Diffstat (limited to 'provider_base')
-rw-r--r-- | provider_base/README | 9 | ||||
-rw-r--r-- | provider_base/common.json | 34 | ||||
-rw-r--r-- | provider_base/files/branding/head.scss | 1 | ||||
-rw-r--r-- | provider_base/files/branding/tail.scss | 1 | ||||
-rw-r--r-- | provider_base/files/service-definitions/eip-service.json.erb | 37 | ||||
-rw-r--r-- | provider_base/files/service-definitions/provider.json.erb | 20 | ||||
-rw-r--r-- | provider_base/provider.json | 30 | ||||
-rw-r--r-- | provider_base/services/ca.json | 11 | ||||
-rw-r--r-- | provider_base/services/couchdb.json | 22 | ||||
-rw-r--r-- | provider_base/services/dns.json | 7 | ||||
-rw-r--r-- | provider_base/services/monitor.json | 6 | ||||
-rw-r--r-- | provider_base/services/openvpn.json | 16 | ||||
-rw-r--r-- | provider_base/services/tor.json | 6 | ||||
-rw-r--r-- | provider_base/services/webapp.json | 34 | ||||
-rw-r--r-- | provider_base/tags/local.json | 3 | ||||
-rw-r--r-- | provider_base/tags/production.json | 3 | ||||
-rw-r--r-- | provider_base/test/openvpn/client.ovpn.erb | 26 |
17 files changed, 266 insertions, 0 deletions
diff --git a/provider_base/README b/provider_base/README
new file mode 100644
index 00000000..bb80df50
--- /dev/null
+++ b/provider_base/README
@@ -0,0 +1,9 @@
+This directory holds the base provider files that actual providers inherit from.
+
+For example:
+
+ the file........ myproject/provider/common.json
+ inherits from... myproject/leap_platform/provider_base/common.json
+
+
+
diff --git a/provider_base/common.json b/provider_base/common.json
new file mode 100644
index 00000000..e674edb6
--- /dev/null
+++ b/provider_base/common.json
@@ -0,0 +1,34 @@
+{
+ "ip_address": null,
+ "services": [],
+ "tags": [],
+ "domain": {
+ "full_suffix": "= global.provider.domain",
+ "internal_suffix": "= global.provider.domain_internal",
+ "full": "= node.name + '.' + domain.full_suffix",
+ "internal": "= node.name + '.' + domain.internal_suffix",
+ "name": "= node.name + '.' + (dns.public ? domain.full_suffix : domain.internal_suffix)"
+ },
+ "dns": {
+ "public": "= service_type != 'internal_service'"
+ },
+ "ssh": {
+ "authorized_keys": "= file :authorized_keys",
+ "known_hosts": "=> known_hosts_file",
+ "port": 22
+ },
+ "hosts": "=> hosts_file",
+ "x509": {
+ "use": false,
+ "cert": "= x509.use ? file(:node_x509_cert, :missing => 'x509 certificate for node $node. Run `leap cert update`') : nil",
+ "key": "= x509.use ? file(:node_x509_key, :missing => 'x509 key for node $node. Run `leap cert update`') : nil",
+ "ca_cert": "= try_file :ca_cert"
+ },
+ "local": false,
+ "production": false,
+ "service_type": "internal_service",
+ "development": {
+ "site_config": true
+ },
+ "name": "common"
+}
diff --git a/provider_base/files/branding/head.scss b/provider_base/files/branding/head.scss
new file mode 100644
index 00000000..c100a004
--- /dev/null
+++ b/provider_base/files/branding/head.scss
@@ -0,0 +1 @@
+// no head.scss set
diff --git a/provider_base/files/branding/tail.scss b/provider_base/files/branding/tail.scss
new file mode 100644
index 00000000..919aeec6
--- /dev/null
+++ b/provider_base/files/branding/tail.scss
@@ -0,0 +1 @@
+// no tail.scss set
diff --git a/provider_base/files/service-definitions/eip-service.json.erb b/provider_base/files/service-definitions/eip-service.json.erb
new file mode 100644
index 00000000..8dc7211d
--- /dev/null
+++ b/provider_base/files/service-definitions/eip-service.json.erb
@@ -0,0 +1,37 @@
+<%=
+ def underscore(words)
+ words = words.to_s.dup
+ words.downcase!
+ words.gsub! /[^a-z]/, '_'
+ words
+ end
+
+ hsh = {}
+ hsh["serial"] = 1
+ hsh["version"] = 1
+ clusters = {}
+ gateways = []
+ global.services['openvpn'].node_list.each_node do |node|
+ next if node.vagrant?
+ gateway = {}
+ gateway["capabilities"] = node.openvpn.pick(
+ :ports, :protocols, :user_ips, :adblock, :filter_dns)
+ gateway["capabilities"]["transport"] = ["openvpn"]
+ gateway["ip_address"] = node.openvpn.gateway_address
+ gateway["host"] = node.domain.full
+ gateway["cluster"] = underscore(node.openvpn.location)
+ gateways << gateway
+ clusters[gateway["cluster"]] ||= {
+ "name" => gateway["cluster"],
+ "label" => {"en" => node.openvpn.location}
+ }
+ end
+ hsh["gateways"] = gateways
+ hsh["clusters"] = clusters.values
+ hsh["openvpn_configuration"] = {
+ "tls-cipher" => "DHE-RSA-AES128-SHA",
+ "auth" => "SHA1",
+ "cipher" => "AES-128-CBC"
+ }
+ generate_json hsh
+%>
\ No newline at end of file
diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb
new file mode 100644
index 00000000..f26f25a2
--- /dev/null
+++ b/provider_base/files/service-definitions/provider.json.erb
@@ -0,0 +1,20 @@
+<%=
+ hsh = {}
+
+ # grab some fields from provider.json
+ hsh = global.provider.pick(
+ :languages, :description, :name,
+ :enrollment_policy, :default_language, :domain
+ )
+
+ # advertise services that are 'user services'
+ hsh['services'] = global.services[:service_type => :user_service].field(:name)
+
+ hsh['api_version'] = "1"
+ hsh['api_uri'] = "https://" + api.domain + ':' + api.port
+
+ hsh['ca_cert_uri'] = 'https://' + global.provider.domain + '/ca.crt'
+ hsh['ca_cert_fingerprint'] = fingerprint(:ca_cert)
+
+ generate_json hsh
+%>
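Review bot: `words.gsub! /[^a-z]/, '_'` inside `underscore` leaves the parser to decide whether `/` opens a regexp literal or is a division; it parses as intended here but is the classic "ambiguous first argument" warning, so write it as `words.gsub!(/[^a-z]/, '_')`. The `def underscore` sits inside the `<%=` tag, so presumably it is (re)defined on the template's binding object on every render; a local `->(words) { ... }` lambda or a helper supplied by the renderer would avoid that. The `openvpn_configuration` values (`tls-cipher`, `auth`, `cipher`) are repeated verbatim in test/openvpn/client.ovpn.erb in this same commit, so clients consuming this service definition and the test client will drift apart as soon as only one copy is changed; keep them in one place — the `openvpn` block in services/openvpn.json already holds the other per-gateway parameters this template picks.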
\ No newline at end of file
diff --git a/provider_base/provider.json b/provider_base/provider.json
new file mode 100644
index 00000000..8ce848f3
--- /dev/null
+++ b/provider_base/provider.json
@@ -0,0 +1,30 @@
+{
+ "domain": "REQUIRED",
+ "domain_internal": "= domain.sub(/\\..*$/,'.i')",
+ "name": {
+ "en": "REQUIRED"
+ },
+ "description": {
+ "en": "REQUIRED"
+ },
+ "contacts": {
+ "default": "REQUIRED"
+ },
+ "languages": ["en"],
+ "default_language": "en",
+ "enrollment_policy": "open",
+ "ca": {
+ "name": "= global.provider.ca.organization + ' Root CA'",
+ "organization": "= global.provider.name[global.provider.default_language]",
+ "organizational_unit": "= 'https://' + global.common.domain.full_suffix",
+ "bit_size": 4096,
+ "digest": "SHA256",
+ "life_span": "10y",
+ "server_certificates": {
+ "bit_size": 3248,
+ "digest": "SHA256",
+ "life_span": "1y"
+ }
+ },
+ "hiera_sync_destination": "/etc/leap"
+}
diff --git a/provider_base/services/ca.json b/provider_base/services/ca.json
new file mode 100644
index 00000000..3fb8bf6c
--- /dev/null
+++ b/provider_base/services/ca.json
@@ -0,0 +1,11 @@
+{
+ "ca_daemon": {
+ "couchdb_hosts": "= hostnames nodes[:services => :couchdb][:local => local]",
+ "couchdb_user": "= global.services[:couchdb].couch.users[:ca_daemon]"
+ },
+ "service_type": "internal_service",
+ "x509": {
+ "use": true,
+ "ca_key": "= file(:ca_key, :missing => 'CA key. Run `leap cert ca` to create the Certificate Authority.')"
+ }
+}
diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json
new file mode 100644
index 00000000..1c8005c2
--- /dev/null
+++ b/provider_base/services/couchdb.json
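Review bot: The `hsh = {}` on the second line of provider.json.erb is dead, since `hsh` is reassigned from `global.provider.pick(...)` four lines later; drop it and attach the "grab some fields" comment to the assignment. `hsh['api_uri'] = "https://" + api.domain + ':' + api.port` only works because `api.port` is the string `"4430"` in services/webapp.json; a provider that overrides it with a number makes the concatenation raise `TypeError` at generation time, whereas `hsh['api_uri'] = "https://#{api.domain}:#{api.port}"` (and likewise for `ca_cert_uri`) accepts either and drops the mixed quoting.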
@@ -0,0 +1,22 @@
+{
+ "service_type": "internal_service",
+ "x509": {
+ "use": true
+ },
+ "couch": {
+ "users": {
+ "admin": {
+ "username": "admin",
+ "password": "= secret :couch_admin_password"
+ },
+ "webapp": {
+ "username": "webapp",
+ "password": "= secret :couch_webapp_password"
+ },
+ "ca_daemon": {
+ "username": "ca_daemon",
+ "password": "= secret :couch_ca_daemon_password"
+ }
+ }
+ }
+}
diff --git a/provider_base/services/dns.json b/provider_base/services/dns.json
new file mode 100644
index 00000000..677d9b2c
--- /dev/null
+++ b/provider_base/services/dns.json
@@ -0,0 +1,7 @@
+{
+ "hosts": {
+ "public": "= nodes['dns.public' => true].fields('domain.name', 'dns.aliases', 'ip_address')",
+ "private": "= nodes['dns.public' => false].fields('domain.name', 'dns.aliases', 'ip_address')"
+ },
+ "service_type": "public_service"
+}
\ No newline at end of file
diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json
new file mode 100644
index 00000000..f5e4d922
--- /dev/null
+++ b/provider_base/services/monitor.json
@@ -0,0 +1,6 @@
+{
+ "nagios": {
+ "nagiosadmin_pw": "= secret :nagios_admin_password",
+ "hosts": "= nodes_like_me.fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')"
+ }
+}
diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json
new file mode 100644
index 00000000..7b67ccb3
--- /dev/null
+++ b/provider_base/services/openvpn.json
@@ -0,0 +1,16 @@
+{
+ "service_type": "user_service",
+ "x509": {
+ "use": true,
+ "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
+ "dh": "= file :dh_params, :missing => 'Diffie-Hellman parameters. Run `leap cert dh`'"
+ },
+ "openvpn": {
+ "location": "Location Unknown",
+ "ports": ["80", "443", "53", "1194"],
+ "protocols": ["tcp", "udp"],
+ "filter_dns": false,
+ "adblock": false,
+ "user_ips": false
+ }
+}
diff --git a/provider_base/services/tor.json b/provider_base/services/tor.json
new file mode 100644
index 00000000..9173b8d4
--- /dev/null
+++ b/provider_base/services/tor.json
@@ -0,0 +1,6 @@
+{
+ "tor": {
+ "bandwidth_rate": 6550,
+ "contacts": "= global.provider.contacts['tor'] || global.provider.contacts.default"
+ }
+}
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
new file mode 100644
index 00000000..e3055c6f
--- /dev/null
+++ b/provider_base/services/webapp.json
@@ -0,0 +1,34 @@
+{
+ "webapp": {
+ "modules": ["user", "billing", "help"],
+ "couchdb_hosts": "= hostnames nodes[:services => :couchdb][:local => local]",
+ # NOTE: this is bad, but pending a fix to https://leap.se/code/issues/1163
+ # before we can use user "webapp"
+ "couchdb_user": "= global.services[:couchdb].couch.users[:admin]",
+ "favicon": "= file_path 'branding/favicon.ico'",
+ "tail_scss": "= file_path 'branding/tail.scss'",
+ "head_scss": "= file_path 'branding/head.scss'",
+ "img_dir": "= file_path 'branding/img'"
+ },
+ "definition_files": {
+ "provider": "= file :provider_json_template",
+ "eip_service": "= file :eip_service_json_template"
+ },
+ "service_type": "public_service",
+ "api": {
+ "domain": "= 'api.' + domain.full_suffix",
+ "port": "4430"
+ },
+ "dns": {
+ "aliases": "= [domain.full, api.domain]"
+ },
+ "x509": {
+ "use": true,
+ "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
+ "client_ca_cert": "= file_path :client_ca_cert",
+ "client_ca_key": "= file_path :client_ca_key",
+ "commercial_cert": "= file [:commercial_cert, global.provider.domain]",
+ "commercial_key": "= file [:commercial_key, global.provider.domain]",
+ "commercial_ca_cert": "= try_file :commercial_ca_cert"
+ }
+}
\ No newline at end of file
diff --git a/provider_base/tags/local.json b/provider_base/tags/local.json
new file mode 100644
index 00000000..9cb16602
--- /dev/null
+++ b/provider_base/tags/local.json
@@ -0,0 +1,3 @@
+{
+ "local": true
+}
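Review bot: The two `# NOTE:` lines inside the `webapp` object of services/webapp.json are not valid JSON; the file only loads if the platform's JSON loader strips `#` lines before parsing, and nothing in this commit shows that it does — confirm it, otherwise move the note into provider_base/README next to the issue link and keep the file strict JSON. `x509.client_ca_key` places the private key of the client CA on a node whose `service_type` is `public_service`, i.e. the internet-facing webapp; if issuing client certificates from that node is by design, the README should say so and note that `client_ca_*` is deliberately a CA distinct from `ca_cert` (as far as this commit shows, `ca_key` is only given to services/ca.json), so that a webapp compromise cannot mint node or server certificates. `couchdb_hosts` is the same expression as in services/ca.json, so any later refinement (e.g. filtering by tag) has to be made in both places.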
\ No newline at end of file
diff --git a/provider_base/tags/production.json b/provider_base/tags/production.json
new file mode 100644
index 00000000..b35c0650
--- /dev/null
+++ b/provider_base/tags/production.json
@@ -0,0 +1,3 @@
+{
+ "production": true
+}
\ No newline at end of file
diff --git a/provider_base/test/openvpn/client.ovpn.erb b/provider_base/test/openvpn/client.ovpn.erb
new file mode 100644
index 00000000..a0bdd307
--- /dev/null
+++ b/provider_base/test/openvpn/client.ovpn.erb
@@ -0,0 +1,26 @@
+client
+dev tun
+remote-cert-tls server
+remote-random
+nobind
+script-security 2
+verb 3
+auth SHA1
+cipher AES-128-CBC
+tls-cipher DHE-RSA-AES128-SHA
+
+<% vpn_nodes.each_node do |node| -%>
+<%= "remote #{node.openvpn.gateway_address} 1194 udp"%>
+<% end -%>
+
+<ca>
+<%= read_file! :ca_cert -%>
+</ca>
+
+<cert>
+<%= read_file! :test_client_cert -%>
+</cert>
+
+<key>
+<%= read_file! :test_client_key -%>
+</key>
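Review bot: `script-security 2` lets OpenVPN execute user-defined scripts, but no `up`, `down` or other script directive appears anywhere in this config, so the line only widens what a mistyped or tampered config could do on the test client; drop it until a script hook actually needs it. The `auth`, `cipher` and `tls-cipher` lines duplicate the `openvpn_configuration` hash in files/service-definitions/eip-service.json.erb from this same commit, so the test client stops matching what the service definition advertises the moment one copy changes. The generated `remote` line also hard-codes `1194 udp` while services/openvpn.json advertises four ports and two protocols; fine for a smoke test, but a one-line comment such as `# test client: uses only the first advertised port/protocol` would stop it being read as the full set.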