diff options
39 files changed, 229 insertions, 277 deletions
diff --git a/platform.rb b/platform.rb index 5f442c0c..c68aac86 100644 --- a/platform.rb +++ b/platform.rb @@ -4,7 +4,7 @@ Leap::Platform.define do self.version = "0.2.4" - self.compatible_cli = "1.2.2".."1.99" + self.compatible_cli = "1.2.3".."1.99" # # the facter facts that should be gathered diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json index 25ccf4f0..f999dd23 100644 --- a/provider_base/services/mx.json +++ b/provider_base/services/mx.json @@ -12,8 +12,8 @@ "x509": { "use": true, "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", - "client_ca_cert": "= file_path :client_ca_cert", - "client_ca_key": "= file_path :client_ca_key", + "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'", + "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'", "commercial_cert": "= file [:commercial_cert, domain.full_suffix]", "commercial_key": "= file [:commercial_key, domain.full_suffix]", "commercial_ca_cert": "= try_file :commercial_ca_cert" diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index ee61e5ab..6f2beb8a 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json @@ -20,8 +20,7 @@ "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)" }, "haproxy": { - "local_ports": "= stunnel.couch_client.field(:accept_port)", - "servers": "= haproxy_servers(nodes_like_me[:services => :couchdb], stunnel.couch_client)" + "servers": "= haproxy_servers(nodes_like_me[:services => :couchdb], stunnel.couch_client, global.services[:couchdb].couch.port)" }, "definition_files": { "provider": "= file :provider_json_template", @@ -45,8 +44,8 @@ "x509": { "use": true, "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", - "client_ca_cert": "= file_path :client_ca_cert", - "client_ca_key": "= file_path :client_ca_key", + "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'", + "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'", "commercial_cert": "= file [:commercial_cert, domain.full_suffix]", "commercial_key": "= file [:commercial_key, domain.full_suffix]", "commercial_ca_cert": "= try_file :commercial_ca_cert" diff --git a/puppet/manifests/setup.pp b/puppet/manifests/setup.pp index 84e4c056..ba58e728 100644 --- a/puppet/manifests/setup.pp +++ b/puppet/manifests/setup.pp @@ -22,3 +22,11 @@ if hiera('squid_deb_proxy_client', false) { include site_squid_deb_proxy::client } +# shorewall is installed/half-configured during setup.pp (Bug #3871) +# we need to include shorewall::interface{eth0} in setup.pp so +# packages can be installed during main puppetrun, even before shorewall +# is configured completly +if ( $::virtual == 'virtualbox' ) { + include site_config::vagrant +} + diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp index bce3a08b..9f5d82d8 100644 --- a/puppet/manifests/site.pp +++ b/puppet/manifests/site.pp @@ -5,15 +5,7 @@ Exec { path => '/usr/bin:/usr/sbin/:/bin:/sbin:/usr/local/bin:/usr/local/sbin' } $services=join(hiera_array('services', ['']), ' ') notice("Services for ${fqdn}: ${services}") -# make sure apt is updated before any packages are installed -include apt::update -Package { require => Exec['apt_updated'] } - -include stdlib - include site_config::default -include site_config::slow - # configure eip if $services =~ /\bopenvpn\b/ { diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index 2cac297e..9e2dbcaf 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -16,9 +16,9 @@ Listen 0.0.0.0:<%= api_port %> SSLHonorCipherOrder on SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile /etc/ssl/certs/leap_api.pem - SSLCertificateKeyFile /etc/x509/keys/leap_api.key - SSLCertificateFile /etc/x509/certs/leap_api.crt + SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt + SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key + SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt