-rw-r--r--.gitmodules3
-rw-r--r--provider_base/services/mx.json21
-rw-r--r--provider_base/services/soledad.json2
-rw-r--r--puppet/manifests/site.pp10
-rw-r--r--puppet/modules/leap_mx/manifests/init.pp56
-rw-r--r--puppet/modules/leap_mx/templates/mx.conf.erb15
m---------puppet/modules/postfix0
-rw-r--r--puppet/modules/site_mx/manifests/couchdb.pp35
-rw-r--r--puppet/modules/site_mx/manifests/haproxy.pp14
-rw-r--r--puppet/modules/site_mx/manifests/init.pp10
-rw-r--r--puppet/modules/site_postfix/manifests/mx.pp41
-rw-r--r--puppet/modules/site_postfix/manifests/mx/smtp_auth.pp10
-rw-r--r--puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp9
-rw-r--r--puppet/modules/site_postfix/manifests/mx/tls.pp31
-rw-r--r--puppet/modules/site_shorewall/manifests/mx.pp24
-rw-r--r--puppet/modules/site_shorewall/manifests/service/smtp.pp13
-rw-r--r--puppet/modules/site_shorewall/manifests/soledad.pp20
-rw-r--r--puppet/modules/soledad/manifests/init.pp34
-rw-r--r--puppet/modules/soledad/manifests/server.pp62
-rw-r--r--puppet/modules/soledad/templates/soledad-server.conf.erb3
m---------puppet/modules/stunnel0
21 files changed, 411 insertions, 2 deletions
diff --git a/.gitmodules b/.gitmodules
index 717ae5ed..b84dfef2 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -73,3 +73,6 @@
[submodule "puppet/modules/haproxy"]
path = puppet/modules/haproxy
url = git://code.leap.se/puppet_haproxy
+[submodule "puppet/modules/postfix"]
+ path = puppet/modules/postfix
+ url = git://labs.riseup.net/shared-postfix
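Review bot: The new submodule is fetched over `git://` on the `url =` line, a transport with no server authentication or integrity protection. Because the submodule is pinned to a commit hash, a routine `git submodule update` can only be denied service, not fed different content, but whoever next bumps the pin with `--remote` records whatever an on-path attacker serves. The entries above use the same transport, so this is a pre-existing pattern rather than a regression, but `url = https://labs.riseup.net/shared-postfix` (if the host offers it) would close the gap for the new module.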
diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json
new file mode 100644
index 00000000..91ad3277
--- /dev/null
+++ b/provider_base/services/mx.json
@@ -0,0 +1,21 @@
+{
+ "mx": {
+ "contact": "= global.provider.contacts.default"
+ },
+ "stunnel": {
+ "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)"
+ },
+ "haproxy": {
+ "local_ports": "= stunnel.couch_client.field(:accept_port)"
+ },
+ "x509": {
+ "use": true,
+ "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
+ "client_ca_cert": "= file_path :client_ca_cert",
+ "client_ca_key": "= file_path :client_ca_key",
+ "commercial_cert": "= file [:commercial_cert, domain.full_suffix]",
+ "commercial_key": "= file [:commercial_key, domain.full_suffix]",
+ "commercial_ca_cert": "= try_file :commercial_ca_cert"
+ },
+ "service_type": "user_service"
+}
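Review bot: The `client_ca_key` entry hands the client CA's private key to every mx node, although nothing in this change needs it there: `site_postfix::mx::tls` only verifies client certificates against `client_ca_cert`. A signing key on an internet-facing SMTP host is a larger exposure than necessary; if `file_path` copies the file to the node (as its use for `client_ca_cert` suggests), dropping `"client_ca_key": "= file_path :client_ca_key",` keeps the CA key off the MX. If a later component really does need to sign on the MX, that should be stated in a comment next to the entry so the exposure is deliberate.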
diff --git a/provider_base/services/soledad.json b/provider_base/services/soledad.json
index 10657563..de24d8ef 100644
--- a/provider_base/services/soledad.json
+++ b/provider_base/services/soledad.json
@@ -3,4 +3,4 @@
"soledad": {
"port": 1111
}
-} \ No newline at end of file
+}
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index 08cbbb9e..c7d00c61 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -11,7 +11,6 @@ Package { require => Exec['apt_updated'] }
include stdlib
-import 'common'
include site_config::default
include site_config::slow
@@ -30,6 +29,10 @@ if $services =~ /\bwebapp\b/ {
include site_nickserver
}
+if $services =~ /\bsoledad\b/ {
+ include soledad::server
+}
+
if $services =~ /\bmonitor\b/ {
include site_nagios
}
@@ -37,3 +40,8 @@ if $services =~ /\bmonitor\b/ {
if $services =~ /\btor\b/ {
include site_tor
}
+
+if $services =~ /\bmx\b/ {
+ include site_mx
+}
+
diff --git a/puppet/modules/leap_mx/manifests/init.pp b/puppet/modules/leap_mx/manifests/init.pp
new file mode 100644
index 00000000..652eb85b
--- /dev/null
+++ b/puppet/modules/leap_mx/manifests/init.pp
@@ -0,0 +1,56 @@
+class leap_mx {
+
+ $couchdb_host = 'localhost'
+ $couchdb_port = '4096'
+ $couchdb_user = $soledad::couchdb::user
+ $couchdb_password = $soledad::couchdb::password
+
+ #
+ # USER AND GROUP
+ #
+
+ group { 'leap-mx':
+ ensure => present,
+ allowdupe => false;
+ }
+
+ user { 'leap-mx':
+ ensure => present,
+ allowdupe => false,
+ gid => 'leap-mx',
+ home => '/etc/leap',
+ require => Group['leap-mx'];
+ }
+
+ #
+ # LEAP-MX CONFIG
+ #
+
+ file { '/etc/leap/mx.conf':
+ content => template('leap_mx/mx.conf.erb'),
+ owner => 'leap-mx',
+ group => 'leap-mx',
+ mode => '0600',
+ notify => Service['leap-mx'];
+ }
+
+ #
+ # LEAP-MX CODE
+ #
+
+ package { 'leap-mx':
+ ensure => installed;
+ }
+
+ #
+ # LEAP-MX DAEMON
+ #
+
+ service { 'leap_mx':
+ ensure => running,
+ enable => true,
+ hasstatus => true,
+ hasrestart => true,
+ require => [ Package['leap-mx'] ];
+ }
+}
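Review bot: The `file { '/etc/leap/mx.conf'` resource notifies `Service['leap-mx']`, but the service is declared as `service { 'leap_mx':`, so the catalog fails to compile on an unresolved reference; use one spelling, e.g. `service { 'leap-mx':` to match the package. Separately, `$couchdb_user`/`$couchdb_password` are read from `$soledad::couchdb::user` and `::password`, a class that does not exist in this change (the soledad module only defines `soledad` and `soledad::server`, and the latter takes its credentials from `hiera('couch')['users']['soledad']`); an undefined class variable yields undef rather than an error, so mx.conf is written with an empty username and password. If leap-mx is meant to use the same CouchDB user, reading `$couchdb = hiera('couch')` and `$couchdb_user = $couchdb['users']['soledad']['username']` / `$couchdb_password = $couchdb['users']['soledad']['password']` here keeps the two consumers consistent, assuming the `couch` hiera key is present on mx nodes.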
diff --git a/puppet/modules/leap_mx/templates/mx.conf.erb b/puppet/modules/leap_mx/templates/mx.conf.erb
new file mode 100644
index 00000000..bf1e6421
--- /dev/null
+++ b/puppet/modules/leap_mx/templates/mx.conf.erb
@@ -0,0 +1,15 @@
+[mail1]
+path=/var/mail/vmail
+recursive=True
+
+[couchdb]
+user=<%= @couchdb_user %>
+password=<%= @couchdb_password %>
+server=<%= @couchdb_host %>
+port=<%= @couchdb_port %>
+
+[alias map]
+port=4242
+
+[check recipient]
+port=2244 \ No newline at end of file
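Review bot: The `[couchdb]` stanza interpolates `@couchdb_user` and `@couchdb_password` verbatim, so when either is unset (the class currently reads them from a `soledad::couchdb` class that this change does not define) the template silently renders `user=` and `password=` and the daemon starts with empty credentials. A fail-closed guard at the top of the template, `<% raise 'leap_mx: couchdb credentials are unset' if @couchdb_password.to_s.empty? %>`, turns that into a catalog failure instead. The file also lacks a trailing newline; worth fixing while here.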
diff --git a/puppet/modules/postfix b/puppet/modules/postfix
new file mode 160000
+Subproject 8e43dc85da5a5e45e88aef5f7c32c9cc1c35201
diff --git a/puppet/modules/site_mx/manifests/couchdb.pp b/puppet/modules/site_mx/manifests/couchdb.pp
new file mode 100644
index 00000000..f842ceab
--- /dev/null
+++ b/puppet/modules/site_mx/manifests/couchdb.pp
@@ -0,0 +1,35 @@
+class site_mx::couchdb {
+
+ $stunnel = hiera('stunnel')
+ $couch_client = $stunnel['couch_client']
+ $couch_client_connect = $couch_client['connect']
+
+ include x509::variables
+ $x509 = hiera('x509')
+ $key = $x509['key']
+ $cert = $x509['cert']
+ $ca = $x509['ca_cert']
+ $cert_name = 'leap_couchdb'
+ $ca_name = 'leap_ca'
+ $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt"
+ $cert_path = "${x509::variables::certs}/${cert_name}.crt"
+ $key_path = "${x509::variables::keys}/${cert_name}.key"
+
+ class { 'site_stunnel::setup':
+ cert_name => $cert_name,
+ key => $key,
+ cert => $cert,
+ ca_name => $ca_name,
+ ca => $ca
+ }
+
+ $couchdb_stunnel_client_defaults = {
+ 'connect_port' => $couch_client_connect,
+ 'client' => true,
+ 'cafile' => $ca_path,
+ 'key' => $key_path,
+ 'cert' => $cert_path,
+ }
+
+ create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults)
+}
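Review bot: `$couchdb_stunnel_client_defaults` supplies `cafile`, `key` and `cert` but no `verify` option, and stunnel does not check the peer certificate unless `verify` is set, so unless `site_stunnel::clients` (not in this change) adds it the CA file is loaded but the CouchDB endpoint is never authenticated. Adding `'verify' => '2',` to the defaults hash (or the equivalent `verifyChain` option on newer stunnel, if the define exposes it) makes the client require a server certificate chaining to `leap_ca`. If the define already forces this, a one-line comment saying so would save the next reader the lookup.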
diff --git a/puppet/modules/site_mx/manifests/haproxy.pp b/puppet/modules/site_mx/manifests/haproxy.pp
new file mode 100644
index 00000000..988eeaf3
--- /dev/null
+++ b/puppet/modules/site_mx/manifests/haproxy.pp
@@ -0,0 +1,14 @@
+class site_mx::haproxy {
+
+ include site_haproxy
+
+ $haproxy = hiera('haproxy')
+ $local_ports = $haproxy['local_ports']
+
+ # Template uses $global_options, $defaults_options
+ concat::fragment { 'leap_haproxy_webapp_couchdb':
+ target => '/etc/haproxy/haproxy.cfg',
+ order => '20',
+ content => template('site_webapp/haproxy_couchdb.cfg.erb'),
+ }
+}
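Review bot: The fragment is declared as `concat::fragment { 'leap_haproxy_webapp_couchdb':` and renders `site_webapp/haproxy_couchdb.cfg.erb`, presumably the same title and template the webapp class uses; on a node that runs both the webapp and mx services Puppet raises a duplicate-declaration error, and the cross-module template path hides the coupling. Retitling it `'leap_haproxy_mx_couchdb'` and moving the template to a shared module (`site_haproxy` is already included here) avoids both. The comment mentions `$global_options`/`$defaults_options`, which are not set in this class; state where the template is expected to get them.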
diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp
new file mode 100644
index 00000000..4cf3f41a
--- /dev/null
+++ b/puppet/modules/site_mx/manifests/init.pp
@@ -0,0 +1,10 @@
+class site_mx {
+ tag 'leap_service'
+
+ include site_postfix::mx
+ include site_mx::haproxy
+ include site_shorewall::mx
+ include site_shorewall::service::smtp
+ include site_mx::couchdb
+ include leap_mx
+}
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
new file mode 100644
index 00000000..0581f147
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -0,0 +1,41 @@
+class site_postfix::mx {
+
+ $domain_hash = hiera ('domain')
+ $domain = $domain_hash['full_suffix']
+ $mx_hash = hiera('mx')
+ $cert_name = hiera('name')
+
+ $root_mail_recipient = $mx_hash['contact']
+ $postfix_smtp_listen = 'all'
+
+ postfix::config {
+ 'mydestination':
+ value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}";
+ 'smtpd_recipient_restrictions':
+ value => 'check_recipient_access tcp:localhost:2244,permit_tls_all_clientcerts,reject_unauth_destination';
+ 'mailbox_size_limit': value => '0';
+ 'home_mailbox': value => 'Maildir/';
+ 'virtual_alias_maps': value => 'tcp:localhost:4242';
+ 'luser_relay': value => 'vmail';
+ 'local_recipient_maps': value => '';
+ 'debug_peer_list': value => '127.0.0.1';
+ }
+
+ include site_postfix::mx::smtpd_checks
+ include site_postfix::mx::tls
+
+ user { 'vmail':
+ ensure => present,
+ comment => 'Leap Mailspool',
+ home => '/var/mail/vmail',
+ shell => '/bin/false',
+ managehome => true,
+ }
+
+ class { 'postfix':
+ root_mail_recipient => $root_mail_recipient,
+ smtp_listen => 'all',
+ require => [ X509::Key[$cert_name], X509::Cert[$cert_name],
+ User['vmail'] ]
+ }
+}
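Review bot: In the `'smtpd_recipient_restrictions'` value, `check_recipient_access tcp:localhost:2244` runs before `reject_unauth_destination`, so any `OK` the leap-mx recipient service returns ends evaluation and permits the message regardless of destination; whether that can be provoked for a non-local recipient depends on the daemon's reply behaviour, which is not visible here, but relay safety should not hinge on it. Reordering to `permit_tls_all_clientcerts, reject_unauth_destination, check_recipient_access tcp:localhost:2244` keeps client-certificate relaying, rejects unauthorised relaying first, and only then consults the TCP map. `'debug_peer_list': value => '127.0.0.1'` turns on verbose SMTP session logging for every local connection (including the haproxy/stunnel paths) and can put message headers in the log, so it should not ship enabled. `$postfix_smtp_listen` is assigned but unused; the `class { 'postfix':` call passes the literal `'all'`.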
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp
new file mode 100644
index 00000000..ab75130e
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp
@@ -0,0 +1,10 @@
+class site_postfix::mx::smtp_auth {
+ $x509 = hiera('x509')
+
+ postfix::config {
+ 'smtpd_tls_cert_file': value => $x509['client_ca_cert'];
+ 'smtpd_tls_key_file': value => $x509['client_ca_key'];
+ 'smtpd_tls_ask_ccert': value => 'yes';
+ #'smtpd_tls_CAfile': value =>
+ }
+}
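Review bot: `'smtpd_tls_key_file': value => $x509['client_ca_key']` configures the client CA's private key as the SMTP server's TLS key, with the CA certificate as the server certificate on the line above; that would present the CA cert to every connecting client and load the signing key into the postfix process, and it is not what the commented-out `smtpd_tls_CAfile` line should point at either. The class is not included anywhere in this change, but `site_postfix::mx::tls` already declares `postfix::config['smtpd_tls_cert_file']` and `['smtpd_tls_key_file']`, so including both would also fail with duplicate declarations. Either delete this class or reduce it to what `tls.pp` does not set; note `smtpd_tls_ask_ccert` is already implied by `smtpd_tls_req_ccert = yes` there.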
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
new file mode 100644
index 00000000..b2f2d7c2
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -0,0 +1,9 @@
+class site_postfix::mx::smtpd_checks {
+
+ postfix::config {
+ 'smtpd_delay_reject': value => 'yes';
+ 'smtpd_data_restrictions':
+ value => 'permit_mynetworks, reject_unauth_pipelining, permit';
+ }
+
+}
diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp
new file mode 100644
index 00000000..7da38100
--- /dev/null
+++ b/puppet/modules/site_postfix/manifests/mx/tls.pp
@@ -0,0 +1,31 @@
+class site_postfix::mx::tls {
+
+ $x509 = hiera('x509')
+ $key = $x509['key']
+ $cert = $x509['cert']
+ $client_ca = $x509['client_ca_cert']
+
+ include x509::variables
+ $cert_name = hiera('name')
+ $cert_path = "${x509::variables::certs}/${cert_name}.crt"
+ $key_path = "${x509::variables::keys}/${cert_name}.key"
+
+ x509::key { $cert_name:
+ content => $key,
+ }
+
+ x509::cert { $cert_name:
+ content => $cert,
+ }
+
+ postfix::config {
+ 'smtpd_use_tls': value => 'yes';
+ 'smtpd_tls_CAfile': value => $client_ca;
+ 'smtpd_tls_cert_file': value => $cert_path;
+ 'smtpd_tls_key_file': value => $key_path;
+ 'smtpd_tls_req_ccert': value => 'yes';
+ 'smtpd_tls_security_level':
+ value => 'encrypt';
+ }
+
+}
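Review bot: `smtpd_tls_security_level = encrypt` combined with `smtpd_tls_req_ccert = yes` applies to the smtpd that `site_postfix::mx` exposes on port 25 to `net`, so every peer must STARTTLS and present a certificate issued by the provider's client CA; other sites' MTAs have no such certificate, so inbound internet mail is rejected, and RFC 3207 forbids a publicly referenced MX from requiring STARTTLS for local delivery. If the intent is client submission only, put those two settings on a dedicated `submission` smtpd in master.cf (`-o smtpd_tls_security_level=encrypt -o smtpd_tls_req_ccert=yes`) and leave port 25 at `may` without `req_ccert`; if a closed MX really is intended, a comment here saying so stops the next reader from "fixing" it. Also `$client_ca` is a path (mx.json builds it with `file_path`) while `$key`/`$cert` beside it are contents; a short comment on that difference would help, since both are read from the same `x509` hash.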
diff --git a/puppet/modules/site_shorewall/manifests/mx.pp b/puppet/modules/site_shorewall/manifests/mx.pp
new file mode 100644
index 00000000..5ec95fdd
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/mx.pp
@@ -0,0 +1,24 @@
+class site_shorewall::mx {
+
+ include site_shorewall::defaults
+
+ $smtpd_ports = '25'
+
+ # define macro for incoming services
+ file { '/etc/shorewall/macro.leap_mx':
+ content => "PARAM - - tcp ${smtpd_ports} ",
+ notify => Service['shorewall'],
+ require => Package['shorewall']
+ }
+
+
+ shorewall::rule {
+ 'net2fw-mx':
+ source => 'net',
+ destination => '$FW',
+ action => 'leap_mx(ACCEPT)',
+ order => 200;
+ }
+
+ include site_shorewall::service::smtp
+}
diff --git a/puppet/modules/site_shorewall/manifests/service/smtp.pp b/puppet/modules/site_shorewall/manifests/service/smtp.pp
new file mode 100644
index 00000000..7fbdf14e
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/service/smtp.pp
@@ -0,0 +1,13 @@
+class site_shorewall::service::smtp {
+
+ include site_shorewall::defaults
+
+ shorewall::rule {
+ 'fw2net-http':
+ source => '$FW',
+ destination => 'net',
+ action => 'SMTP(ACCEPT)',
+ order => 200;
+ }
+
+}
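Review bot: The outbound rule is titled `'fw2net-http':` although it grants `SMTP(ACCEPT)`; if `site_shorewall` already declares an `fw2net-http` rule for HTTP elsewhere (plausible given the name), including this class fails with a duplicate resource, and in any case the title misleads anyone auditing the firewall. Rename it `'fw2net-smtp':`.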
diff --git a/puppet/modules/site_shorewall/manifests/soledad.pp b/puppet/modules/site_shorewall/manifests/soledad.pp
new file mode 100644
index 00000000..f3272c04
--- /dev/null
+++ b/puppet/modules/site_shorewall/manifests/soledad.pp
@@ -0,0 +1,20 @@
+class site_shorewall::soledad {
+
+ include site_shorewall::defaults
+
+ # define macro for incoming services
+ file { '/etc/shorewall/macro.leap_soledad':
+ content => 'PARAM - - tcp 2424',
+ notify => Service['shorewall'],
+ require => Package['shorewall']
+ }
+
+ shorewall::rule {
+ 'net2fw-soledad':
+ source => 'net',
+ destination => '$FW',
+ action => 'leap_soledad(ACCEPT)',
+ order => 200;
+ }
+}
+
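Review bot: The macro hard-codes `tcp 2424` on the `content =>` line while `provider_base/services/soledad.json` declares `"port": 1111`, and `soledad-server.conf.erb` never passes a port to the daemon, so the firewall rule, the provider config and the actual listening port can disagree silently. Read it from hiera — `$soledad = hiera('soledad')` and `content => "PARAM - - tcp ${soledad['port']}"` — and make sure the same value reaches the daemon's configuration; otherwise the rule either opens an unused port or leaves the real one blocked.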
diff --git a/puppet/modules/soledad/manifests/init.pp b/puppet/modules/soledad/manifests/init.pp
new file mode 100644
index 00000000..08ba88a7
--- /dev/null
+++ b/puppet/modules/soledad/manifests/init.pp
@@ -0,0 +1,34 @@
+class soledad {
+
+ group { 'soledad':
+ ensure => present,
+ allowdupe => false;
+ }
+
+ user { 'soledad':
+ ensure => present,
+ allowdupe => false,
+ gid => 'soledad',
+ home => '/srv/leap/soledad',
+ require => Group['soledad'];
+ }
+
+ file {
+ '/srv/leap/soledad':
+ ensure => directory,
+ owner => 'soledad',
+ group => 'soledad',
+ require => User['soledad'];
+
+ '/var/lib/soledad':
+ ensure => directory,
+ owner => 'soledad',
+ group => 'soledad',
+ require => User['soledad'];
+ }
+
+ package { 'soledad-common':
+ ensure => installed,
+ require => User['soledad'];
+ }
+}
diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp
new file mode 100644
index 00000000..06de8642
--- /dev/null
+++ b/puppet/modules/soledad/manifests/server.pp
@@ -0,0 +1,62 @@
+class soledad::server {
+ tag 'leap_service'
+ include soledad
+
+ $couchdb = hiera('couch')
+ $couchdb_host = 'localhost'
+ $couchdb_port = '4096'
+ $couchdb_user = $couchdb['users']['soledad']['username']
+ $couchdb_password = $couchdb['users']['soledad']['password']
+
+ $x509 = hiera('x509')
+ $x509_key = $x509['key']
+ $x509_cert = $x509['cert']
+ $x509_ca = $x509['ca_cert']
+
+ x509::key { 'soledad':
+ content => $x509_key,
+ notify => Service['soledad-server'];
+ }
+
+ x509::cert { 'soledad':
+ content => $x509_cert,
+ notify => Service['soledad-server'];
+ }
+
+ x509::ca { 'soledad':
+ content => $x509_ca,
+ notify => Service['soledad-server'];
+ }
+
+ #
+ # SOLEDAD CONFIG
+ #
+
+ file { '/etc/leap/soledad-server.conf':
+ content => template('soledad/soledad-server.conf.erb'),
+ owner => 'soledad',
+ group => 'soledad',
+ mode => '0600',
+ notify => Service['soledad-server'],
+ require => Class['soledad'];
+ }
+
+ package { 'soledad-server':
+ ensure => installed
+ }
+
+ file { '/etc/default/soledad':
+ content => "CERT_PATH=/etc/x509/certs/soledad.crt\nPRIVKEY_PATH=/etc/x509/keys/soledad.key\n",
+ require => Package['soledad-server']
+ }
+
+ service { 'soledad-server':
+ ensure => running,
+ enable => true,
+ hasstatus => true,
+ hasrestart => true,
+ require => [ Class['soledad'], Package['soledad-server'] ];
+ }
+
+ include site_shorewall::soledad
+}
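Review bot: `file { '/etc/default/soledad'` sets `CERT_PATH`/`PRIVKEY_PATH` for the daemon but neither notifies `Service['soledad-server']` nor is required by it, so on a first run the service can start from the package's defaults before the file exists, and a later change to the paths never restarts it; add `notify => Service['soledad-server'],` to that file resource. `x509::key { 'soledad'` is written without stating ownership; if the daemon runs as the `soledad` user created in class `soledad` it must be able to read `/etc/x509/keys/soledad.key`, which deserves a comment or an explicit owner/group if the define supports one. `$couchdb_host`/`$couchdb_port` also duplicate the values hard-coded in `leap_mx`; one hiera key would keep the stunnel/haproxy port and both consumers in step.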
diff --git a/puppet/modules/soledad/templates/soledad-server.conf.erb b/puppet/modules/soledad/templates/soledad-server.conf.erb
new file mode 100644
index 00000000..47d1f6e4
--- /dev/null
+++ b/puppet/modules/soledad/templates/soledad-server.conf.erb
@@ -0,0 +1,3 @@
+[soledad-server]
+couch_url = http://<%= @couchdb_user %>:<%= @couchdb_password %>@<%= @couchdb_host %>:<%= @couchdb_port %>
+
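Review bot: `couch_url` embeds `@couchdb_user` and `@couchdb_password` raw in the URL's userinfo, so a password containing `@`, `:`, `/` or `#` (plausible for a generated secret) yields a URL that parses to the wrong host or credentials. Percent-encode both: `couch_url = http://<%= ERB::Util.url_encode(@couchdb_user) %>:<%= ERB::Util.url_encode(@couchdb_password) %>@<%= @couchdb_host %>:<%= @couchdb_port %>`. The scheme is plain `http`, acceptable only because the host is `localhost` and the hop is expected to go through stunnel; a comment saying so in the template would stop someone pointing it at a remote CouchDB in the clear.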
diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel
-Subproject fc1589a5f09d80f58d730d4e1f6a8058483f61f
+Subproject 75d387fc8aff12232fdeae2efbbfccdd91f9465