summaryrefslogtreecommitdiff
path: root/puppet/modules/site_webapp
diff options
context:
space:
mode:
Diffstat (limited to 'puppet/modules/site_webapp')
-rw-r--r--puppet/modules/site_webapp/files/migrate_design_documents16
-rw-r--r--puppet/modules/site_webapp/manifests/apache.pp55
-rw-r--r--puppet/modules/site_webapp/manifests/client_ca.pp25
-rw-r--r--puppet/modules/site_webapp/manifests/couchdb.pp53
-rw-r--r--puppet/modules/site_webapp/manifests/cron.pp17
-rw-r--r--puppet/modules/site_webapp/manifests/haproxy.pp1
-rw-r--r--puppet/modules/site_webapp/manifests/init.pp99
-rw-r--r--puppet/modules/site_webapp/templates/config.yml.erb8
-rw-r--r--puppet/modules/site_webapp/templates/couchdb.yml.admin.erb9
-rw-r--r--puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb25
10 files changed, 116 insertions, 192 deletions
diff --git a/puppet/modules/site_webapp/files/migrate_design_documents b/puppet/modules/site_webapp/files/migrate_design_documents
deleted file mode 100644
index 6e24aa5b..00000000
--- a/puppet/modules/site_webapp/files/migrate_design_documents
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/bin/sh
-
-cd /srv/leap/webapp
-
-# use admin credentials
-cp config/couchdb.yml.admin config/couchdb.yml
-chown leap-webapp:leap-webapp config/couchdb.yml
-
-# needs to be run twice
-RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate
-RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate
-
-# use user credentials and remove admin credentials
-cp config/couchdb.yml.webapp config/couchdb.yml
-chown leap-webapp:leap-webapp config/couchdb.yml
-
diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp
index 8b340160..21243d34 100644
--- a/puppet/modules/site_webapp/manifests/apache.pp
+++ b/puppet/modules/site_webapp/manifests/apache.pp
@@ -4,61 +4,20 @@ class site_webapp::apache {
$api_domain = $web_api['domain']
$api_port = $web_api['port']
- $x509 = hiera('x509')
- $commercial_key = $x509['commercial_key']
- $commercial_cert = $x509['commercial_cert']
- $commercial_root = $x509['commercial_ca_cert']
- $api_key = $x509['key']
- $api_cert = $x509['cert']
- $api_root = $x509['ca_cert']
+ $web_domain = hiera('domain')
+ $domain_name = $web_domain['name']
- class { '::apache': no_default_site => true, ssl => true }
-
- apache::module {
- 'alias': ensure => present;
- 'rewrite': ensure => present;
- 'headers': ensure => present;
- }
+ include site_apache::common
+ include site_apache::module::headers
+ include site_apache::module::alias
+ include site_apache::module::expires
+ include site_apache::module::removeip
class { 'passenger': use_munin => false }
apache::vhost::file {
- 'leap_webapp':
- content => template('site_apache/vhosts.d/leap_webapp.conf.erb')
- }
-
- apache::vhost::file {
'api':
content => template('site_apache/vhosts.d/api.conf.erb')
}
- x509::key {
- 'leap_webapp':
- content => $commercial_key,
- notify => Service[apache];
-
- 'leap_api':
- content => $api_key,
- notify => Service[apache];
- }
-
- x509::cert {
- 'leap_webapp':
- content => $commercial_cert,
- notify => Service[apache];
-
- 'leap_api':
- content => $api_cert,
- notify => Service[apache];
- }
-
- x509::ca {
- 'leap_webapp':
- content => $commercial_root,
- notify => Service[apache];
-
- 'leap_api':
- content => $api_root,
- notify => Service[apache];
- }
}
diff --git a/puppet/modules/site_webapp/manifests/client_ca.pp b/puppet/modules/site_webapp/manifests/client_ca.pp
deleted file mode 100644
index 0d9b15d6..00000000
--- a/puppet/modules/site_webapp/manifests/client_ca.pp
+++ /dev/null
@@ -1,25 +0,0 @@
-##
-## This is for the special CA that is used exclusively for generating
-## client certificates by the webapp.
