-rw-r--r-- | provider_base/files/service-definitions/provider.json.erb | 8 | ||||
-rw-r--r-- | provider_base/services/webapp.json | 9 | ||||
-rw-r--r-- | puppet/manifests/site.pp | 1 | ||||
m--------- | puppet/modules/apache | 0 | ||||
-rw-r--r-- | puppet/modules/site_config/manifests/ruby.pp | 14 | ||||
-rw-r--r-- | puppet/modules/site_nickserver/manifests/init.pp | 162 | ||||
-rw-r--r-- | puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb | 23 | ||||
-rw-r--r-- | puppet/modules/site_nickserver/templates/nickserver.yml.erb | 19 | ||||
-rw-r--r-- | puppet/modules/site_webapp/manifests/couchdb.pp | 9 | ||||
-rw-r--r-- | puppet/modules/site_webapp/manifests/init.pp | 28 |
10 files changed, 252 insertions, 21 deletions
diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb
index bc93fac5..5552c423 100644
--- a/provider_base/files/service-definitions/provider.json.erb
+++ b/provider_base/files/service-definitions/provider.json.erb
@@ -9,11 +9,13 @@
 hsh['domain'] = domain.full_suffix
- # advertise services that are 'user services'
- hsh['services'] = global.services[:service_type => :user_service].field(:name)
+ # advertise services that are 'user services' and for which there are actually nodes
+ hsh['services'] = global.services[:service_type => :user_service].field(:name).select do |service|
+ nodes_like_me[:services => service].any?
+ end
 hsh['api_version'] = "1"
- hsh['api_uri'] = "https://" + api.domain + ':' + api.port
+ hsh['api_uri'] = ["https://", api.domain, ':', api.port].join
 hsh['ca_cert_uri'] = 'https://' + domain.full_suffix + '/ca.crt'
 hsh['ca_cert_fingerprint'] = fingerprint(:ca_cert)
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index 1fe5cf7b..3dd9bebe 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -29,10 +29,15 @@
 "service_type": "public_service",
 "api": {
 "domain": "= 'api.' + domain.full_suffix",
- "port": "4430"
+ "port": 4430
+ },
+ "nickserver": {
+ "domain": "= 'nicknym.' + domain.full_suffix",
+ "port": 6425,
+ "couchdb_user": "= global.services[:couchdb].couch.users[:admin]"
 },
 "dns": {
- "aliases": "= [domain.full, api.domain]"
+ "aliases": "= [domain.full, api.domain, nickserver.domain]"
 },
 "x509": {
 "use": true,
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index 2d41d45f..22172584 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -29,6 +29,7 @@ if 'couchdb' in $services {
 if 'webapp' in $services {
 include site_webapp
+ include site_nickserver
 }
 if 'monitor' in $services {
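Review bot: The new `nickserver` block in webapp.json hands the nickserver the CouchDB admin account (`"couchdb_user": "= global.services[:couchdb].couch.users[:admin]"`), while the nickserver.yml.erb added in this commit only reads `couch_database: "users"`. That credential is rendered into /etc/leap/nickserver.yml on every webapp node, so a compromise of the nickserver process yields full CouchDB admin rights instead of read access to one database. If the couchdb service definition can provision a dedicated, less-privileged user, reference that here; otherwise record the intent next to the key, e.g. `# TODO: nickserver only needs read access to the users db; switch to a dedicated couch user`, so the over-scoping is tracked rather than forgotten.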
diff --git a/puppet/modules/apache b/puppet/modules/apache
-Subproject 090e59ad1fcba01e868237a83cadf9254cf09d3
+Subproject c3e92a9b3cb02f1546b6b1570f10a968d380005
diff --git a/puppet/modules/site_config/manifests/ruby.pp b/puppet/modules/site_config/manifests/ruby.pp
new file mode 100644
index 00000000..2a720114
--- /dev/null
+++ b/puppet/modules/site_config/manifests/ruby.pp
@@ -0,0 +1,14 @@
+class site_config::ruby {
+ Class[Ruby] -> Class[rubygems] -> Class[bundler::install]
+ class { '::ruby': ruby_version => '1.9.3' }
+ class { 'bundler::install': install_method => 'package' }
+ include rubygems
+}
+
+ #
+ # Ruby settings common to all servers
+ #
+ # Why this way? So that other classes can do 'include site_ruby' without creating redeclaration errors.
+ # See https://puppetlabs.com/blog/modeling-class-composition-with-parameterized-classes/
+ #
diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp
new file mode 100644
index 00000000..7dfa2603
--- /dev/null
+++ b/puppet/modules/site_nickserver/manifests/init.pp
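Review bot: The explanatory comment in the new ruby.pp sits below the class body and tells readers to `include site_ruby`, but the class it describes is `site_config::ruby`, which is also the name site_webapp/init.pp includes later in this commit. Move the comment block above `class site_config::ruby {` and fix the sentence to `# Why this way? So that other classes can do 'include site_config::ruby' without creating redeclaration errors.` so the documented name matches the one that actually works. With the comment moved, the trailing blank lines after the closing `}` can go as well.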
@@ -0,0 +1,162 @@
+#
+# TODO: currently, this is dependent on some things that are set up in site_webapp
+#
+# (1) HAProxy -> couchdb
+# (2) Apache
+#
+# It would be good in the future to make nickserver installable independently of site_webapp.
+#
+
+class site_nickserver {
+ tag 'leap_service'
+ include site_config::ruby
+
+ #
+ # VARIABLES
+ #
+
+ $nickserver = hiera('nickserver')
+ $nickserver_port = $nickserver['port'] # the port that public connects to (should be 6425)
+ $nickserver_local_port = '64250' # the port that nickserver is actually running on
+ $nickserver_domain = $nickserver['domain']
+
+ $couchdb_user = $nickserver['couchdb_user']['username']
+ $couchdb_password = $nickserver['couchdb_user']['password']
+ $couchdb_host = 'localhost' # couchdb is available on localhost via haproxy, which is bound to 4096.
+ $couchdb_port = '4096' # See site_webapp/templates/haproxy_couchdb.cfg.erg
+
+ # temporarily for now:
+ $domain = hiera('domain')
+ $address_domain = $domain['full_suffix']
+ $x509 = hiera('x509')
+ $x509_key = $x509['key']
+ $x509_cert = $x509['cert']
+ $x509_ca = $x509['ca_cert']
+
+ #
+ # USER AND GROUP
+ #
+
+ group { 'nickserver':
+ ensure => present,
+ allowdupe => false;
+ }
+ user { 'nickserver':
+ ensure => present,
+ allowdupe => false,
+ gid => 'nickserver',
+ home => '/srv/leap/nickserver',
+ require => Group['nickserver'];
+ }
+
+ #
+ # NICKSERVER CODE
+ # NOTE: in order to support TLS, libssl-dev must be installed before EventMachine gem
+ # is built/installed.
+ #
+
+ package {
+ 'libssl-dev': ensure => installed;
+ }
+ vcsrepo { '/srv/leap/nickserver':
+ ensure => present,
+ revision => 'origin/master',
+ provider => git,
+ source => 'git://code.leap.se/nickserver',
+ owner => 'nickserver',
+ group => 'nickserver',
+ require => [ User['nickserver'], Group['nickserver'] ],
+ notify => Exec['nickserver_bundler_update'];
+ }
+ exec { 'nickserver_bundler_update':
+ cwd => '/srv/leap/nickserver',
+ command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle"',
+ unless => '/usr/bin/bundle check',
+ user => 'nickserver',
+ timeout => 600,
+ require => [ Class['bundler::install'], Vcsrepo['/srv/leap/nickserver'], Package['libssl-dev'] ],
+ notify => Service['nickserver'];
+ }
+
+ #
+ # NICKSERVER CONFIG
+ #
+
+ file { '/etc/leap/nickserver.yml':
+ content => template('site_nickserver/nickserver.yml.erb'),
+ owner => nickserver,
+ group => nickserver,
+ mode => '0600',
+ notify => Service['nickserver'];
+ }
+
+ #
+ # NICKSERVER DAEMON
+ #
+
+ file {
+ '/usr/bin/nickserver':
+ ensure => link,
+ target => '/srv/leap/nickserver/bin/nickserver',
+ require => Vcsrepo['/srv/leap/nickserver'];
+ '/etc/init.d/nickserver':
+ owner => root, group => 0, mode => '0755',
+ source => '/srv/leap/nickserver/dist/debian-init-script',
+ require => Vcsrepo['/srv/leap/nickserver'];
+ }
+
+ service { 'nickserver':
+ ensure => running,
+ enable => true,
+ hasrestart => true,
+ hasstatus => true,
+ require => File['/etc/init.d/nickserver'];
+ }
+
+ #
+ # FIREWALL
+ # poke a hole in the firewall to allow nickserver requests
+ #
+
+ file { '/etc/shorewall/macro.nickserver':
+ content => "PARAM - - tcp $nickserver_port",
+ notify => Service['shorewall'],
+ require => Package['shorewall'];
+ }
+
+ shorewall::rule { 'net2fw-nickserver':
+ source => 'net',
+ destination => '$FW',
+ action => 'nickserver(ACCEPT)',
+ order => 200;
+ }
+
+ #
+ # APACHE REVERSE PROXY
+ # nickserver doesn't speak TLS natively, let Apache
handle that.
+ #
+
+ apache::module {
+ 'proxy': ensure => present;
+ 'proxy_http': ensure => present
+ }
+
+ apache::vhost::file {
+ 'nickserver': content => template('site_nickserver/nickserver-proxy.conf.erb')
+ }
+
+ x509::key { 'nickserver':
+ content => $x509_key,
+ notify => Service[apache];
+ }
+
+ x509::cert { 'nickserver':
+ content => $x509_cert,
+ notify => Service[apache];
+ }
+
+ x509::ca { 'nickserver':
+ content => $x509_ca,
+ notify => Service[apache];
+ }
+}
\ No newline at end of file
diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb
new file mode 100644
index 00000000..67896cd3
--- /dev/null
+++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb
@@ -0,0 +1,23 @@
+#
+# Apache reverse proxy configuration for the Nickserver
+#
+
+Listen 0.0.0.0:<%= @nickserver_port -%>
+
+<VirtualHost *:<%= @nickserver_port -%>>
+ ServerName <%= @nickserver_domain %>
+ ServerAlias <%= @address_domain %>
+
+ SSLEngine on
+ SSLProtocol -all +SSLv3 +TLSv1
+ SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+ SSLHonorCipherOrder on
+
+ SSLCACertificatePath /etc/ssl/certs
+ SSLCertificateChainFile /etc/ssl/certs/nickserver.pem
+ SSLCertificateKeyFile /etc/x509/keys/nickserver.key
+ SSLCertificateFile /etc/x509/certs/nickserver.crt
+
+ ProxyPass / http://localhost:<%= @nickserver_local_port %>/
+ ProxyPreserveHost On # preserve Host header in HTTP request
+</VirtualHost>
diff --git a/puppet/modules/site_nickserver/templates/nickserver.yml.erb b/puppet/modules/site_nickserver/templates/nickserver.yml.erb
new file mode 100644
index 00000000..7aab5605
--- /dev/null
+++ b/puppet/modules/site_nickserver/templates/nickserver.yml.erb
@@ -0,0 +1,19 @@
+#
+# configuration for nickserver.
+#
+
+domain: "<%= @address_domain %>"
+
+couch_host: "<%= @couchdb_host %>"
+couch_port: <%= @couchdb_port %>
+couch_database: "users"
+couch_user: "<%= @couchdb_user %>"
+couch_password: "<%= @couchdb_password %>"
+
+hkp_url: "https://hkps.pool.sks-keyservers.net:/pks/lookup"
+
+user: "nickserver"
+port: <%= @nickserver_local_port %>
+pid_file: "/var/run/nickserver"
+log_file: "/var/log/nickserver.log"
+
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index 7a3839c8..b4ef0980 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
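Review bot: In site_nickserver/manifests/init.pp the `vcsrepo { '/srv/leap/nickserver': ... }` resource fetches the service code over `git://code.leap.se/nickserver` at `revision => 'origin/master'`, and the `/etc/init.d/nickserver` file resource then copies `dist/debian-init-script` out of that checkout as a root-owned, mode 0755 init script. The git:// transport provides no authentication or integrity protection and a branch tip moves, so every Puppet run re-deploys whatever is currently served, including a file that runs as root at boot. Pin `revision` to a release tag or commit id and fetch over an authenticated transport (an https:// or ssh URL for the same repository); the existing `notify => Exec['nickserver_bundler_update']` then still triggers the bundle install whenever the pin is bumped. Separately, the exec's command already wraps itself in `/usr/bin/bundle check ||`, so the `unless => '/usr/bin/bundle check'` guard duplicates it and one of the two can be dropped.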
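Review bot: `ProxyPreserveHost On # preserve Host header in HTTP request` in nickserver-proxy.conf.erb will make httpd reject the vhost: Apache does not allow a trailing comment on a directive line, so `#` and the words after it are passed as extra arguments to `ProxyPreserveHost`, which takes exactly one. Put the comment on its own line above the directive, `# preserve Host header in HTTP request` followed by `ProxyPreserveHost On`. The `SSLProtocol -all +SSLv3 +TLSv1` line also deliberately re-enables SSLv3 on a listener whose only purpose is TLS termination for nickserver; `SSLProtocol all -SSLv2 -SSLv3` keeps every TLS version the installed mod_ssl supports without that, and dropping `MEDIUM` from `SSLCipherSuite` would be consistent with `SSLHonorCipherOrder on`.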
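Review bot: `hkp_url: "https://hkps.pool.sks-keyservers.net:/pks/lookup"` in nickserver.yml.erb has a colon with no port after it. Ruby's URI parser tolerates an empty port and falls back to 443, but the value reads like a leftover from an explicit port and will trip up anyone who copies it into another client; write `hkp_url: "https://hkps.pool.sks-keyservers.net/pks/lookup"` or name the port explicitly. Whether nickserver's own HTTP client accepts the empty port is not visible in this commit, so confirm against the nickserver code before relying on the current form.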
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -29,18 +29,21 @@ class site_webapp::couchdb {
 content => template('site_webapp/couchdb.yml.admin.erb'),
 owner => leap-webapp,
 group => leap-webapp,
- mode => '0600';
+ mode => '0600',
+ require => Vcsrepo['/srv/leap/webapp'];
 '/srv/leap/webapp/config/couchdb.yml.webapp':
 content => template('site_webapp/couchdb.yml.erb'),
 owner => leap-webapp,
 group => leap-webapp,
- mode => '0600';
+ mode => '0600',
+ require => Vcsrepo['/srv/leap/webapp'];
 '/srv/leap/webapp/logs/production.log':
 owner => leap-webapp,
 group => leap-webapp,
- mode => '0666';
+ mode => '0666',
+ require => Vcsrepo['/srv/leap/webapp'];
 '/usr/local/sbin/migrate_design_documents':
 source => 'puppet:///modules/site_webapp/migrate_design_documents',
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index b01141ae..1dfe6936 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -11,13 +11,7 @@ class site_webapp {
 $api_version = $webapp['api_version']
 $secret_token = $webapp['secret_token']
- Class[Ruby] -> Class[rubygems] -> Class[bundler::install]
-
- class { 'ruby': ruby_version => '1.9.3' }
-
- class { 'bundler::install': install_method => 'package' }
-
- include rubygems
+ include site_config::ruby
 include site_webapp::apache
 include site_webapp::couchdb
 include site_webapp::client_ca
@@ -77,30 +71,37 @@ class site_webapp {
 file {
 '/srv/leap/webapp/public/provider.json':
 content => $provider,
+ require => Vcsrepo['/srv/leap/webapp'],
 owner => leap-webapp, group => leap-webapp, mode => '0644';
 '/srv/leap/webapp/public/ca.crt':
 ensure => link,
+ require => Vcsrepo['/srv/leap/webapp'],
 target => '/usr/local/share/ca-certificates/leap_api.crt';
 "/srv/leap/webapp/public/${api_version}":
 ensure => directory,
+ require => Vcsrepo['/srv/leap/webapp'],
 owner => leap-webapp, group => leap-webapp, mode => '0755';
 "/srv/leap/webapp/public/${api_version}/config/":
 ensure => directory,
+ require => Vcsrepo['/srv/leap/webapp'],
 owner => leap-webapp, group => leap-webapp, mode => '0755';
 "/srv/leap/webapp/public/${api_version}/config/eip-service.json":
 content => $eip_service,
+ require => Vcsrepo['/srv/leap/webapp'],
 owner => leap-webapp, group => leap-webapp, mode => '0644';
 "/srv/leap/webapp/public/${api_version}/config/soledad-service.json":
 content => $soledad_service,
+ require => Vcsrepo['/srv/leap/webapp'],
 owner => leap-webapp, group => leap-webapp, mode => '0644';
 "/srv/leap/webapp/public/${api_version}/config/smtp-service.json":
 content => $smtp_service,
+ require => Vcsrepo['/srv/leap/webapp'],
 owner => leap-webapp, group => leap-webapp, mode => '0644';
 }
@@ -111,19 +112,19 @@ class site_webapp {
 target => $webapp['favicon'];
 '/srv/leap/webapp/app/assets/stylesheets/tail.scss':
- ensure => 'link',
+ ensure => 'link',
 require => Vcsrepo['/srv/leap/webapp'],
- target => $webapp['tail_scss'];
+ target => $webapp['tail_scss'];
 '/srv/leap/webapp/app/assets/stylesheets/head.scss':
- ensure => 'link',
+ ensure => 'link',
 require => Vcsrepo['/srv/leap/webapp'],
- target => $webapp['head_scss'];
+ target => $webapp['head_scss'];
 '/srv/leap/webapp/public/img':
- ensure => 'link',
+ ensure => 'link',
 require => Vcsrepo['/srv/leap/webapp'],
- target => $webapp['img_dir'];
+ target => $webapp['img_dir'];
 }
 file {
@@ -132,6 +133,7 @@ class site_webapp {
 owner => leap-webapp,
 group => leap-webapp,
 mode => '0600',
+ require => Vcsrepo['/srv/leap/webapp'],
 notify => Service['apache'];
 }
|