Diffstat (limited to 'puppet/modules/site_couchdb')
-rwxr-xr-xpuppet/modules/site_couchdb/files/couchdb160
-rw-r--r--puppet/modules/site_couchdb/files/local.ini4
-rw-r--r--puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp25
-rw-r--r--puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp5
-rw-r--r--puppet/modules/site_couchdb/manifests/configure.pp27
-rw-r--r--puppet/modules/site_couchdb/manifests/init.pp71
-rw-r--r--puppet/modules/site_couchdb/manifests/stunnel.pp104
7 files changed, 157 insertions, 239 deletions
diff --git a/puppet/modules/site_couchdb/files/couchdb b/puppet/modules/site_couchdb/files/couchdb
deleted file mode 100755
index ccdfe716..00000000
--- a/puppet/modules/site_couchdb/files/couchdb
+++ /dev/null
@@ -1,160 +0,0 @@
-#!/bin/sh -e
-
-# Licensed under the Apache License, Version 2.0 (the "License"); you may not
-# use this file except in compliance with the License. You may obtain a copy of
-# the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-# License for the specific language governing permissions and limitations under
-# the License.
-
-### BEGIN INIT INFO
-# Provides: couchdb
-# Required-Start: $local_fs $remote_fs
-# Required-Stop: $local_fs $remote_fs
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: Apache CouchDB init script
-# Description: Apache CouchDB init script for the database server.
-### END INIT INFO
-
-SCRIPT_OK=0
-SCRIPT_ERROR=1
-
-DESCRIPTION="database server"
-NAME=couchdb
-SCRIPT_NAME=`basename $0`
-COUCHDB=/usr/bin/couchdb
-CONFIGURATION_FILE=/etc/default/couchdb
-RUN_DIR=/var/run/couchdb
-LSB_LIBRARY=/lib/lsb/init-functions
-
-if test ! -x $COUCHDB; then
- exit $SCRIPT_ERROR
-fi
-
-if test -r $CONFIGURATION_FILE; then
- . $CONFIGURATION_FILE
-fi
-
-log_daemon_msg () {
- # Dummy function to be replaced by LSB library.
-
- echo $@
-}
-
-log_end_msg () {
- # Dummy function to be replaced by LSB library.
-
- if test "$1" != "0"; then
- echo "Error with $DESCRIPTION: $NAME"
- fi
- return $1
-}
-
-if test -r $LSB_LIBRARY; then
- . $LSB_LIBRARY
-fi
-
-run_command () {
- command="$1"
- if test -n "$COUCHDB_OPTIONS"; then
- command="$command $COUCHDB_OPTIONS"
- fi
- if test -n "$COUCHDB_USER"; then
- if su $COUCHDB_USER -c "$command"; then
- return $SCRIPT_OK
- else
- return $SCRIPT_ERROR
- fi
- else
- if $command; then
- return $SCRIPT_OK
- else
- return $SCRIPT_ERROR
- fi
- fi
-}
-
-start_couchdb () {
- # Start Apache CouchDB as a background process.
-
- mkdir -p "$RUN_DIR"
- chown -R "$COUCHDB_USER" "$RUN_DIR"
- command="$COUCHDB -b"
- if test -n "$COUCHDB_STDOUT_FILE"; then
- command="$command -o $COUCHDB_STDOUT_FILE"
- fi
- if test -n "$COUCHDB_STDERR_FILE"; then
- command="$command -e $COUCHDB_STDERR_FILE"
- fi
- if test -n "$COUCHDB_RESPAWN_TIMEOUT"; then
- command="$command -r $COUCHDB_RESPAWN_TIMEOUT"
- fi
- run_command "$command" > /dev/null
-}
-
-stop_couchdb () {
- # Stop the running Apache CouchDB process.
-
- run_command "$COUCHDB -d" > /dev/null
- pkill -u couchdb
- # always return true even if no remaining couchdb procs got killed
- /bin/true
-}
-
-display_status () {
- # Display the status of the running Apache CouchDB process.
-
- run_command "$COUCHDB -s"
-}
-
-parse_script_option_list () {
- # Parse arguments passed to the script and take appropriate action.
-
- case "$1" in
- start)
- log_daemon_msg "Starting $DESCRIPTION" $NAME
- if start_couchdb; then
- log_end_msg $SCRIPT_OK
- else
- log_end_msg $SCRIPT_ERROR
- fi
- ;;
- stop)
- log_daemon_msg "Stopping $DESCRIPTION" $NAME
- if stop_couchdb; then
- log_end_msg $SCRIPT_OK
- else
- log_end_msg $SCRIPT_ERROR
- fi
- ;;
- restart|force-reload)
- log_daemon_msg "Restarting $DESCRIPTION" $NAME
- if stop_couchdb; then
- if start_couchdb; then
- log_end_msg $SCRIPT_OK
- else
- log_end_msg $SCRIPT_ERROR
- fi
- else
- log_end_msg $SCRIPT_ERROR
- fi
- ;;
- status)
- display_status
- ;;
- *)
- cat << EOF >&2
-Usage: $SCRIPT_NAME {start|stop|restart|force-reload|status}
-EOF
- exit $SCRIPT_ERROR
- ;;
- esac
-}
-
-parse_script_option_list $@
diff --git a/puppet/modules/site_couchdb/files/local.ini b/puppet/modules/site_couchdb/files/local.ini
index b3376cbb..22aa0177 100644
--- a/puppet/modules/site_couchdb/files/local.ini
+++ b/puppet/modules/site_couchdb/files/local.ini
@@ -28,8 +28,10 @@
[httpd_global_handlers]
;_google = {couch_httpd_proxy, handle_proxy_req, <<"http://www.google.com">>}
+# futon is enabled by default on bigcouch in default.ini
+# we need to find another way to disable futon, it won't work disabling it here
# enable futon
-_utils = {couch_httpd_misc_handlers, handle_utils_dir_req, "/usr/share/couchdb/www"}
+#_utils = {couch_httpd_misc_handlers, handle_utils_dir_req, "/usr/share/couchdb/www"}
# disable futon
#_utils = {couch_httpd_misc_handlers, handle_welcome_req, <<"Welcome, Futon is disabled!">>}
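Review bot: The new state leaves no active `_utils` entry, so futon stays enabled via bigcouch's default.ini as the added comment says, yet the `# enable futon` label on the following line now sits above a commented-out setting and reads as if futon were being enabled here. Rewording the two added lines to state the outcome directly, e.g. `# _utils left unset: bigcouch's default.ini already enables futon and an override here did not take effect, so futon remains enabled until it is disabled elsewhere (TODO)`, would keep the next reader from re-trying the same edit. If the `handle_welcome_req` variant below was among what was tried, saying so in the same comment would be useful.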
diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
deleted file mode 100644
index 7739473e..00000000
--- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
+++ /dev/null
@@ -1,25 +0,0 @@
-define site_couchdb::apache_ssl_proxy ($key, $cert) {
-
- $apache_no_default_site = true
- include apache
- apache::module {
- 'proxy': ensure => present;
- 'proxy_http': ensure => present;
- 'rewrite': ensure => present;
- 'ssl': ensure => present;
- }
- apache::vhost::file { 'couchdb_proxy': }
-
- x509::key {
- 'leap_couchdb':
- content => $key,
- notify => Service[apache];
- }
-
- x509::cert {
- 'leap_couchdb':
- content => $cert,
- notify => Service[apache];
- }
-
-}
diff --git a/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp b/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp
new file mode 100644
index 00000000..241a4914
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/bigcouch/add_nodes.pp
@@ -0,0 +1,5 @@
+class site_couchdb::bigcouch::add_nodes {
+ # loop through neighbors array and add nodes
+ $nodes = $::site_couchdb::bigcouch_config['neighbors']
+ couchdb::bigcouch::add_node { $nodes: }
+}
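Review bot: The new class has no header comment and the inline comment says what the loop does but not where `neighbors` comes from; a header such as `# Joins this node to every bigcouch neighbor listed under bigcouch.neighbors in the 'couch' hiera hash (read by site_couchdb), one couchdb::bigcouch::add_node resource per entry` would make the data dependency visible. If `neighbors` is absent from hiera, `$nodes` is undef and the resource declaration on the last line presumably fails at catalog compile time rather than creating nothing; if a single-node deployment is a supported case, that is worth documenting or guarding.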
diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp
deleted file mode 100644
index 333511b5..00000000
--- a/puppet/modules/site_couchdb/manifests/configure.pp
+++ /dev/null
@@ -1,27 +0,0 @@
-class site_couchdb::configure {
-
- file { '/etc/init.d/couchdb':
- source => 'puppet:///modules/site_couchdb/couchdb',
- mode => '0755',
- owner => 'root',
- group => 'root',
- }
-
- file { '/etc/couchdb/local.d/admin.ini':
- content => "[admins]
-admin = $site_couchdb::couchdb_admin_pw
-",
- mode => '0600',
- owner => 'couchdb',
- group => 'couchdb',
- notify => Service[couchdb]
- }
-
-
- exec { '/etc/init.d/couchdb restart; sleep 6':
- path => ['/bin', '/usr/bin',],
- subscribe => File['/etc/couchdb/local.d/admin.ini',
- '/etc/couchdb/local.ini'],
- refreshonly => true
- }
-}
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
index 9ecde5e6..802f3224 100644
--- a/puppet/modules/site_couchdb/manifests/init.pp
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -1,64 +1,83 @@
class site_couchdb {
tag 'leap_service'
- include couchdb
$x509 = hiera('x509')
$key = $x509['key']
$cert = $x509['cert']
+ $ca = $x509['ca_cert']
+
$couchdb_config = hiera('couch')
$couchdb_users = $couchdb_config['users']
$couchdb_admin = $couchdb_users['admin']
$couchdb_admin_user = $couchdb_admin['username']
$couchdb_admin_pw = $couchdb_admin['password']
+ $couchdb_admin_salt = $couchdb_admin['salt']
$couchdb_webapp = $couchdb_users['webapp']
$couchdb_webapp_user = $couchdb_webapp['username']
$couchdb_webapp_pw = $couchdb_webapp['password']
- $couchdb_ca_daemon = $couchdb_users['ca_daemon']
- $couchdb_ca_daemon_user = $couchdb_ca_daemon['username']
- $couchdb_ca_daemon_pw = $couchdb_ca_daemon['password']
+ $couchdb_webapp_salt = $couchdb_webapp['salt']
+ $couchdb_soledad = $couchdb_users['soledad']
+ $couchdb_soledad_user = $couchdb_soledad['username']
+ $couchdb_soledad_pw = $couchdb_soledad['password']
+ $couchdb_soledad_salt = $couchdb_soledad['salt']
+
+ $bigcouch_config = $couchdb_config['bigcouch']
+ $bigcouch_cookie = $bigcouch_config['cookie']
+
+ $ednp_port = $bigcouch_config['ednp_port']
+
+ class { 'couchdb':
+ bigcouch => true,
+ admin_pw => $couchdb_admin_pw,
+ admin_salt => $couchdb_admin_salt,
+ bigcouch_cookie => $bigcouch_cookie,
+ ednp_port => $ednp_port
+ }
+
+ class { 'couchdb::bigcouch::package::cloudant': }
- Package ['couchdb']
- -> File['/etc/init.d/couchdb']
- -> File['/etc/couchdb/local.ini']
- -> File['/etc/couchdb/local.d/admin.ini']
- -> File['/etc/couchdb/couchdb.netrc']
+ Class ['couchdb::bigcouch::package::cloudant']
+ -> Service ['couchdb']
+ -> Class ['site_couchdb::bigcouch::add_nodes']
-> Couchdb::Create_db['users']
- -> Couchdb::Create_db['client_certificates']
+ -> Couchdb::Create_db['tokens']
-> Couchdb::Add_user[$couchdb_webapp_user]
- -> Couchdb::Add_user[$couchdb_ca_daemon_user]
- -> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy']
+ -> Couchdb::Add_user[$couchdb_soledad_user]
- include site_couchdb::configure
- include couchdb::deploy_config
-
- site_couchdb::apache_ssl_proxy { 'apache_ssl_proxy':
- key => $key,
- cert => $cert
+ class { 'site_couchdb::stunnel':
+ key => $key,
+ cert => $cert,
+ ca => $ca
}
+ class { 'site_couchdb::bigcouch::add_nodes': }
+
couchdb::query::setup { 'localhost':
user => $couchdb_admin_user,
- pw => $couchdb_admin_pw
+ pw => $couchdb_admin_pw,
}
# Populate couchdb
couchdb::add_user { $couchdb_webapp_user:
- roles => '["certs"]',
- pw => $couchdb_webapp_pw
+ roles => '["auth"]',
+ pw => $couchdb_webapp_pw,
+ salt => $couchdb_webapp_salt
}
- couchdb::add_user { $couchdb_ca_daemon_user:
- roles => '["certs"]',
- pw => $couchdb_ca_daemon_pw
+ couchdb::add_user { $couchdb_soledad_user:
+ roles => '["auth"]',
+ pw => $couchdb_soledad_pw,
+ salt => $couchdb_soledad_salt
}
couchdb::create_db { 'users':
readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }"
}
- couchdb::create_db { 'client_certificates':
- readers => "{ \"names\": [], \"roles\": [\"certs\"] }"
+ couchdb::create_db { 'tokens':
+ readers => "{ \"names\": [], \"roles\": [\"auth\"] }"
}
include site_shorewall::couchdb
+ include site_shorewall::couchdb::bigcouch
}
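Review bot: The ordering chain on the new side (`Class ['couchdb::bigcouch::package::cloudant'] -> Service ['couchdb'] -> Class ['site_couchdb::bigcouch::add_nodes'] -> ...`) does not include `Class['site_couchdb::stunnel']`, yet add_nodes is what joins this node to its neighbors, and the epmd/ednp traffic between nodes is presumably meant to travel through the tunnels that class sets up. Without an edge, a first run can attempt the join before the tunnels exist; adding `Class['site_couchdb::stunnel'] -> Class['site_couchdb::bigcouch::add_nodes']` next to the chain pins that. Separately, the `readers` values are built by interpolating `$couchdb_webapp_user` into a JSON string; the value is operator-supplied via hiera, but a username containing a double quote would yield invalid JSON, so a one-line comment stating that assumption would help.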
diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp
new file mode 100644
index 00000000..d982013e
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/stunnel.pp
@@ -0,0 +1,104 @@
+class site_couchdb::stunnel ($key, $cert, $ca) {
+
+ $stunnel = hiera('stunnel')
+
+ $couch_server = $stunnel['couch_server']
+ $couch_server_accept = $couch_server['accept']
+ $couch_server_connect = $couch_server['connect']
+
+ # Erlang Port Mapper Daemon (epmd) stunnel server/clients
+ $epmd_server = $stunnel['epmd_server']
+ $epmd_server_accept = $epmd_server['accept']
+ $epmd_server_connect = $epmd_server['connect']
+ $epmd_clients = $stunnel['epmd_clients']
+
+ # Erlang Distributed Node Protocol (ednp) stunnel server/clients
+ $ednp_server = $stunnel['ednp_server']
+ $ednp_server_accept = $ednp_server['accept']
+ $ednp_server_connect = $ednp_server['connect']
+ $ednp_clients = $stunnel['ednp_clients']
+
+ include x509::variables
+ $cert_name = 'leap_couchdb'
+ $ca_name = 'leap_ca'
+ $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt"
+ $cert_path = "${x509::variables::certs}/${cert_name}.crt"
+ $key_path = "${x509::variables::keys}/${cert_name}.key"
+
+ # basic setup: ensure cert, key, ca files are in place, and some generic
+ # stunnel things are done
+ class { 'site_stunnel::setup':
+ cert_name => $cert_name,
+ key => $key,
+ cert => $cert,
+ ca_name => $ca_name,
+ ca => $ca
+ }
+
+ # setup a stunnel server for the webapp to connect to couchdb
+ stunnel::service { 'couch_server':
+ accept => $couch_server_accept,
+ connect => $couch_server_connect,
+ client => false,
+ cafile => $ca_path,
+ key => $key_path,
+ cert => $cert_path,
+ verify => '2',
+ pid => '/var/run/stunnel4/couchserver.pid',
+ rndfile => '/var/lib/stunnel4/.rnd',
+ debuglevel => '4'
+ }
+
+
+ # setup stunnel server for Erlang Port Mapper Daemon (epmd), necessary for
+ # bigcouch clustering between each bigcouchdb node
+ stunnel::service { 'epmd_server':
+ accept => $epmd_server_accept,
+ connect => $epmd_server_connect,
+ client => false,
+ cafile => $ca_path,
+ key => $key_path,
+ cert => $cert_path,
+ verify => '2',
+ pid => '/var/run/stunnel4/epmd_server.pid',
+ rndfile => '/var/lib/stunnel4/.rnd',
+ debuglevel => '4'
+ }
+
+ # setup stunnel clients for Erlang Port Mapper Daemon (epmd) to connect
+ # to the above epmd stunnel server.
+ $epmd_client_defaults = {
+ 'client' => true,
+ 'cafile' => $ca_path,
+ 'key' => $key_path,
+ 'cert' => $cert_path,
+ }
+
+ create_resources(site_stunnel::clients, $epmd_clients, $epmd_client_defaults)
+
+ # setup stunnel server for Erlang Distributed Node Protocol (ednp), necessary
+ # for bigcouch clustering between each bigcouchdb node
+ stunnel::service { 'ednp_server':
+ accept => $ednp_server_accept,
+ connect => $ednp_server_connect,
+ client => false,
+ cafile => $ca_path,
+ key => $key_path,
+ cert => $cert_path,
+ verify => '2',
+ pid => '/var/run/stunnel4/ednp_server.pid',
+ rndfile => '/var/lib/stunnel4/.rnd',
+ debuglevel => '4'
+ }
+
+ # setup stunnel clients for Erlang Distributed Node Protocol (ednp) to connect
+ # to the above ednp stunnel server.
+ $ednp_client_defaults = {
+ 'client' => true,
+ 'cafile' => $ca_path,
+ 'key' => $key_path,
+ 'cert' => $cert_path,
+ }
+
+ create_resources(site_stunnel::clients, $ednp_clients, $ednp_client_defaults)
+}
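Review bot: All three server tunnels use `verify => '2'`, which in stunnel accepts any certificate chaining to `cafile` (here `leap_ca`) rather than a specific peer, so every holder of a certificate from that CA, not only the webapp or the other bigcouch nodes, can connect to the couch, epmd and ednp tunnels. This may be intended, but it deserves a line in the comment above each server block, e.g. `# verify 2: any cert issued by leap_ca is accepted; pinning specific peers would need verify 3 with locally installed peer certs`. The pid for the couch tunnel is `/var/run/stunnel4/couchserver.pid` while the other two follow `<name>_server.pid`; `/var/run/stunnel4/couch_server.pid` would keep the pattern consistent.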