10 files changed, 70 insertions, 13 deletions

diff --git a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
index 87c40005..43bd1076 100644
--- a/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
+++ b/puppet/modules/site_apache/templates/vhosts.d/common.conf.erb
@@ -1,5 +1,7 @@
 <VirtualHost *:80>
-  ServerName <%= domain %>
+  ServerName <%= webapp_domain %>
+  ServerAlias <%= domain_name %>
+  ServerAlias <%= domain %>
   ServerAlias www.<%= domain %>
   RewriteEngine On
   RewriteRule ^.*$ https://<%= domain -%>%{REQUEST_URI} [R=permanent,L]
@@ -7,7 +9,6 @@
 </VirtualHost>
 
 <VirtualHost *:443>
-
   ServerName <%= webapp_domain %>
   ServerAlias <%= domain_name %>
   ServerAlias <%= domain %>
diff --git a/puppet/modules/site_check_mk/files/extra_service_conf.mk b/puppet/modules/site_check_mk/files/extra_service_conf.mk
index 61b0dd39..a4c6e769 100644
--- a/puppet/modules/site_check_mk/files/extra_service_conf.mk
+++ b/puppet/modules/site_check_mk/files/extra_service_conf.mk
@@ -5,14 +5,10 @@ extra_service_conf["max_check_attempts"] = [
 ]
 
 #
-# run check_mk_agent every 2 minutes if it terminates successfully.
+# run check_mk_agent every 10 minutes if it terminates successfully.
 # see https://leap.se/code/issues/6539 for the rationale
 #
-# update: temporarily set interval to 60 minutes until we solve the
-#         issue with the users db getting bloated with deleted
-#         test users.
-#
 extra_service_conf["normal_check_interval"] = [
-  ("60", ALL_HOSTS , "Check_MK" )
+  ("10", ALL_HOSTS , "Check_MK" )
 ]
 
diff --git a/puppet/modules/site_couchdb/files/designs/tmp_users/User.json b/puppet/modules/site_couchdb/files/designs/tmp_users/User.json
new file mode 120000
index 00000000..ed3d0af9
--- /dev/null
+++ b/puppet/modules/site_couchdb/files/designs/tmp_users/User.json
@@ -0,0 +1 @@
+../users/User.json
\ No newline at end of file
diff --git a/puppet/modules/site_couchdb/manifests/create_dbs.pp b/puppet/modules/site_couchdb/manifests/create_dbs.pp
index 40148b8e..f9a08807 100644
--- a/puppet/modules/site_couchdb/manifests/create_dbs.pp
+++ b/puppet/modules/site_couchdb/manifests/create_dbs.pp
@@ -64,6 +64,13 @@ class site_couchdb::create_dbs {
     require => Couchdb::Query::Setup['localhost']
   }
 
+  ## tmp_users database
+  ## r/w: webapp
+  couchdb::create_db { 'tmp_users':
+    members => "{ \"names\": [], \"roles\": [\"replication\", \"users\"] }",
+    require => Couchdb::Query::Setup['localhost']
+  }
+
   ## messages db
   ## store messages to the clients such as payment reminders
   ## r/w: webapp
diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp
index 6941b1a3..b9177f25 100644
--- a/puppet/modules/site_static/manifests/domain.pp
+++ b/puppet/modules/site_static/manifests/domain.pp
@@ -12,9 +12,18 @@ define site_static::domain (
 
   create_resources(site_static::location, $locations)
 
-  x509::cert { $domain: content => $cert }
-  x509::key  { $domain: content => $key }
-  x509::ca   { "${domain}_ca": content => $ca_cert }
+  x509::cert { $domain:
+    content => $cert,
+    notify => Service[apache]
+  }
+  x509::key { $domain:
+    content => $key,
+    notify => Service[apache]
+  }
+  x509::ca { "${domain}_ca":
+    content => $ca_cert,
+    notify => Service[apache]
+  }
 
   apache::vhost::file { $domain:
     content => template('site_static/apache.conf.erb')
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index 3ae4d266..1dbc745d 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -6,6 +6,8 @@ class site_webapp::couchdb {
   $couchdb_port            = '4096'
   $couchdb_webapp_user     = $webapp['couchdb_webapp_user']['username']
   $couchdb_webapp_password = $webapp['couchdb_webapp_user']['password']
+  $couchdb_admin_user      = $webapp['couchdb_admin_user']['username']
+  $couchdb_admin_password  = $webapp['couchdb_admin_user']['password']
 
   include x509::variables
 
@@ -17,6 +19,13 @@ class site_webapp::couchdb {
       mode    => '0600',
       require => Vcsrepo['/srv/leap/webapp'];
 
