-rw-r--r--provider_base/services/webapp.json7
-rw-r--r--puppet/manifests/site.pp1
-rw-r--r--puppet/modules/site_config/manifests/ruby.pp14
-rw-r--r--puppet/modules/site_nickserver/manifests/init.pp120
-rw-r--r--puppet/modules/site_nickserver/templates/nickserver.yml.erb7
-rw-r--r--puppet/modules/site_webapp/manifests/init.pp8
6 files changed, 149 insertions, 8 deletions
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index 5f0bdc9e..3dd9bebe 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -31,8 +31,13 @@
"domain": "= 'api.' + domain.full_suffix",
"port": 4430
},
+ "nickserver": {
+ "domain": "= 'nicknym.' + domain.full_suffix",
+ "port": 6425,
+ "couchdb_user": "= global.services[:couchdb].couch.users[:admin]"
+ },
"dns": {
- "aliases": "= [domain.full, api.domain]"
+ "aliases": "= [domain.full, api.domain, nickserver.domain]"
},
"x509": {
"use": true,
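Review bot: The new `nickserver.couchdb_user` entry on line 24 gives the nickserver the CouchDB admin account (`couch.users[:admin]`), although the service's own config template only names one database (`couch_database: 'users'`) and nothing in this change suggests it needs write or admin rights. Combined with the `dns.aliases` entry added on line 28, which exposes this host name publicly, a compromised nickserver would hold full CouchDB admin credentials. A dedicated CouchDB user scoped to the `users` database, e.g. `"couchdb_user": "= global.services[:couchdb].couch.users[:nickserver]"`, would bound that impact; if such a user does not exist yet, note in the site_nickserver manifest that reuse of the admin account is a stop-gap, since JSON cannot carry the comment.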
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index 2d41d45f..22172584 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -29,6 +29,7 @@ if 'couchdb' in $services {
if 'webapp' in $services {
include site_webapp
+ include site_nickserver
}
if 'monitor' in $services {
diff --git a/puppet/modules/site_config/manifests/ruby.pp b/puppet/modules/site_config/manifests/ruby.pp
new file mode 100644
index 00000000..2a720114
--- /dev/null
+++ b/puppet/modules/site_config/manifests/ruby.pp
@@ -0,0 +1,14 @@
+class site_config::ruby {
+ Class[Ruby] -> Class[rubygems] -> Class[bundler::install]
+ class { '::ruby': ruby_version => '1.9.3' }
+ class { 'bundler::install': install_method => 'package' }
+ include rubygems
+}
+
+
+#
+# Ruby settings common to all servers
+#
+# Why this way? So that other classes can do 'include site_ruby' without creating redeclaration errors.
+# See https://puppetlabs.com/blog/modeling-class-composition-with-parameterized-classes/
+#
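Review bot: The explanatory header on lines 56–61 is placed after the class rather than above it, and its example `include site_ruby` names a class that does not exist in this file; the class declared on line 48 is `site_config::ruby`. Move the comment above `class site_config::ruby {` and change the example to `include site_config::ruby`, so the stated reason for the wrapper (avoiding redeclaration errors when several classes include it) is attached to the thing it explains. The chain on line 49 refers to `Class[Ruby]` while line 50 declares `'::ruby'`; Puppet should resolve both to the same class, but spelling it the same way in both places removes the doubt.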
diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp
new file mode 100644
index 00000000..4a80d8fd
--- /dev/null
+++ b/puppet/modules/site_nickserver/manifests/init.pp
@@ -0,0 +1,120 @@
+#
+# TODO: currently, this is dependent on the HAProxy stuff that is in site_webapp.
+# it would be good to factor that out into a site_haproxy, so that nickserver could be applied independently.
+#
+
+class site_nickserver {
+ tag 'leap_service'
+ include site_config::ruby
+
+ #
+ # VARIABLES
+ #
+
+ $nickserver = hiera('nickserver')
+ $nickserver_port = $nickserver['port']
+ $couchdb_user = $nickserver['couchdb_user']['username']
+ $couchdb_password = $nickserver['couchdb_user']['password']
+ $couchdb_host = 'localhost' # couchdb is available on localhost via haproxy, which is bound to 4096.
+ $couchdb_port = '4096' # See site_webapp/templates/haproxy_couchdb.cfg.erg
+
+ #
+ # USER AND GROUP
+ #
+
+ group { 'nickserver':
+ ensure => present,
+ allowdupe => false;
+ }
+ user { 'nickserver':
+ ensure => present,
+ allowdupe => false,
+ gid => 'nickserver',
+ groups => 'ssl-cert',
+ home => '/srv/leap/nickserver',
+ require => Group['nickserver'];
+ }
+
+ #
+ # NICKSERVER CODE
+ #
+
+ #file { '/srv/leap/nickserver':
+ # ensure => directory,
+ # owner => 'nickserver',
+ # group => 'nickserver',
+ # require => User['nickserver'];
+ #}
+ vcsrepo { '/srv/leap/nickserver':
+ ensure => present,
+ revision => 'origin/master',
+ provider => git,
+ source => 'git://code.leap.se/nickserver',
+ owner => 'nickserver',
+ group => 'nickserver',
+ require => [ User['nickserver'], Group['nickserver'] ],
+ notify => Exec['nickserver_bundler_update'];
+ }
+ exec { 'nickserver_bundler_update':
+ cwd => '/srv/leap/nickserver',
+ command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle"',
+ unless => '/usr/bin/bundle check',
+ user => 'nickserver',
+ timeout => 600,
+ require => [ Class['bundler::install'], Vcsrepo['/srv/leap/nickserver'] ],
+ notify => Service['nickserver'];
+ }
+
+ #
+ # NICKSERVER CONFIG
+ #
+
+ file { '/etc/leap/nickserver.yml':
+ content => template('site_nickserver/nickserver.yml.erb'),
+ owner => nickserver,
+ group => nickserver,
+ mode => '0600',
+ notify => Service['nickserver'];
+ }
+
+ #
+ # NICKSERVER DAEMON
+ #
+
+ file {
+ '/usr/bin/nickserver':
+ ensure => link,
+ target => '/srv/leap/nickserver/bin/nickserver',
+ require => Vcsrepo['/srv/leap/nickserver'];
+ '/etc/init.d/nickserver':
+ owner => root, group => 0, mode => '0755',
+ source => '/srv/leap/nickserver/dist/debian-init-script',
+ require => Vcsrepo['/srv/leap/nickserver'];
+ }
+
+ service { 'nickserver':
+ ensure => running,
+ enable => true,
+ hasrestart => true,
+ hasstatus => true,
+ require => File['/etc/init.d/nickserver'];
+ }
+
+ #
+ # FIREWALL
+ #
+
+ file { '/etc/shorewall/macro.nickserver':
+ content => "PARAM - - tcp $nickserver_port",
+ notify => Service['shorewall'],
+ require => Package['shorewall'];
+ }
+
+ shorewall::rule { 'net2fw-nickserver':
+ source => 'net',
+ destination => '$FW',
+ action => 'nickserver(ACCEPT)',
+ order => 200;
+ }
+
+} \ No newline at end of file
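Review bot: The checkout on lines 115–124 pulls `git://code.leap.se/nickserver` at the moving ref `origin/master`, and lines 156–159 then install `dist/debian-init-script` from that checkout as the root-owned `/etc/init.d/nickserver`; the `git://` transport is unauthenticated and carries no integrity guarantee, so code that runs as root at boot and as the `nickserver` user is fetched without verification and changes whenever master moves. Use an authenticated transport (https or ssh) for the same repository and pin the checkout, e.g. `revision => '<pinned tag or commit>'`, so each deploy is reproducible and an init-script change is a deliberate bump. Because the working copy is owned by `nickserver` (lines 120–121), the init script should come from a root-controlled source (the module's own `files/` directory) rather than from a directory the service user can write to, otherwise a compromised service can rewrite what root executes on the next Puppet run. Minor: the comment on line 86 refers to `haproxy_couchdb.cfg.erg`, presumably `.erb`.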
diff --git a/puppet/modules/site_nickserver/templates/nickserver.yml.erb b/puppet/modules/site_nickserver/templates/nickserver.yml.erb
new file mode 100644
index 00000000..ec1c22ed
--- /dev/null
+++ b/puppet/modules/site_nickserver/templates/nickserver.yml.erb
@@ -0,0 +1,7 @@
+couch_host: <%= @couchdb_host %>
+couch_port: <%= @couchdb_port %>
+couch_database: 'users'
+couch_user: <%= @couchdb_user %>
+couch_password: <%= @couchdb_password %>
+hkp_url: 'https://hkps.pool.sks-keyservers.net:/pks/lookup'
+port: <%= @nickserver_port %>
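Review bot: The values on lines 194–200 are written into YAML unquoted, so a `couch_password` or `couch_user` containing a character YAML treats specially (`#`, `: `, a leading `*`, `&`, `{` or `[`) will break the file or silently change what the service reads, and generated credentials are exactly the values likely to contain such characters. Emit the string values as quoted, escaped scalars rather than raw text, e.g. `couch_user: <%= @couchdb_user.inspect %>` and `couch_password: <%= @couchdb_password.inspect %>`; Ruby's `String#inspect` produces a double-quoted form whose common escapes YAML's double-quoted scalar also accepts, though a serializer such as `to_yaml` is the fully general option. The `hkp_url` on line 199 has a colon with no port after the host (`net:/pks`); if no port is intended the colon should be dropped.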
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index 5c084a0c..80b7c271 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -11,13 +11,7 @@ class site_webapp {
$api_version = $webapp['api_version']
$secret_token = $webapp['secret_token']
- Class[Ruby] -> Class[rubygems] -> Class[bundler::install]
-
- class { 'ruby': ruby_version => '1.9.3' }
-
- class { 'bundler::install': install_method => 'package' }
-
- include rubygems
+ include site_config::ruby
include site_webapp::apache
include site_webapp::couchdb
include site_webapp::client_ca