Diffstat (limited to 'puppet/modules/site_webapp')
-rw-r--r-- | puppet/modules/site_webapp/files/migrate_design_documents | 16 | ||||
-rw-r--r-- | puppet/modules/site_webapp/manifests/apache.pp | 55 | ||||
-rw-r--r-- | puppet/modules/site_webapp/manifests/client_ca.pp | 25 | ||||
-rw-r--r-- | puppet/modules/site_webapp/manifests/couchdb.pp | 53 | ||||
-rw-r--r-- | puppet/modules/site_webapp/manifests/cron.pp | 17 | ||||
-rw-r--r-- | puppet/modules/site_webapp/manifests/haproxy.pp | 1 | ||||
-rw-r--r-- | puppet/modules/site_webapp/manifests/init.pp | 99 | ||||
-rw-r--r-- | puppet/modules/site_webapp/templates/config.yml.erb | 8 | ||||
-rw-r--r-- | puppet/modules/site_webapp/templates/couchdb.yml.admin.erb | 9 | ||||
-rw-r--r-- | puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb | 25 |
10 files changed, 116 insertions, 192 deletions
diff --git a/puppet/modules/site_webapp/files/migrate_design_documents b/puppet/modules/site_webapp/files/migrate_design_documents
deleted file mode 100644
index 6e24aa5b..00000000
--- a/puppet/modules/site_webapp/files/migrate_design_documents
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/sh
-
-cd /srv/leap/webapp
-
-# use admin credentials
-cp config/couchdb.yml.admin config/couchdb.yml
-chown leap-webapp:leap-webapp config/couchdb.yml
-
-# needs to be run twice
-RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate
-RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate
-
-# use user credentials and remove admin credentials
-cp config/couchdb.yml.webapp config/couchdb.yml
-chown leap-webapp:leap-webapp config/couchdb.yml
-
diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp
index 8b340160..21243d34 100644
--- a/puppet/modules/site_webapp/manifests/apache.pp
+++ b/puppet/modules/site_webapp/manifests/apache.pp
@@ -4,61 +4,20 @@ class site_webapp::apache { $api_domain = $web_api['domain'] $api_port = $web_api['port'] - $x509 = hiera('x509') - $commercial_key = $x509['commercial_key'] - $commercial_cert = $x509['commercial_cert'] - $commercial_root = $x509['commercial_ca_cert'] - $api_key = $x509['key'] - $api_cert = $x509['cert'] - $api_root = $x509['ca_cert'] + $web_domain = hiera('domain') + $domain_name = $web_domain['name'] - class { '::apache': no_default_site => true, ssl => true } - - apache::module { - 'alias': ensure => present; - 'rewrite': ensure => present; - 'headers': ensure => present; - } + include site_apache::common + include site_apache::module::headers + include site_apache::module::alias + include site_apache::module::expires + include site_apache::module::removeip class { 'passenger': use_munin => false } apache::vhost::file { - 'leap_webapp': - content => template('site_apache/vhosts.d/leap_webapp.conf.erb') - } - - apache::vhost::file { 'api': content => template('site_apache/vhosts.d/api.conf.erb') } - x509::key { - 'leap_webapp': - content => $commercial_key, - notify => Service[apache]; - - 'leap_api': - content => $api_key, - notify => Service[apache]; - } - - x509::cert { - 'leap_webapp': - content => $commercial_cert, - notify => Service[apache]; - - 'leap_api': - content => $api_cert, - notify => Service[apache]; - } - - x509::ca { - 'leap_webapp': - content => $commercial_root, - notify => Service[apache]; - - 'leap_api': - content => $api_root, - notify => Service[apache]; - } } diff --git a/puppet/modules/site_webapp/manifests/client_ca.pp b/puppet/modules/site_webapp/manifests/client_ca.pp deleted file mode 100644 index 0d9b15d6..00000000 --- a/puppet/modules/site_webapp/manifests/client_ca.pp +++ /dev/null 
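Review bot: The `api` vhost kept in this hunk still needs a server key, certificate and CA on disk, but the `x509::key`/`x509::cert`/`x509::ca` resources that provided them — together with their `notify => Service[apache]` — are removed from `site_webapp::apache` with no replacement in this class; the `site_config::x509::*` includes appear only in init.pp, so this class now only works when reached through `site_webapp`. Declare the dependency where it is consumed, e.g. `include site_config::x509::cert`, `include site_config::x509::key`, `include site_config::x509::ca`, and confirm those classes notify `Service[apache]`, otherwise a rotated certificate is not reloaded until an unrelated restart. The old `class { '::apache': no_default_site => true, ssl => true }` is replaced by `include site_apache::common`; verify it still enables mod_ssl and drops the default site, since that is what keeps the API that issues client certificates off plain HTTP. `$web_domain`/`$domain_name` are assigned but not used in the visible lines — presumably consumed by the vhost template.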
@@ -1,25 +0,0 @@ -## -## This is for the special CA that is used exclusively for generating -## client certificates by the webapp. -## - -class site_webapp::client_ca { - include x509::variables - - $x509 = hiera('x509') - $cert_path = "${x509::variables::certs}/leap_client_ca.crt" - $key_path = "${x509::variables::keys}/leap_client_ca.key" - - x509::key { - 'leap_client_ca': - source => $x509['client_ca_key'], - group => 'leap-webapp', - notify => Service[apache]; - } - - x509::cert { - 'leap_client_ca': - source => $x509['client_ca_cert'], - notify => Service[apache]; - } -} diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index b4ef0980..ff743fba 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -4,8 +4,6 @@ class site_webapp::couchdb { # haproxy listener on port localhost:4096, see site_webapp::haproxy $couchdb_host = 'localhost' $couchdb_port = '4096' - $couchdb_admin_user = $webapp['couchdb_admin_user']['username'] - $couchdb_admin_password = $webapp['couchdb_admin_user']['password'] $couchdb_webapp_user = $webapp['couchdb_webapp_user']['username'] $couchdb_webapp_password = $webapp['couchdb_webapp_user']['password'] 
@@ -14,65 +12,38 @@ class site_webapp::couchdb { $couch_client_connect = $couch_client['connect'] include x509::variables - $x509 = hiera('x509') - $key = $x509['key'] - $cert = $x509['cert'] - $ca = $x509['ca_cert'] - $cert_name = 'leap_couchdb' - $ca_name = 'leap_ca' - $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" - $cert_path = "${x509::variables::certs}/${cert_name}.crt" - $key_path = "${x509::variables::keys}/${cert_name}.key" file { - '/srv/leap/webapp/config/couchdb.yml.admin': - content => template('site_webapp/couchdb.yml.admin.erb'), + '/srv/leap/webapp/config/couchdb.yml': + content => template('site_webapp/couchdb.yml.erb'), owner => leap-webapp, group => leap-webapp, mode => '0600', require => Vcsrepo['/srv/leap/webapp']; - '/srv/leap/webapp/config/couchdb.yml.webapp': - content => template('site_webapp/couchdb.yml.erb'), + '/srv/leap/webapp/log': + ensure => directory, owner => leap-webapp, group => leap-webapp, - mode => '0600', + mode => '0755', require => Vcsrepo['/srv/leap/webapp']; - '/srv/leap/webapp/logs/production.log': + '/srv/leap/webapp/log/production.log': + ensure => present, owner => leap-webapp, group => leap-webapp, mode => '0666', require => Vcsrepo['/srv/leap/webapp']; - - '/usr/local/sbin/migrate_design_documents': - source => 'puppet:///modules/site_webapp/migrate_design_documents', - owner => root, - group => root, - mode => '0744'; } - class { 'site_stunnel::setup': - cert_name => $cert_name, - key => $key, - cert => $cert, - ca_name => $ca_name, - ca => $ca - } - - exec { 'migrate_design_documents': - cwd => '/srv/leap/webapp', - command => '/usr/local/sbin/migrate_design_documents', - require => Exec['bundler_update'], - notify => Service['apache']; - } + include site_stunnel $couchdb_stunnel_client_defaults = { 'connect_port' => $couch_client_connect, - 'client' => true, - 'cafile' => $ca_path, - 'key' => $key_path, - 'cert' => $cert_path, + 'client' => true, + 'cafile' => 
"${x509::variables::local_CAs}/${site_config::params::ca_name}.crt", + 'key' => "${x509::variables::keys}/${site_config::params::cert_name}.key", + 'cert' => "${x509::variables::certs}/${site_config::params::cert_name}.crt", } create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults) diff --git a/puppet/modules/site_webapp/manifests/cron.pp b/puppet/modules/site_webapp/manifests/cron.pp new file mode 100644 index 00000000..811ad11d --- /dev/null +++ b/puppet/modules/site_webapp/manifests/cron.pp @@ -0,0 +1,17 @@ +class site_webapp::cron { + + # cron tasks that need to be performed to cleanup the database + cron { + 'remove_expired_sessions': + command => 'cd /srv/leap/webapp && bundle exec rake cleanup:sessions', + environment => 'RAILS_ENV=production', + hour => 2, + minute => 30; + + 'remove_expired_tokens': + command => 'cd /srv/leap/webapp && bundle exec rake cleanup:tokens', + environment => 'RAILS_ENV=production', + hour => 3, + minute => 0; + } +} diff --git a/puppet/modules/site_webapp/manifests/haproxy.pp b/puppet/modules/site_webapp/manifests/haproxy.pp index 4a7e3c25..b69c69da 100644 --- a/puppet/modules/site_webapp/manifests/haproxy.pp +++ b/puppet/modules/site_webapp/manifests/haproxy.pp @@ -3,7 +3,6 @@ class site_webapp::haproxy { include site_haproxy $haproxy = hiera('haproxy') - $local_ports = $haproxy['local_ports'] # Template uses $global_options, $defaults_options concat::fragment { 'leap_haproxy_webapp_couchdb': diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index e743dc07..d02a7261 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp 
@@ -11,11 +11,18 @@ class site_webapp { $api_version = $webapp['api_version'] $secret_token = $webapp['secret_token'] - include site_config::ruby + Class['site_config::default'] -> Class['site_webapp'] + + include site_config::ruby::dev include site_webapp::apache include site_webapp::couchdb - include site_webapp::client_ca include site_webapp::haproxy + include site_webapp::cron + include site_config::x509::cert + include site_config::x509::key + include site_config::x509::ca + include site_config::x509::client_ca::ca + include site_config::x509::client_ca::key group { 'leap-webapp': ensure => present, @@ -31,19 +38,12 @@ class site_webapp { require => [ Group['leap-webapp'] ]; } - file { '/srv/leap/webapp': - ensure => directory, - owner => 'leap-webapp', - group => 'leap-webapp', - require => User['leap-webapp']; - } - vcsrepo { '/srv/leap/webapp': ensure => present, force => true, - revision => 'origin/master', + revision => $webapp['git']['revision'], provider => git, - source => 'git://code.leap.se/leap_web', + source => $webapp['git']['source'], owner => 'leap-webapp', group => 'leap-webapp', require => [ User['leap-webapp'], Group['leap-webapp'] ], 
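Review bot: The `vcsrepo` now takes `source` and `revision` from `$webapp['git']` and keeps `force => true`, so whatever hiera holds is checked out and deployed as the web application on every agent run; if `revision` is a branch (the removed default was the moving `origin/master`) or `source` is still the unauthenticated `git://` URL the removed line used, the node runs code that anyone controlling the remote or the network path can change. Document the expectation next to the resource, e.g. `# git.revision should be a commit id or signed tag, git.source an authenticated (https/ssh) URL`, and review the hiera defaults accordingly. The hiera values themselves are not visible here, so this is a caution about the new indirection rather than a defect in the lines shown.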
@@ -56,38 +56,58 @@ class site_webapp { unless => '/usr/bin/bundle check', user => 'leap-webapp', timeout => 600, - require => [ Class['bundler::install'], Vcsrepo['/srv/leap/webapp'] ], + require => [ + Class['bundler::install'], + Vcsrepo['/srv/leap/webapp'], + Class['site_config::ruby::dev'], + Service['shorewall'] ], notify => Service['apache']; } + # + # NOTE: in order to support a webapp that is running on a subpath and not the + # root of the domain assets:precompile needs to be run with + # RAILS_RELATIVE_URL_ROOT=/application-root + # + exec { 'compile_assets': - cwd => '/srv/leap/webapp', - command => '/bin/bash -c "/usr/bin/bundle exec rake assets:precompile"', - user => 'leap-webapp', - require => Exec['bundler_update'], - notify => Service['apache']; + cwd => '/srv/leap/webapp', + command => '/bin/bash -c "RAILS_ENV=production /usr/bin/bundle exec rake assets:precompile"', + user => 'leap-webapp', + logoutput => on_failure, + require => Exec['bundler_update'], + notify => Service['apache']; } file { - '/srv/leap/webapp/public/provider.json': + '/srv/leap/webapp/config/provider': + ensure => directory, + require => Vcsrepo['/srv/leap/webapp'], + owner => leap-webapp, group => leap-webapp, mode => '0755'; + + '/srv/leap/webapp/config/provider/provider.json': content => $provider, require => Vcsrepo['/srv/leap/webapp'], owner => leap-webapp, group => leap-webapp, mode => '0644'; + # old provider.json location. this can be removed after everyone upgrades. 
+ '/srv/leap/webapp/public/provider.json': + ensure => absent; + '/srv/leap/webapp/public/ca.crt': ensure => link, require => Vcsrepo['/srv/leap/webapp'], - target => '/usr/local/share/ca-certificates/leap_api.crt'; + target => "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"; "/srv/leap/webapp/public/${api_version}": - ensure => directory, + ensure => directory, require => Vcsrepo['/srv/leap/webapp'], - owner => leap-webapp, group => leap-webapp, mode => '0755'; + owner => leap-webapp, group => leap-webapp, mode => '0755'; "/srv/leap/webapp/public/${api_version}/config/": - ensure => directory, + ensure => directory, require => Vcsrepo['/srv/leap/webapp'], - owner => leap-webapp, group => leap-webapp, mode => '0755'; + owner => leap-webapp, group => leap-webapp, mode => '0755'; "/srv/leap/webapp/public/${api_version}/config/eip-service.json": content => $eip_service, @@ -106,25 +126,24 @@ class site_webapp { } try::file { - '/srv/leap/webapp/public/favicon.ico': - ensure => 'link', - require => Vcsrepo['/srv/leap/webapp'], - target => $webapp['favicon']; - - '/srv/leap/webapp/app/assets/stylesheets/tail.scss': - ensure => 'link', - require => Vcsrepo['/srv/leap/webapp'], - target => $webapp['tail_scss']; - - '/srv/leap/webapp/app/assets/stylesheets/head.scss': - ensure => 'link', + '/srv/leap/webapp/config/customization': + ensure => directory, + recurse => true, + purge => true, + force => true, + owner => leap-webapp, + group => leap-webapp, + mode => 'u=rwX,go=rX', require => Vcsrepo['/srv/leap/webapp'], - target => $webapp['head_scss']; + notify => Exec['compile_assets'], + source => $webapp['customization_dir']; + } - '/srv/leap/webapp/public/img': - ensure => 'link', + git::changes { + 'public/favicon.ico': + cwd => '/srv/leap/webapp', require => Vcsrepo['/srv/leap/webapp'], - target => $webapp['img_dir']; + user => 'leap-webapp'; } file { 
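Review bot: `compile_assets` has no `refreshonly`, `creates` or `unless`, so `rake assets:precompile` runs and restarts Apache on every agent run, not only when the checkout, gems or customization change. Since the customization directory added in the next hunk already does `notify => Exec['compile_assets']`, `refreshonly => true` plus `subscribe => [Vcsrepo['/srv/leap/webapp'], Exec['bundler_update']]` would limit it to real changes — but `bundler_update` is guarded by `unless => '/usr/bin/bundle check'`, so confirm a fresh checkout still triggers a compile before relying on that chain. The `exec { 'bundler_update' }` resource starts before this hunk and the `file {` resource opened here closes after it.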
@@ -138,5 +157,5 @@ class site_webapp { } include site_shorewall::webapp - + include site_check_mk::agent::webapp } diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index df562cd9..98f8564e 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -1,9 +1,10 @@ <%- cert_options = @webapp['client_certificates'] -%> production: - admins: [admin] + admins: <%= @webapp['admins'].inspect %> domain: <%= @provider_domain %> - client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %> - client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %> + force_ssl: <%= @webapp['secure'] %> + client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.key + client_ca_cert: <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.crt secret_token: "<%= @secret_token %>" client_cert_lifespan: <%= cert_options['life_span'].to_i %> client_cert_bit_size: <%= cert_options['bit_size'].to_i %> @@ -13,3 +14,4 @@ production: allow_anonymous_certs: <%= @webapp['allow_anonymous_certs'].inspect %> limited_cert_prefix: "<%= cert_options['limited_prefix'] %>" unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>" + minimum_client_version: "<%= @webapp['client_version']['min'] %>" diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb b/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb deleted file mode 100644 index a0921add..00000000 --- a/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb +++ /dev/null @@ -1,9 +0,0 @@ -production: - prefix: "" - protocol: 'http' - host: <%= @couchdb_host %> - port: <%= @couchdb_port %> - auto_update_design_doc: false - username: <%= @couchdb_admin_user %> - password: <%= @couchdb_admin_password %> - 
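Review bot: `force_ssl: <%= @webapp['secure'] %>` renders an empty value when `secure` is absent from the webapp hash, which YAML reads as null and the application presumably passes to `config.force_ssl`, so a missing key silently downgrades the site that issues client certificates and carries `secret_token`-signed sessions to plain HTTP. Fail closed instead: `force_ssl: <%= @webapp['secure'].nil? ? true : @webapp['secure'] %>`, or raise in the template when the key is missing. `client_ca_key` now points at the key managed by `site_config::x509::client_ca::key`; the deleted `site_webapp::client_ca` gave that key `group => 'leap-webapp'`, so confirm the new class keeps it readable by that group and no wider, since the webapp signs client certificates with it.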
diff --git a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb index f08161ee..1fa01b96 100644 --- a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb +++ b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb @@ -1,16 +1,23 @@ listen bigcouch-in - mode http + mode http balance roundrobin - option httplog - option dontlognull - option httpchk GET / - option http-server-close - + option httplog + option dontlognull + option httpchk GET / # health check using simple get to root + option http-server-close # use client keep-alive, but close server connection. + option allbackups # balance among all backups, not just one. + bind localhost:4096 -<% for port in @local_ports -%> - server couchdb_<%=port%> localhost:<%=port%> check inter 3000 fastinter 1000 downinter 1000 rise 2 fall 1 -<% end -%> + default-server inter 3000 fastinter 1000 downinter 1000 rise 2 fall 1 + +<%- if @haproxy['servers'] -%> +<%- @haproxy['servers'].sort.each do |name,server| -%> +<%- backup = server['backup'] ? 'backup' : '' -%> + # <%=name%> + server couchdb_<%=server['port']%> <%=server['host']%>:<%=server['port']%> <%=backup%> weight <%=server['weight']%> check +<%- end -%> +<%- end -%> |
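Review bot: The new `server couchdb_<%=server['port']%> …` line names each backend by port only, so two CouchDB nodes listening on the same port on different hosts — the multi-node case this loop exists for — produce duplicate server names, which HAProxy warns about and newer versions reject, and which blurs per-server health and stats. The hash key is already unique, so use it: `server <%=name%> <%=server['host']%>:<%=server['port']%> <%=backup%> weight <%=server['weight']%> check`. `weight <%=server['weight']%>` also renders as a bare `weight` when an entry omits it, a config parse error; default it with `<%=server['weight'] || 1%>` or fail the template explicitly.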