-##
-
-class site_webapp::client_ca {
- include x509::variables
-
- $x509 = hiera('x509')
- $cert_path = "${x509::variables::certs}/leap_client_ca.crt"
- $key_path = "${x509::variables::keys}/leap_client_ca.key"
-
- x509::key {
- 'leap_client_ca':
- source => $x509['client_ca_key'],
- group => 'leap-webapp',
- notify => Service[apache];
- }
-
- x509::cert {
- 'leap_client_ca':
- source => $x509['client_ca_cert'],
- notify => Service[apache];
- }
-}
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index b4ef0980..ff743fba 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -4,8 +4,6 @@ class site_webapp::couchdb {
# haproxy listener on port localhost:4096, see site_webapp::haproxy
$couchdb_host = 'localhost'
$couchdb_port = '4096'
- $couchdb_admin_user = $webapp['couchdb_admin_user']['username']
- $couchdb_admin_password = $webapp['couchdb_admin_user']['password']
$couchdb_webapp_user = $webapp['couchdb_webapp_user']['username']
$couchdb_webapp_password = $webapp['couchdb_webapp_user']['password']
@@ -14,65 +12,38 @@ class site_webapp::couchdb {
$couch_client_connect = $couch_client['connect']
include x509::variables
- $x509 = hiera('x509')
- $key = $x509['key']
- $cert = $x509['cert']
- $ca = $x509['ca_cert']
- $cert_name = 'leap_couchdb'
- $ca_name = 'leap_ca'
- $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt"
- $cert_path = "${x509::variables::certs}/${cert_name}.crt"
- $key_path = "${x509::variables::keys}/${cert_name}.key"
file {
- '/srv/leap/webapp/config/couchdb.yml.admin':
- content => template('site_webapp/couchdb.yml.admin.erb'),
+ '/srv/leap/webapp/config/couchdb.yml':
+ content => template('site_webapp/couchdb.yml.erb'),
owner => leap-webapp,
group => leap-webapp,
mode => '0600',
require => Vcsrepo['/srv/leap/webapp'];
- '/srv/leap/webapp/config/couchdb.yml.webapp':
- content => template('site_webapp/couchdb.yml.erb'),
+ '/srv/leap/webapp/log':
+ ensure => directory,
owner => leap-webapp,
group => leap-webapp,
- mode => '0600',
+ mode => '0755',
require => Vcsrepo['/srv/leap/webapp'];
- '/srv/leap/webapp/logs/production.log':
+ '/srv/leap/webapp/log/production.log':
+ ensure => present,
owner => leap-webapp,
group => leap-webapp,
mode => '0666',
require => Vcsrepo['/srv/leap/webapp'];
-
- '/usr/local/sbin/migrate_design_documents':
- source => 'puppet:///modules/site_webapp/migrate_design_documents',
- owner => root,
- group => root,
- mode => '0744';
}
- class { 'site_stunnel::setup':
- cert_name => $cert_name,
- key => $key,
- cert => $cert,
- ca_name => $ca_name,
- ca => $ca
- }
-
- exec { 'migrate_design_documents':
- cwd => '/srv/leap/webapp',
- command => '/usr/local/sbin/migrate_design_documents',
- require => Exec['bundler_update'],
- notify => Service['apache'];
- }
+ include site_stunnel
$couchdb_stunnel_client_defaults = {
'connect_port' => $couch_client_connect,
- 'client' => true,
- 'cafile' => $ca_path,
- 'key' => $key_path,
- 'cert' => $cert_path,
+ 'client' => true,
+ 'cafile' => "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt",
+ 'key' => "${x509::variables::keys}/${site_config::params::cert_name}.key",
+ 'cert' => "${x509::variables::certs}/${site_config::params::cert_name}.crt",
}
create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults)
diff --git a/puppet/modules/site_webapp/manifests/cron.pp b/puppet/modules/site_webapp/manifests/cron.pp
new file mode 100644
index 00000000..811ad11d
--- /dev/null
+++ b/puppet/modules/site_webapp/manifests/cron.pp
@@ -0,0 +1,17 @@
+class site_webapp::cron {
+
+ # cron tasks that need to be performed to cleanup the database
+ cron {
+ 'remove_expired_sessions':
