8 files changed, 136 insertions, 57 deletions

diff --git a/puppet/modules/site_webapp/files/server-status.conf b/puppet/modules/site_webapp/files/server-status.conf
new file mode 100644
index 00000000..10b2d4ed
--- /dev/null
+++ b/puppet/modules/site_webapp/files/server-status.conf
@@ -0,0 +1,26 @@
+# Keep track of extended status information for each request
+ExtendedStatus On
+
+# Determine if mod_status displays the first 63 characters of a request or
+# the last 63, assuming the request itself is greater than 63 chars.
+# Default: Off
+#SeeRequestTail On
+
+Listen 127.0.0.1:8162
+
+<VirtualHost 127.0.0.1:8162>
+
+<Location /server-status>
+    SetHandler server-status
+    Require all granted
+    Allow from 127.0.0.1
+</Location>
+
+</VirtualHost>
+
+
+<IfModule mod_proxy.c>
+    # Show Proxy LoadBalancer status in mod_status
+    ProxyStatus On
+</IfModule>
+
diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp
index 93e172a0..80c7b29b 100644
--- a/puppet/modules/site_webapp/manifests/apache.pp
+++ b/puppet/modules/site_webapp/manifests/apache.pp
@@ -1,3 +1,4 @@
+# configure apache and passenger to serve the webapp
 class site_webapp::apache {
 
   $web_api          = hiera('api')
@@ -11,16 +12,17 @@ class site_webapp::apache {
   $webapp_domain    = $webapp['domain']
 
   include site_apache::common
-  include site_apache::module::headers
-  include site_apache::module::alias
-  include site_apache::module::expires
-  include site_apache::module::removeip
+  include apache::module::headers
+  include apache::module::alias
+  include apache::module::expires
+  include apache::module::removeip
+  include site_webapp::common_vhost
 
   class { 'passenger': use_munin => false }
 
   apache::vhost::file {
     'api':
-      content => template('site_apache/vhosts.d/api.conf.erb')
+      content => template('site_apache/vhosts.d/api.conf.erb');
   }
 
 }
diff --git a/puppet/modules/site_webapp/manifests/common_vhost.pp b/puppet/modules/site_webapp/manifests/common_vhost.pp
new file mode 100644
index 00000000..c57aad57
--- /dev/null
+++ b/puppet/modules/site_webapp/manifests/common_vhost.pp
@@ -0,0 +1,18 @@
+class site_webapp::common_vhost {
+  # installs x509 cert + key and common config
+  # that both nagios + leap webapp use
+
+  include x509::variables
+  include site_config::x509::commercial::cert
+  include site_config::x509::commercial::key
+  include site_config::x509::commercial::ca
+
+  Class['Site_config::X509::Commercial::Key'] ~> Service[apache]
+  Class['Site_config::X509::Commercial::Cert'] ~> Service[apache]
+  Class['Site_config::X509::Commercial::Ca'] ~> Service[apache]
+
+  apache::vhost::file {
+  'common':
+    content => template('site_apache/vhosts.d/common.conf.erb')
+  }
+}
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index 1dbc745d..71450370 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -14,29 +14,36 @@ class site_webapp::couchdb {
   file {
     '/srv/leap/webapp/config/couchdb.yml':
       content => template('site_webapp/couchdb.yml.erb'),
-      owner   => leap-webapp,
-      group   => leap-webapp,
+      owner   => 'leap-webapp',
+      group   => 'leap-webapp',
       mode    => '0600',
       require => Vcsrepo['/srv/leap/webapp'];
 
+    # couchdb.admin.yml is a symlink to prevent the vcsrepo resource
+    # from changing its user permissions every time.
     '/srv/leap/webapp/config/couchdb.admin.yml':
+      ensure => 'link',
+      target => '/etc/leap/couchdb.admin.yml',
+      require => Vcsrepo['/srv/leap/webapp'];
+
+    '/etc/leap/couchdb.admin.yml':
       content => template('site_webapp/couchdb.admin.yml.erb'),
-      owner   => leap-webapp,
-      group   => leap-webapp,
+      owner   => 'root',
+      group   => 'root',
       mode    => '0600',
-      require => Vcsrepo['/srv/leap/webapp'];
+      require => File['/etc/leap'];
 
     '/srv/leap/webapp/log':
       ensure  => directory,
-      owner   => leap-webapp,
-      group   => leap-webapp,
+      owner   => 'leap-webapp',
+      group   => 'leap-webapp',
       mode    => '0755',
       require => Vcsrepo['/srv/leap/webapp'];
 
