summaryrefslogtreecommitdiff
path: root/provider_base
diff options
context:
space:
mode:
Diffstat (limited to 'provider_base')
-rw-r--r--provider_base/common.json13
-rw-r--r--provider_base/files/service-definitions/provider.json.erb6
-rw-r--r--provider_base/files/service-definitions/v1/eip-service.json.erb11
-rw-r--r--provider_base/files/service-definitions/v1/smtp-service.json.erb4
-rw-r--r--provider_base/provider.json32
-rw-r--r--provider_base/services/couchdb.json86
-rw-r--r--provider_base/services/monitor.json18
-rw-r--r--provider_base/services/mx.json24
-rw-r--r--provider_base/services/openvpn.json16
-rw-r--r--provider_base/services/soledad.json14
-rw-r--r--provider_base/services/static.json6
-rw-r--r--provider_base/services/tor.json2
-rw-r--r--provider_base/services/webapp.json48
-rw-r--r--provider_base/tags/development.json4
14 files changed, 191 insertions, 93 deletions
diff --git a/provider_base/common.json b/provider_base/common.json
index 2313bd8b..a4d9c5f2 100644
--- a/provider_base/common.json
+++ b/provider_base/common.json
@@ -3,9 +3,10 @@
"environment": null,
"services": [],
"tags": [],
+ "contacts": "= provider.contacts.default",
"domain": {
- "full_suffix": "= global.provider.domain",
- "internal_suffix": "= global.provider.domain_internal",
+ "full_suffix": "= provider.domain",
+ "internal_suffix": "= provider.domain_internal",
"full": "= node.name + '.' + domain.full_suffix",
"internal": "= node.name + '.' + domain.internal_suffix",
"name": "= node.name + '.' + (dns.public ? domain.full_suffix : domain.internal_suffix)"
@@ -15,7 +16,6 @@
},
"ssh": {
"authorized_keys": "= authorized_keys",
- "known_hosts": "=> known_hosts_file",
"port": 22,
"mosh": {
"ports": "60000:61000",
@@ -24,7 +24,7 @@
},
"hosts": "=> hosts_file",
"x509": {
- "use": false,
+ "use": true,
"cert": "= x509.use ? file(:node_x509_cert, :missing => 'x509 certificate for node $node. Run `leap cert update`') : nil",
"key": "= x509.use ? file(:node_x509_key, :missing => 'x509 key for node $node. Run `leap cert update`') : nil",
"ca_cert": "= try_file :ca_cert"
@@ -35,5 +35,8 @@
},
"name": "common",
"location": null,
- "enabled": true
+ "enabled": true,
+ "mail": {
+ "smarthost": "= nodes_like_me[:services => :mx].exclude(self).field('domain.full')"
+ }
}
diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb
index 5d4c63a0..3e055e9a 100644
--- a/provider_base/files/service-definitions/provider.json.erb
+++ b/provider_base/files/service-definitions/provider.json.erb
@@ -1,13 +1,13 @@
<%=
# grab some fields from provider.json
- hsh = global.provider.pick(
- :languages, :description, :name,
+ hsh = provider.pick(
+ :languages, :description, :name, :services,
:enrollment_policy, :default_language, :service
)
hsh['domain'] = domain.full_suffix
# advertise services that are 'user services' and for which there are actually nodes
- hsh['services'] = global.services[:service_type => :user_service].field(:name).select do |service|
+ hsh['services'] ||= global.services[:service_type => :user_service].field(:name).select do |service|
nodes_like_me[:services => service].any?
end
diff --git a/provider_base/files/service-definitions/v1/eip-service.json.erb b/provider_base/files/service-definitions/v1/eip-service.json.erb
index feaea25b..3b8976fd 100644
--- a/provider_base/files/service-definitions/v1/eip-service.json.erb
+++ b/provider_base/files/service-definitions/v1/eip-service.json.erb
@@ -27,6 +27,7 @@
hsh["version"] = 1
locations = {}
gateways = []
+ configuration = nil
nodes_like_me[:services => 'openvpn'].each_node do |node|
if node.openvpn.allow_limited && node.openvpn.allow_unlimited
gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => false)
@@ -36,13 +37,13 @@
elsif node.openvpn.allow_limited
gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => true)
end
+ if configuration && node.openvpn.configuration != configuration
+ log :error, "OpenVPN nodes in the environment `#{node.environment}` have conflicting `openvpn.configuration` values. This will result in bad errors."
