 +9,13 @@    hsh['domain'] = domain.full_suffix -  # advertise services that are 'user services' -  hsh['services'] = global.services[:service_type => :user_service].field(:name) +  # advertise services that are 'user services' and for which there are actually nodes +  hsh['services'] = global.services[:service_type => :user_service].field(:name).select do |service| +    nodes_like_me[:services => service].any? +  end    hsh['api_version'] = "1" -  hsh['api_uri'] = "https://" + api.domain + ':' + api.port +  hsh['api_uri'] = ["https://", api.domain, ':', api.port].join    hsh['ca_cert_uri'] = 'https://' + domain.full_suffix + '/ca.crt'    hsh['ca_cert_fingerprint'] = fingerprint(:ca_cert) diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 1fe5cf7b..3dd9bebe 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -29,10 +29,15 @@    "service_type": "public_service",    "api": {      "domain": "= 'api.' + domain.full_suffix", -    "port": "4430" +    "port": 4430 +  }, +  "nickserver": { +    "domain": "= 'nicknym.' + domain.full_suffix", +    "port": 6425, +    "couchdb_user": "= global.services[:couchdb].couch.users[:admin]"    },    "dns": { -    "aliases": "= [domain.full, api.domain]" +    "aliases": "= [domain.full, api.domain, nickserver.domain]"    },    "x509": {      "use": true, diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index 2d41d45f..22172584 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -29,6 +29,7 @@ if 'couchdb' in $services {  if 'webapp' in $services {    include site_webapp +  include site_nickserver  }  if 'monitor' in $services { 
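Review bot: `hsh['ca_cert_uri']`, the context line directly below the rewritten `api_uri` line, still builds its URL with `+` concatenation while `api_uri` now uses `Array#join`; two adjacent lines doing the same job should use one form, e.g. `hsh['ca_cert_uri'] = ['https://', domain.full_suffix, '/ca.crt'].join`. The switch to `join` is not only cosmetic: webapp.json in this commit turns `api.port` from the string "4430" into the integer 4430, and `"https://" + api.domain + ':' + api.port` would have raised TypeError on an Integer, so a one-line comment such as `# join rather than +: api.port is an Integer` would record why this line differs from its neighbour. The `select` filter presumably relies on `nodes_like_me[:services => service]` being cheap to evaluate per service; I cannot confirm that from this hunk.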
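Review bot: `"couchdb_user": "= global.services[:couchdb].couch.users[:admin]"` hands nickserver the CouchDB admin credential, yet the nickserver.yml.erb added in this commit only configures `couch_database: "users"`, so the process appears to need lookups on one database rather than admin rights on all of them. A dedicated least-privilege CouchDB user for nickserver would limit what a compromise of this public-facing service could reach; until one exists, a comment on the line, `# TODO: replace the admin user with a nickserver-specific user scoped to the users db`, records the debt. Note also that `"port"` changes from the string "4430" to the integer 4430; provider.json.erb is updated to cope, but any other consumer that concatenates `api.port` with a string would now raise, so it is worth checking the remaining references before merging.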
diff --git a/puppet/modules/apache b/puppet/modules/apache
-Subproject 090e59ad1fcba01e868237a83cadf9254cf09d3
+Subproject c3e92a9b3cb02f1546b6b1570f10a968d380005
diff --git a/puppet/modules/site_config/manifests/ruby.pp b/puppet/modules/site_config/manifests/ruby.pp
new file mode 100644
index 00000000..2a720114
--- /dev/null
+++ b/puppet/modules/site_config/manifests/ruby.pp
@@ -0,0 +1,14 @@
+class site_config::ruby {
+  Class[Ruby] -> Class[rubygems] -> Class[bundler::install]
+  class { '::ruby': ruby_version => '1.9.3' }
+  class { 'bundler::install': install_method => 'package' }
+  include rubygems
+}
+
+
+#
+# Ruby settings common to all servers
+#
+# Why this way? So that other classes can do 'include site_ruby' without creating redeclaration errors.
+# See https://puppetlabs.com/blog/modeling-class-composition-with-parameterized-classes/
+#
diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp
new file mode 100644
index 00000000..7dfa2603
--- /dev/null
+++ b/puppet/modules/site_nickserver/manifests/init.pp
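Review bot: The explanatory header comment is placed after the closing `}` of the class (the last six lines of the new file) and tells readers to `include site_ruby`, but the class is declared as `site_config::ruby`; move the comment block above `class site_config::ruby {` and change it to `include site_config::ruby` so the rationale is seen first and the name matches what the other manifests in this commit actually include. The ordering chain uses `Class[Ruby]` while the declaration two lines later is `class { '::ruby': ... }`; as far as I know Puppet treats class names case-insensitively so this resolves, but writing `Class['::ruby']` to match the declaration removes the doubt.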
@@ -0,0 +1,162 @@
+#
+# TODO: currently, this is dependent on some things that are set up in site_webapp
+#
+# (1) HAProxy -> couchdb
+# (2) Apache
+#
+# It would be good in the future to make nickserver installable independently of site_webapp.
+#
+
+class site_nickserver {
+  tag 'leap_service'
+  include site_config::ruby
+
+  #
+  # VARIABLES
+  #
+
+  $nickserver        = hiera('nickserver')
+  $nickserver_port   = $nickserver['port']  # the port that public connects to (should be 6425)
+  $nickserver_local_port = '64250'          # the port that nickserver is actually running on
+  $nickserver_domain = $nickserver['domain']
+
+  $couchdb_user      = $nickserver['couchdb_user']['username']
+  $couchdb_password  = $nickserver['couchdb_user']['password']
+  $couchdb_host      = 'localhost'    # couchdb is available on localhost via haproxy, which is bound to 4096.
+  $couchdb_port      = '4096'         # See site_webapp/templates/haproxy_couchdb.cfg.erg
+
+  # temporarily for now:
+  $domain          = hiera('domain')
+  $address_domain  = $domain['full_suffix']
+  $x509            = hiera('x509')
+  $x509_key        = $x509['key']
+  $x509_cert       = $x509['cert']
+  $x509_ca         = $x509['ca_cert']
+
+  #
+  # USER AND GROUP
+  #
+
+  group { 'nickserver':
+    ensure    => present,
+    allowdupe => false;
+  }
+  user { 'nickserver':
+    ensure    => present,
+    allowdupe => false,
+    gid       => 'nickserver',
+    home      => '/srv/leap/nickserver',
+    require   => Group['nickserver'];
+  }
+
+  #
+  # NICKSERVER CODE
+  # NOTE: in order to support TLS, libssl-dev must be installed before EventMachine gem
+  # is built/installed.
+  #
+
+  package {
+    'libssl-dev': ensure => installed;
+  }
+  vcsrepo { '/srv/leap/nickserver':
+    ensure   => present,
+    revision => 'origin/master',
+    provider => git,
+    source   => 'git://code.leap.se/nickserver',
+    owner    => 'nickserver',
+    group    => 'nickserver',
+    require  => [ User['nickserver'], Group['nickserver'] ],
+    notify   => Exec['nickserver_bundler_update'];
+  }
+  exec { 'nickserver_bundler_update':
+    cwd     => '/srv/leap/nickserver',
+    command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle"',
+    unless  => '/usr/bin/bundle check',
+    user    => 'nickserver',
+    timeout => 600,
+    require => [ Class['bundler::install'], Vcsrepo['/srv/leap/nickserver'], Package['libssl-dev'] ],
+    notify  => Service['nickserver'];
+  }
+
+  #
+  # NICKSERVER CONFIG
+  #
+
+  file { '/etc/leap/nickserver.yml':
+    content => template('site_nickserver/nickserver.yml.erb'),
+    owner   => nickserver,
+    group   => nickserver,
+    mode    => '0600',
+    notify  => Service['nickserver'];
+  }
+
+  #
+  # NICKSERVER DAEMON
+  #
+
+  file {
+    '/usr/bin/nickserver':
+      ensure  => link,
+      target  => '/srv/leap/nickserver/bin/nickserver',
+      require => Vcsrepo['/srv/leap/nickserver'];
+    '/etc/init.d/nickserver':
+      owner   => root, group => 0, mode => '0755',
+      source  => '/srv/leap/nickserver/dist/debian-init-script',
+      require => Vcsrepo['/srv/leap/nickserver'];
+  }
+
+  service { 'nickserver':
+    ensure     => running,
+    enable     => true,
+    hasrestart => true,
+    hasstatus  => true,
+    require    => File['/etc/init.d/nickserver'];
+  }
+
+  #
+  # FIREWALL
+  # poke a hole in the firewall to allow nickserver requests
+  #
+
+  file { '/etc/shorewall/macro.nickserver':
+    content => "PARAM   -       -       tcp    $nickserver_port",
+    notify  => Service['shorewall'],
+    require => Package['shorewall'];
+  }
+
+  shorewall::rule { 'net2fw-nickserver':
+    source      => 'net',
+    destination => '$FW',
+    action      => 'nickserver(ACCEPT)',
+    order       => 200;
+  }
+
+  #
+  # APACHE REVERSE PROXY
+  # nickserver doesn't speak TLS natively, let Apache handle that.
+  #
+
+  apache::module {
+    'proxy': ensure => present;
+    'proxy_http': ensure => present
+  }
+
+  apache::vhost::file {
+    'nickserver': content => template('site_nickserver/nickserver-proxy.conf.erb')
+  }
+
+  x509::key { 'nickserver':
+    content => $x509_key,
+    notify  => Service[apache];
+  }
+
+  x509::cert { 'nickserver':
+    content => $x509_cert,
+    notify  => Service[apache];
+  }
+
+  x509::ca { 'nickserver':
+    content => $x509_ca,
+    notify  => Service[apache];
+  }
+}
\ No newline at end of file
diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb
new file mode 100644
index 00000000..67896cd3
--- /dev/null
+++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb
@@ -0,0 +1,23 @@
+#
+# Apache reverse proxy configuration for the Nickserver
+#
+
+Listen 0.0.0.0:<%= @nickserver_port -%>
+
+<VirtualHost *:<%= @nickserver_port -%>>
+  ServerName <%= @nickserver_domain %>
+  ServerAlias <%= @address_domain %>
+
+  SSLEngine on
+  SSLProtocol -all +SSLv3 +TLSv1
+  SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+  SSLHonorCipherOrder on
+
+  SSLCACertificatePath /etc/ssl/certs
+  SSLCertificateChainFile /etc/ssl/certs/nickserver.pem
+  SSLCertificateKeyFile /etc/x509/keys/nickserver.key
+  SSLCertificateFile /etc/x509/certs/nickserver.crt
+
+  ProxyPass / http://localhost:<%= @nickserver_local_port %>/
+  ProxyPreserveHost On  # preserve Host header in HTTP request
+</VirtualHost>
diff --git a/puppet/modules/site_nickserver/templates/nickserver.yml.erb b/puppet/modules/site_nickserver/templates/nickserver.yml.erb
new file mode 100644
index 00000000..7aab5605
--- /dev/null
+++ b/puppet/modules/site_nickserver/templates/nickserver.yml.erb
@@ -0,0 +1,19 @@
+#
+# configuration for nickserver.
+#
+
+domain: "<%= @address_domain %>"
+
+couch_host: "<%= @couchdb_host %>"
+couch_port: <%= @couchdb_port %>
+couch_database: "users"
+couch_user: "<%= @couchdb_user %>"
+couch_password: "<%= @couchdb_password %>"
+
+hkp_url: "https://hkps.pool.sks-keyservers.net:/pks/lookup"
+
+user: "nickserver"
+port: <%= @nickserver_local_port %>
+pid_file: "/var/run/nickserver"
+log_file: "/var/log/nickserver.log"
+
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index 7a3839c8..b4ef0980 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
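Review bot: `source => 'git://code.leap.se/nickserver'` together with `revision => 'origin/master'` in the `vcsrepo` resource fetches the service code over the unauthenticated git:// transport and tracks a moving branch, so each Puppet run may deploy whatever master currently holds with no integrity check, and the `notify` chain then runs `bundle install` and restarts the daemon. Pinning `revision` to a tag or commit and using an https:// or ssh:// source would make the deploy reproducible and verifiable. Separately, `/etc/init.d/nickserver` is installed root-owned and `0755` from `/srv/leap/nickserver/dist/debian-init-script`, a path inside a checkout whose `owner`/`group` are the unprivileged `nickserver` account, and `/usr/bin/nickserver` is a symlink into the same checkout; content writable by the service user thus becomes something root executes on the next run, which defeats the point of the dedicated account. Shipping the init script from the module (`puppet:///modules/site_nickserver/...`) or keeping the checkout root-owned with only runtime directories writable by `nickserver` would close that gap; the `exec` also duplicates its `unless` check inside `command`, which could simply be `/usr/bin/bundle install --path vendor/bundle`.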
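Review bot: `ProxyPreserveHost On  # preserve Host header in HTTP request` places a comment after a directive on the same line, which Apache's configuration parser does not allow (the `#` and following words are read as extra arguments), so this vhost will fail to load; put the comment on its own line above, `# preserve Host header in HTTP request` then `ProxyPreserveHost On`. `SSLProtocol -all +SSLv3 +TLSv1` leaves SSLv3 enabled and `SSLCipherSuite HIGH:MEDIUM:...` admits MEDIUM-strength suites; since this vhost is the sole TLS termination for nickserver, `SSLProtocol -all +TLSv1` (plus newer versions where the Apache build supports them) and `HIGH:!aNULL:!MD5:@STRENGTH` are the conservative choice. `SSLCertificateChainFile /etc/ssl/certs/nickserver.pem` points into a different tree than the key and cert under `/etc/x509/`; I cannot see what `x509::ca` writes from this diff, so please confirm that file exists or Apache will also refuse to start.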
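Review bot: `hkp_url: "https://hkps.pool.sks-keyservers.net:/pks/lookup"` has an empty port component (`:/pks`); HTTP clients differ on whether that is rejected or silently defaulted to 443, so either drop the colon or write `:443` explicitly. `couch_user`/`couch_password` are rendered from the `couchdb_user` that webapp.json sets to the CouchDB admin account while this file only names `couch_database: "users"`, which is the hint that a narrower account would suffice; the manifest installs this file `0600` owned by nickserver, which is the right protection for the embedded password. `log_file: "/var/log/nickserver.log"` has no matching `file` resource in the manifest, so I cannot tell from here what mode the daemon creates it with; worth confirming if lookups are logged.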
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -29,18 +29,21 @@ class site_webapp::couchdb {        content => template('site_webapp/couchdb.yml.admin.erb'),        owner   => leap-webapp,        group   => leap-webapp, -      mode    => '0600'; +      mode    => '0600', +      require => Vcsrepo['/srv/leap/webapp'];      '/srv/leap/webapp/config/couchdb.yml.webapp':        content => template('site_webapp/couchdb.yml.erb'),        owner   => leap-webapp,        group   => leap-webapp, -      mode    => '0600'; +      mode    => '0600', +      require => Vcsrepo['/srv/leap/webapp'];      '/srv/leap/webapp/logs/production.log':        owner   => leap-webapp,        group   => leap-webapp, -      mode    => '0666'; +      mode    => '0666', +      require => Vcsrepo['/srv/leap/webapp'];      '/usr/local/sbin/migrate_design_documents':        source => 'puppet:///modules/site_webapp/migrate_design_documents', diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index b01141ae..1dfe6936 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -11,13 +11,7 @@ class site_webapp {    $api_version      = $webapp['api_version']    $secret_token     = $webapp['secret_token'] -  Class[Ruby] -> Class[rubygems] -> Class[bundler::install] - -  class { 'ruby': ruby_version => '1.9.3' } - -  class { 'bundler::install': install_method => 'package' } - -  include rubygems +  include site_config::ruby    include site_webapp::apache    include site_webapp::couchdb    include site_webapp::client_ca 
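Review bot: `/srv/leap/webapp/logs/production.log` keeps `mode => '0666'` on the context line this hunk extends, leaving the application log world-readable and world-writable while the two `couchdb.yml.*` credential files directly above it are `0600`; since `owner`/`group` are already `leap-webapp`, `mode => '0640'` would stop other local accounts from reading or tampering with it. Whether any process other than leap-webapp must write this log I cannot tell from the hunk, so please confirm before tightening. The added `require => Vcsrepo['/srv/leap/webapp']` lines themselves look right.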
@@ -77,30 +71,37 @@ class site_webapp {    file {      '/srv/leap/webapp/public/provider.json':        content => $provider, +      require => Vcsrepo['/srv/leap/webapp'],        owner   => leap-webapp, group => leap-webapp, mode => '0644';      '/srv/leap/webapp/public/ca.crt':        ensure  => link, +      require => Vcsrepo['/srv/leap/webapp'],        target  => '/usr/local/share/ca-certificates/leap_api.crt';      "/srv/leap/webapp/public/${api_version}":        ensure => directory, +      require => Vcsrepo['/srv/leap/webapp'],        owner  => leap-webapp, group => leap-webapp, mode => '0755';      "/srv/leap/webapp/public/${api_version}/config/":        ensure => directory, +      require => Vcsrepo['/srv/leap/webapp'],        owner  => leap-webapp, group => leap-webapp, mode => '0755';      "/srv/leap/webapp/public/${api_version}/config/eip-service.json":        content => $eip_service, +      require => Vcsrepo['/srv/leap/webapp'],        owner   => leap-webapp, group => leap-webapp, mode => '0644';      "/srv/leap/webapp/public/${api_version}/config/soledad-service.json":        content => $soledad_service, +      require => Vcsrepo['/srv/leap/webapp'],        owner   => leap-webapp, group => leap-webapp, mode => '0644';      "/srv/leap/webapp/public/${api_version}/config/smtp-service.json":        content => $smtp_service, +      require => Vcsrepo['/srv/leap/webapp'],        owner   => leap-webapp, group => leap-webapp, mode => '0644';    } 
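Review bot: The inserted `require => Vcsrepo['/srv/leap/webapp'],` lines do not align their `=>` with the neighbouring attributes (e.g. `ensure => directory,` followed by `require => Vcsrepo[...]`), while the later hunk in this same file re-aligns arrows for exactly that reason; align them here too, e.g. `ensure  => directory,` / `require => Vcsrepo['/srv/leap/webapp'],`. All seven resources in this `file { … }` block now carry the identical `require`; it could be stated once as a resource default, `File { require => Vcsrepo['/srv/leap/webapp'] }`, but Puppet resource defaults are dynamically scoped and would also reach files declared in the classes this one includes, so the explicit per-resource form is the safer choice unless that reach is intended. The enclosing `class site_webapp` starts outside the hunk.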
@@ -111,19 +112,19 @@ class site_webapp {        target  => $webapp['favicon'];      '/srv/leap/webapp/app/assets/stylesheets/tail.scss': -      ensure => 'link', +      ensure  => 'link',        require => Vcsrepo['/srv/leap/webapp'], -      target => $webapp['tail_scss']; +      target  => $webapp['tail_scss'];      '/srv/leap/webapp/app/assets/stylesheets/head.scss': -      ensure => 'link', +      ensure  => 'link',        require => Vcsrepo['/srv/leap/webapp'], -      target => $webapp['head_scss']; +      target  => $webapp['head_scss'];      '/srv/leap/webapp/public/img': -      ensure => 'link', +      ensure  => 'link',        require => Vcsrepo['/srv/leap/webapp'], -      target => $webapp['img_dir']; +      target  => $webapp['img_dir'];    }    file { @@ -132,6 +133,7 @@ class site_webapp {        owner   => leap-webapp,        group   => leap-webapp,        mode    => '0600', +      require => Vcsrepo['/srv/leap/webapp'],        notify  => Service['apache'];    }  | 
