summaryrefslogtreecommitdiff
path: root/puppet/modules/site_nickserver
diff options
context:
space:
mode:
Diffstat (limited to 'puppet/modules/site_nickserver')
-rw-r--r--puppet/modules/site_nickserver/manifests/init.pp89
-rw-r--r--puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb6
-rw-r--r--puppet/modules/site_nickserver/templates/nickserver.yml.erb2
3 files changed, 52 insertions, 45 deletions
diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp
index 7dfa2603..eaf90d55 100644
--- a/puppet/modules/site_nickserver/manifests/init.pp
+++ b/puppet/modules/site_nickserver/manifests/init.pp
@@ -1,37 +1,47 @@
#
-# TODO: currently, this is dependent on some things that are set up in site_webapp
+# TODO: currently, this is dependent on some things that are set up in
+# site_webapp
#
# (1) HAProxy -> couchdb
# (2) Apache
#
-# It would be good in the future to make nickserver installable independently of site_webapp.
+# It would be good in the future to make nickserver installable independently of
+# site_webapp.
#
class site_nickserver {
tag 'leap_service'
- include site_config::ruby
+ Class['site_config::default'] -> Class['site_nickserver']
+
+ include site_config::ruby::dev
#
# VARIABLES
#
$nickserver = hiera('nickserver')
- $nickserver_port = $nickserver['port'] # the port that public connects to (should be 6425)
- $nickserver_local_port = '64250' # the port that nickserver is actually running on
$nickserver_domain = $nickserver['domain']
+ $couchdb_user = $nickserver['couchdb_nickserver_user']['username']
+ $couchdb_password = $nickserver['couchdb_nickserver_user']['password']
+
+ # the port that public connects to (should be 6425)
+ $nickserver_port = $nickserver['port']
+ # the port that nickserver is actually running on
+ $nickserver_local_port = '64250'
- $couchdb_user = $nickserver['couchdb_user']['username']
- $couchdb_password = $nickserver['couchdb_user']['password']
- $couchdb_host = 'localhost' # couchdb is available on localhost via haproxy, which is bound to 4096.
- $couchdb_port = '4096' # See site_webapp/templates/haproxy_couchdb.cfg.erg
+ # couchdb is available on localhost via haproxy, which is bound to 4096.
+ $couchdb_host = 'localhost'
+ # See site_webapp/templates/haproxy_couchdb.cfg.erg
+ $couchdb_port = '4096'
# temporarily for now:
$domain = hiera('domain')
$address_domain = $domain['full_suffix']
- $x509 = hiera('x509')
- $x509_key = $x509['key']
- $x509_cert = $x509['cert']
- $x509_ca = $x509['ca_cert']
+
+
+ include site_config::x509::cert
+ include site_config::x509::key
+ include site_config::x509::ca
#
# USER AND GROUP
@@ -41,6 +51,7 @@ class site_nickserver {
ensure => present,
allowdupe => false;
}
+
user { 'nickserver':
ensure => present,
allowdupe => false,
@@ -50,31 +61,33 @@ class site_nickserver {
}
#
- # NICKSERVER CODE
- # NOTE: in order to support TLS, libssl-dev must be installed before EventMachine gem
- # is built/installed.
+ # NICKSERVER CODE NOTE: in order to support TLS, libssl-dev must be installed
+ # before EventMachine gem is built/installed.