+ end
+ configuration = node.openvpn.configuration
end
hsh["gateways"] = gateways.compact
hsh["locations"] = locations
- hsh["openvpn_configuration"] = {
- "tls-cipher" => "DHE-RSA-AES128-SHA",
- "auth" => "SHA1",
- "cipher" => "AES-128-CBC"
- }
+ hsh["openvpn_configuration"] = configuration
JSON.sorted_generate hsh
%> \ No newline at end of file
diff --git a/provider_base/files/service-definitions/v1/smtp-service.json.erb b/provider_base/files/service-definitions/v1/smtp-service.json.erb
index 60129f5f..45f240ac 100644
--- a/provider_base/files/service-definitions/v1/smtp-service.json.erb
+++ b/provider_base/files/service-definitions/v1/smtp-service.json.erb
@@ -15,7 +15,7 @@
host = {}
host["hostname"] = node.domain.full
host["ip_address"] = node.ip_address
- host["port"] = 25 # hard coded for now, later node.smtp.port
+ host["port"] = 465 # hard coded for now, later node.smtp.port
if node['location']
location_name = underscore(node.location.name)
host["location"] = location_name
@@ -26,4 +26,4 @@
hsh["hosts"] = hosts
hsh["locations"] = locations
JSON.sorted_generate hsh
-%> \ No newline at end of file
+%>
diff --git a/provider_base/provider.json b/provider_base/provider.json
index b6a7af21..fa69318b 100644
--- a/provider_base/provider.json
+++ b/provider_base/provider.json
@@ -8,8 +8,8 @@
"en": "REQUIRED"
},
"contacts": {
- "default": "REQUIRED",
- "english": "= contacts.default.split('@').join(' at the domain ')"
+ "default": ["REQUIRED"],
+ "english": "= contacts.default.map {|email| email.split('@').join(' at the domain ')}.join(', ')"
},
"languages": ["en"],
"default_language": "en",
@@ -23,32 +23,36 @@
],
"default_service_level": 1,
"bandwidth_limit": 102400,
- "allow_free": "= global.provider.service.levels.select {|l| l['rate'].nil?}.any?",
- "allow_paid": "= global.provider.service.levels.select {|l| !l['rate'].nil?}.any?",
- "allow_anonymous": "= global.provider.service.levels.select {|l| l['name'] == 'anonymous'}.any?",
- "allow_registration": "= global.provider.service.levels.select {|l| l['name'] != 'anonymous'}.any?",
- "allow_limited_bandwidth": "= global.provider.service.levels.select {|l| l['bandwidth'] == 'limited'}.any?",
- "allow_unlimited_bandwidth": "= global.provider.service.levels.select {|l| l['bandwidth'].nil?}.any?"
+ "allow_free": "= provider.service.levels.select {|l| l['rate'].nil?}.any?",
+ "allow_paid": "= provider.service.levels.select {|l| !l['rate'].nil?}.any?",
+ "allow_anonymous": "= provider.service.levels.select {|l| l['name'] == 'anonymous'}.any?",
+ "allow_registration": "= provider.service.levels.select {|l| l['name'] != 'anonymous'}.any?",
+ "allow_limited_bandwidth": "= provider.service.levels.select {|l| l['bandwidth'] == 'limited'}.any?",
+ "allow_unlimited_bandwidth": "= provider.service.levels.select {|l| l['bandwidth'].nil?}.any?"
