Diffstat (limited to 'provider_base')
-rw-r--r--provider_base/common.json15
-rw-r--r--provider_base/files/service-definitions/eip-service.json.erb37
-rw-r--r--provider_base/files/service-definitions/provider.json.erb17
-rw-r--r--provider_base/files/service-definitions/v1/eip-service.json.erb48
-rw-r--r--provider_base/files/service-definitions/v1/smtp-service.json.erb29
-rw-r--r--provider_base/files/service-definitions/v1/soledad-service.json.erb29
-rw-r--r--provider_base/provider.json30
-rw-r--r--provider_base/services/ca.json11
-rw-r--r--provider_base/services/couchdb.json28
-rw-r--r--provider_base/services/openvpn.json11
-rw-r--r--provider_base/services/soledad.json6
-rw-r--r--provider_base/services/webapp.json40
-rw-r--r--provider_base/tags/development.json7
-rw-r--r--provider_base/tags/local.json2
-rw-r--r--provider_base/tags/production.json2
-rw-r--r--provider_base/test/openvpn/client.ovpn.erb6
16 files changed, 231 insertions, 87 deletions
diff --git a/provider_base/common.json b/provider_base/common.json
index e674edb6..2313bd8b 100644
--- a/provider_base/common.json
+++ b/provider_base/common.json
@@ -1,5 +1,6 @@
{
"ip_address": null,
+ "environment": null,
"services": [],
"tags": [],
"domain": {
@@ -13,9 +14,13 @@
"public": "= service_type != 'internal_service'"
},
"ssh": {
- "authorized_keys": "= file :authorized_keys",
+ "authorized_keys": "= authorized_keys",
"known_hosts": "=> known_hosts_file",
- "port": 22
+ "port": 22,
+ "mosh": {
+ "ports": "60000:61000",
+ "enabled": false
+ }
},
"hosts": "=> hosts_file",
"x509": {
@@ -24,11 +29,11 @@
"key": "= x509.use ? file(:node_x509_key, :missing => 'x509 key for node $node. Run `leap cert update`') : nil",
"ca_cert": "= try_file :ca_cert"
},
- "local": false,
- "production": false,
"service_type": "internal_service",
"development": {
"site_config": true
},
- "name": "common"
+ "name": "common",
+ "location": null,
+ "enabled": true
}
diff --git a/provider_base/files/service-definitions/eip-service.json.erb b/provider_base/files/service-definitions/eip-service.json.erb
deleted file mode 100644
index 8dc7211d..00000000
--- a/provider_base/files/service-definitions/eip-service.json.erb
+++ /dev/null
@@ -1,37 +0,0 @@
-<%=
- def underscore(words)
- words = words.to_s.dup
- words.downcase!
- words.gsub! /[^a-z]/, '_'
- words
- end
-
- hsh = {}
- hsh["serial"] = 1
- hsh["version"] = 1
- clusters = {}
- gateways = []
- global.services['openvpn'].node_list.each_node do |node|
- next if node.vagrant?
- gateway = {}
- gateway["capabilities"] = node.openvpn.pick(
- :ports, :protocols, :user_ips, :adblock, :filter_dns)
- gateway["capabilities"]["transport"] = ["openvpn"]
- gateway["ip_address"] = node.openvpn.gateway_address
- gateway["host"] = node.domain.full
- gateway["cluster"] = underscore(node.openvpn.location)
- gateways << gateway
- clusters[gateway["cluster"]] ||= {
- "name" => gateway["cluster"],
- "label" => {"en" => node.openvpn.location}
- }
- end
- hsh["gateways"] = gateways
- hsh["clusters"] = clusters.values
- hsh["openvpn_configuration"] = {
- "tls-cipher" => "DHE-RSA-AES128-SHA",
- "auth" => "SHA1",
- "cipher" => "AES-128-CBC"
- }
- generate_json hsh
-%> \ No newline at end of file
diff --git a/provider_base/files/service-definitions/provider.json.erb b/provider_base/files/service-definitions/provider.json.erb
index f26f25a2..5d4c63a0 100644
--- a/provider_base/files/service-definitions/provider.json.erb
+++ b/provider_base/files/service-definitions/provider.json.erb
@@ -1,20 +1,21 @@
<%=
- hsh = {}
-
# grab some fields from provider.json
hsh = global.provider.pick(
:languages, :description, :name,
- :enrollment_policy, :default_language, :domain
+ :enrollment_policy, :default_language, :service
)
+ hsh['domain'] = domain.full_suffix
- # advertise services that are 'user services'
- hsh['services'] = global.services[:service_type => :user_service].field(:name)
+ # advertise services that are 'user services' and for which there are actually nodes
+ hsh['services'] = global.services[:service_type => :user_service].field(:name).select do |service|
+ nodes_like_me[:services => service].any?
+ end
hsh['api_version'] = "1"
- hsh['api_uri'] = "https://" + api.domain + ':' + api.port
+ hsh['api_uri'] = ["https://", api.domain, ':', api.port].join
- hsh['ca_cert_uri'] = 'https://' + global.provider.domain + '/ca.crt'
+ hsh['ca_cert_uri'] = 'https://' + domain.full_suffix + '/ca.crt'
hsh['ca_cert_fingerprint'] = fingerprint(:ca_cert)
- generate_json hsh
+ hsh.dump_json
%> \ No newline at end of file
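Review bot: `hsh['ca_cert_uri']` still builds its URL with string `+` while `api_uri` two lines above was switched to `Array#join` in this same hunk; the pair reads more consistently as `hsh['ca_cert_uri'] = ['https://', domain.full_suffix, '/ca.crt'].join`. The `select do … end` block is used for its return value, so the single-line form `.select { |service| nodes_like_me[:services => service].any? }` is the more idiomatic shape. Replacing the picked `:domain` with `domain.full_suffix` changes what dev-tagged nodes advertise, since development.json in this change prefixes the suffix with 'dev.'; a comment such as `# advertise the environment's domain suffix so api_uri and ca_cert_uri agree with the tag in effect` would record that intent — I am inferring it from the tag files, so confirm before adding.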
diff --git a/provider_base/files/service-definitions/v1/eip-service.json.erb b/provider_base/files/service-definitions/v1/eip-service.json.erb
new file mode 100644
index 00000000..feaea25b
--- /dev/null
+++ b/provider_base/files/service-definitions/v1/eip-service.json.erb
@@ -0,0 +1,48 @@
+<%=
+ def underscore(words)
+ words = words.to_s.dup
+ words.downcase!
+ words.gsub! /[^a-z]/, '_'
+ words
+ end
+
+ def add_gateway(node, locations, options={})
+ return nil if options[:ip] == 'REQUIRED'
+ gateway = {}
+ gateway["capabilities"] = node.openvpn.pick(:ports, :protocols, :user_ips, :adblock, :filter_dns)
+ gateway["capabilities"]["transport"] = ["openvpn"]
+ gateway["host"] = node.domain.full
+ gateway["ip_address"] = options[:ip]
+ gateway["capabilities"]["limited"] = options[:limited]
+ if node['location']
+ location_name = underscore(node.location.name)
+ gateway["location"] = location_name
+ locations[location_name] ||= node.location
+ end
+ gateway
+ end
+
+ hsh = {}
+ hsh["serial"] = 1
+ hsh["version"] = 1
+ locations = {}
+ gateways = []
+ nodes_like_me[:services => 'openvpn'].each_node do |node|
+ if node.openvpn.allow_limited && node.openvpn.allow_unlimited
+ gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => false)
+ gateways << add_gateway(node, locations, :ip => node.openvpn.second_gateway_address, :limited => true)
+ elsif node.openvpn.allow_unlimited
+ gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => false)
+ elsif node.openvpn.allow_limited
+ gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => true)
+ end
+ end
+ hsh["gateways"] = gateways.compact
+ hsh["locations"] = locations
+ hsh["openvpn_configuration"] = {
+ "tls-cipher" => "DHE-RSA-AES128-SHA",
+ "auth" => "SHA1",
+ "cipher" => "AES-128-CBC"
+ }
+ JSON.sorted_generate hsh
+%> \ No newline at end of file
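Review bot: `add_gateway` returns nil when `options[:ip]` is the literal 'REQUIRED' and the caller's `gateways.compact` then silently drops that gateway, so a node whose `second_gateway_address` was never filled in disappears from the published service definition with no error; at minimum a comment such as `# skip gateways whose address is still the REQUIRED placeholder (see services/openvpn.json); nothing reports the omission` should mark that, and raising instead would surface the misconfiguration. `words.gsub! /[^a-z]/, '_'` passes a regexp literal without parentheses, which Ruby reports as an ambiguous first argument; write `words.gsub!(/[^a-z]/, '_')`. The same `underscore` helper is defined verbatim in the new smtp-service and soledad-service templates, so a fix here must be repeated there. The `openvpn_configuration` block advertises `auth` SHA1 and `cipher` AES-128-CBC; a comment noting that these must match what the gateways and the test client.ovpn.erb in this change actually negotiate, and that they are legacy choices to be revisited, would help the next maintainer.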
diff --git a/provider_base/files/service-definitions/v1/smtp-service.json.erb b/provider_base/files/service-definitions/v1/smtp-service.json.erb
new file mode 100644
index 00000000..60129f5f
--- /dev/null
+++ b/provider_base/files/service-definitions/v1/smtp-service.json.erb
@@ -0,0 +1,29 @@
+<%=
+ def underscore(words)
+ words = words.to_s.dup
+ words.downcase!
+ words.gsub! /[^a-z]/, '_'
+ words
+ end
+
+ hsh = {}
+ hsh["serial"] = 1
+ hsh["version"] = 1
+ locations = {}
+ hosts = {}
+ nodes_like_me[:services => 'mx'].each_node do |node|
+ host = {}
+ host["hostname"] = node.domain.full
+ host["ip_address"] = node.ip_address
+ host["port"] = 25 # hard coded for now, later node.smtp.port
+ if node['location']
+ location_name = underscore(node.location.name)
+ host["location"] = location_name
+ locations[location_name] ||= node.location
+ end
+ hosts[node.name] = host
+ end
+ hsh["hosts"] = hosts
+ hsh["locations"] = locations
+ JSON.sorted_generate hsh
+%> \ No newline at end of file
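Review bot: `host["ip_address"] = node.ip_address` publishes whatever the node carries, and common.json in this same change defaults `ip_address` to null, so an mx node without an explicit address would be advertised as `"ip_address": null`; I cannot see whether the tooling rejects that earlier, so either document the expectation or decide what the template should do in that case. A comment on the loop such as `# one entry per mx node, keyed by node name; ip_address and hostname come straight from the node config` would make the published shape explicit.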
diff --git a/provider_base/files/service-definitions/v1/soledad-service.json.erb b/provider_base/files/service-definitions/v1/soledad-service.json.erb
new file mode 100644
index 00000000..0cd1c927
--- /dev/null
+++ b/provider_base/files/service-definitions/v1/soledad-service.json.erb
@@ -0,0 +1,29 @@
+<%=
+ def underscore(words)
+ words = words.to_s.dup
+ words.downcase!
+ words.gsub! /[^a-z]/, '_'
+ words
+ end
+
+ hsh = {}
+ hsh["serial"] = 1
+ hsh["version"] = 1
+ locations = {}
+ hosts = {}
+ nodes_like_me[:services => 'soledad'].each_node do |node|
+ host = {}
+ host["hostname"] = node.domain.full
+ host["ip_address"] = node.ip_address
+ host["port"] = node.soledad.port
+ if node['location']
+ location_name = underscore(node.location.name)
+ host["location"] = location_name
+ locations[location_name] ||= node.location
+ end
+ hosts[node.name] = host
+ end
+ hsh["hosts"] = hosts
+ hsh["locations"] = locations
+ JSON.sorted_generate hsh
+%> \ No newline at end of file
diff --git a/provider_base/provider.json b/provider_base/provider.json
index 8ce848f3..b6a7af21 100644
--- a/provider_base/provider.json
+++ b/provider_base/provider.json
@@ -8,22 +8,46 @@
"en": "REQUIRED"
},
"contacts": {
- "default": "REQUIRED"
+ "default": "REQUIRED",
+ "english": "= contacts.default.split('@').join(' at the domain ')"
},
"languages": ["en"],
"default_language": "en",
"enrollment_policy": "open",
+ "service": {
+ "levels": [
+ // bandwidth limit is in Bytes, storage limit is in MB.
+ {"id": 1, "name": "free", "storage":50},
+ {"id": 2, "name": "basic", "storage":1000, "rate": ["US$10", "€10"]},
+ {"id": 3, "name": "pro", "storage":10000, "rate": ["US$20", "€20"]}
+ ],
+ "default_service_level": 1,
+ "bandwidth_limit": 102400,
+ "allow_free": "= global.provider.service.levels.select {|l| l['rate'].nil?}.any?",
+ "allow_paid": "= global.provider.service.levels.select {|l| !l['rate'].nil?}.any?",
+ "allow_anonymous": "= global.provider.service.levels.select {|l| l['name'] == 'anonymous'}.any?",
+ "allow_registration": "= global.provider.service.levels.select {|l| l['name'] != 'anonymous'}.any?",
+ "allow_limited_bandwidth": "= global.provider.service.levels.select {|l| l['bandwidth'] == 'limited'}.any?",
+ "allow_unlimited_bandwidth": "= global.provider.service.levels.select {|l| l['bandwidth'].nil?}.any?"
+ },
"ca": {
"name": "= global.provider.ca.organization + ' Root CA'",
"organization": "= global.provider.name[global.provider.default_language]",
- "organizational_unit": "= 'https://' + global.common.domain.full_suffix",
+ "organizational_unit": "= 'https://' + global.provider.domain",
"bit_size": 4096,
"digest": "SHA256",
"life_span": "10y",
"server_certificates": {
- "bit_size": 3248,
+ "bit_size": 2024,
"digest": "SHA256",
"life_span": "1y"
+ },
+ "client_certificates": {
+ "bit_size": 2024,
+ "digest": "SHA256",
+ "life_span": "2m",
+ "limited_prefix": "LIMITED",
+ "unlimited_prefix": "UNLIMITED"
}
},
"hiera_sync_destination": "/etc/leap"
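Review bot: The new `"bit_size": 2024` for both `server_certificates` and `client_certificates` is not a standard RSA key size and sits just below the common 2048-bit minimum that many clients and policies enforce; this looks like a typo for 2048 and should be `"bit_size": 2048` in both places unless a smaller key is deliberate. The six `allow_*` expressions each do `.select { … }.any?`; `any?` accepts the block directly, e.g. `"allow_free": "= global.provider.service.levels.any? {|l| l['rate'].nil?}"`, which also avoids building the intermediate array. The `levels` comment mentions a bandwidth limit, but none of the three listed levels defines a `bandwidth` key, so `allow_limited_bandwidth` is false and `allow_unlimited_bandwidth` true by default; a short comment stating that the `bandwidth: "limited"` key is what opts a level in would save a reader from working that out.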
diff --git a/provider_base/services/ca.json b/provider_base/services/ca.json
deleted file mode 100644
index 3fb8bf6c..00000000
--- a/provider_base/services/ca.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
- "ca_daemon": {
- "couchdb_hosts": "= hostnames nodes[:services => :couchdb][:local => local]",
- "couchdb_user": "= global.services[:couchdb].couch.users[:ca_daemon]"
- },
- "service_type": "internal_service",
- "x509": {
- "use": true,
- "ca_key": "= file(:ca_key, :missing => 'CA key. Run `leap cert ca` to create the Certificate Authority.')"
- }
-}
diff --git a/provider_base/services/couchdb.json b/provider_base/services/couchdb.json
index 1c8005c2..a26579c8 100644
--- a/provider_base/services/couchdb.json
+++ b/provider_base/services/couchdb.json
@@ -1,21 +1,37 @@
{
- "service_type": "internal_service",
"x509": {
"use": true
},
+ "stunnel": {
+ "couch_server": "= stunnel_server(couch.port)",
+ "epmd_server": "= stunnel_server(couch.bigcouch.epmd_port)",
+ "epmd_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.epmd_port)",
+ "ednp_server": "= stunnel_server(couch.bigcouch.ednp_port)",
+ "ednp_clients": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.bigcouch.ednp_port)"
+ },
"couch": {
+ "port": 5984,
+ "bigcouch": {
+ "epmd_port": 4369,
+ "ednp_port": 9002,
+ "cookie": "= secret :bigcouch_cookie",
+ "neighbors": "= nodes_like_me[:services => :couchdb].exclude(self).field('domain.full')"
+ },
"users": {
"admin": {
"username": "admin",
- "password": "= secret :couch_admin_password"
+ "password": "= secret :couch_admin_password",
+ "salt": "= hex_secret :couch_admin_password_salt, 128"
},
"webapp": {
"username": "webapp",
- "password": "= secret :couch_webapp_password"
+ "password": "= secret :couch_webapp_password",
+ "salt": "= hex_secret :couch_webapp_password_salt, 128"
},
- "ca_daemon": {
- "username": "ca_daemon",
- "password": "= secret :couch_ca_daemon_password"
+ "soledad": {
+ "username": "soledad",
+ "password": "= secret :couch_soledad_password",
+ "salt": "= hex_secret :couch_soledad_password_salt, 128"
}
}
}
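Review bot: `epmd_clients` and `ednp_clients` are built from `nodes_like_me[:services => :couchdb]` without excluding the current node, whereas `neighbors` in the same hunk applies `.exclude(self)`; unless `stunnel_client` filters the local node itself (not visible here), each couchdb node would also open a tunnel to itself, so `stunnel_client(nodes_like_me[:services => :couchdb].exclude(self), …)` would be the consistent form. Dropping the explicit `"service_type": "internal_service"` relies on the default in common.json; a `//` comment recording that (provider.json in this change shows the parser accepts them) would keep the intent visible.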
diff --git a/provider_base/services/openvpn.json b/provider_base/services/openvpn.json
index 7b67ccb3..5d77f946 100644
--- a/provider_base/services/openvpn.json
+++ b/provider_base/services/openvpn.json
@@ -5,12 +5,19 @@
"client_ca_cert": "= file :client_ca_cert, :missing => 'Certificate Authority. Run `leap cert ca`'",
"dh": "= file :dh_params, :missing => 'Diffie-Hellman parameters. Run `leap cert dh`'"
},
+ "location": null,
"openvpn": {
- "location": "Location Unknown",
+ "gateway_address": "REQUIRED",
+ "second_gateway_address": "= openvpn.allow_limited && openvpn.allow_unlimited ? 'REQUIRED' : nil",
"ports": ["80", "443", "53", "1194"],
"protocols": ["tcp", "udp"],
"filter_dns": false,
"adblock": false,
- "user_ips": false
+ "user_ips": false,
+ "allow_limited": "= global.provider.service.allow_limited_bandwidth",
+ "allow_unlimited": "= global.provider.service.allow_unlimited_bandwidth",
+ "limited_prefix": "= global.provider.ca.client_certificates.limited_prefix",
+ "unlimited_prefix": "= global.provider.ca.client_certificates.unlimited_prefix",
+ "rate_limit": "= openvpn.allow_limited ? global.provider.service.bandwidth_limit : nil"
}
}
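Review bot: `second_gateway_address` evaluates to the literal string 'REQUIRED' when both limited and unlimited access are allowed, and the v1 eip-service template in this change compares the resolved address against that exact string to decide whether to drop a gateway, so two files are now coupled on a magic value. A `//` comment above it, e.g. `// placeholder; must be set per node when both allow_limited and allow_unlimited are true, otherwise the gateway is omitted from eip-service.json`, would document the contract. Whether the tooling also validates 'REQUIRED' values before templates run is not visible in this diff.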
diff --git a/provider_base/services/soledad.json b/provider_base/services/soledad.json
new file mode 100644
index 00000000..10657563
--- /dev/null
+++ b/provider_base/services/soledad.json
@@ -0,0 +1,6 @@
+{
+ "service_type": "public_service",
+ "soledad": {
+ "port": 1111
+ }
+} \ No newline at end of file
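Review bot: `"port": 1111` looks like a placeholder rather than a chosen default, and it is what the new v1 soledad-service template publishes to clients as the host port; if it is provisional, a comment such as `// placeholder port, to be settled once the soledad daemon's listener is fixed` would prevent it from being treated as final. The file also lacks a trailing newline, unlike webapp.json, which this change fixes.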
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index 8ccd3e3e..93396ec7 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -1,34 +1,52 @@
{
"webapp": {
"modules": ["user", "billing", "help"],
- "couchdb_hosts": "= hostnames nodes[:services => :couchdb][:local => local]",
- // NOTE: this is bad, but pending a fix to https://leap.se/code/issues/1163
- // before we can use user "webapp"
- "couchdb_user": "= global.services[:couchdb].couch.users[:admin]",
+ "couchdb_admin_user": "= global.services[:couchdb].couch.users[:admin]",
+// "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:webapp]",
+ "couchdb_webapp_user": "= global.services[:couchdb].couch.users[:admin]",
"favicon": "= file_path 'branding/favicon.ico'",
"tail_scss": "= file_path 'branding/tail.scss'",
"head_scss": "= file_path 'branding/head.scss'",
- "img_dir": "= file_path 'branding/img'"
+ "img_dir": "= file_path 'branding/img'",
+ "client_certificates": "= global.provider.ca.client_certificates",
+ "allow_limited_certs": "= global.provider.service.allow_limited_bandwidth",
+ "allow_unlimited_certs": "= global.provider.service.allow_unlimited_bandwidth",
+ "allow_anonymous_certs": "= global.provider.service.allow_anonymous",
+ "secret_token": "= secret :webapp_secret_token",
+ "api_version": 1
+ },
+ "stunnel": {
+ "couch_client": "= stunnel_client(nodes_like_me[:services => :couchdb], global.services[:couchdb].couch.port)"
+ },
+ "haproxy": {
+ "local_ports": "= stunnel.couch_client.field(:accept_port)"
},
"definition_files": {
"provider": "= file :provider_json_template",
- "eip_service": "= file :eip_service_json_template"
+ "eip_service": "= file [:eip_service_json_template, 'v'+webapp.api_version.to_s]",
+ "soledad_service": "= file [:soledad_service_json_template, 'v'+webapp.api_version.to_s]",
+ "smtp_service": "= file [:smtp_service_json_template, 'v'+webapp.api_version.to_s]"
},
"service_type": "public_service",
"api": {
"domain": "= 'api.' + domain.full_suffix",
- "port": "4430"
+ "port": 4430
+ },
+ "nickserver": {
+ "domain": "= 'nicknym.' + domain.full_suffix",
+ "port": 6425,
+ "couchdb_user": "= global.services[:couchdb].couch.users[:admin]"
},
"dns": {
- "aliases": "= [domain.full, api.domain]"
+ "aliases": "= [domain.full_suffix, domain.full, api.domain, nickserver.domain]"
},
"x509": {
"use": true,
"ca_cert": "= file :ca_cert, :missing => 'provider CA. Run `leap cert ca`'",
"client_ca_cert": "= file_path :client_ca_cert",
"client_ca_key": "= file_path :client_ca_key",
- "commercial_cert": "= file [:commercial_cert, global.provider.domain]",
- "commercial_key": "= file [:commercial_key, global.provider.domain]",
+ "commercial_cert": "= file [:commercial_cert, domain.full_suffix]",
+ "commercial_key": "= file [:commercial_key, domain.full_suffix]",
"commercial_ca_cert": "= try_file :commercial_ca_cert"
}
-} \ No newline at end of file
+}
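Review bot: The new `couchdb_webapp_user` still resolves to the couch `admin` user (the `webapp` user line is left commented out), and the new `nickserver.couchdb_user` does the same, but the removed NOTE explaining why the webapp needs admin rights is gone; restore it next to the commented line, e.g. `// NOTE: still the admin user pending https://leap.se/code/issues/1163; switch to users[:webapp] once fixed`, so the over-privileged database credential stays visibly temporary. The `"port": 4430` change from string to integer is what makes the `join` in provider.json.erb necessary; a short comment there or here noting that `api.port` is now numeric would keep the two in step.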
diff --git a/provider_base/tags/development.json b/provider_base/tags/development.json
new file mode 100644
index 00000000..6d4f9e25
--- /dev/null
+++ b/provider_base/tags/development.json
@@ -0,0 +1,7 @@
+{
+ "environment": "development",
+ "domain": {
+ "full_suffix": "= 'dev.' + global.provider.domain",
+ "internal_suffix": "= 'dev.' + global.provider.domain_internal"
+ }
+} \ No newline at end of file
diff --git a/provider_base/tags/local.json b/provider_base/tags/local.json
index 9cb16602..48312b33 100644
--- a/provider_base/tags/local.json
+++ b/provider_base/tags/local.json
@@ -1,3 +1,3 @@
{
- "local": true
+ "environment": "local"
} \ No newline at end of file
diff --git a/provider_base/tags/production.json b/provider_base/tags/production.json
index b35c0650..ea17498f 100644
--- a/provider_base/tags/production.json
+++ b/provider_base/tags/production.json
@@ -1,3 +1,3 @@
{
- "production": true
+ "environment": "production"
} \ No newline at end of file
diff --git a/provider_base/test/openvpn/client.ovpn.erb b/provider_base/test/openvpn/client.ovpn.erb
index a0bdd307..af183ef4 100644
--- a/provider_base/test/openvpn/client.ovpn.erb
+++ b/provider_base/test/openvpn/client.ovpn.erb
@@ -18,9 +18,11 @@ tls-cipher DHE-RSA-AES128-SHA
</ca>
<cert>
-<%= read_file! :test_client_cert -%>
+<%# read_file! :test_client_cert -%>
+<%= cert -%>
</cert>
<key>
-<%= read_file! :test_client_key -%>
+<%# read_file! :test_client_key -%>
+<%= key -%>
</key>
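Review bot: The old `read_file!` calls are kept as `<%# … %>` ERB comments beside the new `<%= cert -%>` and `<%= key -%>` lines, which leaves dead code in the template; delete them, and if the origin of the `cert` and `key` locals matters, replace them with one comment such as `<%# cert and key are supplied by the caller that renders this template %>`. Because the private key is emitted inline into the generated client config, the file holding the rendered output needs the same handling as any key file. The template continues outside this hunk, so I cannot see where `cert` and `key` are bound.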