11 files changed, 98 insertions, 60 deletions

diff --git a/puppet/modules/site_couchdb/manifests/add_users.pp b/puppet/modules/site_couchdb/manifests/add_users.pp
index 2f734ed4..c905316b 100644
--- a/puppet/modules/site_couchdb/manifests/add_users.pp
+++ b/puppet/modules/site_couchdb/manifests/add_users.pp
@@ -1,3 +1,4 @@
+# add couchdb users for all services
 class site_couchdb::add_users {
 
   Class['site_couchdb::create_dbs']
@@ -35,16 +36,6 @@ class site_couchdb::add_users {
     require => Couchdb::Query::Setup['localhost']
   }
 
-  ### tapicero couchdb user
-  ### admin: needs to be able to create user-<uuid> databases
-  ### read: users
-  couchdb::add_user { $site_couchdb::couchdb_tapicero_user:
-    roles   => '["users"]',
-    pw      => $site_couchdb::couchdb_tapicero_pw,
-    salt    => $site_couchdb::couchdb_tapicero_salt,
-    require => Couchdb::Query::Setup['localhost']
-  }
-
   ## webapp couchdb user
   ## read/write: users, tokens, sessions, tickets, identities, customer
   couchdb::add_user { $site_couchdb::couchdb_webapp_user:
diff --git a/puppet/modules/site_couchdb/manifests/bigcouch.pp b/puppet/modules/site_couchdb/manifests/bigcouch.pp
index 469a2783..2de3d4d0 100644
--- a/puppet/modules/site_couchdb/manifests/bigcouch.pp
+++ b/puppet/modules/site_couchdb/manifests/bigcouch.pp
@@ -44,4 +44,7 @@ class site_couchdb::bigcouch {
     require => Package['couchdb'],
     notify  => Service['couchdb']
   }
+
+  include site_check_mk::agent::couchdb::bigcouch
+
 }
diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp
index eea4bbf5..a2d1c655 100644
--- a/puppet/modules/site_couchdb/manifests/create_dbs.pp
+++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp
@@ -90,4 +90,13 @@ class site_couchdb::create_dbs {
     members => "{ \"names\": [\"${site_couchdb::couchdb_webapp_user}\"], \"roles\": [\"replication\"] }",
     require => Couchdb::Query::Setup['localhost']
   }
+
+  ## invite_codes db
+  ## store invite codes for new signups
+  ## r/w: webapp
+  couchdb::create_db { 'invite_codes':
+    members => "{ \"names\": [\"${site_couchdb::couchdb_webapp_user}\"], \"roles\": [\"replication\"] }",
+    require => Couchdb::Query::Setup['localhost']
+  }
+
 }
diff --git a/puppet/modules/site_couchdb/manifests/designs.pp b/puppet/modules/site_couchdb/manifests/designs.pp
index 1ab1c6a1..e5fd94c6 100644
--- a/puppet/modules/site_couchdb/manifests/designs.pp
+++ b/puppet/modules/site_couchdb/manifests/designs.pp
@@ -12,12 +12,13 @@ class site_couchdb::designs {
   }
 
   site_couchdb::upload_design {
-    'customers':   design => 'customers/Customer.json';
-    'identities':  design => 'identities/Identity.json';
-    'tickets':     design => 'tickets/Ticket.json';
-    'messages':    design => 'messages/Message.json';
-    'users':       design => 'users/User.json';
-    'tmp_users':   design => 'users/User.json';
+    'customers':    design => 'customers/Customer.json';
+    'identities':   design => 'identities/Identity.json';
+    'tickets':      design => 'tickets/Ticket.json';
+    'messages':     design => 'messages/Message.json';
+    'users':        design => 'users/User.json';
+    'tmp_users':    design => 'users/User.json';
+    'invite_codes': design => 'invite_codes/InviteCode.json';
     'shared_docs':
       db => 'shared',
       design => 'shared/docs.json';
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 6b6ddd3a..c4fe6277 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -26,11 +26,6 @@ class site_couchdb {
   $couchdb_soledad_pw       = $couchdb_soledad['password']
   $couchdb_soledad_salt     = $couchdb_soledad['salt']
 
-  $couchdb_tapicero         = $couchdb_users['tapicero']
-  $couchdb_tapicero_user    = $couchdb_tapicero['username']
-  $couchdb_tapicero_pw      = $couchdb_tapicero['password']
-  $couchdb_tapicero_salt    = $couchdb_tapicero['salt']
-
   $couchdb_webapp           = $couchdb_users['webapp']
   $couchdb_webapp_user      = $couchdb_webapp['username']
   $couchdb_webapp_pw        = $couchdb_webapp['password']
@@ -43,11 +38,14 @@ class site_couchdb {
 
   $couchdb_backup           = $couchdb_config['backup']
   $couchdb_mode             = $couchdb_config['mode']
-  $couchdb_pwhash_alg       = $couchdb_config['pwhash_alg']
 