},
"ca": {
- "name": "= global.provider.ca.organization + ' Root CA'",
- "organization": "= global.provider.name[global.provider.default_language]",
- "organizational_unit": "= 'https://' + global.provider.domain",
+ "name": "= provider.ca.organization + ' Root CA'",
+ "organization": "= provider.name[provider.default_language]",
+ "organizational_unit": "= 'https://' + provider.domain",
"bit_size": 4096,
"digest": "SHA256",
"life_span": "10y",
"server_certificates": {
- "bit_size": 2024,
+ "bit_size": 2048,
"digest": "SHA256",
"life_span": "1y"
},
"client_certificates": {
- "bit_size": 2024,
+ "bit_size": 2048,
"digest": "SHA256",
"life_span": "2m",
"limited_prefix": "LIMITED",
"unlimited_prefix": "UNLIMITED"
}
},
- "hiera_sync_destination": "/etc/leap"
+ "hiera_sync_destination": "/etc/leap",
+ "client_version": {
+ "min": "0.5",
+ "max": null
+ }
}
diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json
index a26579c8..5f1b5381 100644
--- a/provider_base/services/couchdb.json
+++ b/provider_base/services/couchdb.json
@@ -1,38 +1,56 @@
{
- "x509": {
- "use": true
- },
- "stunnel": {
- "couch_server": "= stunnel_server(couch.port)",
- "epmd_server": "= stunnel_server(couch.bigcouch.epmd_port)",
- "epmd_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.epmd_port)",
- "ednp_server": "= stunnel_server(couch.bigcouch.ednp_port)",
- "ednp_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.ednp_port)"
- },
- "couch": {
- "port": 5984,
- "bigcouch": {
- "epmd_port": 4369,
- "ednp_port": 9002,
- "cookie": "= secret :bigcouch_cookie",
- "neighbors": "= nodes_like_me[:services => :couchdb].exclude(self).field('domain.full')"
+ "x509": {
+ "use": true
},
- "users": {
- "admin": {
- "username": "admin",
- "password": "= secret :couch_admin_password",
- "salt": "= hex_secret :couch_admin_password_salt, 128"
- },
- "webapp": {
- "username": "webapp",
- "password": "= secret :couch_webapp_password",
- "salt": "= hex_secret :couch_webapp_password_salt, 128"
- },
- "soledad": {
- "username": "soledad",
- "password": "= secret :couch_soledad_password",
- "salt": "= hex_secret :couch_soledad_password_salt, 128"
- }
+ "stunnel": {
+ "couch_server": "= stunnel_server(couch.port)",
+ "epmd_server": "= stunnel_server(couch.bigcouch.epmd_port)",
+ "epmd_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.epmd_port)",
+ "ednp_server": "= stunnel_server(couch.bigcouch.ednp_port)",
+ "ednp_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.ednp_port)"
+ },
+ "couch": {
+ "port": 5984,
+ "bigcouch": {
+ "epmd_port": 4369,
+ "ednp_port": 9002,
+ "cookie": "= secret :bigcouch_cookie",
+ "neighbors": "= nodes_like_me[:services => :couchdb].exclude(self).field('domain.full')"
+ },
+ "users": {
+ "admin": {
+ "username": "admin",
+ "password": "= secret :couch_admin_password",
+ "salt": "= hex_secret :couch_admin_password_salt, 128"
+ },
+ "leap_mx": {
+ "username": "leap_mx",
+ "password": "= secret :couch_leap_mx_password",
+ "salt": "= hex_secret :couch_leap_mx_password_salt, 128"
+ },
+ "nickserver": {
+ "username": "nickserver",
+ "password": "= secret :couch_nickserver_password",
+ "salt": "= hex_secret :couch_nickserver_password_salt, 128"
+ },
+ "soledad": {
+ "username": "soledad",
+ "password": "= secret :couch_soledad_password",
+ "salt": "= hex_secret :couch_soledad_password_salt, 128"
+ },
+ "tapicero": {
+ "username": "tapicero",
+ "password": "= secret :couch_tapicero_password",
+ "salt": "= hex_secret :couch_tapicero_password_salt, 128"
+ },
+ "webapp": {
+ "username": "webapp",
+ "password": "= secret :couch_webapp_password",
+ "salt": "= hex_secret :couch_webapp_password_salt, 128"
+ }
+ },
+ "webapp": {
+ "nagios_test_pw": "= secret :nagios_test_password"
+ }
}
- }
}
diff --git a/provider_base/services/monitor.json b/provider_base/services/monitor.json
index f5e4d922..03f6c6d1 100644
--- a/provider_base/services/monitor.json
+++ b/provider_base/services/monitor.json
@@ -1,6 +1,22 @@
{
"nagios": {
"nagiosadmin_pw": "= secret :nagios_admin_password",
- "hosts": "= nodes_like_me.fields('domain.internal', 'ip_address', 'services', 'openvpn.gateway_address')"
