6 files changed, 522 insertions, 0 deletions
diff --git a/puppet/modules/site_couchdb/files/couchdb b/puppet/modules/site_couchdb/files/couchdb
new file mode 100755
index 00000000..ccdfe716
--- /dev/null
+++ b/puppet/modules/site_couchdb/files/couchdb
@@ -0,0 +1,160 @@
+#!/bin/sh -e
+
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+### BEGIN INIT INFO
+# Provides:          couchdb
+# Required-Start:    $local_fs $remote_fs
+# Required-Stop:     $local_fs $remote_fs
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Apache CouchDB init script
+# Description:       Apache CouchDB init script for the database server.
+### END INIT INFO
+
+SCRIPT_OK=0
+SCRIPT_ERROR=1
+
+DESCRIPTION="database server"
+NAME=couchdb
+SCRIPT_NAME=`basename $0`
+COUCHDB=/usr/bin/couchdb
+CONFIGURATION_FILE=/etc/default/couchdb
+RUN_DIR=/var/run/couchdb
+LSB_LIBRARY=/lib/lsb/init-functions
+
+if test ! -x $COUCHDB; then
+    exit $SCRIPT_ERROR
+fi
+
+if test -r $CONFIGURATION_FILE; then
+    . $CONFIGURATION_FILE
+fi
+
+log_daemon_msg () {
+    # Dummy function to be replaced by LSB library.
+
+    echo $@
+}
+
+log_end_msg () {
+    # Dummy function to be replaced by LSB library.
+
+    if test "$1" != "0"; then
+      echo "Error with $DESCRIPTION: $NAME"
+    fi
+    return $1
+}
+
+if test -r $LSB_LIBRARY; then
+    . $LSB_LIBRARY
+fi
+
+run_command () {
+    command="$1"
+    if test -n "$COUCHDB_OPTIONS"; then
+        command="$command $COUCHDB_OPTIONS"
+    fi
+    if test -n "$COUCHDB_USER"; then
+        if su $COUCHDB_USER -c "$command"; then
+            return $SCRIPT_OK
+        else
+            return $SCRIPT_ERROR
+        fi
+    else
+        if $command; then
+            return $SCRIPT_OK
+        else
+            return $SCRIPT_ERROR
+        fi
+    fi
+}
+
+start_couchdb () {
+    # Start Apache CouchDB as a background process.
+
+    mkdir -p "$RUN_DIR"
+    chown -R "$COUCHDB_USER" "$RUN_DIR"
+    command="$COUCHDB -b"
+    if test -n "$COUCHDB_STDOUT_FILE"; then
+        command="$command -o $COUCHDB_STDOUT_FILE"
+    fi
+    if test -n "$COUCHDB_STDERR_FILE"; then
+        command="$command -e $COUCHDB_STDERR_FILE"
+    fi
+    if test -n "$COUCHDB_RESPAWN_TIMEOUT"; then
+        command="$command -r $COUCHDB_RESPAWN_TIMEOUT"
+    fi
+    run_command "$command" > /dev/null
+}
+
+stop_couchdb () {
+    # Stop the running Apache CouchDB process.
+
+    run_command "$COUCHDB -d" > /dev/null
+    pkill -u couchdb
+    # always return true even if no remaining couchdb procs got killed
+    /bin/true
+}
+
+display_status () {
+    # Display the status of the running Apache CouchDB process.
+
+    run_command "$COUCHDB -s"
+}
+
+parse_script_option_list () {
+    # Parse arguments passed to the script and take appropriate action.