RequestHeader set X_FORWARDED_PROTO 'https' diff --git a/puppet/modules/site_config/manifests/caching_resolver.pp b/puppet/modules/site_config/manifests/caching_resolver.pp index 922c394f..3d7b9206 100644 --- a/puppet/modules/site_config/manifests/caching_resolver.pp +++ b/puppet/modules/site_config/manifests/caching_resolver.pp @@ -1,4 +1,5 @@ class site_config::caching_resolver { + tag 'leap_base' # Setup a conf.d directory to place additional unbound configuration files. # There must be at least one file in the directory, or unbound will not start, diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 0a4e75b6..16932ab2 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -3,6 +3,15 @@ class site_config::default { $domain_hash = hiera('domain') + # make sure apt is updated before any packages are installed + include apt::update + Package { require => Exec['apt_updated'] } + + include stdlib + + include site_config::slow + + include concat::setup # default class, used by all hosts @@ -15,11 +24,18 @@ class site_config::default { # configure ssh and include ssh-keys include site_config::sshd + # include classes for special environments + # i.e. openstack/aws nodes, vagrant nodes + # fix dhclient from changing resolver information if $::ec2_instance_id { include site_config::dhclient } + if ( $::virtual == 'virtualbox' ) { + include site_config::vagrant + } + # configure /etc/resolv.conf include site_config::resolvconf diff --git a/puppet/modules/site_config/manifests/params.pp b/puppet/modules/site_config/manifests/params.pp index 237ee454..008a4e1f 100644 --- a/puppet/modules/site_config/manifests/params.pp +++ b/puppet/modules/site_config/manifests/params.pp @@ -5,7 +5,7 @@ class site_config::params { $ec2_local_ipv4_interface = getvar("interface_${::ec2_local_ipv4}") if $::virtual == 'virtualbox' { - $interface = [ 'eth0', 'eth1' ] + $interface = 'eth1' } elsif hiera('interface','') != '' { $interface = hiera('interface') @@ -17,9 +17,14 @@ class site_config::params { $interface = $ec2_local_ipv4_interface } elsif $::interfaces =~ /eth0/ { - $interface = eth0 + $interface = 'eth0' } else { fail("unable to determine a valid interface, please set a valid interface for this node in nodes/${::hostname}.json") } + + $ca_name = 'leap_ca' + $client_ca_name = 'leap_client_ca' + $ca_bundle_name = 'leap_ca_bundle' + $cert_name = 'leap' } diff --git a/puppet/modules/site_config/manifests/vagrant.pp b/puppet/modules/site_config/manifests/vagrant.pp new file mode 100644 index 00000000..04266735 --- /dev/null +++ b/puppet/modules/site_config/manifests/vagrant.pp @@ -0,0 +1,10 @@ +class site_config::vagrant { + # class for vagrant nodes + + # eth0 on vagrant nodes is the uplink if + shorewall::interface { 'eth0': + zone => 'net', + options => 'tcpflags,blacklist,nosmurfs'; + } + +} diff --git a/puppet/modules/site_config/manifests/x509/ca.pp b/puppet/modules/site_config/manifests/x509/ca.pp new file mode 100644 index 00000000..b16d0eeb --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/ca.pp @@ -0,0 +1,9 @@ +class site_config::x509::ca { + + $x509 = hiera('x509') + $ca = $x509['ca_cert'] + + x509::ca { $site_config::params::ca_name: + content => $ca + } +} diff --git a/puppet/modules/site_config/manifests/x509/ca_bundle.pp b/puppet/modules/site_config/manifests/x509/ca_bundle.pp new file mode 100644 index 00000000..4cbe574a --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/ca_bundle.pp @@ -0,0 +1,16 @@ +class site_config::x509::ca_bundle { + + # CA bundle -- we want to have the possibility of allowing multiple CAs. + # For now, the reason is to transition to using client CA. In the future, + # we will want to be able to smoothly phase out one CA and phase in another. + # I tried "--capath" for this, but it did not work. + + + $x509 = hiera('x509') + $ca = $x509['ca_cert'] + $client_ca = $x509['client_ca_cert'] + + x509::ca { $site_config::params::ca_bundle_name: + content => "${ca}${client_ca}" + } +} diff --git a/puppet/modules/site_config/manifests/x509/cert_key.pp b/puppet/modules/site_config/manifests/x509/cert_key.pp new file mode 100644 index 00000000..d55c6cf2 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/cert_key.pp @@ -0,0 +1,15 @@ +class site_config::x509::cert_key { + + $x509 = hiera('x509') + $key = $x509['key'] + $cert = $x509['cert'] + + x509::key { $site_config::params::cert_name: + content => $key + } + + x509::cert { $site_config::params::cert_name: + content => $cert + } + +} diff --git a/puppet/modules/site_config/manifests/x509/client_ca.pp b/puppet/modules/site_config/manifests/x509/client_ca.pp new file mode 100644 index 00000000..3e914cf5 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/client_ca.pp @@ -0,0 +1,14 @@ +class site_config::x509::client_ca { + + ## + ## This is for the special CA that is used exclusively for generating + ## client certificates by the webapp. + ## + + $x509 = hiera('x509') + $client_ca = $x509['client_ca_cert'] + + x509::ca { $site_config::params::client_ca_name: + content => $client_ca + } +} diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 43abd616..f4f93828 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -1,11 +1,6 @@ class site_couchdb { tag 'leap_service' - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - $ca = $x509['ca_cert'] - $couchdb_config = hiera('couch') $couchdb_users = $couchdb_config['users'] $couchdb_admin = $couchdb_users['admin'] @@ -36,7 +31,8 @@ class site_couchdb { class { 'couchdb::bigcouch::package::cloudant': } - Class ['couchdb::bigcouch::package::cloudant'] + Class['site_config::default'] + -> Class ['couchdb::bigcouch::package::cloudant'] -> Service ['couchdb'] -> Class ['site_couchdb::bigcouch::add_nodes'] -> Couchdb::Create_db['users'] @@ -44,11 +40,7 @@ class site_couchdb { -> Couchdb::Add_user[$couchdb_webapp_user] -> Couchdb::Add_user[$couchdb_soledad_user] - class { 'site_couchdb::stunnel': - key => $key, - cert => $cert, - ca => $ca - } + class { 'site_couchdb::stunnel': } class { 'site_couchdb::bigcouch::add_nodes': } diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index d982013e..7ba303fe 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -1,4 +1,4 @@ -class site_couchdb::stunnel ($key, $cert, $ca) { +class site_couchdb::stunnel { $stunnel = hiera('stunnel') @@ -18,22 +18,15 @@ class site_couchdb::stunnel ($key, $cert, $ca) { $ednp_server_connect = $ednp_server['connect'] $ednp_clients = $stunnel['ednp_clients'] + + + include site_config::x509::cert_key + include site_config::x509::ca + include x509::variables - $cert_name = 'leap_couchdb' - $ca_name = 'leap_ca' - $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" - $cert_path = "${x509::variables::certs}/${cert_name}.crt" - $key_path = "${x509::variables::keys}/${cert_name}.key" - - # basic setup: ensure cert, key, ca files are in place, and some generic - # stunnel things are done - class { 'site_stunnel::setup': - cert_name => $cert_name, - key => $key, - cert => $cert, - ca_name => $ca_name, - ca => $ca - } + $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt" + $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" + $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" # setup a stunnel server for the webapp to connect to couchdb stunnel::service { 'couch_server': @@ -46,7 +39,10 @@ class site_couchdb::stunnel ($key, $cert, $ca) { verify => '2', pid => '/var/run/stunnel4/couchserver.pid', rndfile => '/var/lib/stunnel4/.rnd', - debuglevel => '4' + debuglevel => '4', + require => [ + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Ca'] ]; } @@ -62,7 +58,10 @@ class site_couchdb::stunnel ($key, $cert, $ca) { verify => '2', pid => '/var/run/stunnel4/epmd_server.pid', rndfile => '/var/lib/stunnel4/.rnd', - debuglevel => '4' + debuglevel => '4', + require => [ + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Ca'] ]; } # setup stunnel clients for Erlang Port Mapper Daemon (epmd) to connect @@ -88,7 +87,10 @@ class site_couchdb::stunnel ($key, $cert, $ca) { verify => '2', pid => '/var/run/stunnel4/ednp_server.pid', rndfile => '/var/lib/stunnel4/.rnd', - debuglevel => '4' + debuglevel => '4', + require => [ + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Ca'] ]; } # setup stunnel clients for Erlang Distributed Node Protocol (ednp) to connect diff --git a/puppet/modules/site_mx/manifests/couchdb.pp b/puppet/modules/site_mx/manifests/couchdb.pp index f842ceab..b1f3bd02 100644 --- a/puppet/modules/site_mx/manifests/couchdb.pp +++ b/puppet/modules/site_mx/manifests/couchdb.pp @@ -5,23 +5,11 @@ class site_mx::couchdb { $couch_client_connect = $couch_client['connect'] include x509::variables - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - $ca = $x509['ca_cert'] - $cert_name = 'leap_couchdb' - $ca_name = 'leap_ca' - $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" - $cert_path = "${x509::variables::certs}/${cert_name}.crt" - $key_path = "${x509::variables::keys}/${cert_name}.key" + $ca_path = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt" + $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" + $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" - class { 'site_stunnel::setup': - cert_name => $cert_name, - key => $key, - cert => $cert, - ca_name => $ca_name, - ca => $ca - } + include site_stunnel $couchdb_stunnel_client_defaults = { 'connect_port' => $couch_client_connect, diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 4cf3f41a..527dc4a5 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -1,5 +1,11 @@ class site_mx { tag 'leap_service' + Class['site_config::default'] -> Class['site_mx'] + + include site_config::x509::cert_key + include site_config::x509::ca + include site_config::x509::client_ca + include site_postfix::mx include site_mx::haproxy diff --git a/puppet/modules/site_nagios/manifests/init.pp b/puppet/modules/site_nagios/manifests/init.pp index cab32905..c3cfa02e 100644 --- a/puppet/modules/site_nagios/manifests/init.pp +++ b/puppet/modules/site_nagios/manifests/init.pp @@ -1,4 +1,6 @@ class site_nagios { tag 'leap_service' + Class['site_config::default'] -> Class['site_nagios'] + include site_nagios::server } diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index 153355f1..a12ed3a2 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp @@ -11,6 +11,8 @@ class site_nickserver { tag 'leap_service' + Class['site_config::default'] -> Class['site_nickserver'] + include site_config::ruby # @@ -34,10 +36,10 @@ class site_nickserver { # temporarily for now: $domain = hiera('domain') $address_domain = $domain['full_suffix'] - $x509 = hiera('x509') - $x509_key = $x509['key'] - $x509_cert = $x509['cert'] - $x509_ca = $x509['ca_cert'] + + + include site_config::x509::cert_key + include site_config::x509::ca # # USER AND GROUP @@ -122,7 +124,10 @@ class site_nickserver { enable => true, hasrestart => true, hasstatus => true, - require => File['/etc/init.d/nickserver']; + require => [ + File['/etc/init.d/nickserver'], + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Ca'] ]; } # @@ -158,18 +163,4 @@ class site_nickserver { content => template('site_nickserver/nickserver-proxy.conf.erb') } - x509::key { 'nickserver': - content => $x509_key, - notify => Service[apache]; - } - - x509::cert { 'nickserver': - content => $x509_cert, - notify => Service[apache]; - } - - x509::ca { 'nickserver': - content => $x509_ca, - notify => Service[apache]; - } } diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb index 67896cd3..ae06410e 100644 --- a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb +++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb @@ -14,9 +14,9 @@ Listen 0.0.0.0:<%= @nickserver_port -%> SSLHonorCipherOrder on SSLCACertificatePath /etc/ssl/certs - SSLCertificateChainFile /etc/ssl/certs/nickserver.pem - SSLCertificateKeyFile /etc/x509/keys/nickserver.key - SSLCertificateFile /etc/x509/certs/nickserver.crt + SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt + SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key + SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt ProxyPass / http://localhost:<%= @nickserver_local_port %>/ ProxyPreserveHost On # preserve Host header in HTTP request diff --git a/puppet/modules/site_openvpn/manifests/dh_key.pp b/puppet/modules/site_openvpn/manifests/dh_key.pp new file mode 100644 index 00000000..13cc0f5b --- /dev/null +++ b/puppet/modules/site_openvpn/manifests/dh_key.pp @@ -0,0 +1,10 @@ +class site_openvpn::dh_key { + + $x509_config = hiera('x509') + + file { '/etc/openvpn/keys/dh.pem': + content => $x509_config['dh'], + mode => '0644', + } + +} diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index b2bb0d3a..6ab0d430 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -20,8 +20,13 @@ class site_openvpn { tag 'leap_service' + include site_config::x509::cert_key + include site_config::x509::ca_bundle + + + Class['site_config::default'] -> Class['site_openvpn'] + $openvpn_config = hiera('openvpn') - $x509_config = hiera('x509') $openvpn_ports = $openvpn_config['ports'] if $::ec2_instance_id { @@ -56,8 +61,8 @@ class site_openvpn { $openvpn_limited_udp_cidr = '21' } - # deploy ca + server keys - include site_openvpn::keys + # deploy dh keys + include site_openvpn::dh_key if $openvpn_allow_unlimited and $openvpn_allow_limited { $unlimited_gateway_address = $openvpn_gateway_address @@ -132,7 +137,11 @@ class site_openvpn { command => '/etc/init.d/openvpn restart', refreshonly => true, subscribe => File['/etc/openvpn'], - require => [ Package['openvpn'], File['/etc/openvpn'] ]; + require => [ + Package['openvpn'], + File['/etc/openvpn'], + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Ca_bundle'] ]; } cron { 'add_gateway_ips.sh': diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp deleted file mode 100644 index f3c5b423..00000000 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ /dev/null @@ -1,51 +0,0 @@ -class site_openvpn::keys { - - x509::key { - 'leap_openvpn': - content => $site_openvpn::x509_config['key'], - notify => Service[openvpn]; - } - - x509::cert { - 'leap_openvpn': - content => $site_openvpn::x509_config['cert'], - notify => Service[openvpn]; - } - - x509::ca { - 'leap_ca': - content => $site_openvpn::x509_config['ca_cert'], - notify => Service[openvpn]; - } - - file { '/etc/openvpn/keys/dh.pem': - content => $site_openvpn::x509_config['dh'], - mode => '0644', - } - - # - # CA bundle -- we want to have the possibility of allowing multiple CAs. - # For now, the reason is to transition to using client CA. In the future, - # we will want to be able to smoothly phase out one CA and phase in another. - # I tried "--capath" for this, but it did not work. - # - - concat { - '/etc/openvpn/ca_bundle.pem': - owner => root, - group => root, - mode => 644, - warn => true, - notify => Service['openvpn']; - } - - concat::fragment { - 'client_ca_cert': - content => $site_openvpn::x509_config['client_ca_cert'], - target => '/etc/openvpn/ca_bundle.pem'; - 'ca_cert': - content => $site_openvpn::x509_config['ca_cert'], - target => '/etc/openvpn/ca_bundle.pem'; - } - -} diff --git a/puppet/modules/site_openvpn/manifests/server_config.pp b/puppet/modules/site_openvpn/manifests/server_config.pp index 5ba9812f..befeaef7 100644 --- a/puppet/modules/site_openvpn/manifests/server_config.pp +++ b/puppet/modules/site_openvpn/manifests/server_config.pp @@ -80,15 +80,15 @@ define site_openvpn::server_config( openvpn::option { "ca ${openvpn_configname}": key => 'ca', - value => '/etc/openvpn/ca_bundle.pem', + value => "${x509::variables::local_CAs}/${site_config::params::ca_bundle_name}.crt", server => $openvpn_configname; "cert ${openvpn_configname}": key => 'cert', - value => '/etc/x509/certs/leap_openvpn.crt', + value => "${x509::variables::certs}/${site_config::params::cert_name}.crt", server => $openvpn_configname; "key ${openvpn_configname}": key => 'key', - value => '/etc/x509/keys/leap_openvpn.key', + value => "${x509::variables::keys}/${site_config::params::cert_name}.key", server => $openvpn_configname; "dh ${openvpn_configname}": key => 'dh', diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 2d8f3db5..32465e01 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -8,6 +8,9 @@ class site_postfix::mx { $root_mail_recipient = $mx_hash['contact'] $postfix_smtp_listen = 'all' + include site_config::x509::cert_key + include site_config::x509::client_ca + postfix::config { 'mydestination': value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; @@ -45,6 +48,8 @@ submission inet n - n - - smtpd -o smtpd_recipient_restrictions=\$submission_recipient_restrictions -o smtpd_helo_restrictions=\$submission_helo_restrictions", require => [ - X509::Key[$cert_name], X509::Cert[$cert_name], User['vmail'] ] + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Client_ca'], + User['vmail'] ] } } diff --git a/puppet/modules/site_postfix/manifests/mx/tls.pp b/puppet/modules/site_postfix/manifests/mx/tls.pp index 8c9da9db..34df72bb 100644 --- a/puppet/modules/site_postfix/manifests/mx/tls.pp +++ b/puppet/modules/site_postfix/manifests/mx/tls.pp @@ -1,26 +1,14 @@ class site_postfix::mx::tls { - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - $client_ca = $x509['client_ca_cert'] - include x509::variables - $cert_name = hiera('name') - $cert_path = "${x509::variables::certs}/${cert_name}.crt" - $key_path = "${x509::variables::keys}/${cert_name}.key" - - x509::key { $cert_name: - content => $key, - } + $ca_path = "${x509::variables::local_CAs}/${site_config::params::client_ca_name}.crt" + $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" + $key_path = "${x509::variables::keys}/${site_config::params::cert_name}.key" - x509::cert { $cert_name: - content => $cert, - } postfix::config { 'smtpd_use_tls': value => 'yes'; - 'smtpd_tls_CAfile': value => $client_ca; + 'smtpd_tls_CAfile': value => $ca_path; 'smtpd_tls_cert_file': value => $cert_path; 'smtpd_tls_key_file': value => $key_path; 'smtpd_tls_ask_ccert': value => 'yes'; diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp index ed766e1a..b2c8db1f 100644 --- a/puppet/modules/site_stunnel/manifests/clients.pp +++ b/puppet/modules/site_stunnel/manifests/clients.pp @@ -21,6 +21,10 @@ define site_stunnel::clients ( verify => $verify, pid => "/var/run/stunnel4/${pid}.pid", rndfile => $rndfile, - debuglevel => $debuglevel + debuglevel => $debuglevel, + require => [ + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Ca'] ]; + } } diff --git a/puppet/modules/site_stunnel/manifests/setup.pp b/puppet/modules/site_stunnel/manifests/setup.pp deleted file mode 100644 index 92eeb425..00000000 --- a/puppet/modules/site_stunnel/manifests/setup.pp +++ /dev/null @@ -1,24 +0,0 @@ -class site_stunnel::setup ($cert_name, $key, $cert, $ca_name, $ca) { - - include site_stunnel - - x509::key { - $cert_name: - content => $key, - notify => Service['stunnel']; - } - - x509::cert { - $cert_name: - content => $cert, - notify => Service['stunnel']; - } - - x509::ca { - $ca_name: - content => $ca, - notify => Service['stunnel']; - } - -} - diff --git a/puppet/modules/site_tor/manifests/init.pp b/puppet/modules/site_tor/manifests/init.pp index ac830f0d..16ee4c30 100644 --- a/puppet/modules/site_tor/manifests/init.pp +++ b/puppet/modules/site_tor/manifests/init.pp @@ -1,6 +1,7 @@ class site_tor { tag 'leap_service' - + Class['site_config::default'] -> Class['site_tor'] + $tor = hiera('tor') $bandwidth_rate = $tor['bandwidth_rate'] $tor_type = $tor['type'] diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index 3d28ec83..d604b00f 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -11,9 +11,15 @@ class site_webapp::apache { $commercial_key = $x509['commercial_key'] $commercial_cert = $x509['commercial_cert'] $commercial_root = $x509['commercial_ca_cert'] - $api_key = $x509['key'] - $api_cert = $x509['cert'] - $api_root = $x509['ca_cert'] + + include site_config::x509::cert_key + include site_config::x509::ca + + include x509::variables + + X509::Cert[$site_config::params::cert_name] ~> Service[apache] + X509::Key[$site_config::params::cert_name] ~> Service[apache] + X509::Ca[$site_config::params::ca_name] ~> Service[apache] class { '::apache': no_default_site => true, ssl => true } @@ -37,29 +43,17 @@ class site_webapp::apache { 'leap_webapp': content => $commercial_key, notify => Service[apache]; - - 'leap_api': - content => $api_key, - notify => Service[apache]; } x509::cert { 'leap_webapp': content => $commercial_cert, notify => Service[apache]; - - 'leap_api': - content => $api_cert, - notify => Service[apache]; } x509::ca { 'leap_webapp': content => $commercial_root, notify => Service[apache]; - - 'leap_api': - content => $api_root, - notify => Service[apache]; } } diff --git a/puppet/modules/site_webapp/manifests/client_ca.pp b/puppet/modules/site_webapp/manifests/client_ca.pp deleted file mode 100644 index 0d9b15d6..00000000 --- a/puppet/modules/site_webapp/manifests/client_ca.pp +++ /dev/null @@ -1,25 +0,0 @@ -## -## This is for the special CA that is used exclusively for generating -## client certificates by the webapp. -## - -class site_webapp::client_ca { - include x509::variables - - $x509 = hiera('x509') - $cert_path = "${x509::variables::certs}/leap_client_ca.crt" - $key_path = "${x509::variables::keys}/leap_client_ca.key" - - x509::key { - 'leap_client_ca': - source => $x509['client_ca_key'], - group => 'leap-webapp', - notify => Service[apache]; - } - - x509::cert { - 'leap_client_ca': - source => $x509['client_ca_cert'], - notify => Service[apache]; - } -} diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index ac01a5bc..5a5cccad 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -14,15 +14,6 @@ class site_webapp::couchdb { $couch_client_connect = $couch_client['connect'] include x509::variables - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - $ca = $x509['ca_cert'] - $cert_name = 'leap_couchdb' - $ca_name = 'leap_ca' - $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" - $cert_path = "${x509::variables::certs}/${cert_name}.crt" - $key_path = "${x509::variables::keys}/${cert_name}.key" file { '/srv/leap/webapp/config/couchdb.yml.admin': @@ -60,13 +51,7 @@ class site_webapp::couchdb { mode => '0744'; } - class { 'site_stunnel::setup': - cert_name => $cert_name, - key => $key, - cert => $cert, - ca_name => $ca_name, - ca => $ca - } + include site_stunnel exec { 'migrate_design_documents': cwd => '/srv/leap/webapp', @@ -77,10 +62,10 @@ class site_webapp::couchdb { $couchdb_stunnel_client_defaults = { 'connect_port' => $couch_client_connect, - 'client' => true, - 'cafile' => $ca_path, - 'key' => $key_path, - 'cert' => $cert_path, + 'client' => true, + 'cafile' => "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt", + 'key' => "${x509::variables::keys}/${site_config::params::cert_name}.key", + 'cert' => "${x509::variables::certs}/${site_config::params::cert_name}.crt", } create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults) diff --git a/puppet/modules/site_webapp/manifests/haproxy.pp b/puppet/modules/site_webapp/manifests/haproxy.pp