summaryrefslogtreecommitdiff
path: root/puppet/modules/site_webapp/manifests
diff options
context:
space:
mode:
Diffstat (limited to 'puppet/modules/site_webapp/manifests')
-rw-r--r--puppet/modules/site_webapp/manifests/apache.pp12
-rw-r--r--puppet/modules/site_webapp/manifests/common_vhost.pp18
-rw-r--r--puppet/modules/site_webapp/manifests/couchdb.pp25
-rw-r--r--puppet/modules/site_webapp/manifests/cron.pp9
-rw-r--r--puppet/modules/site_webapp/manifests/hidden_service.pp25
-rw-r--r--puppet/modules/site_webapp/manifests/init.pp14
6 files changed, 74 insertions, 29 deletions
diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp
index 93e172a0..80c7b29b 100644
--- a/puppet/modules/site_webapp/manifests/apache.pp
+++ b/puppet/modules/site_webapp/manifests/apache.pp
@@ -1,3 +1,4 @@
+# configure apache and passenger to serve the webapp
class site_webapp::apache {
$web_api = hiera('api')
@@ -11,16 +12,17 @@ class site_webapp::apache {
$webapp_domain = $webapp['domain']
include site_apache::common
- include site_apache::module::headers
- include site_apache::module::alias
- include site_apache::module::expires
- include site_apache::module::removeip
+ include apache::module::headers
+ include apache::module::alias
+ include apache::module::expires
+ include apache::module::removeip
+ include site_webapp::common_vhost
class { 'passenger': use_munin => false }
apache::vhost::file {
'api':
- content => template('site_apache/vhosts.d/api.conf.erb')
+ content => template('site_apache/vhosts.d/api.conf.erb');
}
}
diff --git a/puppet/modules/site_webapp/manifests/common_vhost.pp b/puppet/modules/site_webapp/manifests/common_vhost.pp
new file mode 100644
index 00000000..c57aad57
--- /dev/null
+++ b/puppet/modules/site_webapp/manifests/common_vhost.pp
@@ -0,0 +1,18 @@
+class site_webapp::common_vhost {
+ # installs x509 cert + key and common config
+ # that both nagios + leap webapp use
+
+ include x509::variables
+ include site_config::x509::commercial::cert
+ include site_config::x509::commercial::key
+ include site_config::x509::commercial::ca
+
+ Class['Site_config::X509::Commercial::Key'] ~> Service[apache]
+ Class['Site_config::X509::Commercial::Cert'] ~> Service[apache]
+ Class['Site_config::X509::Commercial::Ca'] ~> Service[apache]
+
+ apache::vhost::file {
+ 'common':
+ content => template('site_apache/vhosts.d/common.conf.erb')
+ }
+}
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index 1dbc745d..71450370 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -14,29 +14,36 @@ class site_webapp::couchdb {
file {
'/srv/leap/webapp/config/couchdb.yml':
content => template('site_webapp/couchdb.yml.erb'),
- owner => leap-webapp,
- group => leap-webapp,
+ owner => 'leap-webapp',
+ group => 'leap-webapp',
mode => '0600',
require => Vcsrepo['/srv/leap/webapp'];
+ # couchdb.admin.yml is a symlink to prevent the vcsrepo resource
+ # from changing its user permissions every time.
'/srv/leap/webapp/config/couchdb.admin.yml':
+ ensure => 'link',
+ target => '/etc/leap/couchdb.admin.yml',
+ require => Vcsrepo['/srv/leap/webapp'];
+
+ '/etc/leap/couchdb.admin.yml':
content => template('site_webapp/couchdb.admin.yml.erb'),
- owner => leap-webapp,
- group => leap-webapp,
+ owner => 'root',
+ group => 'root',
mode => '0600',
- require => Vcsrepo['/srv/leap/webapp'];
+ require => File['/etc/leap'];
'/srv/leap/webapp/log':
ensure => directory,
- owner => leap-webapp,
- group => leap-webapp,
+ owner => 'leap-webapp',
+ group => 'leap-webapp',
mode => '0755',
require => Vcsrepo['/srv/leap/webapp'];
'/srv/leap/webapp/log/production.log':
ensure => present,
- owner => leap-webapp,
- group => leap-webapp,
+ owner => 'leap-webapp',
+ group => 'leap-webapp',
mode => '0666',
require => Vcsrepo['/srv/leap/webapp'];
}
diff --git a/puppet/modules/site_webapp/manifests/cron.pp b/puppet/modules/site_webapp/manifests/cron.pp
index d26ee312..70b9da04 100644
--- a/puppet/modules/site_webapp/manifests/cron.pp
+++ b/puppet/modules/site_webapp/manifests/cron.pp
@@ -1,3 +1,4 @@
+# setup webapp cronjobs
class site_webapp::cron {
# cron tasks that need to be performed to cleanup the database
@@ -5,27 +6,31 @@ class site_webapp::cron {
'rotate_databases':
command => 'cd /srv/leap/webapp && bundle exec rake db:rotate',
environment => 'RAILS_ENV=production',
+ user => 'root',
hour => [0,6,12,18],
minute => 0;
'delete_tmp_databases':
command => 'cd /srv/leap/webapp && bundle exec rake db:deletetmp',
environment => 'RAILS_ENV=production',
+ user => 'root',
hour => 1,
minute => 1;