+ "hosts": "= (self.environment == 'local' ? nodes_like_me : nodes[:environment => '!local']).pick_fields('domain.internal', 'domain.full_suffix', 'ip_address', 'services', 'openvpn.gateway_address', 'ssh.port')"
+ },
+ "hosts": "= self.environment == 'local' ? hosts_file(nodes_like_me) : hosts_file(nodes[:environment => '!local'])",
+ "ssh": {
+ "monitor": {
+ "username": "= Leap::Platform.monitor_username",
+ "private_key": "= file(:monitor_priv_key)"
+ }
+ },
+ "x509": {
+ "use": true,
+ "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
+ "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
+ "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'",
+ "commercial_cert": "= file [:commercial_cert, domain.full_suffix]",
+ "commercial_key": "= file [:commercial_key, domain.full_suffix]",
+ "commercial_ca_cert": "= try_file :commercial_ca_cert"
}
}
diff --git a/provider_base/services/mx.json b/provider_base/services/mx.json
new file mode 100644
index 00000000..731dee9a
--- /dev/null
+++ b/provider_base/services/mx.json
@@ -0,0 +1,24 @@
+{
+ "stunnel": {
+ "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)"
+ },
+ "haproxy": {
+ "servers": "= haproxy_servers(nodes_like_me[:services => :couchdb], stunnel.couch_client)"
+ },
+ "couchdb_leap_mx_user": {
+ "username": "= global.services[:couchdb].couch.users[:leap_mx].username",
+ "password": "= secret :couch_leap_mx_password",
+ "salt": "= hex_secret :couch_leap_mx_password_salt, 128"
+ },
+ "mynetworks": "= nodes['environment' => '!local'].map{|name, n| [n.ip_address, (global.facts[name]||{})['ec2_public_ipv4']]}.flatten.compact.uniq",
+ "x509": {
+ "use": true,
+ "ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
+ "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
+ "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'",
+ "commercial_cert": "= file [:commercial_cert, domain.full_suffix]",
+ "commercial_key": "= file [:commercial_key, domain.full_suffix]",
+ "commercial_ca_cert": "= try_file :commercial_ca_cert"
+ },
+ "service_type": "user_service"
+}
diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json
index 5d77f946..04e19aa2 100644
--- a/provider_base/services/openvpn.json
+++ b/provider_base/services/openvpn.json
@@ -14,10 +14,16 @@
"filter_dns": false,
"adblock": false,
"user_ips": false,
- "allow_limited": "= global.provider.service.allow_limited_bandwidth",
- "allow_unlimited": "= global.provider.service.allow_unlimited_bandwidth",
- "limited_prefix": "= global.provider.ca.client_certificates.limited_prefix",
- "unlimited_prefix": "= global.provider.ca.client_certificates.unlimited_prefix",
- "rate_limit": "= openvpn.allow_limited ? global.provider.service.bandwidth_limit : nil"
+ "allow_limited": "= provider.service.allow_limited_bandwidth",
+ "allow_unlimited": "= provider.service.allow_unlimited_bandwidth",
+ "limited_prefix": "= provider.ca.client_certificates.limited_prefix",
+ "unlimited_prefix": "= provider.ca.client_certificates.unlimited_prefix",
+ "rate_limit": "= openvpn.allow_limited ? provider.service.bandwidth_limit : nil",
+ "configuration": {
+ "tls-cipher": "DHE-RSA-AES128-SHA",
+ "auth": "SHA1",
+ "cipher": "AES-128-CBC",
+ "keepalive": "10 30"
+ }
}
}
diff --git a/provider_base/services/soledad.json b/provider_base/services/soledad.json
index 10657563..ed6fbc9f 100644
--- a/provider_base/services/soledad.json
+++ b/provider_base/services/soledad.json
@@ -1,6 +1,12 @@
{
- "service_type": "public_service",
"soledad": {
- "port": 1111
- }
-} \ No newline at end of file
+ "port": 2323,
+ "require_couchdb": "=> assert %(services.include? 'couchdb')",
+ "couchdb_soledad_user": {
+ "username": "= global.services[:couchdb].couch.users[:soledad].username",
+ "password": "= secret :couch_soledad_password",
+ "salt": "= hex_secret :couch_soledad_password_salt, 128"
+ }
+ },
+ "service_type": "public_service"
+}
diff --git a/provider_base/services/static.json b/provider_base/services/static.json
new file mode 100644
index 00000000..d9155a84
--- /dev/null
+++ b/provider_base/services/static.json
@@ -0,0 +1,6 @@
+{
+ "static": {
+ "formats": "=> (self.static.domains||{}).values.collect{|d| (d.locations||{}).values.collect{|l|l['format']}}.flatten.uniq"
+ },
