3 files changed, 60 insertions, 20 deletions

diff --git a/lib/leap_cli/commands/compile.rb b/lib/leap_cli/commands/compile.rb
index 8f6c7769..c388e5c3 100644
--- a/lib/leap_cli/commands/compile.rb
+++ b/lib/leap_cli/commands/compile.rb
@@ -265,56 +265,86 @@ remove this directory if you don't use it.
     # serial is any number less than 2^32 (4294967296)
     #
     def compile_zone_file
-      provider = manager.env('default').provider
+      provider   = manager.env('default').provider
       hosts_seen = {}
-      f = $stdout
-      f.puts ZONE_HEADER % {:domain => provider.domain, :ns => provider.domain, :contact => provider.contacts.default.first.sub('@','.')}
-      max_width = manager.nodes.values.inject(0) {|max, node| [max, relative_hostname(node.domain.full, provider).length].max }
-      put_line = lambda do |host, line|
-        host = '@' if host == ''
-        f.puts("%-#{max_width}s %s" % [host, line])
-      end
+      lines      = []
+
+      #
+      # header
+      #
+      lines << ZONE_HEADER % {:domain => provider.domain, :ns => provider.domain, :contact => provider.contacts.default.first.sub('@','.')}
 
-      f.puts ORIGIN_HEADER
+      #
+      # common records
+      #
+      lines << ORIGIN_HEADER
       # 'A' records for primary domain
       manager.nodes[:environment => '!local'].each_node do |node|
         if node.dns['aliases'] && node.dns.aliases.include?(provider.domain)
-          put_line.call "", "IN A      #{node.ip_address}"
+          lines << ["@", "IN A      #{node.ip_address}"]
         end
       end
-
       # NS records
       if provider['dns'] && provider.dns['nameservers']
         provider.dns.nameservers.each do |ns|
-          put_line.call "", "IN NS #{ns}."
+          lines << ["@", "IN NS #{ns}."]
         end
       end
 
-      # all other records
+      # environment records
       manager.environment_names.each do |env|
         next if env == 'local'
         nodes = manager.nodes[:environment => env]
         next unless nodes.any?
-        f.puts ENV_HEADER % (env.nil? ? 'default' : env)
+        spf = nil
+        lines << ENV_HEADER % (env.nil? ? 'default' : env)
         nodes.each_node do |node|
           if node.dns.public
-            hostname = relative_hostname(node.domain.full, provider)
-            put_line.call relative_hostname(node.domain.full, provider), "IN A      #{node.ip_address}"
+            lines << [relative_hostname(node.domain.full, provider), "IN A      #{node.ip_address}"]
           end
           if node.dns['aliases']
             node.dns.aliases.each do |host_alias|
               if host_alias != node.domain.full && host_alias != provider.domain
-                put_line.call relative_hostname(host_alias, provider), "IN A      #{node.ip_address}"
+                lines << [relative_hostname(host_alias, provider), "IN A      #{node.ip_address}"]
               end
             end
           end
           if node.services.include? 'mx'
-            put_line.call relative_hostname(node.domain.full_suffix, provider), "IN MX 10  #{relative_hostname(node.domain.full, provider)}"
+            mx_domain = relative_hostname(node.domain.full_suffix, provider)
+            lines << [mx_domain, "IN MX 10  #{relative_hostname(node.domain.full, provider)}"]
+            spf ||= [mx_domain, spf_record(node)]
           end
         end
+        lines << spf if spf
+      end
+
+      # print the lines
+      max_width = lines.inject(0) {|max, line| line.is_a?(Array) ? [max, line[0].length].max : max}
+      lines.each do |host, line|
+        if line.nil?
+          puts(host)
+        else
+          host = '@' if host == ''
+          puts("%-#{max_width}s %s" % [host, line])
+        end
       end
     end
 
+    #
+    # allow mail from any mx node, plus the webapp nodes.
+    #
+    # TODO: ipv6
+    #
+    def spf_record(node)
+      ips = node.nodes_like_me['services' => 'webapp'].values.collect {|n|
+        "ip4:" + n.ip_address
+      }
+      # TXT strings may not be longer than 255 characters, although
+      # you can chain multiple strings together.
+      strings = "v=spf1 MX #{ips.join(' ')} -all".scan(/.{1,255}/).join('" "')
+      %(IN TXT    "#{strings}")
+    end
+
     ENV_HEADER = %[
 ;;
 ;; ENVIRONMENT %s
diff --git a/lib/leap_cli/commands/db.rb b/lib/leap_cli/commands/db.rb
index e4fd3858..5703e4bd 100644
--- a/lib/leap_cli/commands/db.rb
+++ b/lib/leap_cli/commands/db.rb
@@ -40,7 +40,6 @@ module LeapCli; module Commands
   def destroy_all_dbs(nodes)
     ssh_connect(nodes) do |ssh|
       ssh.run('/etc/init.d/bigcouch stop && test ! -z "$(ls /opt/bigcouch/var/lib/ 2> /dev/null)" && rm -r /opt/bigcouch/var/lib/* && echo "db destroyed" || echo "db already destroyed"')
-      ssh.run('grep ^seq_dir /etc/leap/tapicero.yaml | cut -f2 -d\" | xargs rm -rv')
     end
   end
 
diff --git a/lib/leap_cli/macros/stunnel.rb b/lib/leap_cli/macros/stunnel.rb
index f16308c7..821bda38 100644
--- a/lib/leap_cli/macros/stunnel.rb
+++ b/lib/leap_cli/macros/stunnel.rb
@@ -49,12 +49,14 @@ module LeapCli
       result = Config::ObjectList.new
       node_list.each_node do |node|
         if node.name != self.name || options[:include_self]
+          s_port = stunnel_port(port)
           result["#{node.name}_#{port}"] = Config::Object[
             'accept_port', @next_stunnel_port,
             'connect', node.domain.internal,
-            'connect_port', stunnel_port(port),
+            'connect_port', s_port,
             'original_port', port
           ]
+          manager.connections.add(:from => @node.ip_address, :to => node.ip_address, :port => s_port)
           @next_stunnel_port += 1
         end
       end
@@ -76,6 +78,15 @@ module LeapCli
       }
     end
 
+    #
+    # lists the ips that connect to this node, on particular ports.
+    #
+    def stunnel_firewall
+      manager.connections.select {|connection|
+        connection['to'] == @node.ip_address
+      }
+    end
+
     private
 
     #