+
+    case "$1" in
+        start)
+            log_daemon_msg "Starting $DESCRIPTION" $NAME
+            if start_couchdb; then
+                log_end_msg $SCRIPT_OK
+            else
+                log_end_msg $SCRIPT_ERROR
+            fi
+            ;;
+        stop)
+            log_daemon_msg "Stopping $DESCRIPTION" $NAME
+            if stop_couchdb; then
+                log_end_msg $SCRIPT_OK
+            else
+                log_end_msg $SCRIPT_ERROR
+            fi
+            ;;
+        restart|force-reload)
+            log_daemon_msg "Restarting $DESCRIPTION" $NAME
+            if stop_couchdb; then
+                if start_couchdb; then
+                    log_end_msg $SCRIPT_OK
+                else
+                    log_end_msg $SCRIPT_ERROR
+                fi
+            else
+                log_end_msg $SCRIPT_ERROR
+            fi
+            ;;
+        status)
+            display_status
+            ;;
+        *)
+            cat << EOF >&2
+Usage: $SCRIPT_NAME {start|stop|restart|force-reload|status}
+EOF
+            exit $SCRIPT_ERROR
+            ;;
+    esac
+}
+
+parse_script_option_list $@
diff --git a/puppet/modules/site_couchdb/files/leap_ca_daemon b/puppet/modules/site_couchdb/files/leap_ca_daemon
new file mode 100755
index 00000000..9a1a0bc7
--- /dev/null
+++ b/puppet/modules/site_couchdb/files/leap_ca_daemon
@@ -0,0 +1,157 @@
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides:          leap_ca_daemon
+# Required-Start:    $remote_fs $syslog
+# Required-Stop:     $remote_fs $syslog
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: leap_ca_daemon initscript 
+# Description:       Controls leap_ca_daemon (see https://github.com/leapcode/leap_ca
+#                    for more information.				 
+### END INIT INFO
+
+# Author: varac <varac@leap.se>
+#
+
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="leap_ca_daemon initscript"
+NAME=leap_ca_daemon
+DAEMON=/usr/local/bin/$NAME
+DAEMON_ARGS="run "
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/$NAME
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+	# Return
+	#   0 if daemon has been started
+	#   1 if daemon was already running
+	#   2 if daemon could not be started
+	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+		|| return 1
+	start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
+		$DAEMON_ARGS \
+		|| return 2
+	# Add code here, if necessary, that waits for the process to be ready
+	# to handle requests from services started subsequently which depend
+	# on this one.  As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+	# Return
+	#   0 if daemon has been stopped
+	#   1 if daemon was already stopped
+	#   2 if daemon could not be stopped
+	#   other if a failure occurred
+	start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+	RETVAL="$?"
+	[ "$RETVAL" = 2 ] && return 2
+	# Wait for children to finish too if this is a daemon that forks
+	# and if the daemon is only ever run from this initscript.
+	# If the above conditions are not satisfied then add some other code
+	# that waits for the process to drop all resources that could be
+	# needed by services started subsequently.  A last resort is to
+	# sleep for some time.
+	start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+	[ "$?" = 2 ] && return 2
+	# Many daemons don't delete their pidfiles when they exit.
+	rm -f $PIDFILE
+	return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+	#
+	# If the daemon can reload its configuration without
+	# restarting (for example, when it is sent a SIGHUP),
+	# then implement that here.
+	#
+	start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+	return 0
+}
+
+case "$1" in
+  start)
+	[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+	do_start
+	case "$?" in
+		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+	esac
+	;;
+  stop)
+	[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+	do_stop
+	case "$?" in
+		0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+		2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+	esac
+	;;
+  status)
+	status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+	;;
+  #reload|force-reload)
+	#
+	# If do_reload() is not implemented then leave this commented out
+	# and leave 'force-reload' as an alias for 'restart'.
+	#
+	#log_daemon_msg "Reloading $DESC" "$NAME"
+	#do_reload
+	#log_end_msg $?
+	#;;
+  restart|force-reload)
+	#
+	# If the "reload" option is implemented then remove the
+	# 'force-reload' alias
+	#
+	log_daemon_msg "Restarting $DESC" "$NAME"
+	do_stop
+	case "$?" in
+	  0|1)
+		do_start
+		case "$?" in
+			0) log_end_msg 0 ;;
+			1) log_end_msg 1 ;; # Old process is still running
+			*) log_end_msg 1 ;; # Failed to start
+		esac
+		;;
+	  *)
+		# Failed to stop
+		log_end_msg 1
+		;;
+	esac
+	;;
+  *)
+	#echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+	echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+	exit 3
+	;;
+esac
+
+:
diff --git a/puppet/modules/site_couchdb/files/local.ini b/puppet/modules/site_couchdb/files/local.ini
new file mode 100644
index 00000000..b3376cbb
--- /dev/null
+++ b/puppet/modules/site_couchdb/files/local.ini
@@ -0,0 +1,89 @@
+; CouchDB Configuration Settings
+
+; Custom settings should be made in this file. They will override settings
+; in default.ini, but unlike changes made to default.ini, this file won't be
+; overwritten on server upgrade.
