Diffstat (limited to 'puppet/modules')
| -rw-r--r-- | puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf | 10 | ||||
| -rw-r--r-- | puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp | 30 | ||||
| -rw-r--r-- | puppet/modules/site_couchdb/manifests/init.pp | 13 | ||||
| -rw-r--r-- | puppet/modules/site_couchdb/manifests/stunnel.pp | 42 | ||||
| -rw-r--r-- | puppet/modules/site_stunnel/manifests/init.pp | 18 | ||||
| -rw-r--r-- | puppet/modules/site_webapp/manifests/couchdb.pp | 9 | ||||
| -rw-r--r-- | puppet/modules/site_webapp/manifests/couchdb_stunnel.pp | 42 | ||||
| -rw-r--r-- | puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp | 17 | ||||
| m--------- | puppet/modules/stunnel | 0 | 
9 files changed, 146 insertions, 35 deletions
| diff --git a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf b/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf deleted file mode 100644 index 0dff2cd6..00000000 --- a/puppet/modules/site_apache/files/vhosts.d/couchdb_proxy.conf +++ /dev/null @@ -1,10 +0,0 @@ -Listen 0.0.0.0:6984 - -<VirtualHost *:6984> -    SSLEngine On -    SSLProxyEngine On -    SSLCertificateKeyFile /etc/x509/keys/leap_couchdb.key -    SSLCertificateFile    /etc/x509/certs/leap_couchdb.crt -    ProxyPass / http://127.0.0.1:5984/ -    ProxyPassReverse / http://127.0.0.1:5984/ -</VirtualHost> diff --git a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp index 7739473e..536dd8db 100644 --- a/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp +++ b/puppet/modules/site_couchdb/manifests/apache_ssl_proxy.pp @@ -1,25 +1,13 @@ -define site_couchdb::apache_ssl_proxy ($key, $cert) { +class site_couchdb::apache_ssl_proxy { -  $apache_no_default_site = true -  include apache -  apache::module { -    'proxy':        ensure => present; -    'proxy_http':   ensure => present; -    'rewrite':      ensure => present; -    'ssl':          ensure => present; -  } -  apache::vhost::file { 'couchdb_proxy': } +# This is here to disable the previously configured apache ssl proxy +# we were using this, but have switched to stunnel instead. +# +# Unfortunately, the current apache shared module doesn't handle +# ensure=>absent, so this is going to be done the crude way, and will only +# work for debian+derivitives, which is fine for now, but not good for the +# future -  x509::key { -    'leap_couchdb': -      content => $key, -      notify  => Service[apache]; -  } - -  x509::cert { -    'leap_couchdb': -      content => $cert, -      notify  => Service[apache]; -  } +  package { 'apache2': ensure => absent }  } 
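Review bot: `package { 'apache2': ensure => absent }` removes the package but on Debian leaves `/etc/apache2` behind, so the vhost from the deleted `couchdb_proxy.conf` (listening on `0.0.0.0:6984`) and any other site config stay on disk and come back the moment apache2 is reinstalled on the host; `ensure => purged` removes the configuration together with the package. The resource is also unconditional for every node that includes `site_couchdb`, so if a node can host couchdb alongside anything served by apache (the webapp, presumably), this hunk uninstalls that role's web server; guard it, or make the removal conditional on the proxy actually having been deployed. The existing comment already flags the Debian-only crudeness; adding `# NOTE: this also uninstalls apache for any other role co-located on this node` there would make the blast radius explicit.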
diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index 25956938..d317de65 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -4,6 +4,7 @@ class site_couchdb ( $bigcouch = false ) {    $x509                   = hiera('x509')    $key                    = $x509['key']    $cert                   = $x509['cert'] +  $ca                     = $x509['ca_cert']    $couchdb_config         = hiera('couch')    $couchdb_users          = $couchdb_config['users']    $couchdb_admin          = $couchdb_users['admin'] @@ -30,11 +31,15 @@ class site_couchdb ( $bigcouch = false ) {      -> Couchdb::Create_db['client_certificates']      -> Couchdb::Add_user[$couchdb_webapp_user]      -> Couchdb::Add_user[$couchdb_ca_daemon_user] -    -> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy'] -  site_couchdb::apache_ssl_proxy { 'apache_ssl_proxy': -    key   => $key, -    cert  => $cert +  # this is here to disable and remove the proxy +  include site_couchdb::apache_ssl_proxy + +  # the above apache_ssl_proxy is replaced by the following stunnel +  class { 'site_couchdb::stunnel': +    key  => $key, +    cert => $cert, +    ca   => $ca    }    couchdb::query::setup { 'localhost': diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp new file mode 100644 index 00000000..b4635951 --- /dev/null +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp 
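Review bot: the removed line `-> Site_couchdb::Apache_ssl_proxy['apache_ssl_proxy']` took the proxy out of the ordering chain, but the replacement `class { 'site_couchdb::stunnel': ... }` is declared with no relationship to `site_couchdb::apache_ssl_proxy`, so on the first run Puppet may try to start stunnel on 6984 while apache2 (still bound to `0.0.0.0:6984`) has not yet been removed, and the stunnel service fails to bind until a later run. Add `Class['site_couchdb::apache_ssl_proxy'] -> Class['site_couchdb::stunnel']` next to the include so the old listener is freed first; this assumes removing the package stops apache's listener, which is the Debian default but is not guaranteed by this hunk. The new `$ca = $x509['ca_cert']` is read with no check that the hiera key exists; with `verify => '2'` on the stunnel side a missing CA means every peer is rejected, so a `fail()` when it is empty would surface the misconfiguration at compile time instead of as a dead tunnel. The enclosing `site_couchdb` class body continues outside the hunk.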
@@ -0,0 +1,42 @@ +class site_couchdb::stunnel ($key, $cert, $ca) { + +  include x509::variables +  include site_stunnel + +  $cert_name = 'leap_couchdb' +  $ca_path = "${x509::variables::certs}/leap_client_ca.crt" +  $cert_path = "${x509::variables::certs}/${cert_name}.crt" +  $key_path = "${x509::variables::keys}/${cert_name}.key" + +  x509::key { +    $cert_name: +      content => $key, +      notify  => Service['stunnel']; +  } + +  x509::cert { +    $cert_name: +      content => $cert, +      notify  => Service['stunnel']; +  } + +  x509::ca { +    $cert_name: +      content => $ca, +      notify  => Service['stunnel']; +  } + +  stunnel::service { 'couchdb': +    accept     => '6984', +    connect    => '127.0.0.1:5984', +    client     => false, +    cafile     => $ca_path, +    key        => $key_path, +    cert       => $cert_path, +    verify     => '2', +    pid        => '/var/run/stunnel4/couchdb.pid', +    rndfile    => '/var/lib/stunnel4/.rnd', +    debuglevel => '4' +  } +} + diff --git a/puppet/modules/site_stunnel/manifests/init.pp b/puppet/modules/site_stunnel/manifests/init.pp new file mode 100644 index 00000000..6ba2c4b8 --- /dev/null +++ b/puppet/modules/site_stunnel/manifests/init.pp @@ -0,0 +1,18 @@ +class site_stunnel { + +  # include the generic stunnel module +  # increase the number of open files to allow for 800 connections +  $stunnel_default_extra = 'ulimit -n 4096' +  include stunnel + +  # The stunnel.conf provided by the Debian package is broken by default +  # so we get rid of it and just define our own. See #549384 +  if !defined(File['/etc/stunnel/stunnel.conf']) { +    file { +      # this file is a broken config installed by the package +      '/etc/stunnel/stunnel.conf': +        ensure => absent; +    } +  } +} + diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index 9312cdb1..b8a4201d 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp 
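Review bot: `cafile => $ca_path` points at `${x509::variables::certs}/leap_client_ca.crt`, but the CA content is installed by `x509::ca { 'leap_couchdb': ... }`, which — unless the x509 module ignores its title when choosing the output path — writes a file named after `leap_couchdb`, not `leap_client_ca`; with `verify => '2'` stunnel then either refuses to start or rejects every peer for want of a CA file. Either derive `$ca_path` from whatever path `x509::ca` actually produces for the title `$cert_name`, or retitle the resource `x509::ca { 'leap_client_ca': ... }` so title and `$ca_path` agree. Note also that `x509::cert` and `x509::ca` share the title `leap_couchdb`; if both render into `${x509::variables::certs}` they would collide on the same file, so the retitle helps there too. Worth a comment above `verify => '2'` such as `# verify=2 only checks the peer cert chains to $ca: any node holding a cert from this CA may connect, not just the webapp`, since that is the actual trust boundary this creates.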
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp @@ -1,5 +1,9 @@  class site_webapp::couchdb { +  $x509             = hiera('x509') +  $key              = $x509['key'] +  $cert             = $x509['cert'] +  $ca               = $x509['ca_cert']    $webapp           = hiera('webapp')    $couchdb_hosts    = $webapp['couchdb_hosts']    # for now, pick the first couchdb host before we have a working @@ -16,4 +20,9 @@ class site_webapp::couchdb {        mode    => '0600';    } +  class { 'site_webapp::couchdb_stunnel': +    key  => $key, +    cert => $cert, +    ca   => $ca +  }  } diff --git a/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp b/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp new file mode 100644 index 00000000..e6657e13 --- /dev/null +++ b/puppet/modules/site_webapp/manifests/couchdb_stunnel.pp @@ -0,0 +1,42 @@ +class site_webapp::couchdb_stunnel ($key, $cert, $ca) { + +  include x509::variables +  include site_stunnel + +  $cert_name = 'leap_couchdb' +  $ca_path = "${x509::variables::certs}/leap_client_ca.crt" +  $cert_path = "${x509::variables::certs}/${cert_name}.crt" +  $key_path = "${x509::variables::keys}/${cert_name}.key" + +  x509::key { +    $cert_name: +      content => $key, +      notify  => Service['stunnel']; +  } + +  x509::cert { +    $cert_name: +      content => $cert, +      notify  => Service['stunnel']; +  } + +  x509::ca { +    $cert_name: +      content => $ca, +      notify => Service['stunnel']; +  } + +  $couchdb_stunnel_client_defaults = { +    'client'     => true, +    'cafile'     => $ca_path, +    'key'        => $key_path, +    'cert'       => $cert_path, +    'verify'     => '2', +    'rndfile'    => '/var/lib/stunnel4/.rnd', +    'debuglevel' => '4' +  } + +  create_resources(site_webapp::couchdb_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) + +} + 
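Review bot: this class declares `x509::key`, `x509::cert` and `x509::ca` with the same title `leap_couchdb` that `site_couchdb::stunnel` declares in the sibling hunk, so any catalog that includes both `site_webapp` and `site_couchdb` (a node hosting both roles, if the deployment allows that) fails with a duplicate resource declaration. If co-location is possible, move the three x509 resources into the shared `site_stunnel` class, or guard them with `if !defined(X509::Key[$cert_name])` in the same way `site_stunnel` guards `/etc/stunnel/stunnel.conf`, and have both sides only reference the paths. `create_resources(site_webapp::couchdb_stunnel::clients, hiera('stunnel'), ...)` has no hiera default, so a node without a `stunnel` key fails to compile rather than simply running no client tunnels; `hiera('stunnel', {})` makes the tunnels opt-in. Minor style: `notify => Service['stunnel']` in the `x509::ca` block is not aligned with the other arrows.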
diff --git a/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp b/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp new file mode 100644 index 00000000..eac43b08 --- /dev/null +++ b/puppet/modules/site_webapp/manifests/couchdb_stunnel/clients.pp @@ -0,0 +1,17 @@ +define site_webapp::couchdb_stunnel::clients +    ( $accept_port, $connect, $client, $cafile, $key, $cert, +      $verify, $pid = $name, $rndfile, $debuglevel ) { + +    stunnel::service { $name: +      accept     => "127.0.0.1:${accept_port}", +      connect    => "${connect}:6984", +      client     => $client, +      cafile     => $cafile, +      key        => $key, +      cert       => $cert, +      verify     => $verify, +      pid        => "/var/run/stunnel4/${pid}.pid", +      rndfile    => $rndfile, +      debuglevel => $debuglevel +    } +  } diff --git a/puppet/modules/stunnel b/puppet/modules/stunnel new file mode 160000 +Subproject 03b51fcb718734f4b2ea76c038ffbe9b2b348b1 | 
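Review bot: the define carries no comment describing the shape of the `hiera('stunnel')` entries it is instantiated from, and the remote port is hard-coded in `connect => "${connect}:6984"` while the accept port is a parameter, so the coupling to `site_couchdb::stunnel`'s `accept => '6984'` is invisible from this file. Suggest a header comment along the lines of `# One stunnel client per hiera('stunnel') entry: the title names the tunnel, accept_port is the loopback port the webapp connects to, connect is the couchdb host; the remote port is couchdb's stunnel listener (6984).` and a `$connect_port = '6984'` parameter so both ends can be changed together. The `accept => "127.0.0.1:${accept_port}"` binding keeps the plaintext side of the tunnel local to the host, which is the right default and is worth stating as intent in that comment so a later change does not loosen it casually.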
