Diffstat (limited to 'puppet/modules/site_webapp')
-rw-r--r--puppet/modules/site_webapp/files/migrate_design_documents16
-rw-r--r--puppet/modules/site_webapp/manifests/apache.pp3
-rw-r--r--puppet/modules/site_webapp/manifests/couchdb.pp75
-rw-r--r--puppet/modules/site_webapp/manifests/haproxy.pp14
-rw-r--r--puppet/modules/site_webapp/manifests/init.pp95
-rw-r--r--puppet/modules/site_webapp/templates/config.yml.erb10
-rw-r--r--puppet/modules/site_webapp/templates/couchdb.yml.admin.erb9
-rw-r--r--puppet/modules/site_webapp/templates/couchdb.yml.erb9
-rw-r--r--puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb16
9 files changed, 200 insertions, 47 deletions
diff --git a/puppet/modules/site_webapp/files/migrate_design_documents b/puppet/modules/site_webapp/files/migrate_design_documents
new file mode 100644
index 00000000..6e24aa5b
--- /dev/null
+++ b/puppet/modules/site_webapp/files/migrate_design_documents
@@ -0,0 +1,16 @@
+#!/bin/sh
+
+cd /srv/leap/webapp
+
+# use admin credentials
+cp config/couchdb.yml.admin config/couchdb.yml
+chown leap-webapp:leap-webapp config/couchdb.yml
+
+# needs to be run twice
+RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate
+RAILS_ENV=production /usr/bin/bundle exec rake couchrest:migrate
+
+# use user credentials and remove admin credentials
+cp config/couchdb.yml.webapp config/couchdb.yml
+chown leap-webapp:leap-webapp config/couchdb.yml
+
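Review bot: The script has no failure handling, so if the `cd` on line 26 or either rake run fails, the admin credentials copied into `config/couchdb.yml` on line 29 stay in place for the web application to use until the next successful run. A `set -e` plus an EXIT trap that restores the webapp credentials makes the admin file's lifetime end with the script regardless of outcome, and it replaces the final cp/chown pair; on first creation `cp` also leaves the mode of the new couchdb.yml to the caller's umask, so an explicit `chmod 0600` is worth adding. The exec in couchdb.pp sets no `user`, so this runs (and runs rake) as root — worth confirming that is intended rather than `su` to leap-webapp.
```sh
#!/bin/sh
set -e
cd /srv/leap/webapp

# restore the webapp credentials whether or not the migration succeeded
restore_webapp_config() {
    cp config/couchdb.yml.webapp config/couchdb.yml
    chown leap-webapp:leap-webapp config/couchdb.yml
    chmod 0600 config/couchdb.yml
}
trap restore_webapp_config EXIT
# … unchanged: copy admin credentials, two rake couchrest:migrate runs …
```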
diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp
index 554b9147..8b340160 100644
--- a/puppet/modules/site_webapp/manifests/apache.pp
+++ b/puppet/modules/site_webapp/manifests/apache.pp
@@ -12,8 +12,7 @@ class site_webapp::apache {
$api_cert = $x509['cert']
$api_root = $x509['ca_cert']
- $apache_no_default_site = true
- include apache::ssl
+ class { '::apache': no_default_site => true, ssl => true }
apache::module {
'alias': ensure => present;
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index 6cac666f..b4ef0980 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -1,16 +1,79 @@
class site_webapp::couchdb {
- $webapp = hiera('webapp')
- $couchdb_host = $webapp['couchdb_hosts']
- $couchdb_user = $webapp['couchdb_user']['username']
- $couchdb_password = $webapp['couchdb_user']['password']
+ $webapp = hiera('webapp')
+ # haproxy listener on port localhost:4096, see site_webapp::haproxy
+ $couchdb_host = 'localhost'
+ $couchdb_port = '4096'
+ $couchdb_admin_user = $webapp['couchdb_admin_user']['username']
+ $couchdb_admin_password = $webapp['couchdb_admin_user']['password']
+ $couchdb_webapp_user = $webapp['couchdb_webapp_user']['username']
+ $couchdb_webapp_password = $webapp['couchdb_webapp_user']['password']
+
+ $stunnel = hiera('stunnel')
+ $couch_client = $stunnel['couch_client']
+ $couch_client_connect = $couch_client['connect']
+
+ include x509::variables
+ $x509 = hiera('x509')
+ $key = $x509['key']
+ $cert = $x509['cert']
+ $ca = $x509['ca_cert']
+ $cert_name = 'leap_couchdb'
+ $ca_name = 'leap_ca'
+ $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt"
+ $cert_path = "${x509::variables::certs}/${cert_name}.crt"
+ $key_path = "${x509::variables::keys}/${cert_name}.key"
file {
- '/srv/leap-webapp/config/couchdb.yml':
+ '/srv/leap/webapp/config/couchdb.yml.admin':
+ content => template('site_webapp/couchdb.yml.admin.erb'),
+ owner => leap-webapp,
+ group => leap-webapp,
+ mode => '0600',
+ require => Vcsrepo['/srv/leap/webapp'];
+
+ '/srv/leap/webapp/config/couchdb.yml.webapp':
content => template('site_webapp/couchdb.yml.erb'),
owner => leap-webapp,
group => leap-webapp,
- mode => '0600';
+ mode => '0600',
+ require => Vcsrepo['/srv/leap/webapp'];
+
+ '/srv/leap/webapp/logs/production.log':
+ owner => leap-webapp,
+ group => leap-webapp,
+ mode => '0666',
+ require => Vcsrepo['/srv/leap/webapp'];
+
+ '/usr/local/sbin/migrate_design_documents':
+ source => 'puppet:///modules/site_webapp/migrate_design_documents',
+ owner => root,
+ group => root,
+ mode => '0744';
+ }
+
+ class { 'site_stunnel::setup':
+ cert_name => $cert_name,
+ key => $key,
+ cert => $cert,
+ ca_name => $ca_name,
+ ca => $ca
+ }
+
+ exec { 'migrate_design_documents':
+ cwd => '/srv/leap/webapp',
+ command => '/usr/local/sbin/migrate_design_documents',
+ require => Exec['bundler_update'],
+ notify => Service['apache'];
+ }
+
+ $couchdb_stunnel_client_defaults = {
+ 'connect_port' => $couch_client_connect,
+ 'client' => true,
+ 'cafile' => $ca_path,
+ 'key' => $key_path,
+ 'cert' => $cert_path,
}
+ create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults)
}
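Review bot: `/srv/leap/webapp/config/couchdb.yml.admin` is created with `owner => leap-webapp` and mode 0600, so the web application user can read the CouchDB admin password and the separate `couchdb_webapp_user` gives no privilege separation. The migration exec sets no `user`, so it runs as root and can read a root-owned file; `owner => root, group => root, mode => '0600'` on the admin template would keep the admin password out of the web app's reach (the script's `chown` of the copied file would need the same treatment). `/srv/leap/webapp/logs/production.log` with `mode => '0666'` is world-writable, letting any local account append to or corrupt the log; `'0640'` is enough for the leap-webapp owner. The exec also has no `unless`, `creates` or `refreshonly`, so as written it appears to repeat the migration and the credential swap on every Puppet run — presumably `refreshonly => true` with a `subscribe` on the vcsrepo or bundler exec is what is wanted.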
diff --git a/puppet/modules/site_webapp/manifests/haproxy.pp b/puppet/modules/site_webapp/manifests/haproxy.pp
new file mode 100644
index 00000000..4a7e3c25
--- /dev/null
+++ b/puppet/modules/site_webapp/manifests/haproxy.pp
@@ -0,0 +1,14 @@
+class site_webapp::haproxy {
+
+ include site_haproxy
+
+ $haproxy = hiera('haproxy')
+ $local_ports = $haproxy['local_ports']
+
+ # Template uses $global_options, $defaults_options
+ concat::fragment { 'leap_haproxy_webapp_couchdb':
+ target => '/etc/haproxy/haproxy.cfg',
+ order => '20',
+ content => template('site_webapp/haproxy_couchdb.cfg.erb'),
+ }
+}
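Review bot: The comment on line 152 says the template uses `$global_options` and `$defaults_options`, but `haproxy_couchdb.cfg.erb` as added in this commit only reads `@local_ports`; `# Template uses $local_ports (one backend server per port)` would describe what it does. The listener port is also hard-coded as `localhost:4096` in the template while `site_webapp::couchdb` repeats the same value in `$couchdb_port`; passing the port from one place into both would keep the two from drifting apart.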
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index e8134521..e743dc07 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -3,20 +3,19 @@ class site_webapp {
$definition_files = hiera('definition_files')
$provider = $definition_files['provider']
$eip_service = $definition_files['eip_service']
+ $soledad_service = $definition_files['soledad_service']
+ $smtp_service = $definition_files['smtp_service']
$node_domain = hiera('domain')
$provider_domain = $node_domain['full_suffix']
$webapp = hiera('webapp')
+ $api_version = $webapp['api_version']
+ $secret_token = $webapp['secret_token']
- Class[Ruby] -> Class[rubygems] -> Class[bundler::install]
-
- class { 'ruby': ruby_version => '1.9.3' }
-
- class { 'bundler::install': install_method => 'package' }
-
- include rubygems
+ include site_config::ruby
include site_webapp::apache
include site_webapp::couchdb
include site_webapp::client_ca
+ include site_webapp::haproxy
group { 'leap-webapp':
ensure => present,
@@ -28,19 +27,20 @@ class site_webapp {
allowdupe => false,
gid => 'leap-webapp',
groups => 'ssl-cert',
- home => '/srv/leap-webapp',
+ home => '/srv/leap/webapp',
require => [ Group['leap-webapp'] ];
}
- file { '/srv/leap-webapp':
+ file { '/srv/leap/webapp':
ensure => directory,
owner => 'leap-webapp',
group => 'leap-webapp',
require => User['leap-webapp'];
}
- vcsrepo { '/srv/leap-webapp':
+ vcsrepo { '/srv/leap/webapp':
ensure => present,
+ force => true,
revision => 'origin/master',
provider => git,
source => 'git://code.leap.se/leap_web',
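Review bot: `force => true` on the vcsrepo makes Puppet discard local modifications in `/srv/leap/webapp` whenever the checkout differs, and this module writes generated files into that tree (`config/couchdb.yml`, `public/${api_version}/…`); presumably untracked files survive a forced reset, but that is worth confirming before relying on it. Combined with the unchanged `revision => 'origin/master'` over an unauthenticated `git://` transport, every Puppet run deploys whatever the remote currently serves with no integrity check; pinning a tag or commit, or using an authenticated transport, would bound what a network-level change can deliver. A comment stating why force is needed would help, e.g. `force => true, # the checkout is fully managed; local edits are overwritten`. The class body continues outside this hunk.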
@@ -51,17 +51,17 @@ class site_webapp {
}
exec { 'bundler_update':
- cwd => '/srv/leap-webapp',
- command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle"',
+ cwd => '/srv/leap/webapp',
+ command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle --without test development"',
unless => '/usr/bin/bundle check',
user => 'leap-webapp',
timeout => 600,
- require => [ Class['bundler::install'], Vcsrepo['/srv/leap-webapp'] ],
+ require => [ Class['bundler::install'], Vcsrepo['/srv/leap/webapp'] ],
notify => Service['apache'];
}
exec { 'compile_assets':
- cwd => '/srv/leap-webapp',
+ cwd => '/srv/leap/webapp',
command => '/bin/bash -c "/usr/bin/bundle exec rake assets:precompile"',
user => 'leap-webapp',
require => Exec['bundler_update'],
@@ -69,47 +69,72 @@ class site_webapp {
}
file {
- '/srv/leap-webapp/public/provider.json':
+ '/srv/leap/webapp/public/provider.json':
content => $provider,
+ require => Vcsrepo['/srv/leap/webapp'],
owner => leap-webapp, group => leap-webapp, mode => '0644';
- '/srv/leap-webapp/public/ca.crt':
+ '/srv/leap/webapp/public/ca.crt':
ensure => link,
+ require => Vcsrepo['/srv/leap/webapp'],
target => '/usr/local/share/ca-certificates/leap_api.crt';
- '/srv/leap-webapp/public/config':
+ "/srv/leap/webapp/public/${api_version}":
ensure => directory,
+ require => Vcsrepo['/srv/leap/webapp'],
owner => leap-webapp, group => leap-webapp, mode => '0755';
- '/srv/leap-webapp/public/config/eip-service.json':
+ "/srv/leap/webapp/public/${api_version}/config/":
+ ensure => directory,
+ require => Vcsrepo['/srv/leap/webapp'],
+ owner => leap-webapp, group => leap-webapp, mode => '0755';
+
+ "/srv/leap/webapp/public/${api_version}/config/eip-service.json":
content => $eip_service,
+ require => Vcsrepo['/srv/leap/webapp'],
owner => leap-webapp, group => leap-webapp, mode => '0644';
- }
- try::file {
- '/srv/leap-webapp/public/favicon.ico':
- ensure => 'link',
- target => $webapp['favicon'];
-
- '/srv/leap-webapp/app/assets/stylesheets/tail.scss':
- ensure => 'link',
- target => $webapp['tail_scss'];
+ "/srv/leap/webapp/public/${api_version}/config/soledad-service.json":
+ content => $soledad_service,
+ require => Vcsrepo['/srv/leap/webapp'],
+ owner => leap-webapp, group => leap-webapp, mode => '0644';
- '/srv/leap-webapp/app/assets/stylesheets/head.scss':
- ensure => 'link',
- target => $webapp['head_scss'];
+ "/srv/leap/webapp/public/${api_version}/config/smtp-service.json":
+ content => $smtp_service,
+ require => Vcsrepo['/srv/leap/webapp'],
+ owner => leap-webapp, group => leap-webapp, mode => '0644';
+ }
- '/srv/leap-webapp/public/img':
- ensure => 'link',
- target => $webapp['img_dir'];
+ try::file {
+ '/srv/leap/webapp/public/favicon.ico':
+ ensure => 'link',
+ require => Vcsrepo['/srv/leap/webapp'],
+ target => $webapp['favicon'];
+
+ '/srv/leap/webapp/app/assets/stylesheets/tail.scss':
+ ensure => 'link',
+ require => Vcsrepo['/srv/leap/webapp'],
+ target => $webapp['tail_scss'];
+
+ '/srv/leap/webapp/app/assets/stylesheets/head.scss':
+ ensure => 'link',
+ require => Vcsrepo['/srv/leap/webapp'],
+ target => $webapp['head_scss'];
+
+ '/srv/leap/webapp/public/img':
+ ensure => 'link',
+ require => Vcsrepo['/srv/leap/webapp'],
+ target => $webapp['img_dir'];
}
file {
- '/srv/leap-webapp/config/config.yml':
+ '/srv/leap/webapp/config/config.yml':
content => template('site_webapp/config.yml.erb'),
owner => leap-webapp,
group => leap-webapp,
- mode => '0600';
+ mode => '0600',
+ require => Vcsrepo['/srv/leap/webapp'],
+ notify => Service['apache'];
}
include site_shorewall::webapp
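Review bot: The title `"/srv/leap/webapp/public/${api_version}/config/"` on line 249 carries a trailing slash while every sibling title does not; if Puppet does not normalize it, a later `File[...]` reference without the slash will not resolve, and in any case the inconsistency is confusing. `"/srv/leap/webapp/public/${api_version}/config":` matches the other resources. The class body continues outside this hunk.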
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb
index 9cf85f0c..df562cd9 100644
--- a/puppet/modules/site_webapp/templates/config.yml.erb
+++ b/puppet/modules/site_webapp/templates/config.yml.erb
@@ -1,5 +1,15 @@
+<%- cert_options = @webapp['client_certificates'] -%>
production:
admins: [admin]
domain: <%= @provider_domain %>
client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %>
client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %>
+ secret_token: "<%= @secret_token %>"
+ client_cert_lifespan: <%= cert_options['life_span'].to_i %>
+ client_cert_bit_size: <%= cert_options['bit_size'].to_i %>
+ client_cert_hash: <%= cert_options['digest'] %>
+ allow_limited_certs: <%= @webapp['allow_limited_certs'].inspect %>
+ allow_unlimited_certs: <%= @webapp['allow_unlimited_certs'].inspect %>
+ allow_anonymous_certs: <%= @webapp['allow_anonymous_certs'].inspect %>
+ limited_cert_prefix: "<%= cert_options['limited_prefix'] %>"
+ unlimited_cert_prefix: "<%= cert_options['unlimited_prefix'] %>"
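Review bot: `secret_token`, `limited_cert_prefix` and `unlimited_cert_prefix` are interpolated into double-quoted YAML scalars without escaping, so a value containing a double quote or backslash produces an invalid or truncated config. The template already uses `.inspect` for the boolean options; `secret_token: <%= @secret_token.inspect %>` (Ruby's String#inspect yields a double-quoted, escaped literal that YAML should accept for these values) would make the three string lines robust. The `cert_options` lookup on line 320 also has no nil check, so a `webapp` hash without `client_certificates` fails at `.to_i` with a NoMethodError instead of a clear message about the missing key.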
diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb b/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb
new file mode 100644
index 00000000..a0921add
--- /dev/null
+++ b/puppet/modules/site_webapp/templates/couchdb.yml.admin.erb
@@ -0,0 +1,9 @@
+production:
+ prefix: ""
+ protocol: 'http'
+ host: <%= @couchdb_host %>
+ port: <%= @couchdb_port %>
+ auto_update_design_doc: false
+ username: <%= @couchdb_admin_user %>
+ password: <%= @couchdb_admin_password %>
+
diff --git a/puppet/modules/site_webapp/templates/couchdb.yml.erb b/puppet/modules/site_webapp/templates/couchdb.yml.erb
index ee521713..2bef0af5 100644
--- a/puppet/modules/site_webapp/templates/couchdb.yml.erb
+++ b/puppet/modules/site_webapp/templates/couchdb.yml.erb
@@ -1,8 +1,9 @@
production:
prefix: ""
- protocol: 'https'
+ protocol: 'http'
host: <%= @couchdb_host %>
- port: 6984
- username: <%= @couchdb_user %>
- password: <%= @couchdb_password %>
+ port: <%= @couchdb_port %>
+ auto_update_design_doc: false
+ username: <%= @couchdb_webapp_user %>
+ password: <%= @couchdb_webapp_password %>
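Review bot: The switch from `https` on 6984 to plain `http` on `<%= @couchdb_port %>` is only safe because the manifest sets `@couchdb_host` to `localhost` and the port to the local haproxy listener that forwards through stunnel; nothing in the template records that assumption. A comment such as `# plain http: the connection goes to the local haproxy/stunnel listener, never over the network` at the top of the production block would keep a later change of host from silently sending the credentials in clear text. The same comment belongs in `couchdb.yml.admin.erb`, which carries the admin password.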
diff --git a/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb
new file mode 100644
index 00000000..f08161ee
--- /dev/null
+++ b/puppet/modules/site_webapp/templates/haproxy_couchdb.cfg.erb
@@ -0,0 +1,16 @@
+
+listen bigcouch-in
+ mode http
+ balance roundrobin
+ option httplog
+ option dontlognull
+ option httpchk GET /
+ option http-server-close
+
+ bind localhost:4096
+<% for port in @local_ports -%>
+ server couchdb_<%=port%> localhost:<%=port%> check inter 3000 fastinter 1000 downinter 1000 rise 2 fall 1
+<% end -%>
+
+
+