     '/srv/leap/webapp/log/production.log':
       ensure  => present,
-      owner   => leap-webapp,
-      group   => leap-webapp,
+      owner   => 'leap-webapp',
+      group   => 'leap-webapp',
       mode    => '0666',
       require => Vcsrepo['/srv/leap/webapp'];
   }
diff --git a/puppet/modules/site_webapp/manifests/cron.pp b/puppet/modules/site_webapp/manifests/cron.pp
index d26ee312..70b9da04 100644
--- a/puppet/modules/site_webapp/manifests/cron.pp
+++ b/puppet/modules/site_webapp/manifests/cron.pp
@@ -1,3 +1,4 @@
+# setup webapp cronjobs
 class site_webapp::cron {
 
   # cron tasks that need to be performed to cleanup the database
@@ -5,27 +6,31 @@ class site_webapp::cron {
     'rotate_databases':
       command     => 'cd /srv/leap/webapp && bundle exec rake db:rotate',
       environment => 'RAILS_ENV=production',
+      user        => 'root',
       hour        => [0,6,12,18],
       minute      => 0;
 
     'delete_tmp_databases':
       command     => 'cd /srv/leap/webapp && bundle exec rake db:deletetmp',
       environment => 'RAILS_ENV=production',
+      user        => 'root',
       hour        => 1,
       minute      => 1;
 
     # there is no longer a need to remove expired sessions, since the database
     # will get destroyed.
     'remove_expired_sessions':
+      ensure      => absent,
       command     => 'cd /srv/leap/webapp && bundle exec rake cleanup:sessions',
       environment => 'RAILS_ENV=production',
+      user        => 'leap-webapp',
       hour        => 2,
-      minute      => 30,
-      ensure      => absent;
+      minute      => 30;
 
     'remove_expired_tokens':
       command     => 'cd /srv/leap/webapp && bundle exec rake cleanup:tokens',
       environment => 'RAILS_ENV=production',
+      user        => 'leap-webapp',
       hour        => 3,
       minute      => 0;
   }
diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
index 16b6e2e7..72a2ce95 100644
--- a/puppet/modules/site_webapp/manifests/hidden_service.pp
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
@@ -4,13 +4,13 @@ class site_webapp::hidden_service {
   $tor_domain       = "${hidden_service['address']}.onion"
 
   include site_apache::common
-  include site_apache::module::headers
-  include site_apache::module::alias
-  include site_apache::module::expires
-  include site_apache::module::removeip
-
+  include apache::module::headers
+  include apache::module::alias
+  include apache::module::expires
+  include apache::module::removeip
+  
   include tor::daemon
-  tor::daemon::hidden_service { 'webapp': ports => '80 127.0.0.1:80' }
+  tor::daemon::hidden_service { 'webapp': ports => [ '80 127.0.0.1:80'] }
 
   file {
     '/var/lib/tor/webapp/':
@@ -34,10 +34,19 @@ class site_webapp::hidden_service {
       mode    => '0600';
   }
 
+  # it is necessary to zero out the config of the status module
+  # because we are configuring our own version that is unavailable
+  # over the hidden service (see: #7456 and #7776)
+  apache::module { 'status': ensure => present, conf_content => ' ' }
+  # the access_compat module is required to enable Allow directives
+  apache::module { 'access_compat': ensure => present }
+  
   apache::vhost::file {
     'hidden_service':
-      content => template('site_apache/vhosts.d/hidden_service.conf.erb')
+      content => template('site_apache/vhosts.d/hidden_service.conf.erb');
+    'server_status':
+      vhost_source => 'modules/site_webapp/server-status.conf';
   }
 
   include site_shorewall::tor
-}
\ No newline at end of file
+}
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index ec94c090..15925aba 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -1,3 +1,4 @@
+# configure webapp service
 class site_webapp {
   tag 'leap_service'
   $definition_files = hiera('definition_files')
@@ -20,11 +21,16 @@ class site_webapp {
   include site_webapp::couchdb
   include site_haproxy
   include site_webapp::cron
+  include site_config::default
   include site_config::x509::cert
   include site_config::x509::key
   include site_config::x509::ca
   include site_config::x509::client_ca::ca
   include site_config::x509::client_ca::key
+  include site_nickserver
+
+  # remove leftovers from previous installations on webapp nodes
+  include site_config::remove::webapp
 
   group { 'leap-webapp':
     ensure    => present,
@@ -54,7 +60,7 @@ class site_webapp {
 
   exec { 'bundler_update':
     cwd     => '/srv/leap/webapp',
-    command => '/bin/bash -c "/usr/bin/bundle check --path vendor/bundle || /usr/bin/bundle install --path vendor/bundle --without test development"',
+    command => '/bin/bash -c "/usr/bin/bundle check --path vendor/bundle || /usr/bin/bundle install --path vendor/bundle --without test development debug"',
     unless  => '/usr/bin/bundle check --path vendor/bundle',
     user    => 'leap-webapp',
     timeout => 600,
@@ -163,10 +169,8 @@ class site_webapp {
 
