Diffstat (limited to 'provider_base')
-rw-r--r-- | provider_base/common.json | 15 | ||||
-rw-r--r-- | provider_base/files/service-definitions/eip-service.json.erb | 37 | ||||
-rw-r--r-- | provider_base/files/service-definitions/provider.json.erb | 17 | ||||
-rw-r--r-- | provider_base/files/service-definitions/v1/eip-service.json.erb | 48 | ||||
-rw-r--r-- | provider_base/files/service-definitions/v1/smtp-service.json.erb | 29 | ||||
-rw-r--r-- | provider_base/files/service-definitions/v1/soledad-service.json.erb | 29 | ||||
-rw-r--r-- | provider_base/provider.json | 30 | ||||
-rw-r--r-- | provider_base/services/ca.json | 11 | ||||
-rw-r--r-- | provider_base/services/couchdb.json | 28 | ||||
-rw-r--r-- | provider_base/services/openvpn.json | 11 | ||||
-rw-r--r-- | provider_base/services/soledad.json | 6 | ||||
-rw-r--r-- | provider_base/services/webapp.json | 40 | ||||
-rw-r--r-- | provider_base/tags/development.json | 7 | ||||
-rw-r--r-- | provider_base/tags/local.json | 2 | ||||
-rw-r--r-- | provider_base/tags/production.json | 2 | ||||
-rw-r--r-- | provider_base/test/openvpn/client.ovpn.erb | 6 |
16 files changed, 231 insertions, 87 deletions
diff --git a/provider_base/common.json b/provider_base/common.json index e674edb6..2313bd8b 100644 --- a/provider_base/common.json +++ b/provider_base/common.json @@ -1,5 +1,6 @@ { "ip_address": null, + "environment": null, "services": [], "tags": [], "domain": { @@ -13,9 +14,13 @@ "public": "= service_type != 'internal_service'" }, "ssh": { - "authorized_keys": "= file :authorized_keys", + "authorized_keys": "= authorized_keys", "known_hosts": "=> known_hosts_file", - "port": 22 + "port": 22, + "mosh": { + "ports": "60000:61000", + "enabled": false + } }, "hosts": "=> hosts_file", "x509": { @@ -24,11 +29,11 @@ "key": "= x509.use ? file(:node_x509_key, :missing => 'x509 key for node $node. Run `leap cert update`') : nil", "ca_cert": "= try_file :ca_cert" }, - "local": false, - "production": false, "service_type": "internal_service", "development": { "site_config": true }, - "name": "common" + "name": "common", + "location": null, + "enabled": true } diff --git a/provider_base/files/service-definitions/eip-service.json.erb b/provider_base/files/service-definitions/eip-service.json.erb deleted file mode 100644 index 8dc7211d..00000000 --- a/provider_base/files/service-definitions/eip-service.json.erb +++ /dev/null 
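Review bot: The new `ssh.mosh` block gives no hint of what `"ports": "60000:61000"` means or what consumes it; since mosh listens on UDP, a reader should know this string is presumably a port range that gets opened on the host once `enabled` is true. The file format already tolerates `//` comments elsewhere in provider_base (provider.json in this commit uses them), so a one-line note would do: `// UDP port range (low:high) for mosh; only applied when "enabled" is true`. Whether anything validates the `low:high` format before it reaches firewall or mosh configuration is not visible in this hunk.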
@@ -1,37 +0,0 @@ -<%= - def underscore(words) - words = words.to_s.dup - words.downcase! - words.gsub! /[^a-z]/, '_' - words - end - - hsh = {} - hsh["serial"] = 1 - hsh["version"] = 1 - clusters = {} - gateways = [] - global.services['openvpn'].node_list.each_node do |node| - next if node.vagrant? - gateway = {} - gateway["capabilities"] = node.openvpn.pick( - :ports, :protocols, :user_ips, :adblock, :filter_dns) - gateway["capabilities"]["transport"] = ["openvpn"] - gateway["ip_address"] = node.openvpn.gateway_address - gateway["host"] = node.domain.full - gateway["cluster"] = underscore(node.openvpn.location) - gateways << gateway - clusters[gateway["cluster"]] ||= { - "name" => gateway["cluster"], - "label" => {"en" => node.openvpn.location} - } - end - hsh["gateways"] = gateways - hsh["clusters"] = clusters.values - hsh["openvpn_configuration"] = { - "tls-cipher" => "DHE-RSA-AES128-SHA", - "auth" => "SHA1", - "cipher" => "AES-128-CBC" - } - generate_json hsh -%>
\ No newline at end of file diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb index f26f25a2..5d4c63a0 100644 --- a/provider_base/files/service-definitions/provider.json.erb +++ b/provider_base/files/service-definitions/provider.json.erb @@ -1,20 +1,21 @@ <%= - hsh = {} - # grab some fields from provider.json hsh = global.provider.pick( :languages, :description, :name, - :enrollment_policy, :default_language, :domain + :enrollment_policy, :default_language, :service ) + hsh['domain'] = domain.full_suffix - # advertise services that are 'user services' - hsh['services'] = global.services[:service_type => :user_service].field(:name) + # advertise services that are 'user services' and for which there are actually nodes + hsh['services'] = global.services[:service_type => :user_service].field(:name).select do |service| + nodes_like_me[:services => service].any? + end hsh['api_version'] = "1" - hsh['api_uri'] = "https://" + api.domain + ':' + api.port + hsh['api_uri'] = ["https://", api.domain, ':', api.port].join - hsh['ca_cert_uri'] = 'https://' + global.provider.domain + '/ca.crt' + hsh['ca_cert_uri'] = 'https://' + domain.full_suffix + '/ca.crt' hsh['ca_cert_fingerprint'] = fingerprint(:ca_cert) - generate_json hsh + hsh.dump_json %>
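Review bot: `hsh['api_uri'] = ["https://", api.domain, ':', api.port].join` replaces plain concatenation without saying why; the reason is that webapp.json in this same commit changes `api.port` from the string `"4430"` to the Integer `4430`, and `String#+` with an Integer raises. A one-line comment would keep the next editor from "simplifying" it back: `# api.port is an Integer (see webapp.json); Array#join stringifies it`. The `select do |service| ... end` block wraps a single expression and reads better in brace form: `hsh['services'] = global.services[:service_type => :user_service].field(:name).select { |s| nodes_like_me[:services => s].any? }`. `hsh.dump_json` replaces `generate_json hsh`; I cannot tell from here whether it sorts keys the way `JSON.sorted_generate` does in the new v1 templates, which matters if this output is ever fingerprinted or diffed.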
\ No newline at end of file diff --git a/provider_base/files/service-definitions/v1/eip-service.json.erb b/provider_base/files/service-definitions/v1/eip-service.json.erb new file mode 100644 index 00000000..feaea25b --- /dev/null +++ b/provider_base/files/service-definitions/v1/eip-service.json.erb @@ -0,0 +1,48 @@ +<%= + def underscore(words) + words = words.to_s.dup + words.downcase! + words.gsub! /[^a-z]/, '_' + words + end + + def add_gateway(node, locations, options={}) + return nil if options[:ip] == 'REQUIRED' + gateway = {} + gateway["capabilities"] = node.openvpn.pick(:ports, :protocols, :user_ips, :adblock, :filter_dns) + gateway["capabilities"]["transport"] = ["openvpn"] + gateway["host"] = node.domain.full + gateway["ip_address"] = options[:ip] + gateway["capabilities"]["limited"] = options[:limited] + if node['location'] + location_name = underscore(node.location.name) + gateway["location"] = location_name + locations[location_name] ||= node.location + end + gateway + end + + hsh = {} + hsh["serial"] = 1 + hsh["version"] = 1 + locations = {} + gateways = [] + nodes_like_me[:services => 'openvpn'].each_node do |node| + if node.openvpn.allow_limited && node.openvpn.allow_unlimited + gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => false) + gateways << add_gateway(node, locations, :ip => node.openvpn.second_gateway_address, :limited => true) + elsif node.openvpn.allow_unlimited + gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => false) + elsif node.openvpn.allow_limited + gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => true) + end + end + hsh["gateways"] = gateways.compact + hsh["locations"] = locations + hsh["openvpn_configuration"] = { + "tls-cipher" => "DHE-RSA-AES128-SHA", + "auth" => "SHA1", + "cipher" => "AES-128-CBC" + } + JSON.sorted_generate hsh +%>
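Review bot: `return nil if options[:ip] == 'REQUIRED'` in `add_gateway` silently drops a gateway whose `gateway_address` (or `second_gateway_address`) was never set, since openvpn.json in this commit uses the literal `"REQUIRED"` as the unset sentinel; the published eip-service.json then simply lacks that node, with nothing telling the operator why clients cannot reach it. Unless the deploy tooling already rejects `REQUIRED` values before this template runs (not visible here), the template should at least say what it is doing: `# 'REQUIRED' is the unset sentinel from openvpn.json; skip rather than publish a bogus address`. The `underscore` helper is copied verbatim into smtp-service.json.erb and soledad-service.json.erb as well; one shared helper available to all templates would keep the three copies from drifting. The `openvpn_configuration` block hard-codes `tls-cipher DHE-RSA-AES128-SHA`, `auth SHA1` and `cipher AES-128-CBC` (carried over from the deleted template); since every client negotiates exactly this, a comment marking it as a deliberate baseline to be revisited, rather than an incidental default, would help whoever maintains it.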
\ No newline at end of file diff --git a/provider_base/files/service-definitions/v1/smtp-service.json.erb b/provider_base/files/service-definitions/v1/smtp-service.json.erb new file mode 100644 index 00000000..60129f5f --- /dev/null +++ b/provider_base/files/service-definitions/v1/smtp-service.json.erb @@ -0,0 +1,29 @@ +<%= + def underscore(words) + words = words.to_s.dup + words.downcase! + words.gsub! /[^a-z]/, '_' + words + end + + hsh = {} + hsh["serial"] = 1 + hsh["version"] = 1 + locations = {} + hosts = {} + nodes_like_me[:services => 'mx'].each_node do |node| + host = {} + host["hostname"] = node.domain.full + host["ip_address"] = node.ip_address + host["port"] = 25 # hard coded for now, later node.smtp.port + if node['location'] + location_name = underscore(node.location.name) + host["location"] = location_name + locations[location_name] ||= node.location + end + hosts[node.name] = host + end + hsh["hosts"] = hosts + hsh["locations"] = locations + JSON.sorted_generate hsh +%>
\ No newline at end of file diff --git a/provider_base/files/service-definitions/v1/soledad-service.json.erb b/provider_base/files/service-definitions/v1/soledad-service.json.erb new file mode 100644 index 00000000..0cd1c927 --- /dev/null +++ b/provider_base/files/service-definitions/v1/soledad-service.json.erb @@ -0,0 +1,29 @@ +<%= + def underscore(words) + words = words.to_s.dup + words.downcase! + words.gsub! /[^a-z]/, '_' + words + end + + hsh = {} + hsh["serial"] = 1 + hsh["version"] = 1 + locations = {} + hosts = {} + nodes_like_me[:services => 'soledad'].each_node do |node| + host = {} + host["hostname"] = node.domain.full + host["ip_address"] = node.ip_address + host["port"] = node.soledad.port + if node['location'] + location_name = underscore(node.location.name) + host["location"] = location_name + locations[location_name] ||= node.location + end + hosts[node.name] = host + end + hsh["hosts"] = hosts + hsh["locations"] = locations + JSON.sorted_generate hsh +%>
\ No newline at end of file
diff --git a/provider_base/provider.json b/provider_base/provider.json
index 8ce848f3..b6a7af21 100644
--- a/provider_base/provider.json
+++ b/provider_base/provider.json
@@ -8,22 +8,46 @@ "en": "REQUIRED" }, "contacts": { - "default": "REQUIRED" + "default": "REQUIRED", + "english": "= contacts.default.split('@').join(' at the domain ')" }, "languages": ["en"], "default_language": "en", "enrollment_policy": "open", + "service": { + "levels": [ + // bandwidth limit is in Bytes, storage limit is in MB. + {"id": 1, "name": "free", "storage":50}, + {"id": 2, "name": "basic", "storage":1000, "rate": ["US$10", "€10"]}, + {"id": 3, "name": "pro", "storage":10000, "rate": ["US$20", "€20"]} + ], + "default_service_level": 1, + "bandwidth_limit": 102400, + "allow_free": "= global.provider.service.levels.select {|l| l['rate'].nil?}.any?", + "allow_paid": "= global.provider.service.levels.select {|l| !l['rate'].nil?}.any?", + "allow_anonymous": "= global.provider.service.levels.select {|l| l['name'] == 'anonymous'}.any?", + "allow_registration": "= global.provider.service.levels.select {|l| l['name'] != 'anonymous'}.any?", + "allow_limited_bandwidth": "= global.provider.service.levels.select {|l| l['bandwidth'] == 'limited'}.any?", + "allow_unlimited_bandwidth": "= global.provider.service.levels.select {|l| l['bandwidth'].nil?}.any?" + }, "ca": { "name": "= global.provider.ca.organization + ' Root CA'", "organization": "= global.provider.name[global.provider.default_language]", - "organizational_unit": "= 'https://' + global.common.domain.full_suffix", + "organizational_unit": "= 'https://' + global.provider.domain", "bit_size": 4096, "digest": "SHA256", "life_span": "10y", "server_certificates": { - "bit_size": 3248, + "bit_size": 2024, "digest": "SHA256", "life_span": "1y" + }, + "client_certificates": { + "bit_size": 2024, + "digest": "SHA256", + "life_span": "2m", + "limited_prefix": "LIMITED", + "unlimited_prefix": "UNLIMITED" } }, "hiera_sync_destination": "/etc/leap" diff --git a/provider_base/services/ca.json b/provider_base/services/ca.json deleted file mode 100644 index 3fb8bf6c..00000000 
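Review bot: `"bit_size": 2024` for both `server_certificates` and `client_certificates` looks like a typo for 2048; 2024 is not a standard RSA modulus size, and the server value was previously 3248, so landing on an odd 2024 reads as accidental rather than deliberate. If 2048 is intended, `"bit_size": 2048` in both places. The six `allow_*` expressions use `.select {|l| cond}.any?`, which builds an intermediate array; `.any? {|l| cond}` says the same thing directly, e.g. `"allow_free": "= global.provider.service.levels.any? {|l| l['rate'].nil?}"`. The comment `// bandwidth limit is in Bytes` pairs with `"bandwidth_limit": 102400` but gives no time unit; if this is a per-second rate, say so, since the openvpn.json hunk feeds this value straight into `rate_limit`.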
--- a/provider_base/services/ca.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "ca_daemon": {
- "couchdb_hosts": "= hostnames nodes[:services => :couchdb][:local => local]",
- "couchdb_user": "= global.services[:couchdb].couch.users[:ca_daemon]"
- },
- "service_type": "internal_service",
- "x509": {
- "use": true,
- "ca_key": "= file(:ca_key, :missing => 'CA key. Run `leap cert ca` to create the Certificate Authority.')"
- }
-}
diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json
index 1c8005c2..a26579c8 100644
--- a/provider_base/services/couchdb.json
+++ b/provider_base/services/couchdb.json
@@ -1,21 +1,37 @@ { - "service_type": "internal_service", "x509": { "use": true }, + "stunnel": { + "couch_server": "= stunnel_server(couch.port)", + "epmd_server": "= stunnel_server(couch.bigcouch.epmd_port)", + "epmd_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.epmd_port)", + "ednp_server": "= stunnel_server(couch.bigcouch.ednp_port)", + "ednp_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.ednp_port)" + }, "couch": { + "port": 5984, + "bigcouch": { + "epmd_port": 4369, + "ednp_port": 9002, + "cookie": "= secret :bigcouch_cookie", + "neighbors": "= nodes_like_me[:services => :couchdb].exclude(self).field('domain.full')" + }, "users": { "admin": { "username": "admin", - "password": "= secret :couch_admin_password" + "password": "= secret :couch_admin_password", + "salt": "= hex_secret :couch_admin_password_salt, 128" }, "webapp": { "username": "webapp", - "password": "= secret :couch_webapp_password" + "password": "= secret :couch_webapp_password", + "salt": "= hex_secret :couch_webapp_password_salt, 128" }, - "ca_daemon": { - "username": "ca_daemon", - "password": "= secret :couch_ca_daemon_password" + "soledad": { + "username": "soledad", + "password": "= secret :couch_soledad_password", + "salt": "= hex_secret :couch_soledad_password_salt, 128" } } } diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json index 7b67ccb3..5d77f946 100644 --- a/provider_base/services/openvpn.json +++ b/provider_base/services/openvpn.json 
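Review bot: `stunnel.epmd_clients` and `stunnel.ednp_clients` are built from `nodes_like_me[:services => :couchdb]` without `.exclude(self)`, while `couch.bigcouch.neighbors` a few lines below does exclude it; as written each couchdb node appears to get a stunnel client entry pointing at itself. If `stunnel_client` already drops the local node, a comment saying so would stop the next reader from raising this again; otherwise `"epmd_clients": "= stunnel_client(nodes_like_me[:services => :couchdb].exclude(self), global.services[:couchdb].couch.bigcouch.epmd_port)"` (and the same for `ednp_clients`) matches `neighbors`. The new `salt` fields (`hex_secret ..., 128`) carry no note on what consumes them or why 128 hex digits; a short comment would help whoever later rotates these secrets.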
@@ -5,12 +5,19 @@ "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'", "dh": "= file :dh_params, :missing => 'Diffie-Hellman parameters. Run `leap cert dh`'" }, + "location": null, "openvpn": { - "location": "Location Unknown", + "gateway_address": "REQUIRED", + "second_gateway_address": "= openvpn.allow_limited && openvpn.allow_unlimited ? 'REQUIRED' : nil", "ports": ["80", "443", "53", "1194"], "protocols": ["tcp", "udp"], "filter_dns": false, "adblock": false, - "user_ips": false + "user_ips": false, + "allow_limited": "= global.provider.service.allow_limited_bandwidth", + "allow_unlimited": "= global.provider.service.allow_unlimited_bandwidth", + "limited_prefix": "= global.provider.ca.client_certificates.limited_prefix", + "unlimited_prefix": "= global.provider.ca.client_certificates.unlimited_prefix", + "rate_limit": "= openvpn.allow_limited ? global.provider.service.bandwidth_limit : nil" } } diff --git a/provider_base/services/soledad.json b/provider_base/services/soledad.json new file mode 100644 index 00000000..10657563 --- /dev/null +++ b/provider_base/services/soledad.json @@ -0,0 +1,6 @@ +{ + "service_type": "public_service", + "soledad": { + "port": 1111 + } +}
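Review bot: `"port": 1111` is published to clients verbatim through `node.soledad.port` in the new soledad-service.json.erb, yet nothing marks whether 1111 is the real service port or a placeholder. openvpn.json in this commit uses the string `"REQUIRED"` for values the provider must fill in; if that is the situation here, `"port": "REQUIRED"` makes the omission fail loudly instead of shipping a made-up port, and if 1111 is genuinely the default, a `// default soledad port` comment would settle it.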
\ No newline at end of file
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index 8ccd3e3e..93396ec7 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -1,34 +1,52 @@ { "webapp": { "modules": ["user", "billing", "help"], - "couchdb_hosts": "= hostnames nodes[:services => :couchdb][:local => local]", - // NOTE: this is bad, but pending a fix to https://leap.se/code/issues/1163 - // before we can use user "webapp" - "couchdb_user": "= global.services[:couchdb].couch.users[:admin]", + "couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]", +// "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]", + "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:admin]", "favicon": "= file_path 'branding/favicon.ico'", "tail_scss": "= file_path 'branding/tail.scss'", "head_scss": "= file_path 'branding/head.scss'", - "img_dir": "= file_path 'branding/img'" + "img_dir": "= file_path 'branding/img'", + "client_certificates": "= global.provider.ca.client_certificates", + "allow_limited_certs": "= global.provider.service.allow_limited_bandwidth", + "allow_unlimited_certs": "= global.provider.service.allow_unlimited_bandwidth", + "allow_anonymous_certs": "= global.provider.service.allow_anonymous", + "secret_token": "= secret :webapp_secret_token", + "api_version": 1 + }, + "stunnel": { + "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)" + }, + "haproxy": { + "local_ports": "= stunnel.couch_client.field(:accept_port)" }, "definition_files": { "provider": "= file :provider_json_template", - "eip_service": "= file :eip_service_json_template" + "eip_service": "= file [:eip_service_json_template, 'v'+webapp.api_version.to_s]", + "soledad_service": "= file [:soledad_service_json_template, 'v'+webapp.api_version.to_s]", + "smtp_service": "= file [:smtp_service_json_template, 'v'+webapp.api_version.to_s]" }, "service_type": "public_service", "api": { "domain": "= 'api.' + domain.full_suffix", - "port": "4430" + "port": 4430 + }, + "nickserver": { + "domain": "= 'nicknym.' 
+ domain.full_suffix", + "port": 6425, + "couchdb_user": "= global.services[:couchdb].couch.users[:admin]" }, "dns": { - "aliases": "= [domain.full, api.domain]" + "aliases": "= [domain.full_suffix, domain.full, api.domain, nickserver.domain]" }, "x509": { "use": true, "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'", "client_ca_cert": "= file_path :client_ca_cert", "client_ca_key": "= file_path :client_ca_key", - "commercial_cert": "= file [:commercial_cert, global.provider.domain]", - "commercial_key": "= file [:commercial_key, global.provider.domain]", + "commercial_cert": "= file [:commercial_cert, domain.full_suffix]", + "commercial_key": "= file [:commercial_key, domain.full_suffix]", "commercial_ca_cert": "= try_file :commercial_ca_cert" } -}
\ No newline at end of file
+}
diff --git a/provider_base/tags/development.json b/provider_base/tags/development.json
new file mode 100644
index 00000000..6d4f9e25
--- /dev/null
+++ b/provider_base/tags/development.json
@@ -0,0 +1,7 @@
+{
+ "environment": "development",
+ "domain": {
+ "full_suffix": "= 'dev.' + global.provider.domain",
+ "internal_suffix": "= 'dev.' + global.provider.domain_internal"
+ }
+}
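Review bot: `couchdb_webapp_user` and `nickserver.couchdb_user` both resolve to the CouchDB admin account, and the only trace of the intended least-privilege setup is the commented-out `// "couchdb_webapp_user": ...users[:webapp]` line; the previous revision's NOTE pointing at https://leap.se/code/issues/1163 is dropped in this hunk, so the reason the web application runs as admin is no longer recorded anywhere. Keep the explanation next to the workaround: `// TODO: use the dedicated "webapp" couch user once https://leap.se/code/issues/1163 is fixed; admin is a temporary workaround`, and add the same comment to `nickserver.couchdb_user`. The `webapp.api_version` Integer is stringified three times with `'v'+webapp.api_version.to_s` in `definition_files`; a single derived field would avoid repeating the conversion, but that is cosmetic.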
\ No newline at end of file
diff --git a/provider_base/tags/local.json b/provider_base/tags/local.json
index 9cb16602..48312b33 100644
--- a/provider_base/tags/local.json
+++ b/provider_base/tags/local.json
@@ -1,3 +1,3 @@
 {
- "local": true
+ "environment": "local"
 }
\ No newline at end of file
diff --git a/provider_base/tags/production.json b/provider_base/tags/production.json
index b35c0650..ea17498f 100644
--- a/provider_base/tags/production.json
+++ b/provider_base/tags/production.json
@@ -1,3 +1,3 @@
 {
- "production": true
+ "environment": "production"
 }
\ No newline at end of file diff --git a/provider_base/test/openvpn/client.ovpn.erb b/provider_base/test/openvpn/client.ovpn.erb index a0bdd307..af183ef4 100644 --- a/provider_base/test/openvpn/client.ovpn.erb +++ b/provider_base/test/openvpn/client.ovpn.erb @@ -18,9 +18,11 @@ tls-cipher DHE-RSA-AES128-SHA </ca> <cert> -<%= read_file! :test_client_cert -%> +<%# read_file! :test_client_cert -%> +<%= cert -%> </cert> <key> -<%= read_file! :test_client_key -%> +<%# read_file! :test_client_key -%> +<%= key -%> </key> |
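Review bot: The two `<%# read_file! :test_client_cert -%>` and `<%# read_file! :test_client_key -%>` lines are commented-out code kept alongside their replacements `<%= cert -%>` and `<%= key -%>`; they render to nothing and only tell a reader that someone was unsure. Delete them, or if the old path is still meant as a fallback, say so in the comment instead of leaving the bare call. Where `cert` and `key` are bound when this template is rendered is not visible in the hunk.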