index 4a7e3c25..b69c69da 100644 --- a/puppet/modules/site_webapp/manifests/haproxy.pp +++ b/puppet/modules/site_webapp/manifests/haproxy.pp @@ -3,7 +3,6 @@ class site_webapp::haproxy { include site_haproxy $haproxy = hiera('haproxy') - $local_ports = $haproxy['local_ports'] # Template uses $global_options, $defaults_options concat::fragment { 'leap_haproxy_webapp_couchdb': diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index b4d5bb14..4b06cea6 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -11,11 +11,14 @@ class site_webapp { $api_version = $webapp['api_version'] $secret_token = $webapp['secret_token'] + Class['site_config::default'] -> Class['site_webapp'] + include site_config::ruby include site_webapp::apache include site_webapp::couchdb - include site_webapp::client_ca include site_webapp::haproxy + include site_config::x509::cert_key + include site_config::x509::ca group { 'leap-webapp': ensure => present, diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 05d62d41..0ce623fc 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -3,8 +3,8 @@ production: admins: <%= @webapp['admins'].inspect %> domain: <%= @provider_domain %> force_ssl: <%= @webapp['secure'] %> - client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %> - client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %> + client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key + client_ca_cert: <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt secret_token: "<%= @secret_token %>" client_cert_lifespan: <%= cert_options['life_span'].to_i %> client_cert_bit_size: <%= cert_options['bit_size'].to_i %> diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index 393d416a..0c073443 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -9,29 +9,12 @@ class soledad::server { $couchdb_user = $couchdb['couchdb_admin_user']['username'] $couchdb_password = $couchdb['couchdb_admin_user']['password'] - $x509 = hiera('x509') - $x509_key = $x509['key'] - $x509_cert = $x509['cert'] - $x509_ca = $x509['ca_cert'] + include site_config::x509::cert_key + include site_config::x509::ca $soledad = hiera('soledad') $soledad_port = $soledad['port'] - x509::key { 'soledad': - content => $x509_key, - notify => Service['soledad-server']; - } - - x509::cert { 'soledad': - content => $x509_cert, - notify => Service['soledad-server']; - } - - x509::ca { 'soledad': - content => $x509_ca, - notify => Service['soledad-server']; - } - # # SOLEDAD CONFIG # @@ -47,8 +30,9 @@ class soledad::server { package { 'soledad-server': ensure => latest, - require => [ Class['site_apt::preferences::twisted'], - Class['site_apt::leap_repo'] ]; + require => [ + Class['site_apt::preferences::twisted'], + Class['site_apt::leap_repo'] ]; } file { '/etc/default/soledad': @@ -65,7 +49,11 @@ class soledad::server { enable => true, hasstatus => true, hasrestart => true, - require => [ Class['soledad'], Package['soledad-server'] ]; + require => [ + Class['soledad'], + Package['soledad-server'], + Class['Site_config::X509::Cert_key'], + Class['Site_config::X509::Ca'] ]; } include site_shorewall::soledad diff --git a/puppet/modules/soledad/templates/default-soledad.erb b/puppet/modules/soledad/templates/default-soledad.erb index fd38903a..32504e38 100644 --- a/puppet/modules/soledad/templates/default-soledad.erb +++ b/puppet/modules/soledad/templates/default-soledad.erb @@ -1,5 +1,5 @@ # this file is managed by puppet START=yes -CERT_PATH=/etc/x509/certs/soledad.crt -PRIVKEY_PATH=/etc/x509/keys/soledad.key +CERT_PATH=<%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt +PRIVKEY_PATH=<%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key HTTPS_PORT=<%=@soledad_port%> diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel -Subproject 75d387fc8aff12232fdeae2efbbfccdd91f9465 +Subproject ec49fd93c2469bc5c13f7e6a7d25468613e1b84 |