 
   # needed for the soledad-sync check which is run on the
-  # webapp node (#6520)
-  package { 'python-u1db':
-    ensure => latest,
-  }
+  # webapp node
+  include soledad::client
 
   leap::logfile { 'webapp': }
 
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb
index ccde2d2e..dd55d3e9 100644
--- a/puppet/modules/site_webapp/templates/config.yml.erb
+++ b/puppet/modules/site_webapp/templates/config.yml.erb
@@ -1,28 +1,36 @@
-<%- require 'json' -%>
-<%- cert_options = @webapp['client_certificates'] -%>
-production:
-  admins: <%= @webapp['admins'].inspect %>
-  domain: <%= @provider_domain %>
-  force_ssl: <%= @webapp['secure'] %>
-  client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.key
-  client_ca_cert: <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.crt
-  secret_token: "<%= @secret_token %>"
-  client_cert_lifespan: <%= cert_options['life_span'] %>
-  client_cert_bit_size: <%= cert_options['bit_size'].to_i %>
-  client_cert_hash: <%= cert_options['digest'] %>
-  allow_limited_certs: <%= @webapp['allow_limited_certs'].inspect %>
-  allow_unlimited_certs: <%= @webapp['allow_unlimited_certs'].inspect %>
-  allow_anonymous_certs: <%= @webapp['allow_anonymous_certs'].inspect %>
-  limited_cert_prefix: "<%= cert_options['limited_prefix'] %>"
-  unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>"
-  minimum_client_version: "<%= @webapp['client_version']['min'] %>"
-  default_service_level: "<%= @webapp['default_service_level'] %>"
-  service_levels: <%= scope.function_sorted_json([@webapp['service_levels']]) %>
-  allow_registration: <%= @webapp['allow_registration'].inspect %>
-  handle_blacklist: <%= @webapp['forbidden_usernames'].inspect %>
-<%- if @webapp['engines'] && @webapp['engines'].any? -%>
-  engines:
-<%-   @webapp['engines'].each do |engine| -%>
-    - <%= engine %>
-<%-   end -%>
-<%- end -%>
+<%
+cert_options = @webapp['client_certificates']
+production = {
+  "admins" => @webapp['admins'],
+  "default_locale" => @webapp['default_locale'],
+  "available_locales" => @webapp['locales'],
+  "domain" => @provider_domain,
+  "force_ssl" => @webapp['secure'],
+  "client_ca_key" => "%s/%s.key" % [scope.lookupvar('x509::variables::keys'), scope.lookupvar('site_config::params::client_ca_name')],
+  "client_ca_cert" => "%s/%s.crt" % [scope.lookupvar('x509::variables::local_CAs'), scope.lookupvar('site_config::params::client_ca_name')],
+  "secret_token" => @secret_token,
+  "client_cert_lifespan" => cert_options['life_span'],
+  "client_cert_bit_size" => cert_options['bit_size'].to_i,
+  "client_cert_hash" => cert_options['digest'],
+  "allow_limited_certs" => @webapp['allow_limited_certs'],
+  "allow_unlimited_certs" => @webapp['allow_unlimited_certs'],
+  "allow_anonymous_certs" => @webapp['allow_anonymous_certs'],
+  "limited_cert_prefix" => cert_options['limited_prefix'],
+  "unlimited_cert_prefix" => cert_options['unlimited_prefix'],
+  "minimum_client_version" => @webapp['client_version']['min'],
+  "default_service_level" => @webapp['default_service_level'],
+  "service_levels" => @webapp['service_levels'],
+  "allow_registration" => @webapp['allow_registration'],
+  "handle_blacklist" => @webapp['forbidden_usernames'],
+  "invite_required" => @webapp['invite_required'],
+  "api_tokens" => @webapp['api_tokens']
+}
+
+if @webapp['engines'] && @webapp['engines'].any?
+  production["engines"] = @webapp['engines']
+end
+-%>
+#
+# This file is generated by puppet. This file inherits from defaults.yml.
+#
+<%= scope.function_sorted_yaml([{"production" => production}]) %>