-  if $couchdb_mode == 'multimaster' { include site_couchdb::bigcouch }
-  if $couchdb_mode == 'master'      { include site_couchdb::master }
-  if $couchdb_mode == 'mirror'      { include site_couchdb::mirror }
+  # ensure bigcouch has been purged from the system:
+  # TODO: remove this check in 0.9 release
+  if file('/opt/bigcouch/bin/bigcouch', '/dev/null') != '' {
+    fail 'ERROR: BigCouch appears to be installed. Make sure you have migrated to CouchDB before proceeding. See https://leap.se/upgrade-0-8'
+  }
+
+  include site_couchdb::plain
 
   Class['site_config::default']
     -> Service['shorewall']
@@ -55,6 +53,7 @@ class site_couchdb {
     -> Class['couchdb']
     -> Class['site_couchdb::setup']
 
+  include ::site_config::default
   include site_stunnel
 
   include site_couchdb::setup
@@ -66,6 +65,17 @@ class site_couchdb {
   if $couchdb_backup   { include site_couchdb::backup }
 
   include site_check_mk::agent::couchdb
-  include site_check_mk::agent::tapicero
+
+  # remove tapicero leftovers on couchdb nodes
+  include site_config::remove::tapicero
+
+  # Destroy every per-user storage database
+  # where the corresponding user record does not exist.
+  cron { 'cleanup_stale_userdbs':
+    command => '(/bin/date; /srv/leap/couchdb/scripts/cleanup-user-dbs) >> /var/log/leap/couchdb-cleanup.log',
+    user    => 'root',
+    hour    => 4,
+    minute  => 7;
+  }
 
 }
diff --git a/puppet/modules/site_couchdb/manifests/logrotate.pp b/puppet/modules/site_couchdb/manifests/logrotate.pp
index e1039d49..bb8843bb 100644
--- a/puppet/modules/site_couchdb/manifests/logrotate.pp
+++ b/puppet/modules/site_couchdb/manifests/logrotate.pp
@@ -1,12 +1,14 @@
+# configure couchdb logrotation
 class site_couchdb::logrotate {
 
   augeas {
     'logrotate_bigcouch':
       context => '/files/etc/logrotate.d/bigcouch/rule',
-      changes => [ 'set file /opt/bigcouch/var/log/*.log', 'set rotate 7',
-                   'set schedule daily', 'set compress compress',
-                   'set missingok missingok', 'set ifempty notifempty',
-                   'set copytruncate copytruncate' ]
+      changes => [
+        'set file /opt/bigcouch/var/log/*.log', 'set rotate 7',
+        'set schedule daily', 'set compress compress',
+        'set missingok missingok', 'set ifempty notifempty',
+        'set copytruncate copytruncate' ]
   }
 
 }
diff --git a/puppet/modules/site_couchdb/manifests/master.pp b/puppet/modules/site_couchdb/manifests/master.pp
deleted file mode 100644
index c28eee7d..00000000
--- a/puppet/modules/site_couchdb/manifests/master.pp
+++ /dev/null
@@ -1,9 +0,0 @@
-# this class sets up a single, plain couchdb node
-class site_couchdb::master {
-  class { 'couchdb':
-    admin_pw            => $site_couchdb::couchdb_admin_pw,
-    admin_salt          => $site_couchdb::couchdb_admin_salt,
-    chttpd_bind_address => '127.0.0.1',
-    pwhash_alg          => $site_couchdb::couchdb_pwhash_alg
-  }
-}
diff --git a/puppet/modules/site_couchdb/manifests/mirror.pp b/puppet/modules/site_couchdb/manifests/mirror.pp
index abe35c4c..fb82b897 100644
--- a/puppet/modules/site_couchdb/manifests/mirror.pp
+++ b/puppet/modules/site_couchdb/manifests/mirror.pp
@@ -1,3 +1,4 @@
+# configure mirroring of couch nodes
 class site_couchdb::mirror {
 
   Class['site_couchdb::add_users']
@@ -22,55 +23,55 @@ class site_couchdb::mirror {
 
   ### customer database
   couchdb::mirror_db { 'customers':
-    from => $from,
+    from    => $from,
     require => Couchdb::Query::Setup['localhost']
   }
 
   ## identities database
   couchdb::mirror_db { 'identities':
-    from => $from,
+    from    => $from,
     require => Couchdb::Query::Setup['localhost']
   }
 
   ## keycache database
   couchdb::mirror_db { 'keycache':
-    from => $from,
+    from    => $from,
     require => Couchdb::Query::Setup['localhost']
   }
 
   ## sessions database
   couchdb::mirror_db { 'sessions':
-    from => $from,
+    from    => $from,
     require => Couchdb::Query::Setup['localhost']
   }
 
