summaryrefslogtreecommitdiff
path: root/puppet/modules/site_couchdb/manifests
diff options
context:
space:
mode:
Diffstat (limited to 'puppet/modules/site_couchdb/manifests')
-rw-r--r--puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp25
-rw-r--r--puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp5
-rw-r--r--puppet/modules/site_couchdb/manifests/configure.pp27
-rw-r--r--puppet/modules/site_couchdb/manifests/init.pp71
-rw-r--r--puppet/modules/site_couchdb/manifests/stunnel.pp104
5 files changed, 154 insertions, 78 deletions
diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
deleted file mode 100644
index 7739473e..00000000
--- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
+++ /dev/null
@@ -1,25 +0,0 @@
-define site_couchdb::apache_ssl_proxy ($key, $cert) {
-
- $apache_no_default_site = true
- include apache
- apache::module {
- 'proxy': ensure => present;
- 'proxy_http': ensure => present;
- 'rewrite': ensure => present;
- 'ssl': ensure => present;
- }
- apache::vhost::file { 'couchdb_proxy': }
-
- x509::key {
- 'leap_couchdb':
- content => $key,
- notify => Service[apache];
- }
-
- x509::cert {
- 'leap_couchdb':
- content => $cert,
- notify => Service[apache];
- }
-
-}
diff --git a/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp b/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp
new file mode 100644
index 00000000..241a4914
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp
@@ -0,0 +1,5 @@
+class site_couchdb::bigcouch::add_nodes {
+ # loop through neighbors array and add nodes
+ $nodes = $::site_couchdb::bigcouch_config['neighbors']
+ couchdb::bigcouch::add_node { $nodes: }
+}
diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp
deleted file mode 100644
index 333511b5..00000000
--- a/puppet/modules/site_couchdb/manifests/configure.pp
+++ /dev/null
@@ -1,27 +0,0 @@
-class site_couchdb::configure {
-
- file { '/etc/init.d/couchdb':
- source => 'puppet:///modules/site_couchdb/couchdb',
- mode => '0755',
- owner => 'root',
- group => 'root',
- }
-
- file { '/etc/couchdb/local.d/admin.ini':
- content => "[admins]
-admin = $site_couchdb::couchdb_admin_pw
-",
- mode => '0600',
- owner => 'couchdb',
- group => 'couchdb',
- notify => Service[couchdb]
- }
-
-
- exec { '/etc/init.d/couchdb restart; sleep 6':
- path => ['/bin', '/usr/bin',],
- subscribe => File['/etc/couchdb/local.d/admin.ini',
- '/etc/couchdb/local.ini'],
- refreshonly => true
- }
-}
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 9ecde5e6..802f3224 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -1,64 +1,83 @@
class site_couchdb {
tag 'leap_service'
- include couchdb
$x509 = hiera('x509')
$key = $x509['key']
$cert = $x509['cert']
+ $ca = $x509['ca_cert']
+
$couchdb_config = hiera('couch')
$couchdb_users = $couchdb_config['users']
$couchdb_admin = $couchdb_users['admin']
$couchdb_admin_user = $couchdb_admin['username']
$couchdb_admin_pw = $couchdb_admin['password']
+ $couchdb_admin_salt = $couchdb_admin['salt']
$couchdb_webapp = $couchdb_users['webapp']
$couchdb_webapp_user = $couchdb_webapp['username']
$couchdb_webapp_pw = $couchdb_webapp['password']
- $couchdb_ca_daemon = $couchdb_users['ca_daemon']
- $couchdb_ca_daemon_user = $couchdb_ca_daemon['username']
- $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password']
+ $couchdb_webapp_salt = $couchdb_webapp['salt']
+ $couchdb_soledad = $couchdb_users['soledad']
+ $couchdb_soledad_user = $couchdb_soledad['username']
+ $couchdb_soledad_pw = $couchdb_soledad['password']
+ $couchdb_soledad_salt = $couchdb_soledad['salt']
+
+ $bigcouch_config = $couchdb_config['bigcouch']
+ $bigcouch_cookie = $bigcouch_config['cookie']
+
+ $ednp_port = $bigcouch_config['ednp_port']
+
+ class { 'couchdb':
+ bigcouch => true,
+ admin_pw => $couchdb_admin_pw,
+ admin_salt => $couchdb_admin_salt,
+ bigcouch_cookie => $bigcouch_cookie,
+ ednp_port => $ednp_port
+ }
+
+ class { 'couchdb::bigcouch::package::cloudant': }
- Package ['couchdb']
- -> File['/etc/init.d/couchdb']
- -> File['/etc/couchdb/local.ini']
- -> File['/etc/couchdb/local.d/admin.ini']
- -> File['/etc/couchdb/couchdb.netrc']
+ Class ['couchdb::bigcouch::package::cloudant']
+ -> Service ['couchdb']
+ -> Class ['site_couchdb::bigcouch::add_nodes']
-> Couchdb::Create_db['users']
- -> Couchdb::Create_db['client_certificates']
+ -> Couchdb::Create_db['tokens']
-> Couchdb::Add_user[$couchdb_webapp_user]
- -> Couchdb::Add_user[$couchdb_ca_daemon_user]
- -> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy']
+ -> Couchdb::Add_user[$couchdb_soledad_user]