# there is no longer a need to remove expired sessions, since the database
# will get destroyed.
'remove_expired_sessions':
+ ensure => absent,
command => 'cd /srv/leap/webapp && bundle exec rake cleanup:sessions',
environment => 'RAILS_ENV=production',
+ user => 'leap-webapp',
hour => 2,
- minute => 30,
- ensure => absent;
+ minute => 30;
'remove_expired_tokens':
command => 'cd /srv/leap/webapp && bundle exec rake cleanup:tokens',
environment => 'RAILS_ENV=production',
+ user => 'leap-webapp',
hour => 3,
minute => 0;
}
diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
index 16b6e2e7..72a2ce95 100644
--- a/puppet/modules/site_webapp/manifests/hidden_service.pp
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
@@ -4,13 +4,13 @@ class site_webapp::hidden_service {
$tor_domain = "${hidden_service['address']}.onion"
include site_apache::common
- include site_apache::module::headers
- include site_apache::module::alias
- include site_apache::module::expires
- include site_apache::module::removeip
-
+ include apache::module::headers
+ include apache::module::alias
+ include apache::module::expires
+ include apache::module::removeip
+
include tor::daemon
- tor::daemon::hidden_service { 'webapp': ports => '80 127.0.0.1:80' }
+ tor::daemon::hidden_service { 'webapp': ports => [ '80 127.0.0.1:80'] }
file {
'/var/lib/tor/webapp/':
@@ -34,10 +34,19 @@ class site_webapp::hidden_service {
mode => '0600';
}
+ # it is necessary to zero out the config of the status module
+ # because we are configuring our own version that is unavailable
+ # over the hidden service (see: #7456 and #7776)
+ apache::module { 'status': ensure => present, conf_content => ' ' }
+ # the access_compat module is required to enable Allow directives
+ apache::module { 'access_compat': ensure => present }
+
apache::vhost::file {
'hidden_service':
- content => template('site_apache/vhosts.d/hidden_service.conf.erb')
+ content => template('site_apache/vhosts.d/hidden_service.conf.erb');
+ 'server_status':
+ vhost_source => 'modules/site_webapp/server-status.conf';
}
include site_shorewall::tor
-} \ No newline at end of file
+}
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index ec94c090..15925aba 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -1,3 +1,4 @@
+# configure webapp service
class site_webapp {
tag 'leap_service'
$definition_files = hiera('definition_files')
@@ -20,11 +21,16 @@ class site_webapp {
include site_webapp::couchdb
include site_haproxy
include site_webapp::cron
+ include site_config::default
include site_config::x509::cert
include site_config::x509::key
include site_config::x509::ca
include site_config::x509::client_ca::ca
include site_config::x509::client_ca::key
+ include site_nickserver
+
+ # remove leftovers from previous installations on webapp nodes
+ include site_config::remove::webapp
group { 'leap-webapp':
ensure => present,
@@ -54,7 +60,7 @@ class site_webapp {
exec { 'bundler_update':
cwd => '/srv/leap/webapp',
- command => '/bin/bash -c "/usr/bin/bundle check --path vendor/bundle || /usr/bin/bundle install --path vendor/bundle --without test development"',
+ command => '/bin/bash -c "/usr/bin/bundle check --path vendor/bundle || /usr/bin/bundle install --path vendor/bundle --without test development debug"',
unless => '/usr/bin/bundle check --path vendor/bundle',
user => 'leap-webapp',
timeout => 600,
@@ -163,10 +169,8 @@ class site_webapp {
# needed for the soledad-sync check which is run on the
- # webapp node (#6520)
- package { 'python-u1db':
- ensure => latest,
- }
+ # webapp node
+ include soledad::client
leap::logfile { 'webapp': }