#
- package {
- 'libssl-dev': ensure => installed;
- }
+ package { 'libssl-dev': ensure => installed }
+
vcsrepo { '/srv/leap/nickserver':
ensure => present,
revision => 'origin/master',
provider => git,
- source => 'git://code.leap.se/nickserver',
+ source => 'https://leap.se/git/nickserver',
owner => 'nickserver',
group => 'nickserver',
require => [ User['nickserver'], Group['nickserver'] ],
notify => Exec['nickserver_bundler_update'];
}
+
exec { 'nickserver_bundler_update':
cwd => '/srv/leap/nickserver',
command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle"',
unless => '/usr/bin/bundle check',
user => 'nickserver',
timeout => 600,
- require => [ Class['bundler::install'], Vcsrepo['/srv/leap/nickserver'], Package['libssl-dev'] ],
+ require => [
+ Class['bundler::install'], Vcsrepo['/srv/leap/nickserver'],
+ Package['libssl-dev'], Class['site_config::ruby::dev'] ],
+
notify => Service['nickserver'];
}
@@ -82,7 +95,7 @@ class site_nickserver {
# NICKSERVER CONFIG
#
- file { '/etc/leap/nickserver.yml':
+ file { '/etc/nickserver.yml':
content => template('site_nickserver/nickserver.yml.erb'),
owner => nickserver,
group => nickserver,
@@ -99,8 +112,11 @@ class site_nickserver {
ensure => link,
target => '/srv/leap/nickserver/bin/nickserver',
require => Vcsrepo['/srv/leap/nickserver'];
+
'/etc/init.d/nickserver':
- owner => root, group => 0, mode => '0755',
+ owner => root,
+ group => 0,
+ mode => '0755',
source => '/srv/leap/nickserver/dist/debian-init-script',
require => Vcsrepo['/srv/leap/nickserver'];
}
@@ -110,7 +126,11 @@ class site_nickserver {
enable => true,
hasrestart => true,
hasstatus => true,
- require => File['/etc/init.d/nickserver'];
+ require => [
+ File['/etc/init.d/nickserver'],
+ Class['Site_config::X509::Key'],
+ Class['Site_config::X509::Cert'],
+ Class['Site_config::X509::Ca'] ];
}
#
@@ -119,7 +139,7 @@ class site_nickserver {
#
file { '/etc/shorewall/macro.nickserver':
- content => "PARAM - - tcp $nickserver_port",
+ content => "PARAM - - tcp ${nickserver_port}",
notify => Service['shorewall'],
require => Package['shorewall'];
}
@@ -142,21 +162,8 @@ class site_nickserver {
}
apache::vhost::file {
- 'nickserver': content => template('site_nickserver/nickserver-proxy.conf.erb')
- }
-
- x509::key { 'nickserver':
- content => $x509_key,
- notify => Service[apache];
+ 'nickserver':
+ content => template('site_nickserver/nickserver-proxy.conf.erb')
}
- x509::cert { 'nickserver':
- content => $x509_cert,
- notify => Service[apache];
- }
-
- x509::ca { 'nickserver':
- content => $x509_ca,
- notify => Service[apache];
- }
-} \ No newline at end of file
+}
diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb
index 67896cd3..ae06410e 100644
--- a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb
+++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb
@@ -14,9 +14,9 @@ Listen 0.0.0.0:<%= @nickserver_port -%>
SSLHonorCipherOrder on
SSLCACertificatePath /etc/ssl/certs
- SSLCertificateChainFile /etc/ssl/certs/nickserver.pem
- SSLCertificateKeyFile /etc/x509/keys/nickserver.key
- SSLCertificateFile /etc/x509/certs/nickserver.crt
+ SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt
+ SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key
+ SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt
ProxyPass / http://localhost:<%= @nickserver_local_port %>/
ProxyPreserveHost On # preserve Host header in HTTP request
diff --git a/puppet/modules/site_nickserver/templates/nickserver.yml.erb b/puppet/modules/site_nickserver/templates/nickserver.yml.erb
index 7aab5605..e717cbaa 100644
--- a/puppet/modules/site_nickserver/templates/nickserver.yml.erb
+++ b/puppet/modules/site_nickserver/templates/nickserver.yml.erb
@@ -6,7 +6,7 @@ domain: "<%= @address_domain %>"
couch_host: "<%= @couchdb_host %>"
couch_port: <%= @couchdb_port %>
-couch_database: "users"
+couch_database: "identities"
couch_user: "<%= @couchdb_user %>"
couch_password: "<%= @couchdb_password %>"