- include site_couchdb::configure
- include couchdb::deploy_config
-
- site_couchdb::apache_ssl_proxy { 'apache_ssl_proxy':
- key => $key,
- cert => $cert
+ class { 'site_couchdb::stunnel':
+ key => $key,
+ cert => $cert,
+ ca => $ca
}
+ class { 'site_couchdb::bigcouch::add_nodes': }
+
couchdb::query::setup { 'localhost':
user => $couchdb_admin_user,
- pw => $couchdb_admin_pw
+ pw => $couchdb_admin_pw,
}
# Populate couchdb
couchdb::add_user { $couchdb_webapp_user:
- roles => '["certs"]',
- pw => $couchdb_webapp_pw
+ roles => '["auth"]',
+ pw => $couchdb_webapp_pw,
+ salt => $couchdb_webapp_salt
}
- couchdb::add_user { $couchdb_ca_daemon_user:
- roles => '["certs"]',
- pw => $couchdb_ca_daemon_pw
+ couchdb::add_user { $couchdb_soledad_user:
+ roles => '["auth"]',
+ pw => $couchdb_soledad_pw,
+ salt => $couchdb_soledad_salt
}
couchdb::create_db { 'users':
readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }"
}
- couchdb::create_db { 'client_certificates':
- readers => "{ \"names\": [], \"roles\": [\"certs\"] }"
+ couchdb::create_db { 'tokens':
+ readers => "{ \"names\": [], \"roles\": [\"auth\"] }"
}
include site_shorewall::couchdb
+ include site_shorewall::couchdb::bigcouch
}
diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp
new file mode 100644
index 00000000..d982013e
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/stunnel.pp
@@ -0,0 +1,104 @@
+class site_couchdb::stunnel ($key, $cert, $ca) {
+
+ $stunnel = hiera('stunnel')
+
+ $couch_server = $stunnel['couch_server']
+ $couch_server_accept = $couch_server['accept']
+ $couch_server_connect = $couch_server['connect']
+
+ # Erlang Port Mapper Daemon (epmd) stunnel server/clients
+ $epmd_server = $stunnel['epmd_server']
+ $epmd_server_accept = $epmd_server['accept']
+ $epmd_server_connect = $epmd_server['connect']
+ $epmd_clients = $stunnel['epmd_clients']
+
+ # Erlang Distributed Node Protocol (ednp) stunnel server/clients
+ $ednp_server = $stunnel['ednp_server']
+ $ednp_server_accept = $ednp_server['accept']
+ $ednp_server_connect = $ednp_server['connect']
+ $ednp_clients = $stunnel['ednp_clients']
+
+ include x509::variables
+ $cert_name = 'leap_couchdb'
+ $ca_name = 'leap_ca'
+ $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt"
+ $cert_path = "${x509::variables::certs}/${cert_name}.crt"
+ $key_path = "${x509::variables::keys}/${cert_name}.key"
+
+ # basic setup: ensure cert, key, ca files are in place, and some generic
+ # stunnel things are done
+ class { 'site_stunnel::setup':
+ cert_name => $cert_name,
+ key => $key,
+ cert => $cert,
+ ca_name => $ca_name,
+ ca => $ca
+ }
+
+ # setup a stunnel server for the webapp to connect to couchdb
+ stunnel::service { 'couch_server':
+ accept => $couch_server_accept,
+ connect => $couch_server_connect,
+ client => false,
+ cafile => $ca_path,
+ key => $key_path,
+ cert => $cert_path,
+ verify => '2',
+ pid => '/var/run/stunnel4/couchserver.pid',
+ rndfile => '/var/lib/stunnel4/.rnd',
+ debuglevel => '4'
+ }
+
+
+ # setup stunnel server for Erlang Port Mapper Daemon (epmd), necessary for
+ # bigcouch clustering between each bigcouchdb node
+ stunnel::service { 'epmd_server':
+ accept => $epmd_server_accept,
+ connect => $epmd_server_connect,
+ client => false,
+ cafile => $ca_path,
+ key => $key_path,
+ cert => $cert_path,
+ verify => '2',
+ pid => '/var/run/stunnel4/epmd_server.pid',
+ rndfile => '/var/lib/stunnel4/.rnd',
+ debuglevel => '4'
+ }
+
+ # setup stunnel clients for Erlang Port Mapper Daemon (epmd) to connect
+ # to the above epmd stunnel server.
+ $epmd_client_defaults = {
+ 'client' => true,
+ 'cafile' => $ca_path,
+ 'key' => $key_path,
+ 'cert' => $cert_path,
+ }
+
+ create_resources(site_stunnel::clients, $epmd_clients, $epmd_client_defaults)
+
+ # setup stunnel server for Erlang Distributed Node Protocol (ednp), necessary
+ # for bigcouch clustering between each bigcouchdb node
+ stunnel::service { 'ednp_server':
+ accept => $ednp_server_accept,
+ connect => $ednp_server_connect,
+ client => false,
+ cafile => $ca_path,
+ key => $key_path,
+ cert => $cert_path,
+ verify => '2',
+ pid => '/var/run/stunnel4/ednp_server.pid',
+ rndfile => '/var/lib/stunnel4/.rnd',
+ debuglevel => '4'
+ }
+
+ # setup stunnel clients for Erlang Distributed Node Protocol (ednp) to connect
+ # to the above ednp stunnel server.
+ $ednp_client_defaults = {
+ 'client' => true,
+ 'cafile' => $ca_path,
+ 'key' => $key_path,
+ 'cert' => $cert_path,
+ }
+
+ create_resources(site_stunnel::clients, $ednp_clients, $ednp_client_defaults)
+}