+ command => 'cd /srv/leap/webapp && bundle exec rake cleanup:sessions',
+ environment => 'RAILS_ENV=production',
+ hour => 2,
+ minute => 30;
+
+ 'remove_expired_tokens':
+ command => 'cd /srv/leap/webapp && bundle exec rake cleanup:tokens',
+ environment => 'RAILS_ENV=production',
+ hour => 3,
+ minute => 0;
+ }
+}
diff --git a/puppet/modules/site_webapp/manifests/haproxy.pp b/puppet/modules/site_webapp/manifests/haproxy.pp
index 4a7e3c25..b69c69da 100644
--- a/puppet/modules/site_webapp/manifests/haproxy.pp
+++ b/puppet/modules/site_webapp/manifests/haproxy.pp
@@ -3,7 +3,6 @@ class site_webapp::haproxy {
include site_haproxy
$haproxy = hiera('haproxy')
- $local_ports = $haproxy['local_ports']
# Template uses $global_options, $defaults_options
concat::fragment { 'leap_haproxy_webapp_couchdb':
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index e743dc07..d02a7261 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -11,11 +11,18 @@ class site_webapp {
$api_version = $webapp['api_version']
$secret_token = $webapp['secret_token']
- include site_config::ruby
+ Class['site_config::default'] -> Class['site_webapp']
+
+ include site_config::ruby::dev
include site_webapp::apache
include site_webapp::couchdb
- include site_webapp::client_ca
include site_webapp::haproxy
+ include site_webapp::cron
+ include site_config::x509::cert
+ include site_config::x509::key
+ include site_config::x509::ca
+ include site_config::x509::client_ca::ca
+ include site_config::x509::client_ca::key
group { 'leap-webapp':
ensure => present,
@@ -31,19 +38,12 @@ class site_webapp {
require => [ Group['leap-webapp'] ];
}
- file { '/srv/leap/webapp':
- ensure => directory,
- owner => 'leap-webapp',
- group => 'leap-webapp',
- require => User['leap-webapp'];
- }
-
vcsrepo { '/srv/leap/webapp':
ensure => present,
force => true,
- revision => 'origin/master',
+ revision => $webapp['git']['revision'],
provider => git,
- source => 'git://code.leap.se/leap_web',
+ source => $webapp['git']['source'],
owner => 'leap-webapp',
group => 'leap-webapp',
require => [ User['leap-webapp'], Group['leap-webapp'] ],
@@ -56,38 +56,58 @@ class site_webapp {
unless => '/usr/bin/bundle check',
user => 'leap-webapp',
timeout => 600,
- require => [ Class['bundler::install'], Vcsrepo['/srv/leap/webapp'] ],
+ require => [
+ Class['bundler::install'],
+ Vcsrepo['/srv/leap/webapp'],
+ Class['site_config::ruby::dev'],
+ Service['shorewall'] ],
notify => Service['apache'];
}
+ #
+ # NOTE: in order to support a webapp that is running on a subpath and not the
+ # root of the domain assets:precompile needs to be run with
+ # RAILS_RELATIVE_URL_ROOT=/application-root
+ #
+
exec { 'compile_assets':
- cwd => '/srv/leap/webapp',
- command => '/bin/bash -c "/usr/bin/bundle exec rake assets:precompile"',
- user => 'leap-webapp',
- require => Exec['bundler_update'],
- notify => Service['apache'];
+ cwd => '/srv/leap/webapp',
+ command => '/bin/bash -c "RAILS_ENV=production /usr/bin/bundle exec rake assets:precompile"',
+ user => 'leap-webapp',
+ logoutput => on_failure,
+ require => Exec['bundler_update'],
+ notify => Service['apache'];
}
file {
- '/srv/leap/webapp/public/provider.json':
+ '/srv/leap/webapp/config/provider':
+ ensure => directory,
+ require => Vcsrepo['/srv/leap/webapp'],
+ owner => leap-webapp, group => leap-webapp, mode => '0755';
+
+ '/srv/leap/webapp/config/provider/provider.json':
content => $provider,
require => Vcsrepo['/srv/leap/webapp'],
owner => leap-webapp, group => leap-webapp, mode => '0644';
+ # old provider.json location. this can be removed after everyone upgrades.
