Diffstat (limited to 'puppet')
-rw-r--r--puppet/manifests/site.pp1
m---------puppet/modules/apache0
-rw-r--r--puppet/modules/site_config/manifests/ruby.pp14
-rw-r--r--puppet/modules/site_nickserver/manifests/init.pp162
-rw-r--r--puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb23
-rw-r--r--puppet/modules/site_nickserver/templates/nickserver.yml.erb19
-rw-r--r--puppet/modules/site_webapp/manifests/couchdb.pp9
-rw-r--r--puppet/modules/site_webapp/manifests/init.pp28
8 files changed, 240 insertions, 16 deletions
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index 2d41d45f..22172584 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -29,6 +29,7 @@ if 'couchdb' in $services {
if 'webapp' in $services {
include site_webapp
+ include site_nickserver
}
if 'monitor' in $services {
diff --git a/puppet/modules/apache b/puppet/modules/apache
-Subproject 090e59ad1fcba01e868237a83cadf9254cf09d3
+Subproject c3e92a9b3cb02f1546b6b1570f10a968d380005
diff --git a/puppet/modules/site_config/manifests/ruby.pp b/puppet/modules/site_config/manifests/ruby.pp
new file mode 100644
index 00000000..2a720114
--- /dev/null
+++ b/puppet/modules/site_config/manifests/ruby.pp
@@ -0,0 +1,14 @@
+class site_config::ruby {
+ Class[Ruby] -> Class[rubygems] -> Class[bundler::install]
+ class { '::ruby': ruby_version => '1.9.3' }
+ class { 'bundler::install': install_method => 'package' }
+ include rubygems
+}
+
+
+#
+# Ruby settings common to all servers
+#
+# Why this way? So that other classes can do 'include site_ruby' without creating redeclaration errors.
+# See https://puppetlabs.com/blog/modeling-class-composition-with-parameterized-classes/
+#
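Review bot: The explanatory header at the end of this hunk (`# Ruby settings common to all servers` … `# See https://puppetlabs.com/blog/...`) sits after the class body, separated by two blank lines, so a reader opening the file meets the class before its rationale; it also says `include site_ruby` while the class declared here is `site_config::ruby`. Moving the comment block above `class site_config::ruby {` and changing that line to `# Why this way? So that other classes can do 'include site_config::ruby' without creating redeclaration errors.` keeps the documentation next to what it explains and accurate to the name callers use (site_webapp/manifests/init.pp in this same commit includes it as `site_config::ruby`).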
diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp
new file mode 100644
index 00000000..7dfa2603
--- /dev/null
+++ b/puppet/modules/site_nickserver/manifests/init.pp
@@ -0,0 +1,162 @@
+#
+# TODO: currently, this is dependent on some things that are set up in site_webapp
+#
+# (1) HAProxy -> couchdb
+# (2) Apache
+#
+# It would be good in the future to make nickserver installable independently of site_webapp.
+#
+
+class site_nickserver {
+ tag 'leap_service'
+ include site_config::ruby
+
+ #
+ # VARIABLES
+ #
+
+ $nickserver = hiera('nickserver')
+ $nickserver_port = $nickserver['port'] # the port that public connects to (should be 6425)
+ $nickserver_local_port = '64250' # the port that nickserver is actually running on
+ $nickserver_domain = $nickserver['domain']
+
+ $couchdb_user = $nickserver['couchdb_user']['username']
+ $couchdb_password = $nickserver['couchdb_user']['password']
+ $couchdb_host = 'localhost' # couchdb is available on localhost via haproxy, which is bound to 4096.
+ $couchdb_port = '4096' # See site_webapp/templates/haproxy_couchdb.cfg.erg
+
+ # temporarily for now:
+ $domain = hiera('domain')
+ $address_domain = $domain['full_suffix']
+ $x509 = hiera('x509')
+ $x509_key = $x509['key']
+ $x509_cert = $x509['cert']
+ $x509_ca = $x509['ca_cert']
+
+ #
+ # USER AND GROUP
+ #
+
+ group { 'nickserver':
+ ensure => present,
+ allowdupe => false;
+ }
+ user { 'nickserver':
+ ensure => present,
+ allowdupe => false,
+ gid => 'nickserver',
+ home => '/srv/leap/nickserver',
+ require => Group['nickserver'];
+ }
+
+ #
+ # NICKSERVER CODE
+ # NOTE: in order to support TLS, libssl-dev must be installed before EventMachine gem
+ # is built/installed.
+ #
+
+ package {
+ 'libssl-dev': ensure => installed;
+ }
+ vcsrepo { '/srv/leap/nickserver':
+ ensure => present,
+ revision => 'origin/master',
+ provider => git,
+ source => 'git://code.leap.se/nickserver',
+ owner => 'nickserver',
+ group => 'nickserver',
+ require => [ User['nickserver'], Group['nickserver'] ],
+ notify => Exec['nickserver_bundler_update'];
+ }
+ exec { 'nickserver_bundler_update':
+ cwd => '/srv/leap/nickserver',
+ command => '/bin/bash -c "/usr/bin/bundle check || /usr/bin/bundle install --path vendor/bundle"',
+ unless => '/usr/bin/bundle check',
+ user => 'nickserver',
+ timeout => 600,
+ require => [ Class['bundler::install'], Vcsrepo['/srv/leap/nickserver'], Package['libssl-dev'] ],
+ notify => Service['nickserver'];
+ }
+
+ #
+ # NICKSERVER CONFIG
+ #
+
+ file { '/etc/leap/nickserver.yml':
+ content => template('site_nickserver/nickserver.yml.erb'),
+ owner => nickserver,
+ group => nickserver,
+ mode => '0600',
+ notify => Service['nickserver'];
+ }
+
+ #
+ # NICKSERVER DAEMON
+ #
+
+ file {
+ '/usr/bin/nickserver':
+ ensure => link,
+ target => '/srv/leap/nickserver/bin/nickserver',
+ require => Vcsrepo['/srv/leap/nickserver'];
+ '/etc/init.d/nickserver':
+ owner => root, group => 0, mode => '0755',
+ source => '/srv/leap/nickserver/dist/debian-init-script',
+ require => Vcsrepo['/srv/leap/nickserver'];
+ }
+
+ service { 'nickserver':
+ ensure => running,
+ enable => true,
+ hasrestart => true,
+ hasstatus => true,
+ require => File['/etc/init.d/nickserver'];
+ }
+
+ #
+ # FIREWALL
+ # poke a hole in the firewall to allow nickserver requests
+ #
+
+ file { '/etc/shorewall/macro.nickserver':
+ content => "PARAM - - tcp $nickserver_port",
+ notify => Service['shorewall'],
+ require => Package['shorewall'];
+ }
+
+ shorewall::rule { 'net2fw-nickserver':
+ source => 'net',
+ destination => '$FW',
+ action => 'nickserver(ACCEPT)',
+ order => 200;
+ }
+
+ #
+ # APACHE REVERSE PROXY
+ # nickserver doesn't speak TLS natively, let Apache handle that.
+ #
+
+ apache::module {
+ 'proxy': ensure => present;
+ 'proxy_http': ensure => present
+ }
+
+ apache::vhost::file {
+ 'nickserver': content => template('site_nickserver/nickserver-proxy.conf.erb')
+ }
+
+ x509::key { 'nickserver':
+ content => $x509_key,
+ notify => Service[apache];
+ }
+
+ x509::cert { 'nickserver':
+ content => $x509_cert,
+ notify => Service[apache];
+ }
+
+ x509::ca { 'nickserver':
+ content => $x509_ca,
+ notify => Service[apache];
+ }
+} \ No newline at end of file
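Review bot: The `vcsrepo { '/srv/leap/nickserver' }` fetches over `git://code.leap.se/nickserver` and tracks `revision => 'origin/master'`, and everything downstream trusts that checkout: the bundler exec installs whatever the fetched Gemfile.lock names, `/usr/bin/nickserver` is a symlink into it, and `/etc/init.d/nickserver` is copied out of it as root-owned 0755 and run by init. The git:// transport does not authenticate the remote, and following a moving branch means any agent run can pull new code into a service that is handed the couchdb credentials via nickserver.yml, so I would pin the checkout (`revision => '<tag or commit sha>'`, placeholder) and fetch over an https or ssh `source`; if following master is intentional for now, a comment next to the vcsrepo saying so would help the next reader. Minor: the exec's `unless => '/usr/bin/bundle check'` makes the `/usr/bin/bundle check ||` inside `command` redundant — one of the two can go.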
diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb
new file mode 100644
index 00000000..67896cd3
--- /dev/null
+++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb
@@ -0,0 +1,23 @@
+#
+# Apache reverse proxy configuration for the Nickserver
+#
+
+Listen 0.0.0.0:<%= @nickserver_port -%>
+
+<VirtualHost *:<%= @nickserver_port -%>>
+ ServerName <%= @nickserver_domain %>
+ ServerAlias <%= @address_domain %>
+
+ SSLEngine on
+ SSLProtocol -all +SSLv3 +TLSv1
+ SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH
+ SSLHonorCipherOrder on
+
+ SSLCACertificatePath /etc/ssl/certs
+ SSLCertificateChainFile /etc/ssl/certs/nickserver.pem
+ SSLCertificateKeyFile /etc/x509/keys/nickserver.key
+ SSLCertificateFile /etc/x509/certs/nickserver.crt
+
+ ProxyPass / http://localhost:<%= @nickserver_local_port %>/
+ ProxyPreserveHost On # preserve Host header in HTTP request
+</VirtualHost>
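Review bot: `ProxyPreserveHost On # preserve Host header in HTTP request` puts a comment on the same line as a directive, which Apache does not allow — the `#` and the words after it are read as additional arguments, so the config test should reject the file and the vhost never comes up; move the comment onto its own line above `ProxyPreserveHost On`. Separately, `SSLProtocol -all +SSLv3 +TLSv1` explicitly re-enables SSLv3 and `SSLCipherSuite HIGH:MEDIUM:!aNULL:!SSLv2:!MD5:@STRENGTH` admits MEDIUM-strength ciphers; for a TLS terminator in front of an otherwise plaintext backend I would write `SSLProtocol all -SSLv2 -SSLv3` and drop `MEDIUM` from the cipher string. A `ProxyPassReverse / http://localhost:<%= @nickserver_local_port %>/` beside the `ProxyPass` would also keep any Location headers from the backend from exposing the internal port, though whether nickserver ever issues redirects is not visible here.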
diff --git a/puppet/modules/site_nickserver/templates/nickserver.yml.erb b/puppet/modules/site_nickserver/templates/nickserver.yml.erb
new file mode 100644
index 00000000..7aab5605
--- /dev/null
+++ b/puppet/modules/site_nickserver/templates/nickserver.yml.erb
@@ -0,0 +1,19 @@
+#
+# configuration for nickserver.
+#
+
+domain: "<%= @address_domain %>"
+
+couch_host: "<%= @couchdb_host %>"
+couch_port: <%= @couchdb_port %>
+couch_database: "users"
+couch_user: "<%= @couchdb_user %>"
+couch_password: "<%= @couchdb_password %>"
+
+hkp_url: "https://hkps.pool.sks-keyservers.net:/pks/lookup"
+
+user: "nickserver"
+port: <%= @nickserver_local_port %>
+pid_file: "/var/run/nickserver"
+log_file: "/var/log/nickserver.log"
+
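Review bot: `hkp_url: "https://hkps.pool.sks-keyservers.net:/pks/lookup"` has a colon with no port number after the host; whether nickserver's URI parsing tolerates an empty port is not visible here, but it reads as an oversight, so either drop the colon or spell the port out (`https://hkps.pool.sks-keyservers.net:443/pks/lookup`). `couch_database: "users"` is the one backend setting hard-coded in this template while host, port and credentials come from hiera, and a one-line comment above it saying why it is fixed rather than templated would save the next reader a trip to the manifest.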
diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp
index 7a3839c8..b4ef0980 100644
--- a/puppet/modules/site_webapp/manifests/couchdb.pp
+++ b/puppet/modules/site_webapp/manifests/couchdb.pp
@@ -29,18 +29,21 @@ class site_webapp::couchdb {
content => template('site_webapp/couchdb.yml.admin.erb'),
owner => leap-webapp,
group => leap-webapp,
- mode => '0600';
+ mode => '0600',
+ require => Vcsrepo['/srv/leap/webapp'];
'/srv/leap/webapp/config/couchdb.yml.webapp':
content => template('site_webapp/couchdb.yml.erb'),
owner => leap-webapp,
group => leap-webapp,
- mode => '0600';
+ mode => '0600',
+ require => Vcsrepo['/srv/leap/webapp'];
'/srv/leap/webapp/logs/production.log':
owner => leap-webapp,
group => leap-webapp,
- mode => '0666';
+ mode => '0666',
+ require => Vcsrepo['/srv/leap/webapp'];
'/usr/local/sbin/migrate_design_documents':
source => 'puppet:///modules/site_webapp/migrate_design_documents',
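Review bot: The same `require => Vcsrepo['/srv/leap/webapp']` is now repeated on every file resource under `/srv/leap/webapp` here and again in the two site_webapp/manifests/init.pp hunks below (the `provider.json` block and the final `notify => Service['apache']` block), which is easy to forget on the next file someone adds to these blocks; a single chain after each block, `Vcsrepo['/srv/leap/webapp'] -> File['<title>', '<title>', ...]` (placeholders for the titles in that block), would state the dependency once. The `file {` block this hunk edits opens before the hunk, so the first resource's title is not visible here.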
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index b01141ae..1dfe6936 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -11,13 +11,7 @@ class site_webapp {
$api_version = $webapp['api_version']
$secret_token = $webapp['secret_token']
- Class[Ruby] -> Class[rubygems] -> Class[bundler::install]
-
- class { 'ruby': ruby_version => '1.9.3' }
-
- class { 'bundler::install': install_method => 'package' }
-
- include rubygems
+ include site_config::ruby
include site_webapp::apache
include site_webapp::couchdb
include site_webapp::client_ca
@@ -77,30 +71,37 @@ class site_webapp {
file {
'/srv/leap/webapp/public/provider.json':
content => $provider,
+ require => Vcsrepo['/srv/leap/webapp'],
owner => leap-webapp, group => leap-webapp, mode => '0644';
'/srv/leap/webapp/public/ca.crt':
ensure => link,
+ require => Vcsrepo['/srv/leap/webapp'],
target => '/usr/local/share/ca-certificates/leap_api.crt';
"/srv/leap/webapp/public/${api_version}":
ensure => directory,
+ require => Vcsrepo['/srv/leap/webapp'],
owner => leap-webapp, group => leap-webapp, mode => '0755';
"/srv/leap/webapp/public/${api_version}/config/":
ensure => directory,
+ require => Vcsrepo['/srv/leap/webapp'],
owner => leap-webapp, group => leap-webapp, mode => '0755';
"/srv/leap/webapp/public/${api_version}/config/eip-service.json":
content => $eip_service,
+ require => Vcsrepo['/srv/leap/webapp'],
owner => leap-webapp, group => leap-webapp, mode => '0644';
"/srv/leap/webapp/public/${api_version}/config/soledad-service.json":
content => $soledad_service,
+ require => Vcsrepo['/srv/leap/webapp'],
owner => leap-webapp, group => leap-webapp, mode => '0644';
"/srv/leap/webapp/public/${api_version}/config/smtp-service.json":
content => $smtp_service,
+ require => Vcsrepo['/srv/leap/webapp'],
owner => leap-webapp, group => leap-webapp, mode => '0644';
}
@@ -111,19 +112,19 @@ class site_webapp {
target => $webapp['favicon'];
'/srv/leap/webapp/app/assets/stylesheets/tail.scss':
- ensure => 'link',
+ ensure => 'link',
require => Vcsrepo['/srv/leap/webapp'],
- target => $webapp['tail_scss'];
+ target => $webapp['tail_scss'];
'/srv/leap/webapp/app/assets/stylesheets/head.scss':
- ensure => 'link',
+ ensure => 'link',
require => Vcsrepo['/srv/leap/webapp'],
- target => $webapp['head_scss'];
+ target => $webapp['head_scss'];
'/srv/leap/webapp/public/img':
- ensure => 'link',
+ ensure => 'link',
require => Vcsrepo['/srv/leap/webapp'],
- target => $webapp['img_dir'];
+ target => $webapp['img_dir'];
}
file {
@@ -132,6 +133,7 @@ class site_webapp {
owner => leap-webapp,
group => leap-webapp,
mode => '0600',
+ require => Vcsrepo['/srv/leap/webapp'],
notify => Service['apache'];
}