+ "service_type": "public_service"
+} \ No newline at end of file
diff --git a/provider_base/services/tor.json b/provider_base/services/tor.json
index 9173b8d4..ae4da46d 100644
--- a/provider_base/services/tor.json
+++ b/provider_base/services/tor.json
@@ -1,6 +1,6 @@
{
"tor": {
"bandwidth_rate": 6550,
- "contacts": "= global.provider.contacts['tor'] || global.provider.contacts.default"
+ "contacts": "= [provider.contacts['tor'] || provider.contacts.default].flatten"
}
}
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index 93396ec7..29c0cbf9 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -1,25 +1,35 @@
{
"webapp": {
+ "admins": [],
"modules": ["user", "billing", "help"],
- "couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]",
-// "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]",
- "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:admin]",
- "favicon": "= file_path 'branding/favicon.ico'",
- "tail_scss": "= file_path 'branding/tail.scss'",
- "head_scss": "= file_path 'branding/head.scss'",
- "img_dir": "= file_path 'branding/img'",
- "client_certificates": "= global.provider.ca.client_certificates",
- "allow_limited_certs": "= global.provider.service.allow_limited_bandwidth",
- "allow_unlimited_certs": "= global.provider.service.allow_unlimited_bandwidth",
- "allow_anonymous_certs": "= global.provider.service.allow_anonymous",
+ "couchdb_webapp_user": {
+ "username": "= global.services[:couchdb].couch.users[:webapp].username",
+ "password": "= secret :couch_webapp_password",
+ "salt": "= hex_secret :couch_webapp_password_salt, 128"
+ },
+ "customization_dir": "= file_path 'webapp'",
+ "client_certificates": "= provider.ca.client_certificates",
+ "allow_limited_certs": "= provider.service.allow_limited_bandwidth",
+ "allow_unlimited_certs": "= provider.service.allow_unlimited_bandwidth",
+ "allow_anonymous_certs": "= provider.service.allow_anonymous",
"secret_token": "= secret :webapp_secret_token",
- "api_version": 1
+ "api_version": 1,
+ "secure": false,
+ "git": {
+ "source": "https://leap.se/git/leap_web",
+ "revision": "origin/master"
+ },
+ "client_version": "= provider.client_version",
+ "nagios_test_user": {
+ "username": "nagios_test",
+ "password": "= secret :nagios_test_password"
+ }
},
"stunnel": {
"couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)"
},
"haproxy": {
- "local_ports": "= stunnel.couch_client.field(:accept_port)"
+ "servers": "= haproxy_servers(nodes_like_me[:services => :couchdb], stunnel.couch_client, global.services[:couchdb].couch.port)"
},
"definition_files": {
"provider": "= file :provider_json_template",
@@ -34,8 +44,12 @@
},
"nickserver": {
"domain": "= 'nicknym.' + domain.full_suffix",
- "port": 6425,
- "couchdb_user": "= global.services[:couchdb].couch.users[:admin]"
+ "couchdb_nickserver_user": {
+ "username": "= global.services[:couchdb].couch.users[:nickserver].username",
+ "password": "= secret :couch_nickserver_password",
+ "salt": "= hex_secret :couch_nickserver_password_salt, 128"
+ },
+ "port": 6425
},
"dns": {
"aliases": "= [domain.full_suffix, domain.full, api.domain, nickserver.domain]"
@@ -43,8 +57,8 @@
"x509": {
"use": true,
"ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
- "client_ca_cert": "= file_path :client_ca_cert",
- "client_ca_key": "= file_path :client_ca_key",
+ "client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
+ "client_ca_key": "= file :client_ca_key, :missing => 'Certificate Authority. Run `leap cert ca`'",
"commercial_cert": "= file [:commercial_cert, domain.full_suffix]",
"commercial_key": "= file [:commercial_key, domain.full_suffix]",
"commercial_ca_cert": "= try_file :commercial_ca_cert"
diff --git a/provider_base/tags/development.json b/provider_base/tags/development.json
index 6d4f9e25..d9c2c007 100644
--- a/provider_base/tags/development.json
+++ b/provider_base/tags/development.json
@@ -1,7 +1,7 @@
{
"environment": "development",
"domain": {
- "full_suffix": "= 'dev.' + global.provider.domain",
- "internal_suffix": "= 'dev.' + global.provider.domain_internal"
+ "full_suffix": "= 'dev.' + provider.domain",
+ "internal_suffix": "= 'dev.' + provider.domain_internal"
}
} \ No newline at end of file