Diffstat (limited to 'puppet/modules/site_webapp')
-rw-r--r--puppet/modules/site_webapp/manifests/apache.pp65
-rw-r--r--puppet/modules/site_webapp/manifests/client_ca.pp25
-rw-r--r--puppet/modules/site_webapp/manifests/couchdb.pp16
-rw-r--r--puppet/modules/site_webapp/manifests/init.pp117
-rw-r--r--puppet/modules/site_webapp/templates/config.yml.erb5
-rw-r--r--puppet/modules/site_webapp/templates/couchdb.yml.erb8
6 files changed, 236 insertions, 0 deletions
diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp
new file mode 100644
index 00000000..554b9147
--- /dev/null
+++ b/puppet/modules/site_webapp/manifests/apache.pp
@@ -0,0 +1,65 @@
+class site_webapp::apache {
+
+ $web_api = hiera('api')
+ $api_domain = $web_api['domain']
+ $api_port = $web_api['port']
+
+ $x509 = hiera('x509')
+ $commercial_key = $x509['commercial_key']
+ $commercial_cert = $x509['commercial_cert']
+ $commercial_root = $x509['commercial_ca_cert']
+ $api_key = $x509['key']
+ $api_cert = $x509['cert']
+ $api_root = $x509['ca_cert']
+
+ $apache_no_default_site = true
+ include apache::ssl
+
+ apache::module {
+ 'alias': ensure => present;
+ 'rewrite': ensure => present;
+ 'headers': ensure => present;
+ }
+
+ class { 'passenger': use_munin => false }
+
+ apache::vhost::file {
+ 'leap_webapp':
+ content => template('site_apache/vhosts.d/leap_webapp.conf.erb')
+ }
+
+ apache::vhost::file {
+ 'api':
+ content => template('site_apache/vhosts.d/api.conf.erb')
+ }
+
+ x509::key {
+ 'leap_webapp':
+ content => $commercial_key,
+ notify => Service[apache];
+
+ 'leap_api':
+ content => $api_key,
+ notify => Service[apache];
+ }
+
+ x509::cert {
+ 'leap_webapp':
+ content => $commercial_cert,
+ notify => Service[apache];
+
+ 'leap_api':
+ content => $api_cert,
+ notify => Service[apache];
+ }
+
+ x509::ca {
+ 'leap_webapp':
+ content => $commercial_root,
+ notify => Service[apache];
+
+ 'leap_api':
+ content => $api_root,
+ notify => Service[apache];
+ }
+}
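Review bot: `$apache_no_default_site = true` set just before `include apache::ssl` only has an effect if the apache module picks the variable up through dynamic scope, which later Puppet releases no longer resolve. The apache module is not visible here, but if the lookup silently returns nothing the default site would presumably stay enabled next to the two vhosts, so pass the flag as a class parameter or hiera key instead. A comment above the `$x509` lookups would also help, for example `# commercial_* serves the leap_webapp vhost; key/cert/ca_cert serve the api vhost`. `Service[apache]` is unquoted in this file while init.pp writes `Service['apache']`.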
diff --git a/puppet/modules/site_webapp/manifests/client_ca.pp b/puppet/modules/site_webapp/manifests/client_ca.pp
new file mode 100644
index 00000000..0d9b15d6
--- /dev/null
+++ b/puppet/modules/site_webapp/manifests/client_ca.pp
@@ -0,0 +1,25 @@
+##
+## This is for the special CA that is used exclusively for generating
+## client certificates by the webapp.
+##
+
+class site_webapp::client_ca {
+ include x509::variables
+
+ $x509 = hiera('x509')
+ $cert_path = "${x509::variables::certs}/leap_client_ca.crt"
+ $key_path = "${x509::variables::keys}/leap_client_ca.key"
+
+ x509::key {
+ 'leap_client_ca':
+ source => $x509['client_ca_key'],
+ group => 'leap-webapp',
+ notify => Service[apache];
+ }
+
+ x509::cert {
+ 'leap_client_ca':
+ source => $x509['client_ca_cert'],
+ notify => Service[apache];
+ }
+}
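Review bot: The `x509::key` resource for `leap_client_ca` sets `group => 'leap-webapp'` without requiring `Group['leap-webapp']`, which is declared in init.pp, so on a first run the key could be managed before the group exists. Adding `require => Group['leap-webapp'],` to that resource makes the order explicit. The group ownership presumably exists so the web application can read a CA signing key. The header comment should say that and name the file mode expected from `x509::key`, whose definition is not visible here.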
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
new file mode 100644
index 00000000..6cac666f
--- /dev/null
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -0,0 +1,16 @@
+class site_webapp::couchdb {
+
+ $webapp = hiera('webapp')
+ $couchdb_host = $webapp['couchdb_hosts']
+ $couchdb_user = $webapp['couchdb_user']['username']
+ $couchdb_password = $webapp['couchdb_user']['password']
+
+ file {
+ '/srv/leap-webapp/config/couchdb.yml':
+ content => template('site_webapp/couchdb.yml.erb'),
+ owner => leap-webapp,
+ group => leap-webapp,
+ mode => '0600';
+ }
+
+}
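Review bot: The `file` resource for `/srv/leap-webapp/config/couchdb.yml` has no `require`, so nothing orders it after `Vcsrepo['/srv/leap-webapp']` or `User['leap-webapp']` from init.pp. On a fresh node the `config` directory may not exist yet, or the owner may not have been created. Adding `require => Vcsrepo['/srv/leap-webapp'],` fixes the order, and `notify => Service['apache'],` is presumably needed for the app to pick up changed credentials. The `config.yml` resource at the end of init.pp has the same gap. Quoting the `leap-webapp` owner and group values would match the `user` and `vcsrepo` resources.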
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
new file mode 100644
index 00000000..e8134521
--- /dev/null
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -0,0 +1,117 @@
+class site_webapp {
+ tag 'leap_service'
+ $definition_files = hiera('definition_files')
+ $provider = $definition_files['provider']
+ $eip_service = $definition_files['eip_service']
+ $node_domain = hiera('domain')
+ $provider_domain = $node_domain['full_suffix']
+ $webapp = hiera('webapp')
+
+ Class[Ruby] -> Class[rubygems] -> Class[bundler::install]
+
+ class { 'ruby': ruby_version => '1.9.3' }
+
+ class { 'bundler::install': install_method => 'package' }
+
+ include rubygems
+ include site_webapp::apache
+ include site_webapp::couchdb
+ include site_webapp::client_ca
+
+ group { 'leap-webapp':
+ ensure => present,
+ allowdupe => false;
+ }
+
+ user { 'leap-webapp':
+ ensure => present,
+ allowdupe => false,
+ gid => 'leap-webapp',
+ groups => 'ssl-cert',
+ home => '/srv/leap-webapp',
+ require => [ Group['leap-webapp'] ];
+ }
+
+ file { '/srv/leap-webapp':
+ ensure => directory,
+ owner => 'leap-webapp',
+ group => 'leap-webapp',
+ require => User['leap-webapp'];
+ }
+
+ vcsrepo { '/srv/leap-webapp':
+ ensure => present,
+ revision => 'origin/master',
+ provider => git,
+ source => 'git://code.leap.se/leap_web',
+ owner => 'leap-webapp',
+ group => 'leap-webapp',
+ require => [ User['leap-webapp'], Group['leap-webapp'] ],
+ notify => Exec['bundler_update']
+ }
+
+ exec { 'bundler_update':
+ cwd => '/srv/leap-webapp',
+ command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle"',
+ unless => '/usr/bin/bundle check',
+ user => 'leap-webapp',
+ timeout => 600,
+ require => [ Class['bundler::install'], Vcsrepo['/srv/leap-webapp'] ],
+ notify => Service['apache'];
+ }
+
+ exec { 'compile_assets':
+ cwd => '/srv/leap-webapp',
+ command => '/bin/bash -c "/usr/bin/bundle exec rake assets:precompile"',
+ user => 'leap-webapp',
+ require => Exec['bundler_update'],
+ notify => Service['apache'];
+ }
+
+ file {
+ '/srv/leap-webapp/public/provider.json':
+ content => $provider,
+ owner => leap-webapp, group => leap-webapp, mode => '0644';
+
+ '/srv/leap-webapp/public/ca.crt':
+ ensure => link,
+ target => '/usr/local/share/ca-certificates/leap_api.crt';
+
+ '/srv/leap-webapp/public/config':
+ ensure => directory,
+ owner => leap-webapp, group => leap-webapp, mode => '0755';
+
+ '/srv/leap-webapp/public/config/eip-service.json':
+ content => $eip_service,
+ owner => leap-webapp, group => leap-webapp, mode => '0644';
+ }
+
+ try::file {
+ '/srv/leap-webapp/public/favicon.ico':
+ ensure => 'link',
+ target => $webapp['favicon'];
+
+ '/srv/leap-webapp/app/assets/stylesheets/tail.scss':
+ ensure => 'link',
+ target => $webapp['tail_scss'];
+
+ '/srv/leap-webapp/app/assets/stylesheets/head.scss':
+ ensure => 'link',
+ target => $webapp['head_scss'];
+
+ '/srv/leap-webapp/public/img':
+ ensure => 'link',
+ target => $webapp['img_dir'];
+ }
+
+ file {
+ '/srv/leap-webapp/config/config.yml':
+ content => template('site_webapp/config.yml.erb'),
+ owner => leap-webapp,
+ group => leap-webapp,
+ mode => '0600';
+ }
+
+ include site_shorewall::webapp
+
+}
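Review bot: The `vcsrepo` resource deploys `origin/master` from `git://code.leap.se/leap_web`, a transport with no authentication or integrity protection, and `bundler_update` and `compile_assets` then run that checkout as `leap-webapp`. Anyone able to tamper with the connection, or any unreviewed push to master, changes the code running on a host that also holds the client CA key from `site_webapp::client_ca`. Pin the checkout with `revision => '<reviewed-tag-or-commit>',` and fetch over an authenticated transport if the server offers one. Separately, `compile_assets` has no `refreshonly => true` or `unless`, so it appears to run and notify apache on every Puppet run.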
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb
new file mode 100644
index 00000000..9cf85f0c
--- /dev/null
+++ b/puppet/modules/site_webapp/templates/config.yml.erb
@@ -0,0 +1,5 @@
+production:
+ admins: [admin]
+ domain: <%= @provider_domain %>
+ client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %>
+ client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %>
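Review bot: `admins: [admin]` hard-codes the administrator login in the template instead of taking it from the `webapp` hiera data that init.pp already loads into `$webapp`. If the webapp treats this as a list of usernames and allows open sign-up (neither is visible here), whoever holds the login `admin` gets admin rights on every provider deployed from this module. Render the list from a provider-supplied hiera value, and add a comment such as `# admins: logins granted admin rights in the webapp; set per provider`.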
diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb
new file mode 100644
index 00000000..ee521713
--- /dev/null
+++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb
@@ -0,0 +1,8 @@
+production:
+ prefix: ""
+ protocol: 'https'
+ host: <%= @couchdb_host %>
+ port: 6984
+ username: <%= @couchdb_user %>
+ password: <%= @couchdb_password %>
+
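Review bot: `password: <%= @couchdb_password %>` writes the secret into YAML unquoted, so a password containing `#`, `: ` or a leading quote or bracket is truncated or mis-parsed when the file is loaded. Emit it as a single-quoted scalar with embedded quotes doubled, `password: '<%= @couchdb_password.to_s.gsub("'", "''") %>'`, and do the same for `username`. `host` is filled from `$webapp['couchdb_hosts']` in couchdb.pp, so if that key holds a list this line will not render a single hostname.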