+    '/srv/leap/webapp/config/couchdb.admin.yml':
+      content => template('site_webapp/couchdb.admin.yml.erb'),
+      owner   => leap-webapp,
+      group   => leap-webapp,
+      mode    => '0600',
+      require => Vcsrepo['/srv/leap/webapp'];
+
     '/srv/leap/webapp/log':
       ensure  => directory,
       owner   => leap-webapp,
diff --git a/puppet/modules/site_webapp/manifests/cron.pp b/puppet/modules/site_webapp/manifests/cron.pp
index 811ad11d..bdf0fb74 100644
--- a/puppet/modules/site_webapp/manifests/cron.pp
+++ b/puppet/modules/site_webapp/manifests/cron.pp
@@ -2,6 +2,18 @@ class site_webapp::cron {
 
   # cron tasks that need to be performed to cleanup the database
   cron {
+    'rotate_databases':
+      command     => 'cd /srv/leap/webapp && bundle exec rake db:rotate',
+      environment => 'RAILS_ENV=production',
+      hour        => [0,6,12,18],
+      minute      => 0;
+
+    'delete_tmp_databases':
+      command     => 'cd /srv/leap/webapp && bundle exec rake db:deletetmp',
+      environment => 'RAILS_ENV=production',
+      hour        => 1,
+      minute      => 1;
+
     'remove_expired_sessions':
       command     => 'cd /srv/leap/webapp && bundle exec rake cleanup:sessions',
       environment => 'RAILS_ENV=production',
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index ea64048b..5071d9bc 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -50,7 +50,7 @@ class site_webapp {
     owner    => 'leap-webapp',
     group    => 'leap-webapp',
     require  => [ User['leap-webapp'], Group['leap-webapp'] ],
-    notify   => Exec['bundler_update']
+    notify   => [ Exec['bundler_update'], Exec['rotate_dbs'] ]
   }
 
   exec { 'bundler_update':
@@ -67,6 +67,19 @@ class site_webapp {
     notify  => Service['apache'];
   }
 
+  # this only needs to be called before the first time the web app is run.
+  # after that, the cron job will take care of running db:rotate regularly.
+  exec { 'rotate_dbs':
+    cwd     => '/srv/leap/webapp',
+    command => '/bin/bash -c "RAILS_ENV=production /usr/bin/bundle exec rake db:rotate"',
+    user    => 'leap-webapp',
+    timeout => 600,
+    refreshonly => true,
+    require => [
+      Vcsrepo['/srv/leap/webapp'],
+      Class['site_config::ruby::dev']];
+  }
+
   #
   # NOTE: in order to support a webapp that is running on a subpath and not the
   # root of the domain assets:precompile needs to be run with
diff --git a/puppet/modules/site_webapp/templates/couchdb.admin.yml.erb b/puppet/modules/site_webapp/templates/couchdb.admin.yml.erb
new file mode 100644
index 00000000..a0921add
--- /dev/null
+++ b/puppet/modules/site_webapp/templates/couchdb.admin.yml.erb
@@ -0,0 +1,9 @@
+production:
+  prefix: ""
+  protocol: 'http'
+  host: <%= @couchdb_host %>
+  port: <%= @couchdb_port %>
+  auto_update_design_doc: false
+  username: <%= @couchdb_admin_user %>
+  password: <%= @couchdb_admin_password %>
+
diff --git a/puppet/modules/tapicero/templates/tapicero.yaml.erb b/puppet/modules/tapicero/templates/tapicero.yaml.erb
index 40048a5e..fb3b93aa 100644
--- a/puppet/modules/tapicero/templates/tapicero.yaml.erb
+++ b/puppet/modules/tapicero/templates/tapicero.yaml.erb
@@ -17,7 +17,7 @@ connection:
 
 # file to store the last processed user record in so we can resume after
 # a restart:
-seq_file: "/var/lib/leap/tapicero/tapicero.seq"
+seq_dir: "/var/lib/leap/tapicero/"
 
 # Configure log_file like this if you want to log to a file instead of syslog:
 # log_file: "/var/leap/log/tapicero.log"