+
+[couchdb]
+;max_document_size = 4294967296 ; bytes
+
+[httpd]
+;port = 5984
+;bind_address = 127.0.0.1
+; Options for the MochiWeb HTTP server.
+;server_options = [{backlog, 128}, {acceptor_pool_size, 16}]
+; For more socket options, consult Erlang's module 'inet' man page.
+;socket_options = [{recbuf, 262144}, {sndbuf, 262144}, {nodelay, true}]
+
+; Uncomment next line to trigger basic-auth popup on unauthorized requests.
+;WWW-Authenticate = Basic realm="administrator"
+
+; Uncomment next line to set the configuration modification whitelist. Only
+; whitelisted values may be changed via the /_config URLs. To allow the admin
+; to change this value over HTTP, remember to include {httpd,config_whitelist}
+; itself. Excluding it from the list would require editing this file to update
+; the whitelist.
+;config_whitelist = [{httpd,config_whitelist}, {log,level}, {etc,etc}]
+
+[httpd_global_handlers]
+;_google = {couch_httpd_proxy, handle_proxy_req, <<"http://www.google.com">>}
+
+# enable futon
+_utils = {couch_httpd_misc_handlers, handle_utils_dir_req, "/usr/share/couchdb/www"}
+# disable futon
+#_utils =  {couch_httpd_misc_handlers, handle_welcome_req, <<"Welcome, Futon is disabled!">>}
+
+[couch_httpd_auth]
+; If you set this to true, you should also uncomment the WWW-Authenticate line
+; above. If you don't configure a WWW-Authenticate header, CouchDB will send
+; Basic realm="server" in order to prevent you getting logged out.
+; require_valid_user = false
+
+[log]
+;level = debug
+
+[os_daemons]
+; For any commands listed here, CouchDB will attempt to ensure that
+; the process remains alive while CouchDB runs as well as shut them
+; down when CouchDB exits.
+;foo = /path/to/command -with args
+
+[daemons]
+; enable SSL support by uncommenting the following line and supply the PEM's below.
+; the default ssl port CouchDB listens on is 6984
+;httpsd = {couch_httpd, start_link, [https]}
+
+[ssl]
+;cert_file = /etc/couchdb/server_cert.pem
+;key_file  = /etc/couchdb/server_key.pem
+;password = somepassword
+; set to true to validate peer certificates
+;verify_ssl_certificates = false
+; Path to file containing PEM encoded CA certificates (trusted
+; certificates used for verifying a peer certificate). May be omitted if
+; you do not want to verify the peer.
+;cacert_file = /full/path/to/cacertf
+; The verification fun (optionnal) if not specidied, the default
+; verification fun will be used.
+;verify_fun = {Module, VerifyFun}
+;ssl_certificate_max_depth = 1
+; To enable Virtual Hosts in CouchDB, add a vhost = path directive. All requests to
+; the Virual Host will be redirected to the path. In the example below all requests
+; to http://example.com/ are redirected to /database.
+; If you run CouchDB on a specific port, include the port number in the vhost:
+; example.com:5984 = /database
+
+[vhosts]
+;example.com = /database/
+
+[update_notification]
+;unique notifier name=/full/path/to/exe -with "cmd line arg"
+
+; To create an admin account uncomment the '[admins]' section below and add a
+; line in the format 'username = password'. When you next start CouchDB, it
+; will change the password to a hash (so that your passwords don't linger
+; around in plain-text files). You can add more admin accounts with more
+; 'username = password' lines. Don't forget to restart CouchDB after
+; changing this.