   ## shared database
   couchdb::mirror_db { 'shared':
-    from => $from,
+    from    => $from,
     require => Couchdb::Query::Setup['localhost']
   }
 
   ## tickets database
   couchdb::mirror_db { 'tickets':
-    from => $from,
+    from    => $from,
     require => Couchdb::Query::Setup['localhost']
   }
 
   ## tokens database
   couchdb::mirror_db { 'tokens':
-    from => $from,
+    from    => $from,
     require => Couchdb::Query::Setup['localhost']
   }
 
   ## users database
   couchdb::mirror_db { 'users':
-    from => $from,
+    from    => $from,
     require => Couchdb::Query::Setup['localhost']
   }
 
   ## messages db
   couchdb::mirror_db { 'messages':
-    from => $from,
+    from    => $from,
     require => Couchdb::Query::Setup['localhost']
   }
 
diff --git a/puppet/modules/site_couchdb/manifests/plain.pp b/puppet/modules/site_couchdb/manifests/plain.pp
new file mode 100644
index 00000000..b40fc100
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/plain.pp
@@ -0,0 +1,14 @@
+# this class sets up a single, plain couchdb node
+class site_couchdb::plain {
+  class { 'couchdb':
+    admin_pw            => $site_couchdb::couchdb_admin_pw,
+    admin_salt          => $site_couchdb::couchdb_admin_salt,
+    chttpd_bind_address => '127.0.0.1'
+  }
+
+  include site_check_mk::agent::couchdb::plain
+
+  # remove bigcouch leftovers from previous installations
+  include ::site_config::remove::bigcouch
+
+}
diff --git a/puppet/modules/site_couchdb/manifests/setup.pp b/puppet/modules/site_couchdb/manifests/setup.pp
index 69bd1c6a..710d3c1c 100644
--- a/puppet/modules/site_couchdb/manifests/setup.pp
+++ b/puppet/modules/site_couchdb/manifests/setup.pp
@@ -12,27 +12,42 @@ class site_couchdb::setup {
 
   $user = $site_couchdb::couchdb_admin_user
 
-  # /etc/couchdb/couchdb-admin.netrc is deployed by couchdb::query::setup
-  # we symlink to couchdb.netrc for puppet commands.
-  # we symlink this to /root/.netrc for couchdb_scripts (eg. backup)
-  # and makes life easier for the admin (i.e. using curl/wget without
-  # passing credentials)
+  # setup /etc/couchdb/couchdb-admin.netrc for couchdb admin access
+  couchdb::query::setup { 'localhost':
+    user => $user,
+    pw   => $site_couchdb::couchdb_admin_pw
+  }
+
+  # We symlink /etc/couchdb/couchdb-admin.netrc to /etc/couchdb/couchdb.netrc
+  # for puppet commands, and to to /root/.netrc for couchdb_scripts
+  # (eg. backup) and to makes life easier for the admin on the command line
+  # (i.e. using curl/wget without passing credentials)
   file {
     '/etc/couchdb/couchdb.netrc':
       ensure  => link,
       target  => "/etc/couchdb/couchdb-${user}.netrc";
-
     '/root/.netrc':
       ensure  => link,
       target  => '/etc/couchdb/couchdb.netrc';
+  }
 
-    '/srv/leap/couchdb':
-      ensure => directory
+  # setup /etc/couchdb/couchdb-soledad-admin.netrc file for couchdb admin
+  # access, accessible only for the soledad-admin user to create soledad
+  # userdbs
+  if member(hiera('services', []), 'soledad') {
+    file { '/etc/couchdb/couchdb-soledad-admin.netrc':
+      content => "machine localhost login ${user} password ${site_couchdb::couchdb_admin_pw}",
+      mode    => '0400',
+      owner   => 'soledad-admin',
+      group   => 'root',
+      require => [ Package['couchdb'], User['soledad-admin'] ];
+    }
   }
 
-  couchdb::query::setup { 'localhost':
-    user  => $user,
-    pw    => $site_couchdb::couchdb_admin_pw,
+  # Checkout couchdb_scripts repo
+  file {
+    '/srv/leap/couchdb':
+      ensure => directory
   }
 
   vcsrepo { '/srv/leap/couchdb/scripts':
diff --git a/puppet/modules/site_couchdb/manifests/upload_design.pp b/puppet/modules/site_couchdb/manifests/upload_design.pp
index 7b0cabd7..bd73ebf2 100644
--- a/puppet/modules/site_couchdb/manifests/upload_design.pp
+++ b/puppet/modules/site_couchdb/manifests/upload_design.pp
@@ -1,4 +1,5 @@
-define site_couchdb::upload_design($db = $title, $design) {
+# upload a design doc to a db
+define site_couchdb::upload_design($design, $db = $title) {
   $design_name = regsubst($design, '^.*\/(.*)\.json$', '\1')
   $id = "_design/${design_name}"
   $file = "/srv/leap/couchdb/designs/${design}"