+ '/srv/leap/webapp/public/provider.json':
+ ensure => absent;
+
'/srv/leap/webapp/public/ca.crt':
ensure => link,
require => Vcsrepo['/srv/leap/webapp'],
- target => '/usr/local/share/ca-certificates/leap_api.crt';
+ target => "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt";
"/srv/leap/webapp/public/${api_version}":
- ensure => directory,
+ ensure => directory,
require => Vcsrepo['/srv/leap/webapp'],
- owner => leap-webapp, group => leap-webapp, mode => '0755';
+ owner => leap-webapp, group => leap-webapp, mode => '0755';
"/srv/leap/webapp/public/${api_version}/config/":
- ensure => directory,
+ ensure => directory,
require => Vcsrepo['/srv/leap/webapp'],
- owner => leap-webapp, group => leap-webapp, mode => '0755';
+ owner => leap-webapp, group => leap-webapp, mode => '0755';
"/srv/leap/webapp/public/${api_version}/config/eip-service.json":
content => $eip_service,
@@ -106,25 +126,24 @@ class site_webapp {
}
try::file {
- '/srv/leap/webapp/public/favicon.ico':
- ensure => 'link',
- require => Vcsrepo['/srv/leap/webapp'],
- target => $webapp['favicon'];
-
- '/srv/leap/webapp/app/assets/stylesheets/tail.scss':
- ensure => 'link',
- require => Vcsrepo['/srv/leap/webapp'],
- target => $webapp['tail_scss'];
-
- '/srv/leap/webapp/app/assets/stylesheets/head.scss':
- ensure => 'link',
+ '/srv/leap/webapp/config/customization':
+ ensure => directory,
+ recurse => true,
+ purge => true,
+ force => true,
+ owner => leap-webapp,
+ group => leap-webapp,
+ mode => 'u=rwX,go=rX',
require => Vcsrepo['/srv/leap/webapp'],
- target => $webapp['head_scss'];
+ notify => Exec['compile_assets'],
+ source => $webapp['customization_dir'];
+ }
- '/srv/leap/webapp/public/img':
- ensure => 'link',
+ git::changes {
+ 'public/favicon.ico':
+ cwd => '/srv/leap/webapp',
require => Vcsrepo['/srv/leap/webapp'],
- target => $webapp['img_dir'];
+ user => 'leap-webapp';
}
file {
@@ -138,5 +157,5 @@ class site_webapp {
}
include site_shorewall::webapp
-
+ include site_check_mk::agent::webapp
}
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb
index df562cd9..98f8564e 100644
--- a/puppet/modules/site_webapp/templates/config.yml.erb
+++ b/puppet/modules/site_webapp/templates/config.yml.erb
@@ -1,9 +1,10 @@
<%- cert_options = @webapp['client_certificates'] -%>
production:
- admins: [admin]
+ admins: <%= @webapp['admins'].inspect %>
domain: <%= @provider_domain %>
- client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %>
- client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %>
+ force_ssl: <%= @webapp['secure'] %>
+ client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.key
+ client_ca_cert: <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.crt
secret_token: "<%= @secret_token %>"
client_cert_lifespan: <%= cert_options['life_span'].to_i %>
client_cert_bit_size: <%= cert_options['bit_size'].to_i %>
@@ -13,3 +14,4 @@ production:
allow_anonymous_certs: <%= @webapp['allow_anonymous_certs'].inspect %>
limited_cert_prefix: "<%= cert_options['limited_prefix'] %>"
unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>"
+ minimum_client_version: "<%= @webapp['client_version']['min'] %>"
diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb b/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb
deleted file mode 100644
index a0921add..00000000
--- a/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb
+++ /dev/null
@@ -1,9 +0,0 @@
-production:
- prefix: ""
- protocol: 'http'
- host: <%= @couchdb_host %>
- port: <%= @couchdb_port %>
- auto_update_design_doc: false
- username: <%= @couchdb_admin_user %>
- password: <%= @couchdb_admin_password %>
-
diff --git a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb
index f08161ee..1fa01b96 100644
--- a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb
+++ b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb
@@ -1,16 +1,23 @@
listen bigcouch-in
- mode http
+ mode http
balance roundrobin
- option httplog
- option dontlognull
- option httpchk GET /
- option http-server-close
-
+ option httplog
+ option dontlognull
+ option httpchk GET / # health check using simple get to root
+ option http-server-close # use client keep-alive, but close server connection.
+ option allbackups # balance among all backups, not just one.
+
bind localhost:4096
-<% for port in @local_ports -%>
- server couchdb_<%=port%> localhost:<%=port%> check inter 3000 fastinter 1000 downinter 1000 rise 2 fall 1
-<% end -%>
+ default-server inter 3000 fastinter 1000 downinter 1000 rise 2 fall 1
+
+<%- if @haproxy['servers'] -%>
+<%- @haproxy['servers'].sort.each do |name,server| -%>
+<%- backup = server['backup'] ? 'backup' : '' -%>
+ # <%=name%>
+ server couchdb_<%=server['port']%> <%=server['host']%>:<%=server['port']%> <%=backup%> weight <%=server['weight']%> check
+<%- end -%>
+<%- end -%>