Diffstat (limited to 'provider_base')
| -rw-r--r-- | provider_base/common.json | 4 | ||||
| -rw-r--r-- | provider_base/files/service-definitions/v1/eip-service.json.erb | 12 | ||||
| -rw-r--r-- | provider_base/lib/macros.rb | 1 | ||||
| -rw-r--r-- | provider_base/lib/macros/files.rb | 16 | ||||
| -rw-r--r-- | provider_base/lib/macros/keys.rb | 82 | ||||
| -rw-r--r-- | provider_base/provider.json | 3 | ||||
| -rw-r--r-- | provider_base/services/_couchdb_multimaster.json | 6 | ||||
| -rw-r--r-- | provider_base/services/monitor.json | 1 | ||||
| -rw-r--r-- | provider_base/services/openvpn.json | 3 | ||||
| -rw-r--r-- | provider_base/services/tor.json | 9 | ||||
| -rw-r--r-- | provider_base/services/webapp.json | 3 | 
11 files changed, 126 insertions, 14 deletions
|
diff --git a/provider_base/common.json b/provider_base/common.json
index 87af2152..649db0d9 100644
--- a/provider_base/common.json
+++ b/provider_base/common.json
@@ -46,5 +46,9 @@
   "stunnel": {
     "clients": {},
     "servers": {}
+  },
+  "platform": {
+    "version": "= Leap::Platform.version.to_s",
+    "major_version": "= Leap::Platform.major_version"
   }
 }
diff --git a/provider_base/files/service-definitions/v1/eip-service.json.erb b/provider_base/files/service-definitions/v1/eip-service.json.erb
index 3b8976fd..4bd220df 100644
--- a/provider_base/files/service-definitions/v1/eip-service.json.erb
+++ b/provider_base/files/service-definitions/v1/eip-service.json.erb
@@ -42,8 +42,14 @@
     end
     configuration = node.openvpn.configuration
   end
-  hsh["gateways"] = gateways.compact
-  hsh["locations"] = locations
-  hsh["openvpn_configuration"] = configuration
+  if gateways.any?
+    configuration = configuration.dup
+    if configuration['fragment'] && configuration['fragment'] == 1500
+      configuration.delete('fragment')
+    end
+    hsh["gateways"] = gateways.compact
+    hsh["locations"] = locations
+    hsh["openvpn_configuration"] = configuration
+  end
   JSON.sorted_generate hsh
 %>
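Review bot: On the `if configuration['fragment'] && configuration['fragment'] == 1500` line the `&&` clause is redundant (a nil value already fails the equality), and the literal 1500 is an undocumented coupling to the `"fragment": 1500` default that this same commit adds to services/openvpn.json: a provider who sets any other value will have `fragment` exported to clients, while the default is silently hidden from them. Shorten it to `if configuration['fragment'] == 1500` and put the reason above it, e.g. `# drop the provider_base default fragment setting from the client-facing definition — <state why clients must not receive it>`. Note also that `dup` is shallow, so nested values in `configuration` are still shared with `node.openvpn.configuration`; only the top-level delete here is safe. The ERB block this code sits in opens before the hunk.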
\ No newline at end of file
diff --git a/provider_base/lib/macros.rb b/provider_base/lib/macros.rb
index 854b92b5..ecc3e6ba 100644
--- a/provider_base/lib/macros.rb
+++ b/provider_base/lib/macros.rb
@@ -9,6 +9,7 @@ require_relative 'macros/core'
 require_relative 'macros/files'
 require_relative 'macros/haproxy'
 require_relative 'macros/hosts'
+require_relative 'macros/keys'
 require_relative 'macros/nodes'
 require_relative 'macros/secrets'
 require_relative 'macros/stunnel'
diff --git a/provider_base/lib/macros/files.rb b/provider_base/lib/macros/files.rb
index 0a491325..958958bc 100644
--- a/provider_base/lib/macros/files.rb
+++ b/provider_base/lib/macros/files.rb
@@ -48,13 +48,22 @@ module LeapCli
     # * if the path does not exist locally, but exists in provider_base, then the default file from
     #   provider_base is copied locally. this is required for rsync to work correctly.
     #
-    def file_path(path)
+    def file_path(path, options={})
       if path.is_a? Symbol
         path = [path, @node.name]
+      elsif path.is_a? String
+        # ensure it prefixed with files/
+        unless path =~ /^files\//
+          path = "files/" + path
+        end
       end
       actual_path = Path.find_file(path)
       if actual_path.nil?
-        Util::log 2, :skipping, "file_path(\"#{path}\") because there is no such file."
+        if options[:missing]
+          raise FileMissing.new(Path.named_path(path), options)
+        else
+          Util::log 2, :skipping, "file_path(\"#{path}\") because there is no such file."
+        end
         nil
       else
         if actual_path =~ /^#{Regexp.escape(Path.provider_base)}/
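Review bot: The new String branch tests the prefix with `path =~ /^files\//`, and the second hunk of this file strips it with `sub!(/^files\//, '')`; in Ruby `^` anchors to the start of any line, not the string, so a value containing a newline would match on a later line. Use the string methods instead: `unless path.start_with?('files/')` here and `sub!(/\Afiles\//, '')` in the second hunk. The comment should read `# ensure it is prefixed with files/`. Nothing in this branch normalizes the supplied path, so whether `..` components are rejected depends on Path.find_file — worth confirming, since the result feeds the rsync file list, although these paths come from provider configuration rather than end-user input.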
@@ -70,8 +79,9 @@ module LeapCli
           actual_path += '/' # ensure directories end with /, important for building rsync command
         end
         relative_path = Path.relative_path(actual_path)
+        relative_path.sub!(/^files\//, '') # remove "files/" prefix
         @node.file_paths << relative_path
-        @node.manager.provider.hiera_sync_destination + '/' + relative_path
+        File.join(Leap::Platform.files_dir, relative_path)
       end
     end
diff --git a/provider_base/lib/macros/keys.rb b/provider_base/lib/macros/keys.rb
new file mode 100644
index 00000000..ea4c3df2
--- /dev/null
+++ b/provider_base/lib/macros/keys.rb
@@ -0,0 +1,82 @@
+# encoding: utf-8
+
+#
+# Macro for dealing with cryptographic keys
+#
+
+module LeapCli
+  module Macro
+
+    #
+    # return the path to the tor public key
+    # generating key if it is missing
+    #
+    def tor_public_key_path(path_name, key_type)
+      path = file_path(path_name)
+      if path.nil?
+        generate_tor_key(key_type)
+        file_path(path_name)
+      else
+        path
+      end
+    end
+
+    #
+    # return the path to the tor private key
+    # generating key if it is missing
+    #
+    def tor_private_key_path(path_name, key_type)
+      path = file_path(path_name)
+      if path.nil?
+        generate_tor_key(key_type)
+        file_path(path_name)
+      else
+        path
+      end
+    end
+
+    #
+    # on the command line an onion address can be created
+    # from an rsa public key using this:
+    #
+    #   base64 -d < ./pubkey | sha1sum | awk '{print $1}' |
+    #     perl -e '$l=<>; chomp $l; print pack("H*", $l)' |
+    #     python -c 'import base64, sys; t=sys.stdin.read(); print base64.b32encode(t[:10]).lower()'
+    #
+    # path_name is the named path of the tor public key.
+    #
+    def onion_address(path_name)
+      require 'base32'
+      require 'base64'
+      require 'openssl'
+      path = Path.find_file([path_name, self.name])
+      if path && File.exists?(path)
+        public_key_str = File.readlines(path).grep(/^[^-]/).join
+        public_key     = Base64.decode64(public_key_str)
+        sha1sum_string = Digest::SHA1.new.hexdigest(public_key)
+        sha1sum_binary = [sha1sum_string].pack('H*')
+        Base32.encode(sha1sum_binary.slice(0,10)).downcase
+      else
+        LeapCli.log :warning, 'Tor public key file "%s" does not exist' % tor_public_key_path
+      end
+    end
+
+    private
+
+    def generate_tor_key(key_type)
+      if key_type == 'RSA'
+        require 'certificate_authority'
+        keypair = CertificateAuthority::MemoryKeyMaterial.new
+        bit_size = 1024
+        LeapCli.log :generating, "%s bit RSA Tor key" % bit_size do
+          keypair.generate_key(bit_size)
+          LeapCli::Util.write_file! [:node_tor_priv_key, self.name], keypair.private_key.to_pem
+          LeapCli::Util.write_file! [:node_tor_pub_key, self.name], keypair.public_key.to_pem
+        end
+      else
+        LeapCli.bail! 'tor.key.type of %s is not yet supported' % key_type
+      end
+    end
+
+  end
+end
diff --git a/provider_base/provider.json b/provider_base/provider.json
index 743964ee..9ef0f76a 100644
--- a/provider_base/provider.json
+++ b/provider_base/provider.json
@@ -44,7 +44,7 @@
     "digest": "SHA256",
     "life_span": "10y",
     "server_certificates": {
-      "bit_size": 2048,
+      "bit_size": 4096,
       "digest": "SHA256",
       "life_span": "1y"
     },
@@ -56,7 +56,6 @@
       "unlimited_prefix": "UNLIMITED"
     }
   },
-  "hiera_sync_destination": "/etc/leap",
   "client_version": {
     "min": "0.5",
     "max": null
diff --git a/provider_base/services/_couchdb_multimaster.json b/provider_base/services/_couchdb_multimaster.json
index 8c433188..0f340e00 100644
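Review bot: In `onion_address` the warning branch calls `tor_public_key_path` with no arguments, but that method requires two (`path_name, key_type`), so a missing key file raises ArgumentError instead of logging; build the message from the path that was looked up, e.g. `LeapCli.log :warning, 'Tor public key file "%s" does not exist' % Path.named_path([path_name, self.name])`. `tor_public_key_path` and `tor_private_key_path` are byte-identical apart from their names and could share one private helper that takes the named path. `File.exists?` is the deprecated alias of `File.exist?`, and `Digest::SHA1` is used with no `require 'digest'` — `require 'openssl'` may pull it in transitively, but it should be required explicitly. The `bit_size = 1024` in `generate_tor_key` is presumably fixed by the hidden-service key and address format this file implements (SHA-1 of the public key, first 80 bits, base32), not a tunable like the 4096 in provider.json; a comment such as `# 1024 is dictated by the tor hidden service key format — do not raise to match provider.json` would prevent a well-meant bump that tor would likely reject. Nothing here sets a file mode for the private key, so confirm that `LeapCli::Util.write_file!` applies restrictive permissions.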
--- a/provider_base/services/_couchdb_multimaster.json
+++ b/provider_base/services/_couchdb_multimaster.json
@@ -8,8 +8,8 @@
       "ednp_server": "= stunnel_server(couch.bigcouch.ednp_port)"
     },
     "clients": {
-      "epmd_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], couch.bigcouch.epmd_port)",
-      "ednp_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], couch.bigcouch.ednp_port)"
+      "epmd_clients": "= stunnel_client(nodes_like_me['services' => 'couchdb']['couch.mode' => 'multimaster'], couch.bigcouch.epmd_port)",
+      "ednp_clients": "= stunnel_client(nodes_like_me['services' => 'couchdb']['couch.mode' => 'multimaster'], couch.bigcouch.ednp_port)"
     }
   },
   "couch": {
@@ -18,7 +18,7 @@
       "epmd_port": 4369,
       "ednp_port": 9002,
       "cookie": "= secret :bigcouch_cookie",
-      "neighbors": "= nodes_like_me['services' => 'couchdb']['couch.master' => true].exclude(self).field('domain.full')"
+      "neighbors": "= nodes_like_me['services' => 'couchdb']['couch.mode' => 'multimaster'].exclude(self).field('domain.full')"
     }
   }
 }
diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json
index c24724bf..56ca015b 100644
--- a/provider_base/services/monitor.json
+++ b/provider_base/services/monitor.json
@@ -1,6 +1,7 @@
 {
   "nagios": {
     "nagiosadmin_pw": "= secret :nagios_admin_password",
+    "domains_internal": "= global.tags.field('domain.internal_suffix').compact.uniq",
     "hosts": "= (self.environment == 'local' ? nodes_like_me : nodes[:environment => '!local']).pick_fields('domain.internal', 'domain.full_suffix', 'ip_address', 'services', 'openvpn.gateway_address', 'ssh.port')"
   },
   "hosts": "= self.environment == 'local' ? hosts_file(nodes_like_me) : hosts_file(nodes[:environment => '!local'])",
diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json
index 1906244c..11cb0dc2 100644
--- a/provider_base/services/openvpn.json
+++ b/provider_base/services/openvpn.json
@@ -24,7 +24,8 @@
       "auth": "SHA1",
       "cipher": "AES-128-CBC",
       "keepalive": "10 30",
-      "tun-ipv6": true
+      "tun-ipv6": true,
+      "fragment": 1500
     }
   },
   "obfsproxy": {
diff --git a/provider_base/services/tor.json b/provider_base/services/tor.json
index fc365a19..55d3d2ee 100644
--- a/provider_base/services/tor.json
+++ b/provider_base/services/tor.json
@@ -3,6 +3,13 @@
     "bandwidth_rate": 6550,
     "contacts": "= [provider.contacts['tor'] || provider.contacts.default].flatten",
     "nickname": "= (self.name + secret(:tor_family)).sub('_','')[0..18]",
-    "family": "= nodes[:services => 'tor'][:environment => '!local'].field('tor.nickname').join(',')"
+    "family": "= nodes[:services => 'tor'][:environment => '!local'].field('tor.nickname').join(',')",
+    "hidden_service": {
+      "active": null,
+      "key_type": "RSA",
+      "public_key": "= tor_public_key_path(:node_tor_pub_key, tor.hidden_service.key_type) if tor.hidden_service.active",
+      "private_key": "= tor_private_key_path(:node_tor_priv_key, tor.hidden_service.key_type) if tor.hidden_service.active",
+      "address": "= onion_address(:node_tor_pub_key) if tor.hidden_service.active"
+    }
   }
 }
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index 3af0dade..67744f99 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -1,6 +1,7 @@
 {
   "webapp": {
     "admins": [],
+    "forbidden_usernames": ["admin", "administrator", "arin-admin", "certmaster", "contact", "info", "maildrop", "postmaster", "ssladmin", "www-data"],
     "domain": "= domain.full_suffix",
     "modules": ["user", "billing", "help"],
     "couchdb_webapp_user": {
@@ -21,7 +22,7 @@
     "secure": false,
     "git": {
       "source": "https://leap.se/git/leap_web",
-      "revision": "origin/master"
+      "revision": "origin/version/0.6"
     },
     "client_version": "= provider.client_version",
     "nagios_test_user": {
|