+;[admins]
+;admin = mysecretpassword
diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
new file mode 100644
index 00000000..7739473e
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp
@@ -0,0 +1,25 @@
+define site_couchdb::apache_ssl_proxy ($key, $cert) {
+
+  $apache_no_default_site = true
+  include apache
+  apache::module {
+    'proxy':        ensure => present;
+    'proxy_http':   ensure => present;
+    'rewrite':      ensure => present;
+    'ssl':          ensure => present;
+  }
+  apache::vhost::file { 'couchdb_proxy': }
+
+  x509::key {
+    'leap_couchdb':
+      content => $key,
+      notify  => Service[apache];
+  }
+
+  x509::cert {
+    'leap_couchdb':
+      content => $cert,
+      notify  => Service[apache];
+  }
+
+}
diff --git a/puppet/modules/site_couchdb/manifests/configure.pp b/puppet/modules/site_couchdb/manifests/configure.pp
new file mode 100644
index 00000000..333511b5
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/configure.pp
@@ -0,0 +1,27 @@
+class site_couchdb::configure {
+
+  file { '/etc/init.d/couchdb':
+    source => 'puppet:///modules/site_couchdb/couchdb',
+    mode   => '0755',
+    owner  => 'root',
+    group  => 'root',
+  }
+
+  file { '/etc/couchdb/local.d/admin.ini':
+    content => "[admins]
+admin = $site_couchdb::couchdb_admin_pw
+",
+    mode    => '0600',
+    owner   => 'couchdb',
+    group   => 'couchdb',
+    notify  => Service[couchdb]
+  }
+
+
+  exec { '/etc/init.d/couchdb restart; sleep 6':
+    path        => ['/bin', '/usr/bin',],
+    subscribe   => File['/etc/couchdb/local.d/admin.ini',
+      '/etc/couchdb/local.ini'],
+    refreshonly => true
+  }
+}
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp
new file mode 100644
index 00000000..9ecde5e6
--- /dev/null
+++ b/puppet/modules/site_couchdb/manifests/init.pp
@@ -0,0 +1,64 @@
+class site_couchdb {
+  tag 'leap_service'
+  include couchdb
+
+  $x509                   = hiera('x509')
+  $key                    = $x509['key']
+  $cert                   = $x509['cert']
+  $couchdb_config         = hiera('couch')
+  $couchdb_users          = $couchdb_config['users']
+  $couchdb_admin          = $couchdb_users['admin']
+  $couchdb_admin_user     = $couchdb_admin['username']
+  $couchdb_admin_pw       = $couchdb_admin['password']
+  $couchdb_webapp         = $couchdb_users['webapp']
+  $couchdb_webapp_user    = $couchdb_webapp['username']
+  $couchdb_webapp_pw      = $couchdb_webapp['password']
+  $couchdb_ca_daemon      = $couchdb_users['ca_daemon']
+  $couchdb_ca_daemon_user = $couchdb_ca_daemon['username']
+  $couchdb_ca_daemon_pw   = $couchdb_ca_daemon['password']
+
+  Package ['couchdb']
+    -> File['/etc/init.d/couchdb']
+    -> File['/etc/couchdb/local.ini']
+    -> File['/etc/couchdb/local.d/admin.ini']
+    -> File['/etc/couchdb/couchdb.netrc']
+    -> Couchdb::Create_db['users']
+    -> Couchdb::Create_db['client_certificates']
+    -> Couchdb::Add_user[$couchdb_webapp_user]
+    -> Couchdb::Add_user[$couchdb_ca_daemon_user]
+    -> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy']
+
+  include site_couchdb::configure
+  include couchdb::deploy_config
+
+  site_couchdb::apache_ssl_proxy { 'apache_ssl_proxy':
+    key   => $key,
+    cert  => $cert
+  }
+
+  couchdb::query::setup { 'localhost':
+    user  => $couchdb_admin_user,
+    pw    => $couchdb_admin_pw
+  }
+
+  # Populate couchdb
+  couchdb::add_user { $couchdb_webapp_user:
+    roles => '["certs"]',
+    pw    => $couchdb_webapp_pw
+  }
+
+  couchdb::add_user { $couchdb_ca_daemon_user:
+    roles => '["certs"]',
+    pw    => $couchdb_ca_daemon_pw
+  }
+
+  couchdb::create_db { 'users':
+    readers => "{ \"names\": [\"$couchdb_webapp_user\"], \"roles\": [] }"
+  }
+
+  couchdb::create_db { 'client_certificates':
+    readers => "{ \"names\": [], \"roles\": [\"certs\"] }"
+  }
+
+  include site_shorewall::couchdb
+}